[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]

THE LONDON BOMBINGS: PROTECTING CIVILIAN TARGETS FROM TERRORIST ATTACKS
PART I AND II

=======================================================================

HEARING
before the
SUBCOMMITTEE ON ECONOMIC SECURITY, INFRASTRUCTURE PROTECTION, AND CYBERSECURITY
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
FIRST SESSION

__________

SEPTEMBER 7, 2005 and OCTOBER 20, 2005

__________

Serial No. 109-39

__________

Printed for the use of the Committee on Homeland Security

Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html

__________

U.S. GOVERNMENT PRINTING OFFICE
28-921 WASHINGTON : 2007

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON HOMELAND SECURITY

Peter T. King, New York, Chairman

Don Young, Alaska                    Bennie G. Thompson, Mississippi
Lamar S. Smith, Texas                Loretta Sanchez, California
Curt Weldon, Pennsylvania            Edward J. Markey, Massachusetts
Christopher Shays, Connecticut       Norman D. Dicks, Washington
Peter T. King, New York              Jane Harman, California
John Linder, Georgia                 Peter A. DeFazio, Oregon
Mark E. Souder, Indiana              Nita M. Lowey, New York
Tom Davis, Virginia                  Eleanor Holmes Norton, District of Columbia
Daniel E. Lungren, California        Zoe Lofgren, California
Jim Gibbons, Nevada                  Sheila Jackson-Lee, Texas
Rob Simmons, Connecticut             Bill Pascrell, Jr., New Jersey
Mike Rogers, Alabama                 Donna M. Christensen, U.S. Virgin Islands
Stevan Pearce, New Mexico            Bob Etheridge, North Carolina
Katherine Harris, Florida            James R. Langevin, Rhode Island
Bobby Jindal, Louisiana              Kendrick B. Meek, Florida
Dave G. Reichert, Washington
Michael McCaul, Texas
Charlie Dent, Pennsylvania
Ginny Brown-Waite, Florida

______

Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity

Daniel E. Lungren, California, Chairman

Don Young, Alaska                    Loretta Sanchez, California
Lamar S. Smith, Texas                Edward J. Markey, Massachusetts
John Linder, Georgia                 Norman D. Dicks, Washington
Mark E. Souder, Indiana              Peter A. DeFazio, Oregon
Tom Davis, Virginia                  Zoe Lofgren, California
Mike Rogers, Alabama                 Sheila Jackson-Lee, Texas
Stevan Pearce, New Mexico            Bill Pascrell, Jr., New Jersey
Katherine Harris, Florida            James R. Langevin, Rhode Island
Bobby Jindal, Louisiana              Bennie G. Thompson, Mississippi (Ex Officio)
Peter T. King, New York (Ex Officio)

C O N T E N T S

----------

STATEMENTS

The Honorable Daniel E. Lungren, a Representative in Congress From the State of California, and Chairman, Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity:
  Oral Statement
  Prepared Opening Statement, September 7, 2007
  Prepared Statement, October 20, 2007
The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Ranking Member, Committee on Homeland Security
The Honorable Norman D. Dicks, a Representative in Congress From the State of Washington
The Honorable James R. Langevin, a Representative in Congress From the State of Rhode Island
The Honorable Sheila Jackson-Lee, a Representative in Congress From the State of Texas
The Honorable John Linder, a Representative in Congress From the State of Georgia
The Honorable Bill Pascrell, Jr., a Representative in Congress From the State of New Jersey
The Honorable Stevan Pearce, a Representative in Congress From the State of New Mexico
The Honorable Mark E. Souder, a Representative in Congress From the State of Indiana

WITNESSES

Wednesday, September 7, 2005

Mr. Peter Lowy, CEO, Westfield America, Inc:
  Oral Statement
  Prepared Statement
Mr. Joe Madsen, Director, Safety and Risk Management, Spokane Public Schools, Spokane, Washington:
  Oral Statement
  Prepared Statement
Mr. Bill Millar, President, American Public Transportation Association:
  Oral Statement
  Prepared Statement
Mr. Michael Norton, Managing Director of Global Property Management, Tishman Speyer Properties:
  Oral Statement
  Prepared Statement

Thursday, October 20, 2005

Mr. Robert Jamison, Deputy Administrator, Transportation Security Administration, Department of Homeland Security:
  Oral Statement
  Prepared Statement
Mr. Robert Stephan, Assistant Secretary, Infrastructure Protection Division, Department of Homeland Security:
  Oral Statement
  Prepared statement

For the Record

The International Council of Shopping Centers:
  Prepared Statement, September 7, 2005
The Honorable Kip Hawley, Assistant Secretary, Transportation Security Administration, Department of Homeland Security:
  Prepared Statement, September 7, 2005
Letter From Mr. Robert B. Stephan

THE LONDON BOMBINGS: PROTECTING CIVILIAN TARGETS FROM TERRORIST ATTACKS

----------

Wednesday, September 7, 2005

U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity,
Washington, DC.

The subcommittee met, pursuant to call, at 10:09 a.m., in Room 311, Cannon House Office Building, Hon. Daniel Lungren [chairman of the subcommittee] presiding.

Present: Representatives Lungren, Linder, Souder, Thompson, Dicks, DeFazio, Lofgren, Jackson-Lee, Pascrell, and Langevin.

Mr. Lungren. [Presiding.] Good morning. I would like to welcome everyone to this hearing of the Committee on Homeland Security, Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity. We are meeting today for the first time in the committee's permanent hearing room, so maybe we will also get an office next to it at some time in the future, but we will work on that.

This morning, the subcommittee will focus on the protection of civilian or soft targets against terrorist attacks. A soft target can be any place or thing whose destruction or impairment will cause a loss of life, economic damage or psychological trauma, which is difficult to protect or harden because it is a location that is accessible to the public. Soft targets would include schools, buses, trains, hotels, office buildings, restaurants, night clubs, apartment buildings, churches, mosques, synagogues or any place where many people can be found in close proximity.

It is true that in a free and open society such as ours, there are an infinite number of such potential targets which a terrorist could choose to attack. Compounding our difficulties, terrorists have many advantages. They have the ability to choose what, where, when and how to execute an attack. As the President has said, we have to be right 100 percent of the time, while they only have to get lucky once.
The latest tragedies in London and Egypt have highlighted the ease in which terrorists can perpetrate heinous crimes against the civilian population, even where reasonable security measures had already been instituted. Public transportation, particularly trains and buses, this has been the favored target of many high-profile attacks, but terrorists have also repeatedly targeted night clubs, restaurants and hotels.

The inability to effectively restrict access and the potential for numerous casualties, combined with the psychological impact on the public and its resulting effect on our national economy makes these soft targets highly attractive to terrorists. According to the RAND Memorial Institute for Prevention of Terrorism database of terrorist events, there have been almost 10,000 terrorist incidents worldwide since 9/11, of which more than 5,500 could be considered to have taken place against soft targets.

Increasing physical security of such sites is, of course, part of the solution to the challenge, but let's face it: screening every person accessing every possible soft target is both a physical and economic impossibility. Even if it were possible, there is simply no way to be 100 percent effective against a determined terrorist that is willing to take his or her own life in pursuit of the mission.

So accordingly, we must prioritize our efforts based on known risks and consequences, and avoid the temptation to focus on one soft target sector to the detriment of others. As Secretary Chertoff has said, terrorists are quite adaptable, so as we harden some types of facilities they would naturally switch to others that are seemingly less protected.

We must also figure out how to remain one step ahead of the terrorists and stop them before they execute their plans. We can accomplish this in large part by continuing to aggressively pursue intelligence regarding terrorists and their intentions.
And we can expand our intelligence-gathering capabilities further by training employees and civilians around or within soft targets to be watchful of suspicious behavior and attempt to intercept terrorists in the planning or reconnaissance or even implementation stages of an attack. Mass transit facilities and other security forces have begun doing this type of training already.

So I would like to welcome our witnesses today and thank them for participating in this timely discussion. We had planned to have an initial panel with two witnesses representing the views of the Department of Homeland Security, the Honorable Kip Hawley, the Administrator of the Transportation Security Administration, and Robert Stephan, the Acting Under Secretary for Information Analysis and Infrastructure Protection. But given the need of these witnesses to be focused on the continuing response to Hurricane Katrina, we have decided to postpone that panel to another date later this month.

So our planned second panel now will be our only panel today. The witnesses represent a wide array of soft-target sectors, including mass transit, shopping malls, office buildings, and public schools. Let me restate that. Our witnesses represent a wide array of our economy, which, because of the nature of terrorism, makes them soft-target opportunities. As I say, they include mass transit, shopping malls, office buildings, and public schools.

The witnesses will provide us with important insights on the steps they have taken thus far to address the challenges posed by terrorists, the assistance they receive from DHS and other federal agencies, and what they believe the proper role of the federal government should be with respect to security within their sectors. As I have said many times, we do not have all the wisdom in government and we can be well educated as to what is being done in the private sector.
We would particularly like to concentrate on the cooperative nature of efforts between the private and public sector. So I would like to thank the witnesses for appearing before us today and tell you that I look forward to your testimony.

I would recognize the Ranking Member of the full Committee, Mr. Thompson, who has been busy in the last week or so with some concerns in his own district as a result of the hurricane. As you know, you have our best wishes and our prayers for the people in your district and the evacuees who have come to your district.

Prepared Opening Statement of Hon. Daniel Lungren

Wednesday, September 7, 2005

I would like to welcome everyone to this hearing of the Committee on Homeland Security Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity.

This morning, the Subcommittee will focus on the protection of civilian or ``soft'' targets against terrorist attacks. A soft target can be any place or thing whose destruction or impairment will cause loss of life, economic damage, or psychological trauma, and which is difficult to protect or ``harden'' because it is a location that is accessible to the public. Soft targets include schools, buses, trains, hotels, office buildings, restaurants, nightclubs, apartment buildings, churches, mosques, synagogues, or any place where many people can be found in close proximity.

In a free and open society such as ours, there are an infinite number of such potential targets from which a terrorist could choose to attack. Compounding our difficulties, terrorists have many advantages--having the ability to choose what, where, when, and how to execute an attack. As the President has said, we have to be right 100 percent of the time, while the terrorists only have to get lucky once.
The latest tragedies in London and Egypt have highlighted the ease in which terrorists can perpetrate heinous crimes against the civilian population, even where reasonable security measures had already been instituted. Public transportation--particularly trains and buses--has been the favored target in many high-profile attacks. But terrorists also have repeatedly targeted night clubs, restaurants, and hotels.

The inability to effectively restrict access and the potential for numerous casualties--combined with the psychological impact on the public and its resulting effect on the national economy--makes these soft targets highly attractive to terrorists. According to the RAND-Memorial Institute for Prevention of Terrorism database of terrorist events, there have been almost 10,000 terrorist incidents worldwide since September 11, 2001, of which more than 5,500 could be considered to have taken place against soft targets.

Increasing physical security at such sites is, of course, part of the solution to this challenge, but screening every person accessing every possible soft target is both a physical and economic impossibility. Even if it were possible, there is simply no way to be 100% effective against a determined terrorist that is willing to take his or her own life in pursuit of the mission.

Accordingly, we must prioritize our efforts based on known risks and consequences, and avoid the temptation to focus on one soft target sector to the detriment of others. As Secretary Chertoff has said, terrorists are quite adaptable, so as we harden some types of facilities, they will switch to others that are less protected.

We also must figure out how to remain one step ahead of the terrorists and stop them before they execute their plans. We can accomplish a large part of this by continuing to aggressively pursue intelligence regarding terrorists and their intentions.
And we can expand our intelligence gathering capabilities further, by training employees and civilians around or within soft targets to be watchful of suspicious behavior--in an attempt to intercept terrorists in the planning, reconnaissance, or even implementation stages of an attack. Mass transit facilities and other security forces have begun doing this type of training already.

I'd like to welcome our witnesses today and thank them again for participating in this timely discussion. We had planned to have an initial panel with two witnesses representing the views of the Department of Homeland Security: the Honorable Kip Hawley, Administrator, Transportation Security Administration, and Robert Stephan, Acting Under Secretary for Information Analysis and Infrastructure Protection. But given the need for these witnesses to be focused on the continuing response to Hurricane Katrina, we have decided to postpone this panel to another date later this month.

So our planned second panel will now be our only panel today. The witnesses represent a wide array of soft target sectors, including mass transit, shopping malls, office buildings, and public schools. These witnesses will provide us with important insights on the steps they have taken thus far to address the challenges posed by terrorists, the assistance they have received from DHS and other Federal agencies, and what they believe the proper role of the Federal government should be with respect to security within their sectors.

I would like to thank the witnesses for appearing before us today and I look forward to your testimony.

Mr. Thompson. Thank you very much, Mr. Chairman. Let me acknowledge Mr. Pascrell and a number of other members of the committee who also called during what has been and continues to be a very trying time for this entire country, and more specifically for the people of Louisiana, Alabama and Mississippi.
But as you know, the matter we have before us today is a very important issue for this country. Like all Americans, I was shocked and repulsed by the terrorist attacks in London. This latest attack should serve as a reminder that America and its close allies continue to face a determined enemy that thinks nothing of slaughtering innocent people.

Now, after seeing the numerous failures to adequately prepare and respond to the Hurricane Katrina situation, I have my doubts about our nation's plans for dealing with emergencies. If we cannot handle a hurricane that we know is coming 4 days before, how can we trust that we are prepared for a catastrophic terrorist attack that we do not know about?

Because we live in an open and democratic society, we are particularly vulnerable to terrorists who live among us. This is especially true when it comes to our mass transit systems. Our mass transit and rail systems are large, open systems carrying billions of passengers a year, making it a prime target for terrorists.

Almost 4 years after the September 11 terrorist attack, passenger, rail and transit security remains a Department of Homeland Security afterthought. While the United States spent $11 billion on aviation security since 9/11, we managed to offer up $450 million for transit security. That is simply too little and too short, especially when one considers that Americans take mass transit 16 times more often than they travel by air.

This disparity, frankly, sends chills down my spine when I consider the pattern of train bombings overseas, first in Madrid, then in Moscow, and most recently in London. If the recent past is any guide, what is to prevent New York, Washington or Chicago from being next?

With the establishment of the Department of Homeland Security, the American people expected the department to help prevent such attacks.
I would have liked to hear from the department who is doing this, but in the instance of this catastrophe we are dealing with, we will deal with it later. What I would like for them to do when they do come, Mr. Chairman, is provide us with the transit security plan that was due April 1 of this year. I have sent two letters to the administration indicating that you are overdue with this transit security plan, but I have yet to receive a response to those letters. It is sort of indicative of why we are behind right now.

Trains are not the only targets of al-Qa'ida and like-minded groups, as terrorists have attacked hotels in Saudi Arabia, a night club in Indonesia, and worst of all, a school full of children in Russia. I would like to hear from the witnesses today what measures are in place to protect these soft targets and what has DHS done to address it. We will look at it when they come.

Mr. Chairman, I really would like to know whether or not in emergencies like we had with Katrina how our mass transit systems could potentially have helped with the evacuation of people, especially in the New Orleans area. And after that, how soon could we get our system up and running? In London, they did it in a day after the bombings. I wonder what it would take us, with any kind of event, to get our systems up and running again? Since we are supposed to have a plan, I would like to hear it.

I look forward to the witnesses' testimony, and I yield back.

Mr. Lungren. I thank the Ranking Member, Mr. Thompson. Other members of the Committee are reminded that opening statements may be submitted for the record.

We are pleased to have one distinguished panel of witnesses before us today on this important topic. As I mentioned, Assistant Secretary Stephan has been and continues to be working more than 18 hours a day at the command center dealing with the Katrina devastation. Assistant Secretary Hawley is also working on the Katrina response.
The Subcommittee plans on having both of them in later this month to answer questions on this critical issue.

Let me remind the witnesses that your entire written statement will appear in the record. Because of the number that we have and the number of members we expect to be asking questions, we would ask that in accordance with committee rules you would limit your oral testimony to approximately 5 minutes, and then we would allow each panel member to testify before questioning any one of the witnesses.

The chair would first recognize Mr. Bill Millar, President of the American Public Transportation Association. Mr. Millar, thank you for being here.

STATEMENT OF BILL MILLAR

Mr. Millar. Thank you, Mr. Chairman and members of the committee. On behalf of the 1,500 members of the American Public Transportation Association, we are certainly glad to be here.

It is very clear from your opening statement and Mr. Thompson's opening statement that the committee already has a very good understanding of some of the potential that public transit has to be a target and some of the funding disparities, in our opinion, that have occurred over the years.

Quite simply put, we need to invest more money. We need to have better intelligence, and we need to do a better job of planning both for prevention and recovery. Those would be the three fundamental points of my testimony.

In light also that we find ourselves the week after Katrina, it is also important to realize that much of the investment in making our transit systems more secure can also assist in meeting national and natural disasters such as Katrina represents. I will be pleased to make further comments upon that point during the question period.

Public transit in America is a major form of public transportation. Every year, over 9.6 billion customers use public transit. Every weekday, 32 million times every weekday, Americans use public transit.
And as has been pointed out, this is 16 times the number of people who use our nation's airline system, and yet the expenditure by the federal government to make public transit more secure is minuscule compared to the federal investment in the air system. We all understood and understand why the air system needs to be made secure, but now it is time to look at other parts of our transportation system.

As you pointed out, Mr. Chairman, over the last 25 years public transit around the world has too often been a target of terrorist attack. While we are focused on the most recent events such as London or Madrid or Moscow, the list goes on and on and on. Thus, prior to 9/11/2001, our industry knew that we could be a target. Our industry had already in place many plans and had taken many steps to try to improve its dealing with security issues. However, much more needs to be done.

Since 9/11, the industry has invested out of its own resources more than $2 billion in improving our security and preparing for terrorist attacks and in developing plans for recovery in the event that, God forbid, such an attack would occur in the United States. We do not need more wake-up calls. We need help. We need plans for action. We need investment.

We did a survey of our members which we released about 1 1/2 years ago asking that, at that point, we were 2 years into the post-9/11 environment. We knew that more needed to be done. What did our members tell us out of that survey? They told us several things.

First, I have already referred to the $2 billion that at that point they had invested themselves. Second, they felt that a major capital investment approaching $5.2 billion was necessary to take common sense solutions. You are quite right, Mr. Chairman.
None of us believe that you could totally insulate public transit systems from the potential of terrorist attack, but we do believe that there are many common sense steps that could be taken, such things as improving preparedness planning, training, drilling; such things as improving the communications systems of our transit systems; improving the access points to our access systems; and many, many common sense steps that could be taken.

Regrettably, sufficient funds have not been provided to undertake these steps. This current fiscal year, the Congress appropriated $150 million to cover all of public transit, passenger, freight and rail security. That simply is not a large enough investment. More needs to be done.

According to our survey, what did we find? Well, we find that over 2,000 rail stations in America do not have any security cameras. Some additional work we did subsequent to that revealed that 53,000 buses do not have cameras on those buses. Over 5,000 commuter rail cars do not have security cameras. Over half of all buses do not have automatic vehicle locator systems. And the list goes on and on and on.

Certainly, we saw something in New Orleans that ought to make us all think about this next statistic. More than 75 percent of the demand-response vehicles, the small vehicles that are used primarily to transport persons with disabilities or senior citizens or others in that type of need, over 75 percent of those vehicles lack automatic vehicle locator systems. There is no permanent biological detection system in any rail transit system in America. And the list goes on and on and on.

The second area I mentioned relates to the need for intelligence. After 9/11, in cooperation with the Federal Transit Administration, a federal public transportation-funded ISAC program, Information Security Analysis Center, was set up throughout the country.
Regrettably, the funding for that ISAC center and the great intelligence that it provided to transit systems across the country has expired. The Department of Homeland Security has offered a substitute, allowing us to tap into what they call their Homeland Security Information Network, the HSIN Network. However, in our judgment, this is no substitute for the ISAC that has already proven its worth and is already in place. So we certainly need to work on how we can get more information access to intelligence.

We need to make sure that when the terror alert level is raised that everyone understands that has major costs to that. For example, a survey we did this last summer showed that when the alert level was raised to orange, simply going up one step, even though nothing happened, we found that that added $900,000 a day to our costs. In the time between July 7 when the London bombings occurred and the threat level was raised, until August 12 when it was lowered, transit systems incurred over $33 million in costs.

So the list goes on and on. I am sure my time is about done. I will be happy to expand on these or any other points as may be appropriate.

Thank you, again, Mr. Chairman and members of the committee, for your concern and allowing me to be with you.

[The statement of Mr. Millar follows:]

Prepared Statement of William W. Millar

Wednesday, September 7, 2005

Mr. Chairman, thank you for this opportunity to testify on the security and safety of public transportation systems. We appreciate your interest in transportation security, and we look forward to working with you on these issues.
ABOUT APTA

The American Public Transportation Association (APTA) is a nonprofit international association of more than 1,500 public and private member organizations including transit systems and commuter rail operators; planning, design, construction, and finance firms; product and service providers; academic institutions; transit associations and state departments of transportation. APTA members serve the public interest by providing safe, efficient, and economical transit services and products. More than ninety percent of the people using public transportation in the United States and Canada are served by APTA member systems.

OVERVIEW

Mr. Chairman, public transportation is one of our nation's critical infrastructures. We cannot over-emphasize the critical importance of our industry to the economic quality of life of this country. Over 9.6 billion transit trips are taken annually on all modes of transit service. People use public transportation vehicles over 32 million times each weekday. This is more than sixteen times the number of daily travelers on the nation's airlines.

Safety and security are the top priority of the public transportation industry. Transit systems took many steps to improve security prior to 9/11 and have significantly increased efforts since then. Since September 11, 2001, public transit agencies in the United States have spent over $2 billion on security and emergency preparedness programs and technology from their own budgets with only minimal federal funding. This year's events in London and last year's events in Madrid further highlight the need to strengthen security on public transit systems and to do so without delay. We do not need another wakeup call like London and Madrid.

In 2004 APTA surveyed its U.S. transit system members to determine what actions they needed to take to improve security for their customers, employees and facilities.
In response to the survey, transit agencies around the country have identified in excess of $6 billion in transit security investment needs. State and local governments and transit agencies are doing what they can to improve security, but it is important that the federal government be a full partner in the effort to ensure the security of the nation's transit users.

In FY 2003, transit security was allocated $65 million in federal funds for 20 transit systems from DHS. In FY 2004, $50 million was allocated for 30 transit systems from DHS. For the first time in FY 2005, Congress specifically appropriated $150 million for transit, passenger and freight rail security. Out of the $150 million, transit is to receive approximately $130 million--almost $108 million for rail transit and more than $22 million for bus. Also, passenger ferries are slated to receive an additional $5 million for security from a separate account. We are very appreciative of this effort. However, in the face of significant needs, more needs to be done.

We urge Congress to act decisively on this issue. In light of the documented needs, we have respectfully urged Congress to provide $2 billion in the FY 2006 Homeland Security Appropriations bill for transit security. Of that amount, we recommended that $1.2 billion be provided for capital needs, and $800 million for additional transit security costs. Federal funding for additional security needs should provide for, among other things, planning, public awareness, training and additional transit police.

Transit authorities have significant and specific transit security needs. Based on APTA's 2003 Infrastructure Database survey, over 2,000 rail stations do not have security cameras. According to our 2005 Transit Vehicle Database 53,000 buses, over 5,000 commuter rail cars, and over 10,000 heavy rail cars do not have security cameras.
Less than one-half of all buses have automatic vehicle locator systems (AVL's) that allow dispatchers to know the location of the bus when an emergency occurs. Nearly 75% of demand response vehicles lack these AVL's. Furthermore, no transit system has a permanent biological detection system. In addition, only two transit authorities have a permanent chemical detection system. A partnership with the federal government could help to better address many of these specific needs. We were disappointed that the Administration recommended only $600 million for a Targeted Infrastructure Protection Program in the FY 2006 DHS budget proposal, which would fund infrastructure security grants for transit, seaports, railways and energy facilities. We were also disappointed that the Administration did not include a specific line item funding amount for transit security. We look forward to working with the Administration and Congress in securing adequate transit security funding that begins to address unmet transit security needs throughout the country. We further request that the existing process for distributing DHS federal grant funding be modified so that funds are distributed directly to transit authorities, rather than to State Administrating Agencies (SAA). While we understand the need to coordinate with the states and urban areas that we serve, we believe direct funding to the transit authorities would be more efficient and productive. For the FY2003 grant funding that was allocated by DHS, it took more than a year to be awarded to some transit systems. In addition, the FY2005 grant funding has not been awarded to the transit systems to date. We are pleased to note that APTA has become a ``Standards Development Organization'' (SDO) for the public transportation industry. 
Our efforts in standards development for commuter rail, rail transit and bus transit operations over recent years have been significant and our status as a SDO has been acknowledged by both the Federal Transit Administration (FTA) and the Federal Railroad Administration (FRA). The FTA and the Transportation Research Board have also supported our standards initiatives through the provision of grants. We would like to apply our growing expertise in standards development to transit industry safety and security, best practices, guidelines and standards. We look forward to working with the Administration and Congress in support of this initiative and trust that federal financial assistance would be made available to develop such standards and practices. We also would like to work with Congress and the Department of Homeland Security's Directorate of Science and Technology to take a leadership role in advancing research and technology development to enhance security and emergency preparedness for public transportation.

INFORMATION SHARING

Since the terrorist attacks of September 11, 2001, public transit systems across the country have worked very hard to strengthen their security plans and procedures and have been very active in training personnel and conducting drills to test their capacity to respond to emergencies. As well, to the extent possible within their respective budgets, transit systems have been incrementally hardening their services through the introduction of additional technologies such as surveillance equipment, access control and intrusion detection systems. While the transit systems have been diligent, they have been unable to fully implement programs without more assistance from the federal government. A vital component of ensuring public transit's ability to prepare and respond to critical events is the timely receipt of security intelligence in the form of threats, warnings, advisories and access to informational resources.
Accordingly, in 2003, the American Public Transportation Association, supported by Presidential Decision Directive #63, established an ``Information Sharing Analysis Center (ISAC)'' for public transit systems throughout the United States. A funding grant in the amount of $1.2 million was provided to APTA by the Federal Transit Administration to establish a very successful Public Transit ISAC that operated 24 hours a day, 7 days a week, and gathered information from various sources, including DHS, and then passed information on to transit systems following a careful analysis of that information. However, given that the Federal Transit Administration was subsequently unable to access security funds, and given the decision of DHS to not fund ISAC operations, APTA then had to look for an alternate method of providing security intelligence through DHS's newly created ``Homeland Security Information Network (HSIN).'' APTA is now in the process of transitioning from the successful Public Transit ISAC to the new HSIN network. However, we believe that consistent, on-going and reliable funds from Congress should be provided for the Public Transit ISAC that has been proven an effective delivery mechanism for security intelligence. In addition, APTA's membership includes many major international public transportation systems, including the London Underground, Madrid Metro, and the Moscow Metro. APTA also has a strong partnership with the European-based transportation association, the International Union of Public Transport. Through these relationships, APTA has participated in a number of special forums in Europe and Asia to give US transit agencies the benefit of their experiences and to help address transit security both here and abroad. 
COST OF HEIGHTENED SECURITY

Following the attacks on London, APTA was asked to assist the TSA in conducting a teleconference between the TSA and transit officials to discuss transit impacts pertaining to both increasing and decreasing the DHS threat levels. There is no question that increased threat levels have a dramatic impact on budget expenditures of transit systems and extended periods pose significant impacts on personnel costs. These costs totaled $900,000 per day for US public transit systems or an estimated $33.3 million from July 7 to August 12, 2005 during the heightened state of ``orange'' for public transportation. This amount does not include costs associated with additional efforts by New York, New Jersey and other systems to conduct random searches. Many transit systems are also implementing other major programs to upgrade security. For example, New York's Metropolitan Transportation Authority is taking broad and sweeping steps to help ensure the safety and security of its transportation systems in what are among the most extensive security measures taken by a public transportation system to date. NY-MTA will add 1,000 surveillance cameras and 3,000 motion sensors to its network of subways and commuter rail facilities as part of a $212 million security upgrade announced late last month with the Lockheed Martin Corporation.

SECURITY INVESTMENT NEEDS

Mr. Chairman, since the awful events of 9/11, the transit industry has invested some $2 billion of its own funds for enhanced security measures, building on the industry's already considerable efforts. At the same time, our industry undertook a comprehensive review to determine how we could build upon our existing industry security practices. This included a range of activities, which include research, best practices, education, information sharing in the industry, and surveys.
As a result of these efforts we have a better understanding of how to create a more secure environment for our riders, and the most critical security investment needs. Our latest survey of public transportation security identified enhancements of at least $5.2 billion in additional capital funding to maintain, modernize, and expand transit system security functions to meet increased security demands. Over $800 million in increased costs for security personnel, training, technical support, and research and development have been identified, bringing total additional transit security funding needs to more than $6 billion. Responding transit agencies were asked to prioritize the uses for which they required additional federal investment for security improvements.

Priority examples of operational improvements include:

    Funding current and additional transit agency and local law enforcement personnel.
    Funding for over-time costs and extra security personnel during heightened alert levels.
    Training for security personnel.
    Joint transit/law enforcement training.
    Security planning activities.
    Security training for other transit personnel.

Priority examples of security capital investment improvements include:

    Radio communications systems.
    Security cameras on-board transit vehicles and in transit stations.
    Controlling access to transit facilities and secure areas.
    Automated vehicle locator systems.
    Security fencing around facilities.

Transit agencies with large rail operations also reported a priority need for federal capital funding for intrusion detection devices. Mr. Chairman, the Department of Homeland Security issued directives for the transit industry in May 2004, which would require that transit authorities beef up security and to take a series of precautions which would set the stage for more extensive measures without any federal funding assistance.
Transit systems have already carried out many of the measures that Transportation Security Administration (TSA) is calling for, such as drafting security plans, removing trash bins and setting up procedures to deal with suspicious packages. The cost of these measures and further diligence taken during times of heightened alert is of particular concern to us. We look forward to working with you in addressing these issues. As you know, in the FY 2005 Homeland Security Appropriations bill (PL 108-334), TSA can hire up to 100 rail inspectors using a $10 million appropriation. We have concerns about this provision. We believe that funding for the inspectors would be better spent on things that would support the industry such as surveillance cameras, and emergency communication and other systems rather than highlighting security issues without providing the necessary resources to address them. We look forward to working with you in addressing our concerns.

ONGOING TRANSIT SECURITY PROGRAMS

Mr. Chairman, while transit agencies have moved to a heightened level of security alertness, the leadership of APTA has been actively working with its strategic partners to develop a practical plan to address our industry's security and emergency preparedness needs. Shortly after the September 11 events, the APTA Executive Committee established a Security Task Force. The APTA Security Task Force has established a security strategic plan that prioritizes direction for our initiatives. Among those initiatives, the Task Force serves as the steering group for determining security projects with more than $2 million in Transit Cooperative Research funding through the Transportation Research Board. Through this funding, APTA has conducted four transit security workshop forums around the nation for the larger transit systems with potentially greater risk exposure.
These workshops provided confidential settings to enable sharing of security practices and applying methodologies to various scenarios. The outcomes from these workshops were made available in a controlled and confidential format to other transit agencies unable to attend the workshops. The workshops were held in New York, San Francisco, Atlanta, and Chicago. In partnerships with the Transportation Research Board, the APTA Security Task Force has also established two TCRP Panels that identified and initiated specific projects developed to address Preparedness/Detection/Response to Incidents and Prevention and Mitigation. The Security Task Force emphasized the importance for the research projects to be operationally practical. In addition to the TCRP funded efforts, a generic Checklist For Transit Agency Review Of Emergency Response Planning And System Review has been developed by APTA as a resource tool and is available on the APTA web site. Also through the direction of the Security Task Force, APTA has reached out to other organizations and international transportation associations to formally engage in sharing information on our respective security programs and to continue efforts that raise the bar for safety and security effectiveness. APTA has long-established Safety Audit Programs for Commuter Rail, Bus, and Rail Transit Operations. Within the scope of these programs are specific elements pertaining to Emergency Response Planning and Training as well as Security Planning. In keeping with our industry's increased emphasis on these areas, the APTA Safety Audit Programs have been modified to place added attention to these critical elements.

CONCLUSION

Mr. Chairman, in light of our nation's heightened security needs post 9/11, we believe that increased federal investment in public transportation security by Congress and DHS is critical.
The public transportation industry has made great strides in transit security improvements since 9/11 but much more needs to be done. We look forward to building on our cooperative working relationship with the Department of Homeland Security and Congress to begin to address these needs. We again thank you and the Committee for allowing us to testify on these critical issues, and look forward to working with you on safety and security issues.

Mr. Lungren. Thank you very much, Mr. Millar, for your testimony. The chair would now recognize Mr. Peter Lowy, the CEO of Westfield America, Inc., to testify. Thank you for coming, sir.

STATEMENT OF PETER LOWY

Mr. Lowy. Thank you and good morning, Mr. Chairman. My name is Peter Lowy. I am the chief executive of the Westfield Group. Westfield is, in terms of equity market capitalization, the world's largest publicly traded real estate company, with an equity market capitalization of over $23 billion. We own and operate 129 regional shopping malls in four countries: Australia, New Zealand, the United Kingdom, and here in the United States, where we own 68 regional shopping centers and manage the retail concessions at nine major airports, including terminals at JFK, Logan, Miami, Dulles and Reagan National. I am testifying today on behalf of the Real Estate Roundtable. In my written testimony, there are a number of broad suggestions with regard to business and homeland security relations that while I believe would be helpful, seem almost trivial in light of Hurricane Katrina. I would be happy to discuss those suggestions with the staff or the committee at a later date. It is clear from the country's response to the devastation in Louisiana, Mississippi and Alabama that we are not adequately prepared for the aftermath of a terrorist attack. Democracy and the political process that we are governed by, is by definition reactive. The issues that business and government need to deal with fall into three interrelated categories.
They are communication, coordination and preparedness. From a communication point of view, things as simple as an organizational chart should be distributed so that we in business, and presumably the government, know who is responsible for what; whom to deal with for what issue; and most importantly, who is actually in charge. At Westfield, our security plans assume the new normal is a yellow alert level. However, we do not know if our normal operating systems are consistent with what the government might consider appropriate for a yellow alert level. Business often receives no indication of what threats we should be protecting against. And if they are identified, there is no standard for us to look at that tells us how to protect against that particular type of threat. A published list by Homeland Security of best practices, tied to specific types of threats, for example, would be extremely useful and helpful. As you may know, Westfield owned the leasehold on the retail mall at the World Trade Center prior to 9/11. Because of our involvement in the World Trade Center, we unfortunately have direct knowledge of the issues that a terrorist attack can cause, whether they are personal, corporate, legal, economic, or insurance-related. From a coordination and preparedness point of view, prior to 9/11 Westfield implemented a nationwide program to improve coordination between ourselves and first responders. We also photographed all of our centers and fully digitized those photographs and the building plans, including those of the World Trade Center. The idea is to create a database that can effectively and efficiently be shared with first responders. As you know, the Port Authority offices were destroyed on 9/11, and all of the paper building plans were destroyed with it. So the emergency personnel did not have the use of the blueprints for search and rescue operations. We realized immediately after the attack that we actually had the plans digitized. 
However, we literally could not find anyone to give them to. Finally, 10 days after 9/11, with the help of the mayor's office, we were able to get those plans to FEMA and the Office of Emergency Management to assist rescue and recovery workers in their efforts. This experience resulted in our placing renewed emphasis on building solid lines of communication between ourselves, the local police, and fire and emergency departments at each of our locations. There is no doubt that 9/11 accelerated our security program and our investment in technology, people, systems, and increasing working relationships with our first responders. We sometimes even need to provide the technology that the local authorities need in order to access our information. We have now built strong relationships between the local authorities and ourselves. We have held tabletop exercises in our Los Angeles headquarters with the LAPD, L.A. Fire Department, FBI, DHS, U.S. Secret Service, Los Angeles Sheriff's Department and other local emergency responders. We also staged joint drills and training exercises with those authorities in the many local jurisdictions where we have shopping centers across the country. In summary, I think that the events of the past week have clearly demonstrated that Congress must aggressively pursue its oversight of the government's planning and execution for all activities related to homeland security. Congress must work with DHS and all relevant state and local entities so that clear lines of communication exist for coordinated action to be carried out. The explosion of a biological or nuclear bomb or multiple conventional terrorist attacks in a major city can cause similar problems as those we have witnessed in New Orleans. Congress must make the effort to see around the corner and designate with strict precision who is responsible for all major facets of the government's response to a terrorist attack, in order to best mitigate the potential damage and loss of life.
The private sector can work to take as many proactive measures as possible. As a mall owner, we can practice getting our customers and tenants safely out of the door. However, an effective evacuation will demand that the police can secure the routes, the city can provide potential medical relief if needed, and the state can provide transportation. Congress must do all possible to achieve a comfort level that Homeland Security and all relevant government entities will work and communicate in the execution of these crucial plans. I thank you for your time and would be happy to answer any questions after.

[The statement of Mr. Lowy follows:]

Prepared Statement of Peter Lowy

Wednesday, September 7, 2005

Good morning Mr. Chairman and Members of the Committee. Thank you for this opportunity to address you this morning. My name is Peter Lowy and I am the Chief Executive of The Westfield Group. By way of reference, Westfield is in terms of equity market capitalization the world's largest publicly-traded real estate company with an equity market capitalization of over $23 billion dollars. We own and operate 129 regional shopping malls in four countries--Australia, New Zealand, the UK and here in the US where we own 68 regional shopping centers and manage the retail concessions at 9 major airports including terminals at: JFK, Logan, Miami, Dulles and Reagan National. I am testifying today on behalf of the Real Estate Roundtable.\1\
---------------------------------------------------------------------------
\1\ The Real Estate Roundtable is the organization that brings together leaders of the nation's top public and privately-held real estate ownership, development, lending and management firms with the leaders of major national real estate trade associations to jointly address key national policy issues relating to real estate and the overall economy. The Roundtable provides day-to-day operational staffing of the Real Estate Information Sharing and Analysis Center.
---------------------------------------------------------------------------
I think I am in a somewhat unique position to discuss this issue. As you may know, Westfield owned the leasehold on the retail mall at the World Trade Center prior to 9/11. Because of our involvement in the World Trade Center we unfortunately have direct knowledge of the issues that a terrorist attack can cause--whether they are personal, corporate, legal, economic or insurance related, as well as firsthand experience in trying to cope with the new reality that malls as public gathering places are considered to be targets for potential terrorist activity. Because we view our malls as ``town centers,'' even prior to the recent events in London and before 9/11, Westfield was looking for more effective ways to keep our centers--and thus our customers and employees--safe. For instance, we had begun a nationwide program to (1) improve communication and coordination between ourselves and first responders and (2) photograph our centers and fully digitize them and the building plans--including those of the World Trade Center. The idea is to create a database that can be efficiently shared with responding governmental entities so that first responders can know very quickly where all the points of entrance and egress are--how to access the roof, the HVAC and other sensitive areas. We did this because we took on the view that while we may not necessarily be able to stop a terrorist event--we have an obligation to try to mitigate the damage one might cause in terms of death, injury and property damage. As you know, the Port Authority offices were destroyed on 9/11 and all of the paper building plans were destroyed with it--so that the City and first responders were lacking the blueprints of the structures. We realized immediately after the attack that we had the plans digitized--however, we literally couldn't find anyone to give them to.
Finally, 10 days after 9/11 and with the help of the Mayor's office we were able to get the plans to FEMA and OEM to assist rescue and recovery workers in their efforts. This experience caused us to place renewed emphasis on building solid lines of communication between ourselves and local police, fire, and emergency departments. There is no doubt that 9/11 accelerated our security program and we invest in technology, in people, in systems, in creating active working relationships with first responders--we sometimes even need to provide the technology that local authorities need in order to access and understand our information. In the US alone (since 9/11), 20% of our operating costs are now devoted to security, that's approximately $40 million per year, and 20-25% of our operating capital expenditures have been diverted to security infrastructure. But, as I have alluded to, arguably the most important--and most challenging--piece of this is the most low-tech of all. . .basic communication between the private sector and the local and federal authorities. Firstly, I recognize as a business person that building strong relationships between local authorities and other key agencies is a priority. That is why we have held table top exercises in our Los Angeles headquarters with the LAPD, LA Fire Department, FBI, DHS, US Secret Service, Los Angeles Sheriff's Department and other local emergency responders. We have also staged joint drills and training exercises with those authorities in the many local jurisdictions where we have shopping centers across the country. As an observer and a participant in this process, it has been my observation that one of the most difficult issues to solve is the lack of communication and coordination between ourselves, the local authorities and the FBI and the Department of Homeland Security.
However, I understand that DHS has launched a new initiative in the form of placing in the field ``Protective Security Advisors'' to provide better coordination between Washington and the rest of the country. And there have been other outreach efforts including local Homeland Security Advisory Councils--which I have recently become involved in the greater-LA and Orange County region. These and other initiatives are important as the communication gap must be closed in order for prevention and response to be effective. Nowhere is this more telling than in the threat-level system. While again progress has been made, we all know of instances where the level has been elevated without business leaders then hearing from the government what measures we ought to take in order to meet that higher level of threat. Our security plans assume that the new, ``normal'' is a yellow alert level. However, we don't know if our normal operating systems are consistent with what the government might consider appropriate for a yellow threat level. So that if there is an incident at one of our centers, I can almost guarantee that someone will sue us and make the argument that we didn't operate up to par with what a company should be doing under a yellow alert. However, business often receives no indication of what threats we should be protecting against. And if they are identified, there is no standard for us to look to that tells us how to protect against that particular type of threat. While I am not looking to codify some new set of lengthy government regulations, it would be helpful to create for business some ``safe harbor'' in the event of litigation after a terrorist incident. One way DHS might assist business would be to publish a list of ``best practices'' tied to specific types of threats and then encourage insurers to incentivize them. I have here an internal document that shows how a mall such as ours might deal with the various threat levels.
This is obviously a sensitive document that I would be hesitant to put into the official public record but I would be very happy to review it and share it with the Members of the Committee and the staff if that is helpful to them. Currently, insurers have incentives in place for certain building improvements to better protect the property in case of earthquake, flooding and other natural disasters. In theory, if insurers are provided guidance from federal or local authorities as to best practices in security--they can then in turn incentivize their policy holders. I am working with other CEOs around the country as a Member of the Advisory Board of Rand's Center for Terrorism Risk Management Policy where we are focusing on this issue of how insurance should function in the post 9/11 economy. Rand currently has a study that is underway which will look at the factors that affect the security decision-making of commercial real estate owners and will include insurance company incentives--or the lack thereof. I would be pleased to share the results of this research with the committee when they are available. However, a recent Rand study, ``Trends in Terrorism'' did touch on this subject. That report stated: ``a long-run solution to terrorism should be designed to incorporate specific mechanisms, such as security-based premiums discounts, so that appropriate security investments can be encouraged through private insurance.'' Needless to say, in order for insurance to create incentives coverage needs to be available in the marketplace; so while I know it's not the focus of this hearing I feel bound to remind you how important it is for Congress to extend the Terrorism Risk Insurance Act. As part of their outreach to the private sector, I know that DHS has been working with industry groups and the Chamber to address the need for more specific guidelines to the color code system. Clearly, this is positive.
I would simply urge that more communication with the business community--and especially businesses like ours which thrive on drawing large numbers of people to our properties--is necessary if we are to be truly prepared for an emergency situation. The Rand ``Trends in Terrorism'' study has made it clear that the US Government's War on Terrorism has changed the operational environment of al-Qa'ida and other terrorist groups to softer targets that are easier to attack and more likely to be in the private sector. This trend has been exacerbated by target hardening around prominent sites--which has triggered a process of threat displacement to the easier to attack, civilian-frequented locations. In summary, it is my opinion that at the heart of any cooperative efforts between the government and the private sector lie clear and reliable lines of communication. With more direction from DHS as to ``best practices'' and with insurers showing a willingness to reward policy holders for instituting them, I believe business would spend their limited resources more wisely and with greater benefit to the public. If we accept that soft targets have in fact become more attractive to terrorist cells, then it is especially important that a vibrant private-public partnership continue to develop and from that provide the business community with the best tools possible to secure our properties and most especially our employees and customers.

Mr. Lungren. Thank you very much, Mr. Lowy, for your testimony. The chair would now recognize Mr. Michael Norton, Managing Director of Global Property Management for the Tishman Speyer Properties, to testify. Thank you, sir, for coming.

STATEMENT OF MICHAEL NORTON

Mr. Norton. Thank you, Mr. Chairman and members of the committee. My name is Michael Norton. I am responsible for directing all property management activities at Tishman Speyer both in the U.S. and globally.
Our company is one of the leading owners, developers, fund managers and operators of first-class real estate in the world, with a property portfolio totaling more than 42 million square feet in major metropolitan areas across the United States, Europe and Latin America. Notably, our portfolio includes Rockefeller Center, the MetLife Building and the Chrysler Building in New York City. I am testifying today on behalf of the Real Estate Roundtable, the Real Estate Board of New York, and BOMA International. Thank you for holding what I believe is the first congressional hearing since the events of 9/11 at which major real estate companies and their associations have been invited to share their experience and expertise in security-related matters. As a company and as an industry, we are committed to managing the risk of future acts of terrorism. That commitment is, of course, influenced by the expectations and demands of our various constituents including our tenant customers, our lenders, investors, insurers, legal advisers and local, state and federal government. In the end, any approach to security in buildings will need to be supported by all those constituents in order to be successful over the long term. As an industry, we are spending over 20 percent more on security than we were pre-9/11. And yet, in the end, managing the risk of terrorism is not principally about spending more money. It is about strategically using existing resources to cost-effectively mitigate risks. Access to information, experience and best practices are assets that are hard to put a hard-dollar number on and yet they may be the most critical resources we have. In my statement, I have detailed specifically some of the risk mitigation measures we have implemented at our company for the buildings I mentioned above and for other high-profile properties. 
These best practices fall into six basic categories: communications; emergency response, including emergency area access; training programs; hardening techniques; information sharing; and coordination initiatives. In reviewing the specific security measures, it is important to recognize that we do not institute these measures without first undertaking building specific risk assessments. We are fully accountable for how we use our limited resources. Our tenants and other key partners are looking for us to be as efficient as possible by allocating limited resources where there is the greatest combination of threat and vulnerability. We certainly encourage Congress to take a similar risk-based approach to funding homeland security. Scarce federal resources should only be allocated to places and initiatives that are addressing the greatest risk of death or injury to civilian populations.

As for lessons learned, first let me say the need for robust local communications channels with emergency response officials is perhaps the single greatest lesson learned since 9/11. One excellent system that I believe has become a model for other cities is the New York Police Department's communication channel to the private business sector known as the Area Police-Private Leadership Security Liaison, also referred to as APPL. Information about events taking place throughout the city is now continuously provided via APPL e-mails. The recipients of these e-mails are notified, normally in real time, of events such as a manhole explosion on Fifth Avenue or a suspicious package in a Times Square train station. This information flow allows real estate operators to ratchet up or down elements of their emergency response plans, if necessary. Equally important is the fact that we can forward this kind of information to our tenants and thus relieve frazzled nerves by reassuring them that we are in the know.
Nationally, our focus on the need for improved communications led to the development by 13 major trade associations, representing office, hotel, shopping center and multi-housing owners, for our own Information Sharing and Analysis Center, also referred to as ISAC. Our ISAC is a 24/7, two-way information channel between the real estate industry and DHS that facilitates information sharing on terrorist threats, warnings, incidents, vulnerabilities and response planning to a network of over 120,000 real estate owners and operators. Our best local government partners know we are looking for information, including actionable intelligence that bears directly on the operation of our buildings, and they provide it quickly. I am not sure there is any organization in the country that does a better job of this than the NYPD. By working closely over time, we have begun to have a mutual understanding of our respective roles. We know our buildings' individual vulnerabilities. Government has more of a beat on the changing threat environment. We both need each other to succeed. This is the proper model for our partnership at the federal level as well. Another lesson learned has been the need to ensure government officials know who is actually responsible for the security of high-profile buildings in this country. Notably at the time of the orange alert for the New York financial sector last year, the first DHS officials to communicate with the private sector about the potential risks to the Citicorp Center, including the then-Secretary of DHS, were initially unaware that Citicorp neither owned nor managed the physical security of the facility that bore its name. To assist DHS and others to avoid that mistake in the future, the Real Estate Board of New York has made available its database of New York City commercial building owners and managers as a reference to local, state and federal officials. 
We strongly recommend other cities implement similar programs, perhaps working with local building owners and managers associations.

In conclusion, we are truly blessed that there have been no major attacks on our country since 9/11. However, without further incidents, it is sometimes difficult, particularly in cities that have not experienced terror attacks in the past, to ensure the proper level of realistic vigilance. Through our ISAC, the real estate industry has recently completed a 6-month public service advertising campaign reaching well over 100,000 members of our industry. To that same end, in April, the Real Estate ISAC facilitated the participation of over 60 real estate firms in the national terrorism simulation known as TOPOFF-3. DHS should continue to reach out to the public at large with similar awareness campaigns and to provide our industry with opportunities to participate in exercises. We will get more support for what we are doing from our key constituents if there is consensus among the general public and our industry on the need for appropriate measures. These priorities must continue to be addressed aggressively by DHS and other government authorities. Only then can we feel confident that if there are other major acts of terrorism, we can return to your committee and say we did everything reasonably within our power to save human lives. That, in the end, is what this is all about.

Thank you.

[The statement of Mr. Norton follows:]

Prepared Statement of Michael L. Norton

Wednesday, September 7, 2005

Introduction

Chairman Lungren, Ranking Member Sanchez, and Members of the Committee, my name is Michael Norton. I am responsible for managing and directing all global property management activities at Tishman Speyer.
Tishman Speyer (www.tishmanspeyer.com) is one of the leading owners, developers, fund managers and operators of first class real estate in the world, with a property portfolio totaling more than 74 million square feet in major metropolitan areas across the United States, Europe and Latin America. Let me note at the outset that I am not aware of any Congressional hearing where owners of landmark buildings have been given the opportunity to share their homeland security experience in the post 9/11 era. Thank you then for providing this unique forum.

I am testifying today on behalf of the Real Estate Roundtable \1\ (www.rer.org) where our company's Chief Executive Officer, Jerry Speyer, is a member of the Board of Directors. I am also testifying on behalf of the Real Estate Board of New York \2\ (www.rebny.org) and the Building Owners Managers Association (BOMA) International \3\ (www.boma.org) two organizations where I personally sit on senior governing boards and councils. In addition to my work with these organizations, I am active on a number of other civic and charitable organizations and was recently promoted to the rank of Lieutenant Colonel in the U.S. Marine Corps Reserves.

---------------------------------------------------------------------------

\1\ The Real Estate Roundtable is the organization that brings together leaders of the nation's top public and privately-held real estate ownership, development, lending and management firms with the leaders of major national real estate trade associations to jointly address key national policy issues relating to real estate and the overall economy. The Roundtable provides day-to-day operational staffing of the Real Estate Information Sharing and Analysis Center.

\2\ As the oldest and most influential real estate trade association in New York City, The Real Estate Board of New York represents major commercial and residential property owners and builders, brokers and managers, banks, financial service companies, utilities, attorneys, architects, contractors and other individuals and institutions professionally interested in the city's real estate.

\3\ Founded in 1907, the Building Owners and Managers Association (BOMA) International is a dynamic international federation of over 100 local associations. The 19,000-plus members of BOMA International own or manage over 9 billion square feet of downtown and suburban commercial properties and facilities in North America and abroad. BOMA's mission is to enhance the human, intellectual and physical assets of the commercial real estate industry through advocacy, education, research, standards and information.

I. Managing the Risk of Further Terrorist Attacks on Commercial Office Buildings

A. Our Company's Stake and Commitment

The unique nature of our portfolio of assets--both existing buildings and projects under development--ensures that sophisticated risk management, including managing the risk of further terrorist attacks, is a core business priority. We own and manage some of the highest profile office buildings in the world, including Rockefeller Center, the MetLife Building and the Chrysler Center in New York City. Rockefeller Center, for example, is the number one tourist destination in New York City with all the pedestrian traffic that comes with that status. The Chrysler Center is a worldwide icon that, together with the Empire State Building, defines the New York skyline. All these buildings--and many others in our portfolio--sit atop mass transit and, in the case of the MetLife Building, Grand Central Station itself.
Current projects now under development by Tishman Speyer include the new baseball stadium for the New York Yankees, a major new building for Citigroup in Long Island City, and the new headquarters buildings for Goldman Sachs and the Hearst Corporation in New York City.

In the end, our guiding principle as a company in managing the risk of terrorism is to meet or exceed the expectations of our customers--our tenants. Many of these tenants are Fortune 500 companies or other high-visibility institutions with strong commitments to managing terrorism-related risks. We are also deeply influenced by the expectations or demands of our lenders, investors, insurers, legal advisors and local, state and federal government.

B. Our Industry's Commitment

Managing the risk of terrorism in the post 9/11 environment, and I am speaking for the industry as a whole at this point, has galvanized our individual and common resources to an unprecedented degree. By our industry's standard benchmarking reference--BOMA's 2005 Experience Exchange Report \4\--we are spending, as an industry, over 20% more on security than we were pre 9/11. And yet, I hesitate to mention that statistic because in the end managing risk is not principally about allocating additional resources, it is about strategically using existing resources to cost-effectively mitigate risks.

Information and experience are two assets that are hard to put a dollar value on and yet they may be the most critical resources we have. Post 9/11, there has been an unprecedented degree of information sharing within our industry and with local, state and federal counter-terrorism and emergency response authorities.
This sharing of information--including best practices--is being advanced in New York City through the sophisticated local networks facilitated by the Real Estate Board of New York as well as national networks supported by the Real Estate Information Sharing and Analysis Center or ISAC (www.reisac.org), and the various committees and task forces of BOMA and the Real Estate Roundtable. We are also allocating substantial resources as an industry to support the work of Rand Corporation's new Center for Terrorism Risk Management Policy. (http://www.rand.org/multi/ctrmp)

---------------------------------------------------------------------------

\4\ The Experience Exchange Report is an annual income and expense benchmarking report for the commercial real estate industry performed by the Building Owners and Managers Association International; for more information see www.boma.org. The report is based on the weighted average responses of 3,210 buildings, representing approximately 700 million square feet of space.

C. The Nature, Including the Limits, of Our Industry's Role

Upon reflection, it is evident that the terrorist attacks in New York City on 9/11 were, among other things, attacks on major US commercial buildings and their tenants/occupants. In the aftermath of these events, no one has implied that the collapse of the two towers was as a direct result of the failure of the commercial real estate industry. In fact, just five years after the 1993 Trade Center bombing, the twin towers became internationally renowned for having the best security measures of any commercial real estate property in the world. After 1993, the World Trade Center had to provide the utmost security, without making that office, retail and hotel complex the equivalent of a closed military compound. In fact, as we all know, even a closed military complex--the Pentagon itself--was also unable to deter airborne attacks on 9/11.
As a result of the attacks of 9/11, the subsequent anthrax scares (including one at NBC studios, located in Rockefeller Center), last year's Citigroup Building incident, and the recent London bombings, the commercial high-rise building industry, through no failure of its own, has been severely affected, challenged, and thrust into the heart of the terror threat issue. We always look for ways to better manage the risk of further threats and attacks. But, at the same time, we remain very dependent on the ability of government (including mass transit authorities) to help limit the ability of terrorists to reach our facilities in the first place.

D. The Reality of Target-Substitution

As Frank Cilluffo, the former special Assistant to the President for Homeland Security and the current Director of the Homeland Security Policy Institute at The George Washington University, testified before this subcommittee on June 15, 2005,

We do not face an adversary that we can defeat in a conventional war on a traditional battlefield by going plane for plane or tank for tank, but one that will take the path of least resistance by constantly searching for our greatest vulnerabilities.

Mr. Cilluffo's assessment, as well as that of many experts with Rand's Center for Terrorism Risk Management Policy, confirms the harsh reality of ``target substitution.'' Specifically, as traditional critical infrastructure, including government facilities, are further hardened, the attractiveness and vulnerability of our nation's so called civilian ``soft targets'' is increasing. To mitigate this disturbing reality, it is crucial that we move to simultaneously address the threats against both hard and softer targets.

E. Pre-condition for all Security Measures: Sound Risk Assessment

Before detailing specific risk mitigation measures, it is important to stress the central role that building-specific risk assessments play in any rational allocation of resources.
We are fully accountable for how we use our limited ``resources''. Our customers, lenders and investors are looking for us to be as efficient as possible. Spending more of their money, while sometimes appropriate, is not the way that we or our constituencies measure progress. Limited resources need to be applied first to those measures that have the greatest potential for limiting loss of human life and property damage.

Risk is assessed both from the standpoints of threats and vulnerabilities. In addressing the vulnerability-part of the equation, we have benefited (as I know other major real estate companies have been) by visits from DHS officials that have reviewed with us our own assessments of our properties' vulnerabilities. These teams toured a number of our buildings and spent a day at each property, speaking with the staff and assessing what security measures were in place and what additional measures we might consider now or in the event of specific threats. We understood the overall aim of this exercise for DHS was to assess privately owned commercial office buildings across the country in an effort to establish the current state of security at these high profile locations and to identify what ``best practices'' can be established and shared among our business community. The DHS visits were informative exchanges of private and public sector perspectives and helped establish improved working relationships between our organizations. In New York, the NYPD provides a similar service.

II. Commercial Real Estate Industry Lessons Learned and Best Practices for Managing Terrorism Risk for Higher-Risk Buildings

The specific ``lessons learned'' and examples of best practices I would like to share now with the subcommittee fall into six basic categories: communication, emergency response (including emergency area access), training programs, ``hardening'' techniques, information sharing, and coordination initiatives.

A.
Communication & Information Sharing

One of the greatest lessons that the real estate community learned from 9/11 was the need for more robust communication channels between the private and public sectors. These channels--both formal and informal--should enable real estate operators to instantaneously receive information and act more effectively based on that information. The channels should convey valid information, as well as dispel rumors.

Locally: The need for robust local communications is perhaps the single greatest lesson learned since 9/11. One excellent system--that I believe has become a model for other cities--is the New York Police Department's communications channel to the private business sector known as the Area Police-Private Leadership Security Liaison or ``APPL.'' \5\ Information about events taking place throughout the city is now continuously provided via APPL emails. The recipients of these emails are notified normally in real time of events such as a manhole explosion on Fifth Avenue, a suspicious package in a Times Square train station, or an unauthorized helicopter flight over the Empire State Building. This information flow allows real estate operators to ratchet up or down elements of their emergency response plans, if necessary. Equally important is the fact that we can forward this kind of information to our tenants, and thus relieve frazzled nerves by reassuring them that we are ``in the loop.''

---------------------------------------------------------------------------

\5\ A number of other cities have strong systems in place or under development. In Chicago's Central Business District the Chicago Police Department has established the Security Broadcast Email System to communicate with private sector security directors. Within the same district they have established the Early Alert Radio Network (EARN) program.
EARN is a system by which high-rise buildings that purchase a radio receiver can obtain information from the Chicago Police Department. In the District of Columbia, ``D.C. Alert'' uses the Roam Security Alert Network (https://textalert.ema.dc.gov/index.php_CCheck=1) to provide immediate text notification and update information during a major crisis or emergency. This system delivers important emergency alerts, notifications and updates to a number of devices, including cellular telephones, e-mail accounts, Blackberry devices, and pagers.

---------------------------------------------------------------------------

After this communication channel was established with the NYPD, Tishman Speyer subscribed to an international communication service that enables us to send messages to employees and tenant contacts worldwide via email, text messages, and voice messages. Here is a real-world example of how this information flow helps our company operate more effectively: Last month a suspicious package was discovered against a building located on 54th Street and Madison Avenue, which is directly across from one of our properties. The police had arrived and closed off all pedestrian and vehicular traffic. APPL sent out a message that informed us what was occurring and later notified us that the package was found to be a regular briefcase with no explosive devices. We were then able to use our own in house multi-medium communication channels to simultaneously inform every one of our tenants.

Nationally: The real estate industry--including major office, hotel, shopping center and multi-housing owners and operators--has requested and received permission from federal counter-terrorism officials to create our own Real Estate Information Sharing and Analysis Center (ISAC).
The ISAC is a 24/7, two-way information channel between the real estate industry and DHS that facilitates information sharing on terrorist threats, warnings, incidents, vulnerabilities and response planning to a network of over 120,000 real estate owners and operators. For many years prior to 9/11, traditional critical infrastructure industries (e.g., the financial services, electric power, oil and gas, water, telecommunications, information technology, chemical and food industries) all operated similar ISACs. We are grateful to the White House and DHS officials that were willing to think ``outside the box'' by supporting the creation of an ISAC for our industry.

B. Emergency Area Access Procedures

Another lesson learned was the need for essential authorized building personnel to have access to their properties as soon as possible following an event. Immediately following the September 11 attacks on the World Trade Center the police cordoned off a very large area in downtown Manhattan. However, in the future, property managers and building engineers, who can identify themselves as such, will be granted access to these types of restricted areas in order to address vital building issues (e.g., shutting down running machinery and turning off water lines). This will allow us to prevent any additional damage and further economic loss. The cities of Boston, New York, and Chicago have all instituted programs that allow private property owners to register critical personnel with the city for that purpose.

C. Training Programs

Another lesson learned is the importance of expanding training programs that incorporate the lessons learned from 9/11 so that they can better prepare security officers and building management officials that work in high-rise office buildings. Training should address not only evacuation procedures, but also consider the difficult issue of how and when to ``shelter-in-place'' if an actual or suspected bio-chemical event occurs.
The American Society of Industrial Security, International (ASIS, International) has established the Private Security Officer Selection and Training Guideline. This guideline sets forth minimum criteria for the selection and training of private security officers, which may also be used to provide regulating bodies with consistent minimum qualifications. In addition, ASIS's Physical Security Measures Guideline is currently under development. This guideline will assist in the selection of appropriate physical security measures, including defining risk levels, implementing an integrated set of physical security measures, and devising policies and procedures related to security incidents, access control, monitoring systems, lighting, security personnel, and audits and inspections. When completed, this will be an extremely helpful tool to ensure that we members of the private sector are providing improved training to our security officers and other relevant officials.

Training should be provided not only to security officers but also to other building personnel, including property managers, engineers, fire safety directors and cleaners. It is important to remember that, for all these groups, emergency action plans should be considered crucial elements of their respective training programs. Exercises that test these action plans are fundamental to the learning process. The training should, of course, include how to address biological and chemical attacks, explosive devices, suicide bombers, and other recognized terror techniques.

D. Target Hardening Techniques

As discussed above, it has become common practice, as part of sound risk assessments, to perform vulnerability risk assessments on all major properties. Buildings that receive high threat vulnerability ratings may be appropriate for target hardening especially against explosive devices (vehicular or pedestrian borne).
Target hardening focuses particularly on building lobbies, and since 9/11 many large commercial office buildings in New York have installed turnstiles and card access readers. In addition to the lobbies, the facades, loading docks, and underground parking lots of many commercial office buildings have been target hardened. After 9/11, Tishman Speyer target hardened various elements of all of its then existing properties. We are also developers and as such we now incorporate target hardening from the very beginning of the design and construction process.

E. Research

As stated above, post 9/11, the commercial real estate industry has supported sophisticated research on how best to protect our homeland. Most notably, we have helped launch the new RAND Center for Terrorism Risk Management Policy (CTRMP) and provided high-level technical consulting to that organization. While the Center has several missions, one of its principal goals is to help security decision-making in an age of catastrophic terrorism. Its mission is to help not only the private sector but also the public sector assess the consequences of individual and collective decisions about allocating terrorism security resources and help these institutions make decisions about the risks they face and the security portfolios appropriate to mitigating those risks.

In addition to analytic research, the CTRMP has provided invaluable learning tools for interactive strategic exercises. Most recently, CTRMP further developed a RAND simulation involving the mock detonation of a nuclear device smuggled into the United States aboard a container ship in a major California port city. The exercise, which was developed for various business sector audiences and senior Congressional staffers, showed just what the human and financial losses would be if this were actually to occur and what impact it would have on other parts of the United States and the rest of the world.

F.
Coordination with Government Authorities on Building Ownership and Management Data

The commercial real estate industry stepped up to face another challenge last summer when the national threat advisory system was elevated for the financial sector. As you know, intelligence was uncovered showing al-Qa'ida was doing extensive pre-attack surveillance on prominent properties housing several major financial institutions. The Citicorp Building in New York City was one of those properties. Notably, the first DHS officials ``on the ground'' in New York--including the then Secretary of DHS--were initially unaware that Citicorp neither owned nor managed the physical security of that facility. Indeed, across the country, it is not uncommon for counter-terrorism officials to assume that the companies whose names are associated with landmark buildings actually own or manage those buildings.

To assist DHS and others identify quickly those actually responsible for the management of a given building's physical security, the Real Estate Board of New York has made available its database of New York City commercial building owners and managers as a reference. This database is regularly updated as purchases and sales take place within the New York City office market. It includes landline telephone, cellular telephone, beeper, and email contact information sorted by building name and address. This could prove to be a valuable resource for DHS, especially when notifications are required in an ``actionable'' timeframe. REBNY has also provided this database to the New York City Office of Emergency Management (OEM) and to the New York City Department of Buildings (DOB). We encourage other cities to make use of similar data bases of office buildings by working with local BOMA organizations.

G.
Building Industry Awareness Through Media Campaigns and Exercises

Post 9/11 it has become increasingly clear that without continuous citizen awareness campaigns, public interest and concern about terrorism can drop dramatically. This is particularly true in cities that have never had a major terrorist incident. Therefore, the Real Estate ISAC in January of 2005 commenced a six-month public service advertising campaign to encourage building owners and managers to address homeland security issues. Through their ``Fighting Terrorism'' advertising campaign in Real Estate Forum and 10 trade journals, the ISAC, its trade member groups and its media partner, Real Estate Media Inc., have reached over 120,000 real estate professionals with their important message about the need for a well-prepared real estate industry sector.

To the same end, in April, 2005, the Real Estate ISAC further advanced its mission of encouraging greater industry awareness and readiness by facilitating the participation of over 60 real estate firms in the national terrorism simulation exercise known as ``TOPOFF 3''. This biennial exercise, involving some 10,000 federal and state officials and representatives of Great Britain and Canada, sought to strengthen the nation's capacity to prevent, prepare for, respond to, and recover from large-scale terrorist attacks involving weapons of mass destruction. It was the first of these exercises in which the private sector, including the commercial real estate sector, was allowed to participate on an equal footing with our public sector partners. Those who participated from our industry leveraged this multi-million dollar federal exercise to assess their own current emergency plans. Following the exercise, industry participants reported making changes to those aspects of their plans that were found to be insufficient.
Going forward, I cannot stress enough the importance to our industry of opportunities to participate in joint exercises with local, state and federal officials.

H. Specific Security Measures and Best Practices for Major Buildings

In our company's experience, effective building security is a combination of design features (e.g., physical barriers and electronic systems), personnel and staffing strategies (personnel and procedural) that are integrated into a well-defined program. As indicated above, determining the degree to which each of these components should be utilized depends on several risk factors. These factors include whether the building is a symbol or has some other national status, the specific environment at or around the building (e.g., is it a tourist attraction? Are there high-risk tenants or other specific risk factors?), and the structural design of the building (e.g., is there interior parking).

I would like to take a few moments to tell you about some of the security measures that have been implemented in our industry. I will use some examples of security measures that Tishman Speyer has employed at its properties, but most of these are recognized as best practices by other major owners in our industry.

Satellite Telephones: Many real estate owners and operators have satellite telephones in each region where they have properties. In the event of an emergency, when all landline and cellular connections are busy, these portable satellite telephones will continue to operate. As events unfold in a region, security directors and senior managers can remain in contact with personnel on location in order to assess the situation and issue instructions. The satellite telephones also ensure that the building staff will be able to communicate with the emergency services at all times during an incident. Furthermore, key personnel, including senior management, should carry emergency contact information with them at all times.

Emergency Procedure Guidebooks: Buildings are often equipped with Emergency Procedure Guidebooks. These standardized manuals provide staff members with check lists of their respective responsibilities in the case of a property emergency. This ensures that, even under difficult circumstances, building personnel will know the procedures necessary to facilitate the safe evacuation of their properties.

Company or Building Specific-Color Coded Alert Systems: Many real estate companies have instigated their own internal color code or security level alert systems. For example, under our procedures, the color green represents the current ``Standard Operating Procedures'', the color yellow indicates ``Heightened Alert Operations'' and the color red signifies ``Emergency Event Operations.'' This system requires us to constantly and consistently assess the security risk in any region at any time.

Emergency Response Training Videos: Tishman Speyer has developed a two hour training video for property staff to learn about biological and chemical agents, including their effects on the human body, how they can be transmitted, and what initial actions should be taken while waiting for emergency services to arrive. The objective of this training program is to help ensure that the property staff can better identify the potential release, dissemination, or detonation of these deadly agents in the event of an attack. This training segment also addresses what actions may be appropriate to take once an attack has occurred, including evacuations or sheltering in place, shutting off of fresh air intakes, and receiving of updates from the local authorities.

Terrorism Awareness Training: Security officers also receive training in terrorism awareness and response. The elements of common terror attack modes are discussed with a focus on the opportunities a security professional may have to intervene.
The officer is encouraged to concentrate on a person's behavior, as opposed to a person's physical characteristics. For the purpose of this training, the ``Stages of a Terrorist Event'' are defined as ``Target Selection; Surveillance of the Target; Planning of the Operation; Rehearsals and Dry-runs; Escaping from the Target; and the Exploitation of the Act.'' Finally, substantial time is committed to discussing conventional explosive devices and improvised explosive devices, as well as the correct way to handle a report of a ``suspicious package'' or telephone or written bomb threat. This kind of in-house training may be supplemented by DHS's own ``soft target'' terrorism awareness training programs. Rapid Shut Down of Air-Intakes: Some high profile buildings have implemented controls that enable building personnel to quickly and easily shut off the fresh air intakes in the case of an emergency. Automatic shut-off switches have been installed at appropriate locations and can easily be activated if we receive timely information from the relevant authorities. A critical aspect to successfully addressing a potential biological or chemical agent attack/event at or in the vicinity of a building is having adequate early warning/communication channels with the appropriate local government. In-Depth Property-Specific Threat Vulnerability Assessment: In our high profile properties, property specific threat vulnerability assessments were performed by nationally recognized security consultants, and these consultants provided recommendations on how to improve security in certain areas. Action plans to implement these recommendations, together with the corresponding budgets, are formulated by each individual building's property manager in light of property specific factors including tenant demand. ``Closed Buildings'': Many properties that are viewed as potential targets have been transformed from open access buildings into ``closed'' buildings. 
Building lobbies were historically vulnerable areas for unauthorized access into a facility. Without lobby access control, anyone can enter an elevator and reach any floor desired. Prior to September 11, 2001, most properties only enacted access control systems after normal business hours (6PM--7AM, Monday--Friday and weekends). Since 9/11, turnstiles and visitor pre-registration systems have been installed in certain buildings to provide management with detailed knowledge of when people are entering the property. In order to pass through the turnstiles, tenants must have valid building-issued identification cards including personal photographic images. Visitor Processing Centers and Courier Centers: Post 9/11, some buildings have set up visitor processing centers and courier centers. The visitor centers authorize access to the elevators only after they have received approval from relevant tenant hosts. The security officers then scan the visitors' proof of identification and issue temporary access badges, in some cases with photographs of the visitors on them. At the courier centers, security officers use X-ray machines to scan all packages. In some cases, couriers are not granted access to the buildings and instead building employees deliver packages to the appropriate offices. H. Response to the London Mass Transit Bombings The London bombings occurred exactly two months ago to the day, on July 7, 2005. As such, it is still too early to identify exactly what new lessons we learned and what new security measures will be instituted as a result of this tragedy. We have long had an excellent working relationship with the Metropolitan Transit Authority (MTA) and are working with the REBNY and the Real Estate Roundtable to build a stronger industry-wide partnership with mass transit authorities throughout the nation. We are, of course, also watching closely as the MTA looks at the benefits of increased use of CCTV. 
This is one example of how this nation appears to be embracing technological advances to increase the safety of our civilian infrastructure. This is particularly relevant to us as we need to provide tenants with secure buildings but also we are directly affected by our tenants' confidence in the public transportation that delivers them to our properties on a daily basis. Furthermore, as I mentioned at the outset, many of our properties are built directly above subway networks and we are only as secure as our weakest link. Again our dependence on sound government security initiatives is extraordinary. III. Continuing Challenges & Policy Recommendations My testimony has stressed specific ``on the ground'' lessons learned and best practices with the hopes that this may spur dialogue within our industry and elsewhere on how best to encourage improved homeland security. I recognize the extraordinary challenges that local, state and federal government authorities face in helping to advance the state of the art in terms of homeland security. At the same time, as an industry, we do have some policy suggestions for you to consider as you oversee the work of DHS. A. Priorities Emergency Response: In terms of allocating scarce federal resources, when it comes to improving public-private homeland security partnerships, we agree with the emphasis the 9/11 Commission has placed on the need for emergency response and business continuity planning. In that regard, we believe that partnerships at the local level with emergency response agencies should be a top priority. DHS can and should continue to support--financially where appropriate--outreach efforts at the local level to bring the business community more fully into partnerships with local emergency response officials. The decision to spend very limited federal funds should be made with a very realistic understanding of the different level of threat and vulnerability presented by different geographic locations. 
Also with respect to emergency response planning, we are well aware of the spotlight the 9/11 Commission, and later federal legislation, placed on the general goals and principles set out in the National Fire Protection Association Standard on Disaster/Emergency Management and Business Continuity Programs (NFPA 1600). As an industry we have a range of sound references to help us begin to apply those very general goals and principles to specific buildings and situations. As you may know, that Standard was not developed with individual building issues in mind. It will be important to retain the flexibility to make asset specific decisions, based on asset specific risk assessments. At the same time, we recognize the need to encourage greater consistency of performance across all business sectors and within our sector. The government does have a role in helping to create a shared language and set of performance oriented metrics in this area. We look forward to working with DHS and others to help improve the private sector's emergency readiness. A solid simulation and exercise program at the local level--supported where necessary by federal resources--is an important step in this direction. We also suggest that DHS continue to work closely with the insurance industry to ensure their policies offer proper incentives for positive performance in the area of emergency response planning. B. Actionable Intelligence With respect to the issue of intelligence sharing with the private sector, I want to stress that we are not asking for uncensored access to all intelligence reports. What we are looking for is access to any information made available to local counter-terrorism officials that bears directly on the operation of our buildings. Where the threat is so vague and general that no ``actions'' are being recommended, that fact also needs to be made clear. 
As indicated above, we have a growing number of strong partnerships at the local level where intelligence is shared effectively with our industry. I am not sure there is any organization in the country that does a better job of that than the NYPD. By working closely over time, we have begun to have a mutual understanding of our respective roles. We know our buildings' individual vulnerabilities; government has more of a beat on the changing threat environment. We both need each other to succeed. This is the proper model for our partnership at the federal level as well. C. Public Awareness Often, conflicting tenant expectations and awareness are challenges that we face as an industry. The tenants want to be comfortable that we are doing everything possible to ensure their safety but at the same time they do not want to work in a military fortress. We note that striking the right balance in this regard is also an issue that the public transportation authorities are forced to deal with today. The DHS needs to support the efforts at the local level to build public and business awareness of the importance of proper planning and training in this area. Only when our tenants have fully ``bought-in'' to the importance of this issue do they support our efforts to take rational security measures. In many parts of the country, tenants do not believe this issue is a major risk factor and are therefore unwilling to pay for some or all of the specific measures I've detailed above. In my view, government has an obligation to help educate the public in a reasonable and realistic way about the threats we face in the post 9/11 environment. Frankly, unless or until there are more attacks, that educational process will be very challenging. Hearings like this and recent public comments by Secretary Chertoff suggest top government officials are committed to this goal. Conclusion These priorities must continue to be addressed aggressively by DHS and other government authorities. 
Only then can we feel confident that, if other major acts of terrorism were to occur, we could return to your committee and say we did everything reasonably within our power to save human lives. That, in the end, is what this is all about. Thank you and I am happy to take questions. Mr. Lungren. Thank you very much, Mr. Norton, for your testimony. The chair would now recognize Mr. Joe Madsen, director, safety and risk management for the Spokane Public Schools, to testify. Thank you for coming, sir. STATEMENT OF JOE MADSEN Mr. Madsen. Chairman Lungren, members of the Committee, I am Joe Madsen. I am a risk manager in a school district of 31,000. There are 47 million students every day attending schools in our nation. Of those, 25 million ride 444,000 school buses. They do over 8.8 billion trips and are exposed that many times per year in regards to them being a soft target. I have provided you written testimony indicating what we in Spokane have done with the school district, the fire department and the police department. I certainly could come before you to indicate our wants, needs and desires in terms of funding for facilities, for training, target-hardening, or specific allocations for school resource officers. I, however, think it is more important to concentrate on the big picture, those things that actually matter at the ground level; those things that have affected us in Spokane. The all-hazards approach that we have conducted affects not only terrorism, not only disasters, or natural disasters, but any type of incident and the planning and preparation for those in advance has been what made the difference for us. Potential issues such as critical incidents, natural disasters and of course terrorism are those issues that we need to concentrate on. We are a nation of special interests, but one that cannot be seen through only one set of lenses. 
We need to be constantly looking at the big picture and looking at systems approaches, systems which combine resources, shared data, relationships built on trust, joint training exercises, not just large-scale required drills, but small-scale trust-building exercises. It is less about me and mine, but more about us. Systems revolving around communications, relationships, pre-planning, data-sharing and the use of technology, I am here to tell you that it can be done with successful results. In a microcosm, I manage five departments: safety, transportation, security, worker comp, and insurance. Those five departments 10 years ago did not work together. They reported to different people and they did not help each other. But over the last 10 years, we have been able to cause the effect that we need to successfully work together. By ensuring that safety officers work with security officers, that security officers work with transportation staff, we ensure a system that responds to an incident no matter large or small, no matter whether it is a security issue or a safety-related issue, as a unit. In the city of Spokane, we also have made that opportunity. For over 10 years, we have had police liaison meetings between the school district and the police department. Those types of relationships and trust-building are critical to having resolved our incident at Lewis and Clark High School. Just 2 weeks ago, the police department conducted SWAT exercises within our high schools. They did not do it by themselves. They did not do it at the police academy, but they came into our schools. They have been doing this for years. At those exercises, we had our principals and our district resource officers. It is the relationships that we have built over the past several years that allow us to respond to an incident, to plan for it, and to communicate effectively when an incident occurs. 
At the state level in Washington, we have the Department of Emergency Management, the Office of Superintendent for Public Instruction, the Washington State Patrol, all working together with a data management system that allows us to map schools, to provide photographs, to provide the information related to the critical structures and information related to the organizational charts in every one of our facilities. Right here today in my computer, I have all 12 of our high schools and middle schools and all the data I need to make a decision from across the nation to be able to respond to an emergency or to communicate effectively with the fire department and police department. It is communication, relationships, data-sharing, preparation and working together as a system that causes the effect that we need. The question is, is on the federal level, are we sharing data, are we communicating, and do we have the relationships between the multitude of different agencies? I work currently with the Department of Homeland Security, the Department of Education, Occupational Safety and Health Administration (OSHA), but I receive different direction from each of them. If we can have the relationships and the information and the communication that I think that we have shown in Spokane in the state of Washington with our police and fire, I think that we would go a long ways to solving our issues such as Katrina. Thank you for the ability to present. You have my written testimony. I would be happy to answer any questions. [The statement of Mr. Madsen follows:] Prepared Statement of Joseph C. Madsen Wednesday, September 7, 2005 Mr. Chairman, Ranking Member Sanchez, and Members of the Subcommittee, thank you for having me here to discuss this important subject. My name is Joe Madsen and I am the Director of Safety and Risk Management for Spokane Public Schools in Spokane, Washington. 
I am before you today to discuss school safety and how the federal government can be more proactive in protecting our school children, teachers, and staff from a wide variety of threats and emergencies. Following 9/11, the federal government focused its efforts on improving security around airports, transit systems, and public facilities, the so called ``hard targets.'' Today I'd like to talk about one of our nation's most valuable assets, our children, and a successful program begun in Washington State that combines old fashion relationship-building, interagency cooperation, and state-of-the-art technology to protect our schools against terrorist attacks and other emergencies. We have more than 47 million children enrolled in educational facilities across the U.S. Because schools typically contain large numbers of students in a single location, they represent an appealing target for terrorists seeking the maximum emotional impact for their cowardly acts. Domestically we've already experienced a form of terrorism, and schools like West Paducah in Kentucky; Springfield in Oregon; Columbine in Colorado; and Red Lake in Minnesota stir emotion in the hearts of parents and dispel the feeling ``that it couldn't happen here.'' On the international side, it's even more disturbing. In Beslan, Russia last year, terrorists took more than 1,100 hostages at a local school. More than 330 students and staff were killed and another 700 people were seriously injured. A similar incident occurred this June when terrorists attacked an international school in Cambodia and took over 70 children and staff hostage. I know first hand the damage a terrorist attack can do at a school. At 11:30 a.m. on September 22, 2003 a student with a 9mm handgun entered one of my schools, Lewis and Clark High School, in Spokane. It was the lunch hour and the school was packed with more than 2,000 students eating lunch in the hallways, a tradition at this school. 
Normally, chaos would break out at this point. But in Spokane, the police, fire, school staff, and students are well trained on how to respond to emergencies. Just prior to the incident, Washington State had begun deployment of a statewide crisis management system (CMS) for protection of critical public infrastructure. Using this new system, the Spokane Police Department, the Spokane Fire Department, the Washington State Patrol, and school district officials implemented pre-determined tactical response plans and quickly responded to the school. Detailed information about the school building in the CMS system allowed police to isolate the gunman in just 12 minutes, evacuate more than 2,000 students to a pre-established family re-unification center, and immobilize the gunman. The students were spared the trauma of having to witness the incident and were able to return to their school the very next day. This situation, and it would be no different if it had been an organized terrorist incident, a fire, a hazmat spill, or a hurricane, was successfully mitigated because the first responders in Spokane have developed an excellent system for emergency response, involving training, relationship building, implementation of FEMA's National Incident Management System (NIMS) protocols, and use of state-of-the-art CMS technology that makes critical facility information accessible to all responding agencies. How this incident was handled, and the systems put in place to mitigate such events, could well serve as a model for other school districts across the nation. I'd like to take a few minutes to talk about this incident in greater detail, because the story exemplifies many of the issues facing police and fire today in responding to a wide variety of emergencies. To provide you with some background: In 2003 the State of Washington funded development of a statewide crisis management system for critical infrastructure. 
The computer-based system provides first responders with instant access to critical information, including fire and police tactical preplans and more than 300 data points including facility emergency plans, satellite images, interior and exterior photos, floor plans, evacuation routes, utility shut-offs, hazardous materials locations and more. The simple, easy-to-use software is designed to allow emergency response personnel to act quickly, decisively, and safely during any facility-related emergency incident. The system combines data that used to be kept in three-ring binders at a variety of locations into a single, master database. It also provides all responding agencies with equal access to critical infrastructure data. Equally important, facility owners can quickly update information about changes at their facilities via the Web, ensuring that first responders are basing their decisions on the most current data available. This system was implemented at Lewis and Clark High School in August 2003, just two weeks before the actual shooting incident. An integral part of the implementation is a series of planning sessions where school officials meet with their local police and fire representatives to pre-plan how each agency will respond to various emergency scenarios. This process establishes working relationships between first responders from various agencies and is the basis for development of trust and cooperation. The system is also compliant with FEMA's National Incident Management System (NIMS) and the Incident Command System (ICS). ICS, a subset of NIMS, is a standardized on-scene incident management protocol designed to allow responders to adopt an integrated organizational structure equal to the complexity and demands of any single incident or multiple incidents without being hindered by jurisdictional boundaries. 
The crisis management system adopted by Washington State melds well with the approach advocated by many of our nation's police and fire departments emphasizing the primary role local public safety agencies play in emergency response: 1. Local responders need to have venue specific information available to them in order to plan, prepare, and mitigate acts of terrorism and other emergencies (both man-made and natural). 2. While not frequently addressed in national anti-terrorism policy, schools represent perhaps our community's most sensitive venues. 3. Local, tribal, state, and federal public safety providers need to have affordable, reliable, scalable, and extensible data system(s) to manage this information. 4. Development of ``information silos'' creates interoperability issues at local, regional, and federal levels. The goal would be development of a standardized national interface. 5. First responders need to have simple and reliable access to information in order to act swiftly and decisively. 6. Disaster mitigation requires interagency cooperation and common access to information in a standardized form. The Lewis and Clark High School Shooting Incident Now, let's go back and look at how this combination of interagency cooperation, preplanning, use of the Incident Command System protocols, and implementation of a crisis management system helped us successfully mitigate a potentially dangerous shooting incident at Lewis and Clark High School. It is important to remember that during this type of incident, many things are happening concurrently and involving a wide number of public safety agencies and other stakeholders. As gunfire rang out in the school, the principal and the school resource officer (SRO) immediately responded to the 3rd floor to evaluate the situation and determine the exact location of the gunman. 
In a shooting incident, the standard operating procedure calls for a school lockdown, but in this situation there were thousands of students out in the hallways eating lunch. After a short discussion, they realized the quickest way to evacuate the students was to pull the fire alarm. Lewis and Clark students go through numerous fire drills during the school year and were quick to respond. At the same time, a SRO at another school had pulled up the crisis management system on his laptop and was relaying information about the gunman's location and the school layout directly to police dispatch, which in turn passed the information on to responding officers. Local patrol officers arrived at the school within four minutes and initiated what is known as an ``active shooter response'' to contain the suspect. This means that they immediately entered the school and moved directly towards the gunman, not waiting for a SWAT team to arrive and deploy. During the Columbine incident, it took more than five hours before officers responding from multiple police agencies coordinated their efforts and entered the building. Fire, police, and school security quickly set up a command post in a pre-determined location and accessed the crisis management program on a nearby computer. The program can be accessed via laptop computers, Internet connected computers, or by thumbnail-sized USB devices carried by SROs and first responders. A SRO initially assumed the role of Incident Commander per the ICS protocol. Police, fire, and emergency services in the Spokane area all adhere to ICS, whereby responders play pre-determined roles during an emergency, independent of their rank or agency. This high level of coordination made a world of difference in their ability to quickly respond and mitigate the critical situation at the high school. The SWAT team, taking over from the active shooter team, positioned themselves in a nearby stairwell outside of Room 307 where the gunman was barricaded. 
They were puzzled when he popped his head out of three different doorways along the 3rd floor hallway. Officials at the command post accessed the floor plan via the CMS system and told them that Room 307 and Room 305 were connected by an internal doorway. As a hostage negotiator began talking with the gunman, officials in the command post noticed that the corner room he occupied had unobstructed views of the grassy field where the students had been evacuated, and to eight lanes of traffic on the adjacent Interstate 90 freeway. Officials viewed aerial photos of the site and decided to move the students under the overhead freeway where they would be out of the line of fire. Using phone contacts listed in CMS, I called our transportation contractor, Laidlaw Educational Services, and asked them to immediately send 20 buses to relocate the students to an alternative site. Since the school district transportation department had participated in the preplanning sessions, they immediately understood what was needed. At the same time, a list of pre-determined roadblocks from the CMS was sent to the Spokane City Streets Department to block access to the school. Another list was sent to the Washington State Patrol to block access to the eight lanes of Interstate 90, which were exposed to the gunman's line of fire from the corner classroom. In both instances, valuable time was saved because all the roadblocks were determined during the pre-planning sessions with school officials, police, fire, and State Patrol that are part of the CMS implementation. As news of the incident spread to parents via cell phone calls from their kids, it became important to discourage parents from driving towards the school and blocking local access routes for emergency vehicles. PIOs from both the school district and the police departments worked together to provide ongoing information to parents and the general public regarding the evolving situation. 
Another problem developed when the gunman asked the police negotiator for matches. Fire officials knew from the CMS that Room 307 was a science lab, and as such, had a number of natural gas outlets. The concern was the gunman may be suicidal. In addition, there was always the potential for an explosion caused by any errant gunfire. Officials in the command post called the local gas company, which dispatched the nearest crew to help shut off the gas. Unfortunately, the crew was used to working on residential facilities and wasn't familiar with commercial installations. Using the CMS, officials printed out photos of the utility shut-off valves and their location. A police officer escorted the utility crew and the gas was quickly shut-off. Fire officials also used the CMS to print out a list of all chemicals stored in Room 307. The printout listed the type of chemicals, their location, quantity, and Material Safety Data Sheets (MSDS) that profiled the chemical's characteristics and safety precautions. With all the students safely evacuated, the roads blocked off, and the gunman isolated to a single location, it became a waiting game between the police and the gunman. Unfortunately, the gunman chose to provoke the SWAT team who were forced to fire in self-defense. The wounded student was quickly evacuated by waiting paramedics to a nearby hospital where he eventually survived his wounds. What was learned as a result of this incident that is pertinent to terrorism incidents and other emergencies? First, schools are highly vulnerable to a terrorist type attack. They need to be considered by DHS for both increased funding and protection. Secondly, in any such incident, local responders always will be the first on the scene. In even a minor emergency, these responders will represent multiple agencies with overlapping and sometimes divergent priorities. 
It is absolutely critical that these agencies establish trusted, working relationships with each other prior to a major event. Facility owners (schools, court houses, businesses, etc.) also need to sit down with public safety officials to talk about how they will respond to a wide variety of emergencies, and how they will work with other agencies to mitigate the situation. Third, agencies need access to common, pre-established communications channels during emergencies. Last week's rescue operations following Hurricane Katrina emphasize the problems when public safety and other responders cannot communicate with each other during rescue and recovery operations. And lastly, all first responders need access to detailed, up-to-date building and site information, such as that provided by a crisis management system. The Problem of Protecting Students on School Buses I've talked about the procedures for protecting students in school buildings, but we also need to consider the problem of protecting students on school buses, an often neglected area in emergency plans. Spokane Public Schools serve 31,000 students in 55 different facilities, including six high schools, six middle schools, 35 elementary schools and a variety of special schools located in jails, hospitals and contracted agencies. Seven thousand of these students ride school buses to get to and from their local school. These 167 buses, carrying between 44 and 72 students each, travel 9,000 miles each day, the equivalent of going from Spokane to New York City and back 180 times a year. Along the way, they stop at thousands of bus stops to pick up children. To give you an idea of the scope of the problem, there are more than 47 million students in any given day attending our nation's schools. Of these, 25 million ride in 440,000 yellow school buses that travel 8.8 billion trips each year. This is in comparison to public transit systems that serve 5.2 billion unlinked passenger trips each year in the U.S. 
It is now easy to understand why protecting students on all these buses is a gargantuan task. Imagine this frightening scenario: One of the Spokane School District buses does not show up at its school of destination after picking up its 58 students. It takes 12 minutes until a phone call is made from the school to the transportation department. They in turn call the bus contractor who attempts, without success, to contact the bus by radio. After another 15 minutes, the school district's security department and the Spokane Police Department are notified. In a city of more than 150 big, yellow school buses, it is next to impossible to check each one to see if they are the missing school bus. Meanwhile in Miami, Florida; San Francisco, California; Dallas, Texas; Tupelo, Mississippi; and Mt. Lebanon, Pennsylvania the same scenario is unfolding. Each local jurisdiction is dealing with a crisis of a missing bus full of children. It isn't until an hour later that a connection is made by a national AP reporter who ties together news reports of three of the instances. Thirty minutes later, now two hours into the incident, it is confirmed by an anonymous phone call to the FBI that what was a series of localized emergencies is now a national terrorist crisis. While it would be impractical to provide armed escorts for the thousands of school buses on our nation's roads each day, we can use technology, training, and communications tools to better protect these children. One solution, being implemented in Spokane Public Schools, is to do ``security mapping'' of school buses and incorporate this information, along with tactical response plans, into a CMS system. A similar approach could be taken with our metropolitan transit authorities nationwide, many of whom provide transportation services for school children. 
Constant Shifting of Priorities Jeopardizes National Security--A Study of HVAs Another issue affecting national security is how Hazard Vulnerability Analysis (HVA) information is ``siloed'' and not shared with other agencies. HVAs have been and continue to be a vital means of studying and prioritizing local community, state, and national areas of concern regarding natural disasters, emergencies, and security crises. There is no question that HVAs should be conducted at the local, state, and national levels. That said, local agencies, including emergency responders such as police, fire, medical, and EMS, as well as the institutions they serve (school districts, businesses, hospitals, etc.) should be held responsible for response planning, training, facilities security improvements, etc. Equally important is that the HVAs utilize an ``all hazards'' approach. I feel HVAs should not focus solely on security issues at the expense of fire prevention, medical services, or hazardous chemical exposures. As Hurricane Katrina has shown us in the past week, whether it is a terrorist incident, a hurricane, a flood or any other type of disaster, the emergency response is similar in all cases. Emergency agencies, as well as businesses and institutions, should support the cooperative sharing of HVAs through communication and joint planning. The root of this problem is that agencies often operate within a vacuum of their own priorities, frequently at the detriment of other agencies or service providers. Nationally, we seem to be bouncing from one priority to another (air transportation to subways to trains, etc.) with little coordination between agencies, first responders or those affected. HVAs certainly help to set department goals, budgets, training, etc., but if done without consultation with other responder agencies, it creates a system of individual priorities, and often, conflicting priorities. 
As a result, decisions about finance, training, personnel, equipment, policies, and response procedures are made without dovetailing into a national priority. It is easy to get caught up in MY needs and priorities when in an emergency; WE will need to work and act together as a system. The Importance of Sustainability of Programs Often the sustainability of a program is only thought of in regard to the funding of the program. Sustainability should be tied to local community priorities, or decisions regarding the determination of HVAs made by all stakeholder organizations. It is only through this joint decision-making that long term support of a program can be ensured. Most federal grants now require the signatures of many different service agencies or end users. These signatures by themselves, however, do not ensure long term cooperation. Another aspect of sustainability is the continued ``silo effect'' that permeates many agencies based on their specific goals or mission. While these missions are important to those they serve, they do not necessarily meet the needs of a common good. Take for example the Department of Justice, the Department of Homeland Security, and the Department of Education. Each of these agencies offers grants designed to serve the needs of states and local agencies. It is rare, however, that these agencies coordinate their efforts and require these funds to be used jointly or leveraged to serve a common good. One of the final indignities regarding sustainability of programs is that if a program is effective, the funds are cut! Why would you not reward and promote programs that have been successful, thereby enabling the programs (with a requirement in future funding) to help other agencies or service providers, both public and private. Agencies invest time, energy, and limited funding into these programs. To not support the outcomes and take advantage of their successes is poor fiscal planning in my opinion. 
Lastly, the sun-setting of grant funding creates an unmet need for newly created programs. In many programs, services are established or programs developed that then create service expectations in the local community. When the local entity cannot fiscally support these services due to grant money drying up, the program goes away leaving recipients empty handed and not served. Having the money to start up well meaning programs is great and serves to fill a short-term need. A more effective approach would be to tie grant funding to longer timelines for providing services and ensure that the written assurances of agencies supporting the grant application are, in fact, not just signatures but collaborative commitments. And by working with grant recipients in their local communities, rather than having them attend planning and training sessions in Washington, DC, you would go a long way to ensure the long term success of the programs. Federal Direction and Support for Communications Systems Currently, the various response agencies and those they support in Spokane have the following means of communications available for use in emergencies: ``push to talk'' radios, such as Nextel®, UHF radios, VHF radios, 900 MHz radios, cellular phones, PDA's, Smart Phones, cell phones, laptop computers with a variety of communications software platforms, personal recreation radios, and PC-based Internet e-mail. As you can see, we are not lacking in the means of communicating; we are in fact buried in it. Due to the number of divergent systems in place, we are less able today to communicate with other agencies and even within our own organizations. As an example, even the local branch of the U.S. Postal Service has its own internal PDA communications system. They have a wonderful means of communicating with their fellow members of the U.S. Postal Service, but it does not allow for communications with other agencies or those emergency responders who might be providing services to them. 
The ability to communicate is essential in an emergency. From the advent of the NIMS system in the 1970s, the result of disastrous wildfires that occurred due in part to a lack of common communications systems, to the recent 9/11 tragedy in New York City where fire and police could not communicate, communication continues to be a critical issue. Common radio frequencies or communications methods are an important part of an essential communications system. Again, the breakdown of communication between first responders during Hurricane Katrina exemplifies this point. Functional radio communication is one part of the solution, and human communication is another. Having agencies and end users meeting, planning, and training prior to an incident is critical to reducing response time and saving lives. Sitting down together and conducting pre-plan tactical exercises allows: 1) relationship building, 2) establishment of trust; 3) an understanding of the other agency's or business' needs during an emergency; and 4) the development of a common plan of action. In Spokane, we use a crisis management program that facilitates collaborative pre-planning sessions and collection of critical data about key facilities. In addition to providing a common platform for data collection (including photos, organizational charts, floor plans, site plans, hazard chemical listings, etc.), it provides the necessary forum for the pre-incident planning. In my experience, this approach is critical in breaking down communication barriers and building trust between first responder agencies and the organizations they serve. One of the benefits of the crisis management system developed by the State of Washington is that it is a statewide program. In Washington, all first responders, including police, fire, State Patrol, and others all have access to the same master database of information. 
The Washington Association of Sheriffs and Police Chiefs is responsible for the crisis management system, assuring that there is a common platform for data collection, training, procedures, response policies, and data security between local, county, and state first responders and their recipients. If each local fire, police, and emergency management agency chose to use a different system, a coordinated response would be difficult. Establishing a standardized statewide system is certainly not without its difficulties, especially those issues concerning ``turf,'' budgets, and political concerns. But once agencies begin to use the system in actual emergencies, most of these issues resolve themselves and the agencies begin to see the inherent value of such a system. In our case, the CMS approach has truly served as a catalyst for collaboration and problem resolution. This type of program fosters communication, collaboration, and helps to build trusted relationships, all of which are critical factors during an actual emergency situation when lives and property are on the line. Suggestions and Recommendations 1. Facilitate relationship-building between agencies at the local, state and national level, both within individual disciplines and between different types of agencies and organizations. Providing for training, in-services, and product conferences where planning, response, resolution and recovery conversations could be facilitated to establish common ground and exchange key information. 2. Provide for sustainable funding of model programs based on the requirement that agencies share their expertise and experience with others in their industry. The funding would be broad-based in that it would come from various agencies and serve to establish and maintain collaboration between local agencies and those they serve. It would encourage local investment of time, talent, and funding to create joint planning and response. 3. 
Develop and adopt communication models that can be implemented on a local or statewide basis. Support programs that facilitate pre-incident data collection and pre-plan tactical exercises, and encourage relationship-building between emergency responders and those they serve. 4. Support the development of an ``all hazards'' approach to emergencies, disasters and crises by providing all first responders with the basics in response protocols, communication, and incident response. Encourage adoption of NIMS / ICS protocols. Provide ICS training not only for police and fire services, but also for other emergency responders, including those in the public and private sector who will be responsible for ensuring their own employees' safety during the early stages of a crisis. 5. Establish model plans for response to various emergencies, disasters and crises. Select a lead federal agency in each area that would become the ``go-to'' agency. This would reduce competition between agencies, create efficiencies at the Federal level, and reduce confusion on the part of local agencies regarding direction. Once again, I appreciate the opportunity to come before this subcommittee to share my views on these subjects. I will be available for any questions. Thank you. Mr. Lungren. Thank you very much for your testimony. I want to thank all the witnesses for their testimony. More than that, I would like to thank you for the work that you have already done in terms of responding to the various hazards, specifically terrorism, but all of the hazards that may affect your facilities wherever they might be. I would like to ask one question to all four of you on the panel. It seems to me that all four of you have talked about communications being extremely important, communications at the time of an incident, but even before that, communications in preparation for any type of problem, with local authorities, in some cases federal authorities. 
My question is this: While the detail of information that you have, the digitalized documents that actually give people a blueprint and a visual of where they go and where vulnerabilities are, I presume you would be very concerned about that falling into the wrong hands. Has there been any concern expressed by any of you about this information getting public? For instance, we do have the Freedom of Information Act. There are certain exceptions that we have built into the legislation that prohibit that from being turned over to the public. But have any of you had that concern raised, and if you have raised it, have you had responses that are satisfactory to you by the authorities, either local, state or federal? Mr. Millar? Mr. Millar. Yes, we have had that concern. However, we do believe that the steps taken by the Congress a couple of years ago to change, give those exceptions, as you have said, have taken care of it. That has greatly enlarged our ability to share among transit properties. So I do not believe that is a significant problem to us right now. Mr. Lowy. We are nervous about the issues there. Not only do we have the plans digitized and we give an update disk to local authorities each month, we also have them on the Internet. We have a Web site that is available where the local police, fire, ambulance, et cetera, have access to the mall that they may be dealing with. The issue for us, though, is that since we deal with them on such a local level, I would be surprised if even as you get higher up in the LAPD or certain of the police departments that we deal with that even know that that actually happens. When we deal with them, we deal with the local watch commander or the person in the local patrol cars. We go as far as having to buy them actually laptop computers because they do not have them to access the information. 
So while it is a risk, it is one that we deem appropriate because there is no other way to inform them and give them all the information they need. Mr. Lungren. So you are not sure exactly who all has it within the departments that you are dealing with? Mr. Lowy. We know who we are dealing with who has it. We do not know how far up the chain they actually send them and deal with the authorities. It also depends on how large a city you are dealing with or how small a city. Mr. Lungren. Sure. Mr. Lowy. In Los Angeles, such a large city, if it is not the West L.A. guys who know what we are dealing with, I would be surprised if they know what is going on downtown. That is no opinion about the city and how it is run. It is just such a large city. Mr. Lungren. Just an observation? Mr. Lowy. Yes, just an observation. Mr. Lungren. Mr. Norton? Mr. Norton. We have taken steps post-9/11 with regards to this, especially in New York City, where a lot of our building documents were a matter of public record. Anybody could go down to city hall and pull these documents and do studies on them. There was, working in conjunction with the Real Estate Board of New York, a law passed that there is a signature now required by the owner of that building if somebody goes down and is trying to get reference to that particular site. So that was a good thing that was implemented. Additionally, in other markets where we used to have readily available, and I am speaking on behalf of commercial office buildings, plans for potential leasing and potential bringing in tenants, that kind of data is now secured both internally within the company and outside as well as off-site locations. So in the event of an emergency, we have access to that and we can get that to federal and local officials. Again, I think it is important to emphasize we need to build the trust, and I think you have to earn that trust over time in working in conjunction with the federal, state and local. 
We have done that in New York City and we feel that working with them and having them look at our high-profile assets, they have a very comfortable level of if there was an issue that came up, they understand what we are up against and they understand how to attack it, unlike the World Trade Center when they went down. There were no plans. They did not know where people were down in the retail. So there were a lot of lessons learned there. Mr. Lungren. Mr. Madsen? Mr. Madsen. Three points. The data-set that we have in Spokane and Washington state is controlled by the Washington Association of Sheriffs and Police Chiefs. They own that data as such, so it is confidential in that nature. Secondarily, there are different levels of access in terms of us being able to authorize different agencies, whether it is police, fire, or the Department of Emergency Management. And then the last point is really about the control of the data, while still allowing it to be used. We had a flood in one of our high schools. That data was very important to the maintenance department to save a $100,000 gym floor. If we regulate it down to a point where it can only be used for one purpose, I think that that is wasted financial dollars. Again, that all-hazards approach is very important. That data can be used for a multitude of different things and it would be a shame to waste it. It is secure. We can limit it, but it has a multitude of purposes. Mr. Lungren. Thank you very much. Mr. Pascrell is recognized for 5 minutes. Mr. Pascrell. Thank you, Mr. Chairman. Mr. Madsen, I am very interested in what we tell kids about impending threats. I want to ask you a couple of questions, if you will respond, since you are there day to day. How do you prepare children to respond to an attack without inducing fear in those kids? How do you do that? Mr. Madsen. We have, for the last 10 years, done training with our staff and our students. We have a four-step process. 
That process starts with the general orientation of the principal of the building to let them know about the district-wide plan, our three levels of crisis codes. From there, we then move on to the building staff itself. The reason for that first and second step is to make sure that the building staff, the school staff, have an understanding that their principal, their person in charge of the building, has a level of understanding and they then in turn have a confidence with them. We then move on to the third level, which is actually conducting tabletop exercises or small drills. Mr. Pascrell. What do you tell the kids before you are conducting the drills? Why are we conducting the drills? What are you telling these kids? Mr. Madsen. That is the fourth step, and that is publicizing to both parents in newsletters as well as students in orientation that we are going to be doing these drills, again from an all-hazards approach. It does not matter whether it is a terrorist activity, a school shooter, or a railroad tanker overturned by a school. We want to be prepared. They do nine fire drills every year. We are very well supported by the superintendent. In addition to that, we do two crisis drills. Those are active drills that are done, both walk-down as well as all-hazard. It is to the point where they are not fearful. It is commonplace, much like throughout this nation for 100 years we have done fire drills. It is the same level of preparedness, and just as they are not anxious because of the ongoing nine fire drills, their doing the two crisis drills every year allows them to not be anxious. Mr. Pascrell. So what you are telling us is that what you are telling children, communicating to children, is that we are stepping up the process, the mechanism, but really this is a fire drill we are doing which will encompass the entire school that you are in. Is that what you are telling kids? Mr. Madsen. 
It is moving beyond just a hazard of fire itself in a building, but all other hazards that could occur. Unfortunately in our nation, with what is occurring, we need to be prepared. We want to keep you safe. We tell parents we want to keep their children safe. We have had very, very little push-back from parents in regard to that these live drills. We are doing them throughout the school district at all levels, elementary, middle and high school in 55 facilities. Mr. Pascrell. Spokane schools, I imagine, have quite a few police officers in them with regard to the COPS program, which was a very successful program. What experience have you had with the very police that are already in your schools? Mr. Madsen. There are two levels of police. We have our own Spokane public school district resource officers. There are 11 of them located throughout the elementary, middle and six particularly in the high schools. We did have six SROs as part of that COPS in-schools program. Those funds have gone away, and so unfortunately we do not have the Spokane Police Department SRO program currently. We still have retained the 11 officers and I know that the chief has prioritized the SROs to come back first on his budget. Mr. Pascrell. Mr. Millar, if I may? Mr. Millar. Yes, sir. Mr. Pascrell. In your testimony, you talked about not only the lack of response from Washington and this huge $6 billion inventory of needs that you laid out for us. And you are disappointed, correct me if I am wrong, at the $600 million response in the 2006 budget. Is that correct so far? Mr. Millar. That is correct so far. Mr. Pascrell. Let me ask you this question. It seems that you spent some emphasis on how the money gets to the transit systems. You are recommending and suggesting, I think, a change in how this money is distributed, since a lot of it has never gotten to the point of implementation. 
What you are suggesting is, are you not, the money go directly to the transit system, rather than go through the state administrative system. Would you explain that and why you believe that the system should change? Mr. Millar. Yes, sir. Transit systems are responsible for the safety and security of their customers. We understand that. We have long-time direct relationships with the federal government, primarily through the Department of Transportation. We are used to applying for federal money. We are used to receiving it. We are used to all the requirements for audit and other things that necessarily come with the federal government. We do not believe that there is any value-added by sending it through the states. It is simply another step. Now, we certainly agree that the states have statewide planning responsibilities, and we certainly agree that the money that we would receive ought to be consistent with the statewide plans, much the way transportation money is now distributed. It has to be consistent with area-wide and statewide plans. But we see no value in sending it through the states. In addition, the Congress at least 2 years ago authorized as much as 20 percent of the money intended for transit to be skimmed off by the state. Now, last year the Appropriations Committee put a 3 percent limit on it, but still we do not see why 3 percent of the money that should be going to improve security for our customers, your constituents, ought to go off to some administrative red tape. It makes no sense, never mind the time delays and all the other aspects of it. Mr. Pascrell. Thank you for the response. Mr. Chairman? Mr. Lungren. Thank you. The chair now recognizes Mr. Linder for 5 minutes. Mr. Linder. Mr. Millar, if $600 million is not enough, how much is enough? Mr. Millar. Let's be clear about the $600 million. 
The president's proposal was to take several infrastructure groups, public transit, railroads, ports, a number of other groups, and lump them all together to $600 million. So even on my happiest day, I could not imagine, even if the Congress appropriated $600 million, that public transit would get anything other than a small portion of that because the needs in the other areas are great as well. What we have suggested is that we work with the Congress and the administration on about a $6 billion program. We could not spend all that money in a single year. We have suggested that it be spread over 3 years. We do believe that once this initial investment is made in capital infrastructure improvement, in training, in research, in planning, there will be an ongoing need, but it will be a much smaller need. It will be perhaps $800 million a year, something like that. But we simply need to bring our systems up to standard; do common sense improvements. As the chairman has said and we completely agree, we are not talking about an airport-style screen every passenger, but we do believe the kinds of improvements that I have spoken about in my testimony, which everyone agrees need to be done, ought to be done. It is a partnership between the federal government, state government, local government, and we are prepared to be part of that partnership. Mr. Linder. Mr. Lowy, how many owners of real estate, organizations are doing this, digitizing their plans? Mr. Lowy. As far as I understand, we are the only one that I know of. It is something we actually developed ourselves. As we were involved, we were in the retail facility at the World Trade Center prior to 9/11. It was something that we started doing even before that. Mainly the issue there is to be able in an emergency to know where all the entries and exits are; how to get people in and out; and how to get the first responders into the facilities. Mr. Linder. And that is in your interest? Mr. Lowy. 
That is definitely in our interest, and in the interest of our customers. Mr. Linder. Mr. Norton, why aren't other organizations doing that? Mr. Norton. I cannot speak for what other organizations are doing with regard to digitizing. But as I stated earlier, we have taken precautions post-9/11 with regard to building plans, securing them, making sure in the event, especially on a high-profile asset like the ones that I had mentioned earlier, that we are prepared. If an event does take place, we are prepared to go in with both federal and local governments and assess that situation with the proper plans. Again, I cannot speak for what the rest of the industry and what they are doing and why they are not doing it. Mr. Linder. Do you have a rough idea, Mr. Lowy, of how much you have spent doing this? Mr. Lowy. Just on the digitization? What we have actually done is we have probably spent on the investment in security somewhere around $25 million a year on capital items, and about $40 million a year on operations. But the digitization of the plans and what we have done, we have actually created our own internal systems that integrate the digitization of the plans, the CCTV cameras that we use and all of the information on the malls that we can use remotely are on-site, really in response to what happened to us at the World Trade Center. Because we have been involved in it and have dealt with it, we have unfortunately a knowledge and an expertise that we would rather not have. But once we saw all the issues that we faced, we have just been developing these systems for the last 4 or 5 years in-house. The problem at the end of the day, though, is while we can do this for our facilities, integrated with all these other office buildings and all the other cities and everything, and we need to be part of the wider community as well. Mr. Linder. Mr. Norton, why isn't it in the interests of BOMA to spread this information and do it on your own? Mr. Norton. 
Again, I cannot speak for BOMA, but again for Tishman Speyer's properties, we, and I think there are organizations on the vendor side that have new programs out there that you can actually buy into, are looking at this. Again, are you going to do a suburban building in Phoenix versus a high-profile asset that sits over a transit station in midtown Manhattan? I think post-9/11 we have put a lot of emphasis on just gathering that data and making sure it is secure and safeguarded. Again, I think it is something of the future, especially with the computer age, that we will continue to look at this and eventually get all of our buildings as an industry on this kind of a program. That will then be shared. Again, I think it will take getting more association with DHS and the other state and local government and federal agencies more time in getting comfortable with these organizations, to start sharing this kind of information. Because I think it would be overwhelming to try to get all this information and give it to these people. In the commercial real estate sector, it changes. You will move tenants in; you will move them out. You will reconstruct space. You will add floors and take floors down. So it is a continually changing process. So to update and keep plans accurate on such a mass volume of real estate throughout the portfolio of the United States that we are focusing on, I think would be a big undertaking. I think in time you will have to address it. It will have to be addressed. Mr. Linder. Thank you, Mr. Chairman. Mr. Lungren. The gentleman, Mr. Dicks, is recognized for 5 minutes. Mr. Dicks. Thank you very much. I want to thank all the witnesses for their testimony, particularly Mr. Madsen. I want to welcome you here to the committee. I appreciate your work on the school mapping program. 
The incident that occurred at Lewis and Clark High School, which you referred to in your testimony, was terrifying, but lives were very likely saved because of your mapping program that had just been implemented a couple of months before, which enabled first responders to see detailed maps and information about the high school while they were traveling to the scene. Instead of taking many precious minutes to formulate a response, once they got to the high school, police were able to hit the ground running. That is the key to this mapping program, that you have all the information gathered and in a PC you can go through it as you proceed out to the incident, wherever it is. Mr. Madsen. You can access it in a variety of fashions. You can have it on the hard disk as I do on my laptop here. You can do it with a thumb-drive or you can do it via the Web. The benefit of the program is two-fold. One is the data-set itself. The other is the creation of trust and relationships. The pre-planning tactical sessions that were done prior to the incident between police, fire, transportation and the school district is one of the critical pieces. Mr. Dicks. I would say to my colleagues on the committee, I am very proud of what Washington state has done on this. Washington has completed the emergency planning, mapping and inventorying all of the public high schools in the state, over 400. The state legislature has initiated funding for mapping of all public elementary and secondary schools. The year-long project to map the more than 1,275 elementary and middle schools began this July. Also, we have done a program on critical infrastructure in the state of Washington so that key buildings, Washington has entered over 1,200 sites and 6,500 individual buildings into the critical infrastructure planning and incident management system, which I think will give first responders in our state a much better opportunity in a crisis to be able to deal with that particular facility. 
I think this technology, which has been developed by a company not in my district, but in Seattle, Prepared Response, Inc., they build and deploy this school mapping and solutions used by the state of Washington. So I want to commend you for your work on this and your involvement and leadership in the Spokane area. You need a little leadership over there these days. But honestly, you guys have done a great job and we are proud of you. Also on the question of transportation, I agree. I think we need to have a more even-handed approach to this thing. My view of it is a lot of the money has been spent on air transportation, and these other modes have not been given the consideration that they need to. I also want to thank the witnesses from the private sector. I would recommend that you take a look at what we are doing out in the state of Washington. I think in major cities to have this kind of a mapping program where they really can look and have the analysis of these buildings ahead of time would help in any situation. I thank you for my time, Mr. Chairman. Mr. Lungren. I thank the gentleman. Mr. Langevin is recognized for 5 minutes. Mr. Langevin. Thank you, Mr. Chairman. Gentlemen, I thank you all for your testimony this morning. It has been very enlightening and the committee appreciates it. Mr. Madsen, let me begin with you, if I could. In your testimony, you describe a sophisticated technological system to provide building plans and predetermined emergency response scenarios for first responders. I am actually familiar with the technology. It is actually very impressive. As my colleague Mr. Dicks just mentioned, the Lewis and Clark shooting incident proved that the system can mobilize police, fire and school security to quickly respond to an emergency. 
My question, if I could just delve in a little bit and talk about again the costs: I think you have mentioned that already, but the costs associated with implementing the system, and if I could ask how did your school district pay for the system? Did you receive any federal assistance in helping to pay for those costs? And if you could just elaborate a little bit for the committee on what other soft targets could potentially benefit from a similar implementation. Mr. Madsen. Our funding in Spokane public schools has come from a variety of sources. The initial funding, by us being proactive and actually wanting to be part of a pilot, we do that quite a bit, allowed us to be part of the state pilot project, which allowed us to be mapping Lewis and Clark High School when that incident happened. The rest of the high schools came from the state, funding through the state legislature. Our middle schools were a separate grant, privately funded. Our elementary schools, I attached that to our Safe Schools/Healthy Students Grant that we applied for last year and received this year. Our school district, along with five others, share a $8.3 million, of which a portion of that, about $250,000, was assigned to our 35 elementary schools and the other 27 elementary and middle schools in the other school districts. So it is creative financing. It runs anywhere from $5,000 to $12,000 per building. Then it is just time from there on maintaining that data. Mr. Langevin. And can you elaborate for the committee on other soft targets, buildings, assets, that could benefit from the technology? Mr. Madsen. Currently, we are working on our school buses. I feel--and I am in a very unique position with both safety, transportation and security departments, to see kind of a bigger picture. I think that the issue with school buses in our nation, but specifically in Spokane, is critical. 
We will have all of our school buses, the six different types that we operate, with our contractor, Laidlaw as a partner, actually mapped. So all of the exits, all of the electrical shutoffs, the fuel tanks, all of those types of systems or components in regard to the physical school bus. So whether it is a rollover or whether it is a terrorist or hostage situation or a fire on board a bus, fire and police, school security and transportation all have access to that critical data. That is my next step in our school district, is to map the actual school buses. It is not a building, but it is a rolling facility for us, and it has up to 72 students. Mr. Langevin. Thank you. Mr. Dicks. Would my colleague yield just for a quick point? Mr. Langevin. Of course. Mr. Dicks. RPI, the company, has mapped all types of venues, including schools, hospitals, port facilities, commercial office buildings, water treatment facilities, and Navy ships. So this has been used broadly in many different contexts. I appreciate your yielding. Mr. Langevin. Thank you. I appreciate your making that point. Quickly before my time runs out, to Mr. Lowy. Your testimony indicates that your company spends about 20 percent of your operating costs on security. Can you just tell us, is this amount standard across the commercial real estate industry? At what point, I should say is there a point, where the economic costs of security have a greater effect on your bottom line where the cost-benefit analysis shifts? Mr. Lowy. I think the issue is not how much money we spend, but how effective is the money that we spend. Security is now the single largest line item in the mall industry itself, the single largest cost line item that we face, which is even more than our cleaning costs, which cleaning used to be a major item. Where it is really affecting it is in the mall industry you tend to be able to collect the cost of managing and operating a mall back from the merchants. 
So what happens is at the end of the day the cost of security ends up in the price of goods that are sold to the consumer. It is in essence added to the rent that a retailer pays. The issue with those costs, though, is a retailer can only pay a certain percentage of the cost of these total sales at the end of the day. The cost of security, that is increasing substantially after 9/11, while it is not eating into the bottom line just now, it all depends on how much you can pass on to the consumer or not, what happens with general prices, and then what happens with the total cost of operations for a retailer. I would like to add to the last testimony, just for one second. We actually do something similar to what they are doing in Washington in our malls across the country. We actually have integrated that into our CCTV cameras, which is also on the Internet. We run a 24-hour-a-day central facility which we can access and also local authorities can access, which has all the plans, all the maps, all the fire hydrants, everything available to them, as well as real-time online cameras that we use for management as well. So we have actually implemented that in the mall business here in the U.S. and we are actually exporting that to the U.K. within our own portfolio. Mr. Langevin. I see my time has expired. Thank you all for your testimony and for being here. It has been very helpful. Thank you. Mr. Lungren. The chair would state that we have received a statement of testimony from the International Council of Shopping Centers, who have requested that it be entered into the record. If there is no objection, I will do so. So ordered. For the Record Statement Prepared on Behalf of the International Council of Shopping Centers September 7, 2005 Founded in 1957, the International Council of Shopping Centers (ICSC) is the premier global trade and professional association of the retail real estate industry. 
Its more than 50,000 members in 96 countries include shopping center owners, developers, managers, marketing specialists, investors, retailers and brokers, as well as academics and public officials. As a global trade association, ICSC has relationships with 25 national and regional shopping center councils throughout the world. The shopping center industry takes its role of providing a safe and comfortable environment in which to shop very seriously. Security has always been a priority of the industry. Simply put, consumers will not shop at a shopping center that they do not feel is safe. Shopping centers employ well-trained professional security officers and enjoy excellent working relationships with their local municipal police departments. In fact, many shopping centers actually have a police sub-station located within the center. Those that do not have a police sub-station are frequently visited by local police patrols. While the shopping center industry has a long history of providing a safe environment in which to shop, we recognized that the terrorist attacks on our nation forever altered the way we police and secure our shopping centers. In October 2001, ICSC and the shopping center industry convened a conference call with the newly formed Department of Homeland Security (DHS) and representatives of the Federal Bureau of Investigation (FBI). The conference call was initiated by ICSC to establish a working relationship with DHS and to allow shopping center security professionals and law enforcement officials the opportunity to share security practices and procedures. In all, over 1,000 shopping center industry professionals participated in the call. Since that initial call, ICSC has been in constant contact with DHS and the FBI to provide a communication channel for our members. Communication is paramount. 
ICSC joined with other real estate associations in creating an Information Sharing and Analysis Center (ISAC) to expedite two-way security intelligence between retail properties and DHS. ICSC will continue to monitor the threat level and communicate to our members any and all information from government authorities as soon as it becomes available. ICSC members have actively participated in the DHS Basic Terrorism Awareness Training program. In the first year, ICSC had 609 participants representing 20 programs. In 2005, 18 programs were involved with over 500 participants. In addition, ICSC is developing a comprehensive training program that addresses the potential for chemical, biological or radiological terrorism. Designed to meet the DHS Office of Domestic Preparedness requirements for the first-responder community, ICSC's program is utilizing a ``train-the-trainer'' approach. Each participant will be expected to share the program's training insights with other security personnel thereby enabling the industry to maximize the effectiveness of the program. Since September 11, 2001, the shopping center industry has been on a heightened state of alert. Many of the security procedures the industry implemented will be obvious to consumers. These include but are not limited to: Increased patrols by uniformed security personnel in and outside of the shopping center. Increased patrols by uniformed local police officers in and outside of the shopping center. No overnight parking in parking lots. No curbside parking. The use of barriers and/or blockades in front of entrances. The use of security surveillance camera systems. In addition to these security procedures, the shopping center industry has implemented many programs and policies that go on ``behind the scenes'' and will not be obvious to consumers. These include but are not limited to: The lockdown of heating and ventilation systems with access limited to center personnel. The lockdown of loading docks. 
The lockdown of supply corridors. Searches of incoming deliveries. Background investigations of center personnel. All workmen entering a center must be prescreened, have identification, and report to security before starting work. Increased patrols by non-uniformed security personnel. Increased patrols by non-uniformed local police officers. Shopping center security is very site-specific. What is needed and used at one center may not be appropriate at another center. There are many factors that are used by shopping center security professionals in concert with their local police departments to determine the level of security required. These factors include but are not limited to the size of the center, location of the center, history of criminal activity in the surrounding community, and size of the local police department. While we are under a heightened state of alert, some centers may choose to change or increase their level of security. Others may not because they are confident the level of security in place is sufficient. Again, security is a site-specific science and it is important for consumers to have a sense of normalcy in their lives, and that includes the ability to travel freely about our shopping centers without being unduly inconvenienced. As Peter Lowy of The Westfield Group demonstrated in his testimony before this subcommittee, the retail real estate community is actively engaged in responding to the lessons of September 11 as well as the attacks in London. ICSC appreciates this opportunity to provide the subcommittee with an additional perspective of the overall shopping center industry. Please do not hesitate to call upon ICSC or its individual members during your future deliberations. Mr. Lungren. The Gentlelady from Texas? Ms. Jackson-Lee. Thank you very much, Mr. Chairman. The issue before us is an extremely important issue and I will pose a question based upon your expertise. 
I would like to acknowledge the committee for its wisdom in delaying the other witnesses who are presently dealing with a horrific horror in our own nation that is occurring. In light of that and in light of my representation of the impact area in Houston, I just want to make these remarks for the committee's consideration, and as well for the record. It is very important that the work of rescue and recovery dealing with Hurricane Katrina continues, so I am the least willing to distract individuals from the work at hand. But I do believe that there should be important interaction. I note that a number of impacted members are on the Homeland Security Committee and are probably functioning from one place to another trying to assist their constituents and others. But I do believe, Mr. Chairman, and to the prospective full committee chairman and ranking member, that we should be having daily briefings either by conference call or otherwise of the progress that is being made in the region. I think there are some serious policy issues that should be addressed as well, particularly on the question of the human devastation. The individuals, in essence, in Houston for example, probably the largest repository at this time, placement of evacuee survivors, has an array of disparate policies that are enormously confusing, particularly with the presence or the work of the Red Cross and FEMA and the need for there to be some alignment and cooperation. The establishment of Red Cross sites is not really organized. The presence of FEMA personnel is not there yet, not enough. The need for increased technology, a system-wide technology that would be able to reunite families. And then one of such magnitude that I think that we need an immediate cease-secession order, cease and desist. And that is the random evacuation of persons who desire not to be evacuated to places unknown. 
There are policies of putting people on airplanes, and when the door is open in the jurisdiction they say, ``They put me on the plane, they closed the door, and I didn't even know where I was going.'' And this is in America. So I hope that, although Mr. Chertoff is certainly consumed with the responsibilities, I think part of the problem was that he was consumed and not in communication. Many members cited that on the floor of the House and I think that is unpardonable without excuse, inexcusable, if you will, and unacceptable. It certainly is unacceptable for those of us who have a large share of the responsibility, willingly so. I cannot announce for you, if you will, or articulate for you the wide depth of charitable expression in Houston; $10 million that the city voted on in an emergency session just on Monday; feeding, if you will, food service bills for a day-and-a-half of $225,000 at one site; individuals who have opened homes and gyms and otherwise taken money out of their own pocket; others who are in hotels; 15,000 Vietnamese are in our community that we have to address through their language; a number of people from Central America. And there are no enunciated policy positions dealing with this vast number of people except waving them out across America against their will. It is well known that the leaders, the elected persons of Louisiana want their constituents to return home. So we have a crisis that we need to deal with here. I expect and would hope that this committee would have immediate hearings or briefings. If they can be abbreviated, so be it, but we cannot operate in the dark again. I thank the committee for its indulgence. Gentlemen, your issue is very important, but I am facing day-to-day life and death situations, as my colleagues in Louisiana and Mississippi are. I have the aftermath. They have the real impact. I believe this is something egregious occurring and I believe we should act immediately. Mr. Lungren. 
I thank the Gentlelady for her comments. Mr. Souder is recognized for 5 minutes. Mr. Souder. Thank you. I apologize that I missed the first panel and the testimony. I have been trying to go through the testimony here. I had actually a hearing that I had to start in my own subcommittee, as well as another meeting. I have become particularly interested in this, having gone over with Curt Weldon over to London. We met with Prime Minister Blair shortly thereafter and gave him our congressional condolences, and was there particularly on the day where they had just had the shooting of the suspect who defied the authorities, and they thought potentially had a bomb. I wondered, Mr. Millar, do security guards have the ability to detain people, and if they restrain, can they shoot at them? Do you have the legal authority if they make a judgment on the ground that many people may die if they do not act, can they act? Mr. Millar. The individual police powers that individual transit police forces have is generally speaking governed by the state law of that particular state. So, for example, I used to run a transit system in Pennsylvania. Our police officers had full police powers and were trained and licensed to carry guns. Obviously, that was the absolute last resort, but in that case they were trained to use their judgment and were permitted to use guns if appropriate. So it depends on the state and depends on the jurisdiction as to what the law allows and what the orders are that guide what the officers do. Mr. Souder. In going through your testimony and looking at this problem in general, we spent so much time on airports and the numbers that use mass transit every day are much harder to screen and go through. Mr. Millar. Yes, sir. Mr. Souder. Yet much of what we seem to be oriented toward video surveillance and so on, seem to be more how to find the perpetrator after they have blown us up. 
Do you believe that it is possible to do more if we get a network, a security pass system that works for airports, that that can also be used long-term for mass transit, particularly for subways, but also for buses and other things? Or is this just not going to be possible because of the scale? When you think of the Staten Island Ferry and the numbers there, and people coming in at the last minute and holding the doors open, I mean, is this even conceivable? Mr. Millar. We do not believe that with current technology it is practical to screen every person who would choose to use the public transit systems. There are thousands and thousands of railroad stations. There are tens of thousands of bus stops. You are talking about more than 100,000 vehicles that provide service across the country, from the very largest cities to the very small. We believe that there are other steps that must be taken. We believe you need to start with good intelligence. In my testimony, I emphasize the fact that I think we need to continue the ISAC, the Information Sharing Analysis Center for Public Transportation, for example. We believe that you need to secure the facilities the best you can. Some of that is very low-tech and some is very high-tech. It is low-tech in the sense of having better fencing around garages where trains and buses are stored. It is high-tech in the sense of in-stations have biological sensors, chemical sensors, radiological sensors. We believe that surveillance cameras have a very important role to play. We believe that the experience in London showed that. For example, while the terrible tragedy that occurred in London, we know over the last several years the camera system there has prevented at least 20 major attacks on the system. We know that in the aftermath of the attack, the camera system in London has been instrumental in obtaining evidence and ultimately obtaining the arrest of the perpetrators. 
So there are several different steps that must be taken, in our view. We believe these steps are common sense steps. We are not asking for pie-in-the-sky things that do not make sense, but it does require an additional investment, as my testimony lays out. Mr. Souder. With the chairman's indulgence, I would like to ask a question of Mr. Madsen that also may apply to those who work with the malls. At Columbine High School and the aftermath, over in the Education Committee one thing we learned, part of the reason for the delay is the police went in and the cafeteria had been remodeled. The map that they had did not work, and they had to come out, and a student and a teacher had to draw how the doors were shaped. A similar thing in 9/11, apparently going into the World Trade Center, some of the stairways were in different places because often when a school is redone, when a mall is redone, the plans that they find do not have the updates on them for the emergency personnel. Is this something that your school system has addressed? Is this something malls are addressing? I know that it is happening across the country. It can be fairly expensive, but it is unbelievable that when we go into the buildings we do not know where the doors or the stairwells and so on are. It is kind of a basic thing we ought to be focusing on. Mr. Madsen. The system that we have allows us to update and uplink information, and then that is automatically downlinked to all of the other computers that store that data that police, fire, school district security access. I have charged each of my district resource officers that responsibility to at least annually ensure that if there are any changes from a capital project standpoint that they communicate with our facilities department, get updated CAD drawings, and those are then entered into the system, much the same as organizational charts, photos from our photo ID system. 
Individual district resource officers have buildings assigned to them, and that is one of their charges to ensure that that data is correct and updated on an annual basis. Mr. Souder. Are the malls doing that as well? Obviously, if there are hostages; if there is a bomb in a location and our maps do not work, we are helpless. Mr. Lowy. It is a little easier for us because we get to control the resources, rather than a city itself. With merchants coming in and changing in the mall all the time, we actually update them every month, and then we uplink them onto our Web site and then we send a new disk to the local police and fire every month. They are on mall properties all the time anyway so we have terrific relationships with them. But you are right, if you do not update it every month or every year, the plans that you pull down can be old and things change. The one issue about digitizing all of the plans and having first responders come and go is the initial costs may be high, but you have to also keep the ongoing expenditure because you must update them all the time, otherwise it is a waste of time. Mr. Souder. Thank you. Mr. Lungren. Mr. Lowy, you mentioned in your written testimony that--and I know it is not the total focus of this hearing, but it seems to me it is an important component in this whole process, and that is the extension of Terrorism Risk Insurance Act (TRIA). Why do you find that important enough to have mentioned it? Mr. Lowy. It is a very important issue for us. One of the issues we talked about a little bit is the amount of money we spend on security and why have we put all these systems in place. One of the issues that we face even with TRIA or without TRIA is it is very difficult for us to get terrorism insurance. So that the risk of insurance or the risk of a terrorism attack prior to 9/11 was actually taken by the insurance industry itself. 
Without TRIA, we could not get enough insurance or in some cases any insurance for a terrorist attack, so the economic risk of that attack was moved over to the shareholders or the business owners or whoever else was earning the asset itself. So one of the reasons we spend so much money and time on the security is that we are actually at risk, whether TRIA is in place or not right now. We cannot get enough coverage. We have $14 billion worth of assets in the U.S. We can get $800 million of coverage today. We believe that without TRIA being renewed, that coverage will fall to somewhere close to zero, and that we just will not have any ability to get insurance. The issue with that, then, is if you get another attack similar to what went on with 9/11, we believe at the end of the day that the federal government will have to decide whether it will come back in and make all the losses, make everybody good and settle up all the losses for the people and/or the property. Or it will stay out and the economic effects on the economy will be much greater than happened in 9/11. Just one last thing. The key in 9/11 to the economy being stable straight after the attack was that the federal government stepped up and put almost $30 billion into the economy to make good the losses and the victim's compensation fund. Mr. Lungren. Even though TRIA is not under the jurisdiction of this committee, I happen to think it is important for us to look at because it is part of the total picture as we deal with the soft targets that are out there in private industry. That leads me to another question. I would like to direct it to Mr. Lowy and Mr. Norton. That is this. Mr. Lowy, you have talked about the specific way you have developed your own program digitalizing plans and so forth, making them available, updating them every 30 days. It is obviously not the standard in the industry right now. Some may say you are the leaders in the industry. One of the concerns I have is this. 
How do we work from a governmental standpoint, working with those of you in the private sector, to emphasize best business practices that are actually best business practices? That is, if some take certain steps that they can afford to take to protect them against or their assets against possible terrorist attack, does that leave others open to lawsuits thereafter such that you are fearful of exchanging information, or such that the business community is worried about establishing what the business practices are? The reason why I say this is when we originally--I was outside the Congress at the time, but working on it--when TRIA was originally passed by the House, it contained in it some liability limitations with respect to terrorist attacks. When it went over to the Senate side, that was taken out. The Administration, having looked at TRIA, is not quite as negative about it as I feared the Treasury Department would be, but they indicated that Congress needs to look at some changes in the program. From your standpoint, both of you, is there a concern about liability after the fact that in some ways impedes the ability of your industry to get together and say, these are best business practices, or publish what the best business practices are, for fear that later on you will be subject to suits because you did not expend 20 percent of your capital as others have done? Mr. Lowy. I think the way we look at it is if there is a terrorist incident, we are convinced we will be sued no matter what we do. Part of the issue in the testimony is that one of the things we are looking for from Homeland Security is that we might have best practices or the money we spend may be wasted. I doubt it is wasted, but we think we have best practices. But depending on the alert level that Homeland Security puts out depends on how we operate our malls. 
I actually brought with me, which we would not put into the public record because it is a security document, what happens when the threat levels actually increase; what we actually do in the mall; how much more manpower; where do we put them; what do we do. So we respond to Homeland Security, but we do not know if we respond in a manner that is in line with what the government thinks or not. So at the end of the day, while it was not in my testimony, we would be looking for some form of safe harbor; that if there were best practices that came out from Homeland Security after a survey of what everybody does, that if we follow those practices we do get some safe harbor provision. Mr. Lungren. My concern is at some point in time you could make us so hardened to attack that you cannot do your job. We could make every mall in America and every hotel in America and every business in America and every school in America basically impenetrable, but people would not want to go. People do not want to go to a moat. You do not want to go to a prison to enjoy your honeymoon. You know what I am saying. Mr. Lowy. I agree. Mr. Lungren. So how do we strike that balance and how do we in the Congress encourage such activity? TRIA is part of it, but best business practices are others. Maybe tax incentives are others. But how do we do it in a mix of incentives and disincentives such that we do respond to the terrorist attack, but we do not change essentially who and what we are? Mr. Lowy. We agree with that. The biggest issue that we face is, while we all talk about security here, that is not my main focus in life, but we do have to make sure that our customers and our consumers are protected to the best of our ability, while keeping the malls open and while having freedom of movement, freedom of goods. At the end of the day, people have to come and shop and work within the society. The way we look at it is in conjunction with TRIA. 
At the moment, we get no benefit on our insurance premiums for any of the security work that we do, any of these systems that we have designed or any of the capital that we put in. Our insurance premiums are exactly the same as the person next door or the guy down the street. We would hope that Congress could work with the insurance industry and ourselves; that if a certain set of practices were used, that we could then get some break on the insurance premiums that we are paying for terrorism insurance, because we are making our responses better, our targets better. At the end of the day, we are not looking to make our malls impenetrable because we actually need to operate in a capitalist society, which we honestly prefer to do. Mr. Dicks. Mr. Chairman? Mr. Lungren. Yes. Mr. Dicks. Just for a second. I think it is especially relevant on transportation what you just said. I mean, you are talking about malls, but you have to have transportation systems that the people can use in a timely way. We have, for example, ferry systems in Washington state. If we had an inspection of every car or every truck, that would stop it. You would not be able to use the ferry system or the subway system. I think it is very relevant to the other witnesses here as well. Mr. Lungren. Thank you. I understand the Gentlelady has a statement to make? Ms. Jackson-Lee. Thank you very much, Mr. Chairman. Gentlemen, the hearing is very important. I am going to ask unanimous consent to have my statement placed in the record, and subsequently pose questions dealing with best practices. But as you realize, there are conflicting and competing concerns, and I want to thank you for this hearing and look forward to a further hearing. Mr. Lungren. Without objection, so ordered. The Gentleman from Indiana? Mr. Souder. I wanted to make an additional comment. As a member of Congress, we all have different things in our district that shed light upon the different things. 
By the time we retire, we are almost up to where we understand. This insurance question is huge, because it is not the insurance companies, it is the reinsurance companies. Lincoln Financial in Fort Wayne sold their big division to Swiss Re, and Swiss Re took a hit on 9/11 that was unbelievable because they had like 50 percent or 60 percent of all the reinsurance for the insurance companies. The insurance companies do not hold the bag; they just hold a percent. They pass it off. American Specialty in my district handles a high percentage of stadiums, NASCAR places, amusement parks and so on, and they put together the packages. Right after 9/11, we sat down with the risk assessment people. I mean, it is a tough decision right now whether to insure all you guys with their private capital, because unless we have these government programs to back it up, there is no way to factor in the risk of a failure without just assuming you are going to go bankrupt, then you do not have insurance anyway. Because if your reinsurance and your insurance preparers go bankrupt, the government is going to wind up, either the people are out or the government is there. We have to have some form of backup supplemental. It is more of a question of what it is going to be and how much is going to be absorbed directly through the consumers; how much is going to be absorbed through taxes; and how much is going to be theoretically, businesses are just pass-through institutions. It is a huge challenge because from the insurer's perspective, they do not know how to factor this risk either. Mr. Lowy. As an industry, what we are really asking for is that the federal government give the reinsurance industry capacity so we can actually buy insurance at a reasonable cost. We are not looking for any handouts. We do not want this to be a big handout to the insurance industry. What we really need them to do is insure our risk at a reasonable cost for us to be able to deal with it. Mr. Souder. 
What the chairman was saying in sharing best practices and risk pooling, while it may be counter to some things that we have looked at in the past, the fact is it is one of the only ways to keep the insurance rates in a reasonable way either to the taxpayers or to the consumers who are going to pay it in raised prices, because businesses, like you say, are going to pass it on. You are just a pass-through institution. You either have to reduce the quality of your products or the labor costs or something, or raise the prices. This is a crux of how we are going to protect people, because if they cannot get insurance, we are in real trouble.
Mr. Lowy. The biggest fear we have without TRIA is there will not be terrorism insurance and the economy will actually be taking the risk, not the insurance industry.
Mr. Lungren. I thank the Gentleman from Indiana. Having been at Heinz Field in Pittsburgh this weekend to watch Notre Dame beat Pittsburgh, I compliment you on your dress today.
[Laughter.]
I will not say anything about the Washington Huskies. I thank the witnesses for their valuable testimony and the members for their questions. The members of the committee may have some additional questions for the witnesses, and we will ask you to respond to these in writing please. The hearing record will be held open for 10 days. Let me once again thank you. Your very, very helpful testimony will assist us as we move forward. Without objection, the committee stands adjourned.
[Whereupon, at 11:43 a.m., the subcommittee was adjourned.]
THE LONDON BOMBINGS: PROTECTING CIVILIAN TARGETS FROM TERRORIST ATTACKS PART II
----------
Thursday, October 20, 2005
U.S. House of Representatives, Committee on Homeland Security, Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity, Washington, DC.
The subcommittee met, pursuant to call, at 3:06 p.m., in Room 311, Cannon House Office Building, Hon. Dan Lungren [chairman of the subcommittee] presiding.
Present: Representatives Lungren, Pearce and Thompson (ex officio).
Mr. Lungren. The hearing of the Committee on Homeland Security, Subcommittee on Economic Security, Infrastructure Protection and Cybersecurity will come to order. The subcommittee is meeting today to hear testimony from the Department of Homeland Security on protecting soft targets from terrorist attacks. I want to thank our panel of witnesses for joining us today. What we are doing today is convening as a continuation of a hearing that was held in the beginning of September on efforts to better secure our Nation's numerous soft targets. At that time we heard from representatives of shopping malls, office buildings and schools on their efforts to prepare for, protect against and mitigate a terrorist attack. We originally planned on having a government panel before the private panel, but due to Hurricane Katrina and the workload that ensued afterwards, our DHS witnesses had to postpone until today. This was fortuitous in some respects as we were able to learn a lot from that first panel of witnesses, and we can now get some answers and clarification from the Department with respect to some of the issues that were raised at that time. What became apparent during our first panel discussion on the soft target issue, and really an issue that we have grappled with time and time again on this committee, is how do we take our limited resources and expect to protect against an almost infinite number of civilian targets and terrorist scenarios. The response that we have collectively heard again and again to this problem is that our Nation must be risk-based in our approach to security. I think it is important that we take time to realize what this would actually look like in practice and begin to think about how the Department can move forward towards utilizing this methodology across the board.
In practice, a risk-based methodology means not focusing on each sector from top to bottom--it means not focusing on one sector at the expense of others. I don't expect the Department to secure, or for that matter, even to analyze, the risk of every single chemical facility in this country and then move on to do the same for dams and office buildings, and then off to malls and so forth. There are not enough resources to do this, and certainly not enough time. We must be acting as if the next terrorist attack is just around the corner. And, the job at the Department of Homeland Security, I believe, is to focus on securing the highest-risk sites first. Each sector is filled with a mix of low, medium, and high-risk sites, the majority falling into the first two categories of medium to low risk. For every low risk site the Department spends time analyzing or securing in one sector, there is the potential for a high-risk site in another sector to go unaddressed--at least for a time. What we need is cross-sector risk analysis to identify the highest-priority sites across the country and across all sectors, and simultaneously be working to identify protective measures that can be taken to mitigate those risks. At the same time, we should be working with our partners in the private sector to develop guidance for the low and medium risk sites so they can improve the security practices there as well. As Secretary Chertoff has said repeatedly since taking office earlier this year, Homeland Security must be more than simply reacting to the latest action of our adversary. We should avoid being dictated to by the ``target du jour''. We should be securing our homeland in a systematic and prioritized manner based on our best understanding of the risk. When we originally scheduled this hearing, I was expecting that Members would focus on transit security in the wake of the London subway attacks.
We now know from the President himself that we have foiled al-Qa'ida attacks aimed at apartment buildings, other urban targets, tourist sites and ships. And, of course, post-Katrina there is a renewed focus on the vulnerabilities of dams and levees. Yet we recently learned that the New Orleans levee system, which for years has been identified as being vulnerable to hurricanes with catastrophic consequences by DHS itself, was something that received little attention by either DHS or state officials prior to Katrina, even though a terrorist attack on the levee system could have been even more catastrophic than a hurricane. In fact, it is my information that this levee system was not even included on the Department's list of top priority assets, even though other less consequential sites did make that list because they fell within a particular sector. I would hope that we would be better--we have to be better about developing a truly prioritized national list and doing so quickly. What I hope to hear from our witnesses today is how you are prioritizing across sectors, and what you are doing in real time to secure our most critical and most at risk infrastructure, whether they be dams, levees, chemical plants, subways, apartment buildings, malls, you name it. I thank the witnesses for their appearances today, and I recognize the Chairman of--excuse me, the Ranking Member--I keep calling him Chairman, I keep trying to get him to become a Republican.
Prepared Statement of the Hon. Dan Lungren
October 20, 2005
Good Afternoon everyone and I want to thank our panel of witnesses for joining us today. The Subcommittee is convening today as a continuation of a hearing that was held in the beginning of September on efforts to better secure our Nation's numerous soft targets. At that time, we heard from representatives of shopping malls, office buildings, and schools on their efforts to prepare for, protect against, and mitigate a terrorist attack.
We had originally planned on having the Government panel before the private panel, but due to Hurricane Katrina and the workload that ensued afterwards our DHS witnesses had to postpone until today. This was fortuitous in some respect, as we were able to learn a lot from that first panel of witnesses and we can now get some answers and clarification from the Department with respect to some of the issues that were raised then. What became apparent during our first panel discussion of the soft target issue--and really, an issue that we have grappled with time and again on this Committee--is how do we take our limited resources and expect to protect against an almost infinite number of civilian targets and terrorist scenarios? The response that we have collectively heard again and again to this problem is that the Nation must be ``risk-based'' in our approach to security. I think it's important that we take time to realize what this would actually look like in practice and begin to think about how the Department can move towards utilizing this methodology across the board. In practice, a risk-based methodology means not focusing on each sector from top to bottom--it means not focusing on one sector at the expense of others. I don't expect the Department to secure--or, for that matter, even to analyze the risk of--every single chemical facility in this country, and then move on to doing the same for dams, and then to office buildings, or to malls. There are not enough resources to do this--and certainly not enough time. We must be acting as if the next terrorist attack is just around the corner. And your job, as the Department of Homeland Security, is to focus on securing the highest risk sites first. Each sector is filled with a mix of low, medium and high-risk sites--the majority falling within the first two categories of medium to low risk.
And for every low-risk site that the Department spends time analyzing or securing in one sector, there is the potential for a high-risk site in another sector to go unaddressed. What we need is cross-sector risk analysis to identify the highest priority sites across the country--across all sectors--and simultaneously be working to identify protective measures that can be taken to mitigate those risks. At the same time, we should be working with our partners in the private sector to develop guidance for the low and medium-risk sites so they can improve their security practices as well. As Secretary Chertoff has said repeatedly since taking office earlier this year, homeland security must be more than simply reacting to the latest action of our adversary. We should be securing our homeland in a systematic and prioritized manner, based on our best understanding of the risk. When we originally scheduled this hearing, I expected that Members would focus on transit security in the wake of the London subway attacks. We now know, from the President himself, that we have foiled al-Qa'ida attacks aimed at apartment buildings, other urban targets, tourist sites, and ships. And, of course, post-Katrina, there is a renewed focus on the vulnerabilities of dams and levees. Yet we recently learned that the New Orleans levee system--which for years had been identified as being vulnerable to hurricanes with catastrophic consequences by DHS itself--was something that received little attention by either DHS or State officials prior to Katrina, even though a terrorist attack on the levee system could have been even more catastrophic than a hurricane. In fact, this levee system was not even included on the Department's list of top priority assets, even though other less consequential sites did make that list simply because they fell within a particular sector. We have to be better about developing a truly prioritized, national list, and doing so quickly. 
What I hope to hear from our witnesses today is how you are prioritizing across sectors, and what you are doing, in real time, to secure our most critical and most at-risk infrastructure--whether they are dams, levees, chemical plants, subways, or apartment buildings. I thank the witnesses for their appearance today, and I will now recognize the Ranking Member, Ms. Sanchez, for any opening statement she may wish to make.
Mr. Thompson. You are already looking into the future.
Mr. Lungren. Well, maybe I am looking into the future. We would always welcome you in the Republican Party. The Chair now recognizes the Ranking Member of the full Committee, the gentleman from Mississippi, Mr. Thompson, for any statement he might have.
Mr. Thompson. Thank you very much, Mr. Chairman. The good thing about this committee is, as you know, whether you are Democrat or Republican, our real goal is to make sure that we are safe, and I can say that all our members see that as number one priority. Let me welcome the panelists for today. Generally speaking, this would be a full panel, but when the Congressional schedule changes, people go to their districts real quick, and we understand that. I think their absence is no indication of them not being interested in this issue. Like all Americans, I was shocked and repulsed by the terrorist attacks in London. This attack has served as a reminder that America and its close allies continue to face a determined enemy that thinks nothing of slaughtering innocent people. I was troubled, I have to say, by Mr. Chertoff's comments yesterday before the Katrina Committee that he had to get his house in order. How many disasters, attacks, and close calls is it going to take before the Department of Homeland Security wakes up? First, we saw the Government's response to the hurricanes. Then we saw the disconnect between the Federal Government and the New York officials about threats to the city's subway systems.
Two days ago the Baltimore tunnel was closed. I heard, as the tunnel closed, conflicting reports about whether it was a real or fake threat. Mr. Chertoff, in your absence, while you have been putting your house in order, it has crumbled to the ground from neglect to its foundation and walls. Trust is important. I, along with every other American person, must be able to trust the Department of Homeland Security to perform at 100 percent, if not more. I am close to losing all trust. With regard to our mass transit and passenger rail systems, I am especially worried. Almost 4 years after the September 11th terrorist attacks, passenger rail and transit security remains a Department of Homeland Security afterthought. While the United States has spent over 18 billion on aviation security since 9/11, we managed only to offer up 717 million for transit security. That simply falls too short, especially when one considers that every American takes mass transit 16 times more often than they travel by air. The National Strategy for Transportation Security that the Department recently submitted that was supposed to lay the groundwork for securing our mass transit systems was lacking. Indeed, it did not meet Congressionally mandated requirements. Speaking of which, I want to know when DHS will start using the National Response Plan. Secretary Chertoff told Members of Congress yesterday that the Department did not have an integrated plan in place when Katrina struck. What about the National Response Plan? Did he forget about it? Is it another document that contractors put together that wastes taxpayers' dollars because the Department doesn't think it is good? I would like to know. One thing I would also like to hear from today's witnesses is when will the Department finish the National Infrastructure Protection Plan? Our Chairman alluded to this plan. The levee systems are not included in that plan. 
We had some, as you know, miniature golf courses that were on the plan, and I can't see how we can put a miniature golf course on this infrastructure protection plan but we can't put a levee system on the plan. Andy Purdy from the Department testified 2 days ago that he couldn't tell us definitively when it was going to be completed. I hope you can do better than that. GAO and IG both have looked at the National Infrastructure Plan, and they said it is inadequate. It is back in the Department for further review. We were told initially we might get it by November; now we hear February, but I would like to know for sure when that time is. I yield back.
Mr. Lungren. Thank you, Mr. Thompson.
Mr. Lungren. We are pleased to have two members for a distinguished panel of witnesses before us today on this important topic, and the Chair recognizes Mr. Robert Stephan, the Acting Under Secretary for Information Analysis and Infrastructure Protection of the U.S. Department of Homeland Security to testify.
STATEMENT OF ROBERT STEPHAN
Mr. Stephan. Thank you, Mr. Chairman. Good afternoon. And good afternoon to you, Representative Thompson. I appreciate the opportunity to speak with you and your distinguished committee today. The Department of Homeland Security, I assure you, is committed to working with our partners in State and local and tribal governments, as well as across broad elements of the private sector to reduce the overall level of risk of terrorist attacks against our national critical infrastructure and key resource base. In analyzing terrorist risk, it becomes clear that certain means of attack against certain types of targets are easier for terrorists to accomplish and execute, and more difficult for us to protect against. The July 7th and 21st horrific attacks on the London mass transit system in 2005, as well as the March 2004 attacks in Madrid, underscore the inherent vulnerability of so-called open-access systems.
Recognizing that despite our best efforts we cannot always protect everyone and everything against all dangers, Secretary Chertoff's risk-based approach allows us to make better judgments about where we target resources, and prioritize our protection efforts to reduce this overall risk, and protect our critical infrastructures and key resources from terrorist attacks. In doing so, DHS has several principal objectives in mind: providing resources and training to State and local governments and law enforcement for security enhancements across the board; providing information to both public and private sectors on the threat environment, the tactics, techniques and procedures of terrorist organizations and terrorist individuals, our common vulnerability and risks, suggested protective measures; as well as creating information-sharing networks and mechanisms that efficiently and effectively enable DHS to share best practices, as well as our Federal Government partners in the unique aspects of their assets, to improve situational awareness during a crisis or when faced with a general or a specific threat situation. These objectives are being realized through the implementation of a Unified National Plan--and I will answer Representative Thompson's concerns regarding the National Infrastructure Protection Plan in follow-along questions, sir--for the consolidation of critical infrastructure protection activities into your basket that we are responsible for. The cornerstone of this National Infrastructure Protection Plan is a risk management framework that combines threat, vulnerability and consequence information and approaches to produce a comprehensive, systematic and informed assessment of national and sector-specific risks that drive our risk reduction efforts in the critical infrastructure and key resource sectors.
The principal steps in this risk management framework are to set sector security goals, identify assets, assess risks, and prioritize our efforts and resources accordingly based on the severity and mass effect of potential consequences principally, although, importantly, also taking into account vulnerabilities and specific threat information. DHS has developed two important tools to assist in this process. The first of these is the National Asset Database, the central Federal repository for national infrastructure-related information that we get from a host of stakeholders across State, local and private sector arenas, and serves also as an inventory of the Nation's assets and infrastructures. Secondly, we have a risk management tool called RAMCAP, which is an acronym for risk assessment and management for critical asset protection, which is collaboratively being developed across sectors that will guide and provide a spearhead for this national risk assessment, Mr. Chairman, that you are looking so desperately for, to enable an assessment and comparison of risk of critical infrastructure assets both across and within our most important sectors of responsibility, thereby enabling the prioritization of protective efforts and resources, and a more efficient conduct of our responsibility. DHS leads the Federal Government's critical infrastructure protection efforts and works in collaboration with State and local governments, the private sector, and, of course, numerous other Federal departments and agencies. We are not lone wolves in this mission. Examples of protected programs DHS has implemented successfully and will continue to execute upon include the DHS Vulnerability Identification Self-Assessment Tool, which has a very broad application across these open-access targets that you are very concerned about with this hearing. 
The goal of this program is to raise the level of security awareness in public assembly facilities across the Nation, as well as establish a common baseline of security from which these facilities can build their protection plans and their appropriate response mechanisms with Federal, State and local partners. We also have a Target Awareness Training Program that provides baseline prevention and awareness training to first-level supervisors and security personnel across these so-called soft target categories in order to increase their ability to deter and detect potential attacks, as well as increase the reporting of suspicious activity and suspect items. One of the principal goals of our Federal, State, local and private sector partnership is providing the necessary framework and support to really enable coordination and information sharing within critical infrastructure sectors across these sectors, and between all levels of government and the private sector in order to achieve and execute our responsibilities. Examples of various information-sharing mechanisms. Later on in the question-and-answer session, I would love to get in more deeply with you some of the more specific incidents surrounding the London bombings, the recent terrorist threat information relative to New York and Baltimore, if you would like. Examples of things that we use as information-sharing mechanisms includes sector coordinating councils, government coordinating councils, our Homeland Security Information Network--which our director Matt Broderick will be briefing you on tomorrow--the National Infrastructure Coordinating Center, and various private sector information-sharing and analysis centers.
DHS also has and will continue to work closely with allied nations and international partners with respect to garnering information relative to open-access target sets as well as tactics, techniques and procedures that are employed by terrorist adversaries that more routinely perhaps than in the United States perpetrate devastating attacks abroad against their facilities, assets and open-access systems. We also are members of the Department of Defense's effort in the Joint Improvised Explosive Device-Defeat Task Force, which is an important interagency, international effort with Israeli, Australian, Canadian and British participation to get at very significant problems. In terms of reacting to crisis situations in the immediate aftermath of the London attacks on July 7th, DHS activated our Interagency Incident Management Group to serve as the national headquarters-level multiagency coordination hub for incident management and response. Upon the decision to elevate the Homeland Security advisory system from yellow to orange for the mass transit sectors specifically targeted, the Office of Infrastructure Protection, in partnership with the Transportation Security Administration, coordinated outreach with the private sector and public sector partners broadly in the mass transit sector to provide them with an overview of the latest threat intelligence, to explain the implications nationwide of the move to orange, and to provide them an opportunity to discuss those implications. We have worked with our Federal partners to enhance security in our Nation's largest mass transit system and transit systems across the board, and have made Urban Area Security Initiative funding available for overtime to State and local law enforcement for activities related to increased mass transit security. 
Throughout this process DHS effectively executed a mission during the July 7th and 20th attacks as coordinator of National Critical Infrastructure Protection efforts as well as the national-level focal point for information sharing both within the Federal Government and between the public and private sectors. In conclusion, I would like to reinforce--and I want to answer many of the important questions you raised in your introductions, gentlemen--that we are dedicated to working with infrastructure stakeholders across the country to increase the security of our Nation's critical infrastructure sectors using Secretary Chertoff's risk-based approach. The places and events where our fellow citizens are most vulnerable are a key priority. With your continued support, spirit of cooperation, as well as that of the American people, we will succeed in this very important issue, and these people are not going to beat us. Thank you.
Mr. Lungren. Thank you very much, Mr. Stephan.
[The statement of Mr. Stephan follows:]
Prepared Statement of Robert B. Stephan
October 20, 2005
Introduction
Good morning, Mr. Chairman, Ranking Member Sanchez and distinguished Members of this Subcommittee. I appreciate the opportunity to speak with you. The Department of Homeland Security is committed to working with our partners in State, local and tribal governments and the private sector in reducing the overall level of risk of terrorist attacks against our national critical infrastructure. By reducing risk, we mean examining the consequences of a potential attack; examining the vulnerability of critical sites and facilities to various modes of attack; and examining the potential threat--that is, the intent of terrorists to attack in a given place and their likelihood of success. In analyzing risk, it becomes clear that certain means of attack against certain types of targets are easier for terrorists to accomplish and difficult for us to protect against.
The July 7 and 21 attacks on the London mass transit system in 2005, as well as the March 2004 attack in Madrid, underscore the inherent vulnerability of open-access systems. Recognizing that despite our best efforts, we cannot always protect everyone against all dangers, this risk-based approach allows us to make better judgments about where we target resources and prioritize our protection efforts. In working to reduce risk and protect critical infrastructure, DHS has three principal objectives:
Provide resources and training to State and local governments and law enforcement for security enhancements;
Provide information to both public and private sectors on the threat environment, tactics and techniques of terrorists, common vulnerabilities and suggested protective measures; and
Create information-sharing mechanisms that enable DHS stakeholders to share best practices and the unique aspects of their assets to improve situational awareness during a crisis or when faced with a specific threat.
The National Infrastructure Protection Plan
These objectives are being realized through the implementation of the National Infrastructure Protection Plan (NIPP). Directed by Homeland Security Presidential Directive 7 (HSPD-7), the NIPP is a unified national plan for the consolidation of critical infrastructure protection (CIP) activities. The NIPP is a collaborative effort between the private sector, State, local, territorial and tribal entities and all relevant departments and agencies of the Federal government. The cornerstone of the NIPP is a risk management framework that combines threat, vulnerability, and consequence information to produce a comprehensive, systematic, and informed assessment of national or sector risk that drives our risk reduction efforts in the critical infrastructure/key resources (CI/KR) sectors. This framework applies to the general threat environment as well as specific threats or incident situations.
NIPP Risk Management Framework
Set Security Goals. Achieving a secure, protected, and resilient infrastructure requires a common set of national and sector-specific security goals that address those aspects of risk that can be affected and collectively represent an acceptable security posture. Therefore, sector security goals will be determined through a collaborative effort of government agencies and the private sector. Establishing sector security goals is the nexus of the NIPP planning process that will drive the public/private partnership. Nationally, the overarching security goal of reducing risk begins with an enhanced state of CI/KR security, a state which is best achieved through the implementation of focused risk reduction and protective strategies across the critical sectors.
Identify Assets. Once security goals are set, the next step in the framework is to develop and maintain an inventory of the Nation's assets. First, asset information is collected and catalogued in the National Asset Database (NADB), which is the central Federal repository for national infrastructure-related information. Second, after an asset is identified and basic information on it is collected, DHS employs an initial screening methodology to determine whether or not it is of national consequence. Finally, priority is given to applying federal resources to those assets that, if attacked, could have a nationally significant effect.
Assess Risk. If an asset is determined to be of national consequence, it is then subjected to a risk analysis. As mentioned before, risk is determined through a combined assessment of:
Consequence--estimates of the damage a successful attack would cause;
Threat--estimates of the likelihood that a particular target or type of target will be selected for attack; and
Vulnerability--assess which elements of infrastructure are most susceptible to attack and how attacks against these elements would be most likely carried out.
One of the Department's principal risk-assessment tools is RAMCAP (Risk Assessment Methodology for Critical Asset Protection). RAMCAP is being developed by DHS in collaboration with other federal agencies and the private sector as a sector-specific consequence, vulnerability, and risk methodology. RAMCAP enables an assessment and comparison of risk of critical infrastructure assets both across and within CI/KR sectors, thereby enabling the prioritization of protective efforts and effective use of available resources.
Prioritize. It is impossible, nor do we attempt, to protect all CI/KR equally across the entire United States. We assess the potential consequences of an attack, threats, and vulnerabilities for CI/KR sectors, as well as individual assets within those sectors and prioritize our efforts based upon the severity and mass effect of potential consequence. Conducting risk analysis provides us with the information needed to make such determinations, as well as provides the department a basis upon which to make longer-term resource decisions including strategic protective programs and planning for response and other contingency situations.
Implement Protective Programs. The widely dispersed nature of critical infrastructure demands equally dispersed ownership and execution of protection programs. It requires centralized leadership which in turn drives consistent implementation and ensures the greatest cost-benefit through addressing the greatest risks. DHS leads the Federal government's critical infrastructure protection effort, and works in collaboration with State and local governments, the private sector, and our international partners to protect against potential terrorist attacks through reducing our vulnerabilities and enhancing our response capabilities to potential terrorist attacks.
Some of the key DHS programs include:

Vulnerability Identification Self-Assessment Tool--An important initiative designed to increase the capabilities of private sector owners and operators to enhance their own security is the DHS Vulnerability Identification Self-Assessment Tool (DHS-VISAT). This is a voluntary, on-line assessment tool that was originally developed to help transportation asset owner/operators enhance security. The goal of this program is to raise the level of security awareness in public assembly facilities across the nation and establish a common ``baseline'' of security awareness from which these facilities can build their protection plans. To date, it has been adapted for use by stadium and arena managers and access has been provided to over 300 stadiums and 400 arenas. Currently this tool is being modified for use by other commercial venues including convention and performing arts centers. In addition, we have engaged in piloting efforts with the States of Texas, Virginia, and California to adapt the tool to support security awareness in K-12 schools.

Target Awareness Training--The Target Awareness Training (TAT) program provides baseline prevention and awareness training to first level supervisors and security personnel and is supported by VISAT. The primary objectives of TAT are to increase the ability to deter and detect potential attacks and to increase the reporting of suspicious activity and suspect items. The courses focus on law enforcement and security staff working in shopping malls and centers, places of worship, educational institutions, hotels, and sports complexes. Over 2,500 law enforcement and private sector personnel have participated in 128 TAT Courses since September 2003. We also provide a Surveillance Detection Course, Surface Transportation Antiterrorism Program, and an Improvised Explosive Devices/Weapons of Mass Destruction (IED/WMD) Electronics course.
Bomb Prevention--Bombing is a preferred tactic for terrorists seeking relatively uncomplicated, inexpensive means for harming large numbers of people and inflicting maximum damage on critical infrastructure. The threat that IEDs and other types of explosive weapons pose is of great concern given the relative technological ease with which such an attack could be planned and executed. Central to preventing bombing attacks are:

the need for new critical thinking and analysis regarding the nature and scope of preventing an attack;
innovation in detection, deterrence, and improving system robustness in the face of an adaptable enemy;
the importance of increased stakeholder participation and cooperation;
the need for more robust information sharing and collaboration measures; and
meaningful dialogue between State and local jurisdictions and the Federal government to identify and fill operational capability gaps related to training, equipment, technology and resources.

We will continue to assist state and local entities in identifying gaps in protective capacity and obtaining required resources. Under Homeland Security Presidential Directive-8 and the National Preparedness Goal, the Department is identifying bomb prevention capabilities at every level of the government and identifying gaps in this capability. We are taking steps to address any gaps that exist by developing a focused and unified national bombing prevention effort through such groups as the Interagency Governance Board and the IED Task Force. DHS is also developing enhanced knowledge management systems that foster information sharing and collaboration between Federal, State, and local entities involved in bombing prevention, and among various and disparate law enforcement jurisdictions.
Information Sharing

One of the principal goals of the Federal-State-local-private sector partnership is to provide the necessary framework and support to enable coordination and information sharing within each CI sector, across all CI sectors, and between all levels of the government and private sector in order to achieve the execution of a full spectrum of prudent and responsible protective actions.

Sector Partnership Model--Under the NIPP framework, DHS is helping to create private sector-led Sector Coordinating Councils (SCCs) for each of the 17 critical infrastructure sectors. These councils will serve as a mechanism for identifying risk and protection issues within their specific sector and addressing the range of infrastructure protection activities. For example, the ``Commercial Facilities'' sector coordinating council encompasses open-access facilities that, if attacked, could cause significant casualties and economic damage. Accordingly, membership in the Commercial Facilities SCC includes all major sports leagues, International Council of Shopping Centers, Marriott, Warner Brothers, Disney, the Real Estate Roundtable, the Self Storage Association, the International Association of Assembly Managers, and others.

Both the SCCs, and their government counterparts, Government Coordinating Councils (GCCs) will increase inter-agency coordination and information sharing on critical infrastructure protection activities. The GCC coordinates strategies, activities, policy, and communication across organizations within each sector. Unlike the SCC, it does so through the Federal government. The SCC and GCC work together to create a coordinated national mechanism for infrastructure protection in their sector. Members of the Commercial Facilities GCC include the US Secret Service, the Federal Protective Service, the Environmental Protection Agency, the General Services Administration, and the Departments of Commerce, Justice, Interior, and Education.
Homeland Security Information Network--DHS is developing a networked approach to information-sharing that enables rapid information dissemination to decentralized decision makers across the nation. The key objectives of this approach are to enable multi-directional information sharing between and across government and industry; provide all CI/KR sector owners and operators with a robust communications framework, tailored to the specific information sharing requirements of each sector; and provide a comprehensive threat landscape to all security partners, including general and specific threats, incidents and events, impact assessments, and best practices. At the core of this networked approach is a series of sophisticated, secure tools and support mechanisms, collectively referred to as the Homeland Security Information Network (HSIN), which provides a national communications platform that enables the flow of near real-time information among governmental entities at all levels (i.e., Federal, state, territorial, local, and tribal), private sector organizations, and international security partners.

National Infrastructure Coordinating Center--The National Infrastructure Coordinating Center (NICC) is a 24x7 watch operation center that maintains operational and situational awareness of the Nation's CI/KR sectors. The fully operational NICC provides a centralized mechanism for gathering information and a process for sharing and coordinating information between and among government, SCCs, GCCs, and other industry partners. The NICC receives incident reports from specific sectors in accordance with pre-established information-sharing standard operating procedures. When required, the NICC also disseminates a wide range of products containing warning, threat, and critical infrastructure protection (CIP) information to the private sector and government entities.
The NICC is also responsible for receiving situational and operational information from the private sector and disseminating that information throughout the Homeland Security Operations Center (HSOC), other government operation centers, and industry partners as applicable.

Information Sharing and Analysis Center--The private sector has established a number of information-sharing mechanisms that contribute to the protection of their assets. One such mechanism is the Information Sharing and Analysis Center (ISAC). While the SCCs ultimately define the unique information-sharing requirements for each sector, ISACs and other existing mechanisms provide an array of options and capabilities for some infrastructure owners and operators. ISACs, while varying greatly in composition, scope, and capabilities, offer a viable information-sharing mechanism. Some ISACs, for example, maintain 24x7 watch centers and provide various levels of sector-specific alerting and analysis. In this regard, the Surface Transportation and Public Transportation ISAC collects, analyzes, and distributes critical cyber and physical security and threat information from government and numerous other sources on a 24/7 basis. Other ISACs maintain a watch center that is staffed during traditional business hours, with the ability to contact analysts via telephone or pager during periods of increased activity. Still others operate primarily through Websites, allowing members to access sector-related alerts, warnings, and incident information. Regardless of the variance in breadth and depth, however, ISACs are capable of disseminating DHS-issued threat information.

International Information Sharing--We have made significant progress in cooperation with our international partners in the war on terror to share best practices and intelligence. This is especially true in the area of bombing prevention. The United Kingdom and Israel have years of experience in bombing prevention.
DHS has and will continue to work closely with Scotland Yard and the Israeli Defense Force and police in order to learn better methods of bombing detection and prevention. Additionally, we are part of the Department of Defense's effort in the Joint Improvised Explosive Device-Defeat Task Force, an interagency, international effort with Israeli, Australian, Canadian, and British participation. The task force will establish an open-door program of international partners who will work to develop and exchange detection and prevention technologies.

Reacting to Crisis

In the immediate aftermath of the July 7, 2005, attacks in London, DHS stood up the Interagency Incident Management Group (IIMG) to serve as the national headquarters-level multi-agency coordination entity for incident management. Secretary Chertoff then recommended to the President that the Homeland Security Advisory System (HSAS) move from YELLOW to ORANGE for the Mass Transit Sector. In response, the Office of Infrastructure Protection, in partnership with TSA, coordinated outreach with public and private sector owners and operators in the Mass Transit Sector to provide them with an overview of the latest threat intelligence, to explain the implications of a move to ORANGE, and to provide them an opportunity to discuss those implications. We worked with our Federal partners to enhance security at our Nation's largest mass transit systems and made Urban Area Security Initiative (UASI) funding available for overtime to State and local law enforcement for activities related to increased mass transit security. Our intelligence and analytical units produced Joint Advisories and Information Bulletins with the FBI that detailed what we knew about the terrorists' target selection, attack methodology, implications, and suggested protective measures that mass transit operators could implement.
Following the attacks, personnel from the Office of Infrastructure Protection and TSA conducted analysis of mass transit systems, starting in large cities such as the New York and New Jersey systems. Inspectors from the Federal Railroad Administration conducted inspections of passenger rail operations in the days immediately following the July 7 attacks. Throughout this process, DHS effectively executed its mission as a coordinator of national critical infrastructure protection efforts, and served as the focal point for information sharing both within the Federal government and between the public and private sectors.

Conclusion

DHS is dedicated to working with infrastructure stakeholders across the country to increase the security of our Nation's critical infrastructure sectors using a risk-based approach. The places and events where our fellow citizens are most vulnerable are a key priority. With your support and that of the American people, we will succeed. Thank you.

Mr. Lungren. The Chair would now recognize Mr. Robert Jamison, the Deputy Administrator, Transportation Security Administration of the U.S. Department of Homeland Security, to testify.

STATEMENT OF ROBERT JAMISON

Mr. Jamison. Good afternoon, Mr. Chairman and Mr. Thompson. I am pleased to appear before you in my new capacity as the Deputy Administrator for TSA to testify on the critical subject of protecting civilian targets from terrorist attack. My testimony this morning will focus on our approach to accomplishing this mission, focusing particularly on public transportation. At the outset, I want to acknowledge the team nature of security in today's world and express appreciation for the work of the Department of Transportation and our partners in State and local government and throughout the transportation industry. Public transportation in America is a dynamic, interconnected network.
It consists of overlapping subnetworks and multiple organizations with a variety of government structures and a mix of public and private ownership. In terms of security, decentralized systems such as this are more difficult to control, but they also have advantages. They present more operational uncertainty to those who seek to harm them, and they are more robust in the face of catastrophic failure of any single component of their network.

Despite the good work that has already been done in improving security in transit, the London bombings and other events throughout the world have demonstrated the need for a new strategic approach to transportation security. Fundamentally our challenge is to protect our transportation network in a constantly changing threat environment. We understand better that terrorists will not only look for weaknesses in our transportation system and in security measures, but they will also adapt to perceived security measures. As a result, it is not possible to precisely predict with any degree of certainty the next attack based on previous terrorist activity.

In the face of this unpredictability and rapid change with respect to threats, our approach to security in every transportation sector must be based on flexibility and adaptability. While it is necessary, it is no longer sufficient to protect ourselves against known or suspected terrorists; we must protect ourselves against people with no known affiliation to terrorism. While it is necessary to, it is no longer sufficient to focus on finding threat devices like guns and explosives; we must enhance our ability to find terrorists before an attack is underway. And while it is necessary, it is no longer sufficient to subject every passenger to basic security procedures; we must create uncertainty, an element of unpredictability in our security operations, in order to disrupt terrorist planning and attempts.
To accomplish these objectives, TSA is pursuing a security strategy based on Secretary Chertoff's Second Stage Review. There are four cooperating principles applicable to TSA. First, we will use analysis based on risk vulnerability and consequence to make investment and operational decisions. Second, we will avoid giving terrorists an advantage based on our predictability. TSA will deploy resources, such as K-9s and air marshals and inspectors, for example, and establish protocols, standards and best practices flexibly based on risk. Terrorists will not be able to use the predictability of our security measures to their advantage in carrying out an attack. Third, we will continue to intervene early based on intelligence, law enforcement information and suspicious incident reporting that focus our security measures on the terrorist as well as the means for carrying out the threat. Effective analysis and dissemination of timely information to those in need is a vital component of this effort. Finally, we will build and take advantage of security networks. We are pursuing a restructuring of TSA that will put renewed emphasis on building on information-sharing networks in every transportation sector. Through these efforts, we will work more closely with stakeholders and put a renewed emphasis on sharing intelligence, capacity and technology with other law enforcement, intelligence-gathering and security agencies at every level of government. We will build a more robust, distributed network of security systems to protect America. As we move forward, we are fortunate to be able to build on solid foundation not only at the local level, but nationally as well. 
This foundation includes products and resources developed by our Federal partners, especially at the Department of Transportation, with the Federal Transit Administration and the Federal Railroad Administration, and partners in the industry at the American Public Transportation Association, the Association of American Railroads and its members, labor unions, and individual public transportation systems. This collective expertise fortifies their knowledge, expertise and overall strategic approach. We value the critical role of Congress and especially this subcommittee, that this subcommittee plays in this effort, and we look forward to working with you on a full range of these issues. I am happy to appear, and I would be pleased to answer any questions you might have.

Mr. Lungren. Thank you very much.

[The statement of Mr. Jamison follows:]

Prepared Statement of Robert Jamison

October 20, 2005

Good afternoon, Mr. Chairman, Congresswoman Sanchez, and Members of the Subcommittee. I am pleased to have this opportunity to testify on the subject of ``The London Bombings: Protecting Civilian Targets from Terrorist Attack.'' As requested, my testimony today will focus largely on public transit and intercity freight and passenger rail transportation.

As you know, the September 11 attacks focused Congress, the Administration, and the public on improving the security of our aviation system. It is an honor today to assist Assistant Secretary Hawley in leading TSA as we refocus and realign it to reflect the changing reality of terrorist threats to the transportation sector. Of necessity, much of our early work at TSA focused on the very real and present threats and vulnerabilities in aviation. We were fortunate to have partners at DOT and in industries and communities around the Nation who immediately stepped forward at that time to initiate security improvements in the transit and rail sectors.
Today, we continue to work with these partners and build upon their record of success to address the changing transportation threat environment.

Overview of Surface Transportation

America's passenger and freight transportation system is a dynamic, interconnected network. It consists of overlapping sub-networks and multiple organizations, with a variety of governance structures and a mix of public and private ownership. In terms of security, decentralized systems such as this are more difficult to ``control,'' but they also have advantages. They present more operational uncertainty to those who seek to do them harm, and they are more robust in the face of catastrophic failure of any single component of their networks.

Public Transportation. America's public transportation system is actually composed of over 6,000 separate local transit systems. These local systems range from very small bus-only systems in rural communities, to very large multi-modal systems in urban areas that may combine bus, light rail, subway, commuter rail and ferry operations. Transit systems are not only locally operated, but they are also protected largely by State and local law enforcement. Americans took 9.4 billion trips using public transportation in 2003. The 30 largest transit systems in the U.S. carry most (almost 80 percent) of the Nation's transit passenger trips. There is now some form of rail transit (light rail, subway, or commuter rail) operated by 53 different transit agencies located in 33 cities and 23 States. These rail systems provide a combined 11.3 million passenger trips each weekday, compared to 1.8 million domestic enplanements per day nationwide. Approximately 28 percent of all transit trips and 77 percent of all rail transit trips are on heavy rail. There are 14 heavy rail transit systems (also known as subways) in the U.S., consisting of more than 2,000 route miles, with over 1,000 stations and approximately 10,500 subway cars.
The New York City subway system is the largest in the U.S., carrying about 75 percent of the nation's heavy rail passengers, with half of the stations and more than 6,000 scheduled trains per day carrying over 3 million riders. In New York's Penn Station alone, more than 1,600 people per minute pass through dozens of access points during a typical rush hour.

Intercity Bus Transportation. Though not owned by public entities, intercity bus service is an important component of America's transportation network. Intercity bus service is provided by over 4,000 private operators across the country, 90 percent of which operate 25 or fewer buses. Greyhound is the largest intercity bus operator, with a fleet of more than 2,400 buses. Public transit buses annually carry about 8 times the number of riders as intercity buses; heavy rail (subway) operators carry over 3 times as many riders as intercity buses.

Intercity Passenger Rail. Intercity passenger rail service is provided by two entities: Amtrak and the Alaska Railroad Corporation (ARRC), which is a public corporation of the State of Alaska. The ARRC provides freight and passenger service from Whittier, Seward and Anchorage to Fairbanks, Denali National Park, and military installations. Amtrak carries approximately 25 million passengers per year or an estimated 68,000 passengers per day, operating as many as 300 trains per day and serving over 500 stations in 46 States. In many large cities, Amtrak stations are co-located with stations serving rail transit, intercity bus, and other modes of transportation. Amtrak operates over more than 22,000 route miles. It owns 650 route miles, primarily between Boston and Washington, DC, and in Michigan. In other parts of the country, Amtrak trains use tracks owned by freight railroads.

Freight Rail. U.S. freight railroads operate over a network spanning more than 140,000 route miles.
This system is vital to the economy, linking businesses and ensuring products reach consumers in an efficient, safe, and cost-effective manner. Still, recent events, such as the accidental derailment in Graniteville, SC, that resulted in the release of chlorine gas, have highlighted the need to focus additional attention on the potential security risks associated with freight rail. Over 64 percent of toxic inhalation hazard chemicals are currently transported by rail. In 2003, over 60,000 tank cars of chlorine or anhydrous ammonia chemicals were shipped, each carrying an average of 90 tons of chlorine or 30,000 gallons of anhydrous ammonia.

London Lessons Learned

Al-Qa'ida and its affiliated extremist groups and sympathizers demonstrated their ability to strike mass transit targets with suicide bombings on buses in Israel, Turkey and China, and bombings of subways, rail systems, and ferries in India, Pakistan, Thailand, Chechnya, Russia and the Philippines. The Madrid train attacks in 2004 and the London subway and bus attacks on July 7 and 21 of this year have further reminded us that our trains, subways and buses may be terrorist targets.

Heavy rail transit systems in the U.S., like the London Underground, are particularly high consequence targets in terms of potential loss of life and economic disruption. These systems carry large numbers of people in a confined environment, offer the potential of targeting specific populations at particular destination stations, and often have stations located below or adjacent to high profile government buildings, major office complexes, or public icons. Threats to particular economic sectors, like government or financial institutions, may also be carried out through attacks on public transit.

The London attacks were particularly noteworthy from a security perspective.
In a relatively short period of time, unknown and apparently unaffiliated individuals/groups were able to plan and execute the attacks with little or no surveillance or rehearsal activity. The perpetrators came through fare-gates directly onto the train; they did not access storage yards, tunnels or bridges. As a result, London's extensive intrusion detection devices and security cameras did not prevent the attacks. Recording capability was helpful, but only after-the-fact in helping to identify suspects. The improvised explosive devices used by the attackers were assembled with materials readily available in local shops. The devices fit easily into backpacks of the type and design commonly carried by students, commuters, and tourists. Even with markedly increased public awareness, countermeasures, and law enforcement presence after the first London bombings, the same methods were able to be used in the second attack without suspicion or detection.

Immediately following the first London attacks, transit agencies and local officials took action. Responding to a joint inquiry by TSA and DOT's Federal Transit Administration (FTA), the 30 largest transit agencies reported that they:

Extended patrol hours through law enforcement overtime and the deployment of administrative and operational personnel;
Expanded the use of canine explosive detection patrols; and
Issued more frequent and more detailed public awareness announcements regarding how to report unattended bags and suspicious behavior and how to evacuate from particular transit environments (i.e., train cars, tunnels, and bridges).

These actions built upon the important security foundation that was established over the last several years.
In contrast to their pre-9/11 security posture, all of the largest transit agencies have now:

developed and implemented action plans that are specific to each Homeland Security Alert System threat level;
sent front-line employees to Federally-funded security and emergency response training courses;
instituted public awareness campaigns, many utilizing Federally-developed materials;
developed and tested emergency response plans; and
hardened numerous assets to protect against security threats.

Adapting to a Changing Threat Environment

Despite the work that has already been done, Mr. Chairman, the London bombings and other events throughout the world have demonstrated the need for a new strategic approach to transportation security. Fundamentally, our challenge is to protect passengers, freight, and our transportation network in a constantly changing threat environment. We understand better that terrorists will not only look for weaknesses in our transportation system and its security measures, but they will also adapt to perceived security measures. As a result, it is not possible to ``predict'' the next attack based on previous terrorist activity or put into place specific security measures to protect against it. In this dynamic environment, history is an unreliable guide.

In the face of unpredictability and rapid change in terms of threats, our approach to security in every transportation sector must be based on flexibility and adaptability. While it is necessary, it is no longer sufficient to protect ourselves against known or suspected terrorists; we must protect ourselves against people with no known affiliation to terrorism. While it is necessary, it is no longer sufficient to focus on finding weapons and common explosives; we must enhance our ability to recognize suspicious behavioral patterns and demeanors to identify people who may have devised a new means to attack our transportation systems or passengers.
While it is necessary, it is no longer sufficient to subject every passenger to the same basic security procedures; we must create uncertainty and an element of randomness in security operations in order to disrupt terrorist planning and attempts. While it is necessary, it is no longer sufficient to focus solely on identifying the actors, like suicide bombers; we must integrate our security measures with local law enforcement to identify those who make the bombs and provide support.

Therefore, TSA is pursuing a security strategy based on Secretary Chertoff's Second Stage Review, the National Strategy for Transportation Security, and the following four operating principles:

First, we will use risk/value analysis to make investment and operational decisions. That means that we will assess risks based not only on threat and vulnerability, but on the potential consequences of a particular threat to people, transportation assets, and the economy. Further, we will assess and undertake risk management and risk mitigation measures based on their effect on total transportation network risk. This holistic approach to risk assessment and risk mitigation may lead us, for example, to redirect the actions of our airport screeners to focus less on identifying and removing less threatening items from carry-on luggage, so that their time and attention can be spent on identifying potential components of an improvised explosive device.

Second, we will avoid giving terrorists or potential terrorists an advantage based on our predictability. TSA will deploy resources--whether they are canine teams, screeners, air marshals, or inspectors--and establish protocols flexibly based on risk, so that terrorists cannot use the predictability of security measures to their advantage in planning or carrying out a threat. This may mean changing or adding to inspection routines on a daily or hourly basis to introduce uncertainty into terrorist planning efforts.
Third, we will continue to intervene early based on intelligence, and focus our security measures on the terrorist, as well as the means for carrying out the threat. Enhancing and expanding the techniques to identify suspicious persons at the transit, train, or bus station, or to detect explosive devices is necessary. However, the strongest defense posture detects the terrorist well before the attempt to launch an attack has begun. A coordinated interagency intelligence collection and analysis effort must stand as the first line of defense. Effective dissemination of timely intelligence products to those who need them is a vital component of this effort. And, finally, we will build and take advantage of security networks. As you may know, I am pursuing a restructuring of TSA that will put a renewed emphasis on building information sharing networks in every transportation sector--rail, transit, maritime, and trucking, as well as aviation. Not only will we work more closely with stakeholders in these industries, we will put a renewed emphasis on sharing intelligence, capacity and technology with other law enforcement, intelligence gathering and security agencies at every level of government. We will build a more robust, distributed network of security systems to protect America. As we apply these operational principles, I have also directed my staff to rededicate themselves to important customer service principles, as well. As we move forward, TSA will identify opportunities and engage the private sector in its work to develop and implement security systems and products. We will protect the privacy of Americans by minimizing the amount of personal data we acquire, store and share, and we will vigorously protect any data that is collected, stored or transmitted. And TSA will remember, in all that we do, our goal in stopping terrorism is to protect the freedoms of the American people. 
Therefore, we will work to make travel easier for the law-abiding public, while protecting the security of the transportation network and the people who depend upon it. A Solid Foundation As we move forward strategically to enhance our security efforts in the public transportation and rail sectors, we are fortunate to be able to build upon a solid foundation of work, not only at the local level, but nationally, as well. Grants. Substantial Federal assistance has been and will continue to be provided to support improved transit and rail security. TSA has assisted the DHS Office of State and Local Government Coordination and Preparation (SLGCP) in the development of its Transit Security Grant Program (TSGP). To date, SLGCP has provided more than $255 million to State and local transit agencies through this program to increase protection through hardening of assets, greater police presence during high alerts, additional detection and surveillance equipment, increased inspections, and expanded use of explosives detection canine teams. In April 2005, DHS announced $141 million in TSGP funding, of which more than $107 million has been dedicated to owners and operators of rail systems. An additional $6 million was awarded to Amtrak through the Inter-city and Passenger Rail Security Program (IPRSGP) for security enhancements to passenger rail operations in the Northeast Corridor and at Amtrak's hub in Chicago. Additionally, through SLGCP's State Homeland Security Grant Program and Urban Area Security Initiative, the Department has allocated more than $8.3 billion for general counterterrorism preparedness. The FY 2006 appropriations bill includes an additional $2.5 billion for this purpose. 
The bill also includes a total of $390 million in discretionary grants specifically for surface transportation security programs, including $150 million for rail and transit security, $175 million for port security, $10 million for intercity bus security, and $5 million for the Highway Watch program. TSA will continue to work closely with SLGCP on these programs, as well. Security Exercises and Training. TSA has held numerous security exercises that bring together stakeholders, Federal, State, and local first responders, and security experts to test preparedness and response and identify best practices and lessons learned. We are also seeking new and improved ways to exercise and train for prevention methods, which will help strengthen a national prevention capability. These efforts will develop and support effective relationships among Federal, State and local entities and the private sector, and they significantly enhance our ability to anticipate and respond quickly and appropriately to security issues. Additionally, through an interagency agreement with the Federal Law Enforcement Training Center (FLETC), TSA has trained over 400 law enforcement officers, transit police, and first responders through the Land Transportation Anti-Terrorism Training Program. TSA has also contracted with FTA's National Transit Institute to develop a CD-ROM-based interactive training program for passenger and freight rail employees. This product is expected to be completed before the end of the current fiscal year. These training programs emphasize antiterrorism planning and prevention for land transportation systems. Areas of focus include security planning, transit system vulnerabilities, contingency planning, recognition and response for threats involving explosives and weapons of mass destruction, and crisis and consequence management. Guest instructors with specialized expertise supplement the FLETC staff, providing the benefit of actual experience through case studies. 
Self-Assessment Tool. TSA has developed the Vulnerability Identification Self-Assessment Tool (VISAT), a multi-modal tool that public transportation agencies may voluntarily use to self-assess vulnerabilities within their systems. Specific modules focus on mass transit (heavy rail/subways), rail passenger stations, highway bridges, maritime, and operations centers. Additional modules under development will ensure this tool covers the spectrum of modes for which TSA holds lead responsibility for security. In general, the tool focuses on the prevention and the mitigation of an array of threat scenarios developed for each mode within the sector. Users rate their entity in terms of target attractiveness (from a terrorist's perspective) and several consequence categories that broadly describe health and well-being, economic consequence, and symbolic value of the entity. The tool enables a user to capture a snapshot of its security system baseline assessing vulnerabilities in the system and assisting in the development of a comprehensive security plan. Surface Transportation Security Inspector Program. The Department of Homeland Security Appropriations Act for FY 2005 provided $12 million to TSA for rail security, including $10 million to deploy 100 Federal security compliance inspectors and Congress has continued this funding in FY 2006. TSA has made substantial progress in developing a robust and comprehensive surface transportation security compliance inspector program with emphasis on hiring, training, and logistical and procedural planning. A total of 99 inspectors are now on board. Among other tasks, the security compliance inspectors will identify gaps in security and validate compliance with TSA's security directives. Conclusion Mr. 
Chairman and Members of the Subcommittee, I want to assure you that TSA is pursuing a robust strategy to support rail and transit security that builds upon the work of other Department of Homeland Security agencies, the Department of Transportation, and our public and private sector partners at the State and local level. We look forward to working with Congress and this Committee as we continue to protect America's transportation infrastructure, its passengers, and the commerce that depends upon it. Thank you. I would be pleased to respond to questions. Mr. Lungren. We only have the two of us here, but I will sort of go by my 5-minute rule so we can go back and forth on this and spend as much time as we need. Mr. Stephan, do you prefer being referred to as Colonel Stephan? Mr. Stephan. Either one. Mr. Lungren. Well, I think someone who has earned that title ought to be able to keep it; so if you don't mind, I will call you Colonel. Mr. Stephan. All right, sir. Mr. Lungren. Thank you very much for your testimony. We have had this question about the National Infrastructure Protection Plan and sector-specific plans due by the end of the year. When are we actually going to see them? And plans are all well and good, but what do you do with them? I mean, what is the added value to those plans over and above what your Department is doing or what sectors are doing themselves individually? Mr. Stephan. Yes, sir. This subject is very near and dear to me, and I want to be very up front and candid with both of you gentlemen. I took this job--the most significant responsibility I think I have had in my life--the end of April of this year. The strategic backbone document for everything I am supposed to be doing is something called the National Infrastructure Protection Plan. I grabbed ahold of that document in the early May time frame in its interim form that the Department issued in February, and as I read the document, a sinking feeling rapidly came over me. 
I took the document and I compared it to what the requirements that President Bush set forth clearly, very clearly articulated in HSPD-7, and the document was simply missing in action 50 percent of what I believe the President clearly articulated needed to be in that document, in HSPD-7. And the document appeared to me to be yet another one of these never-ending series of documents that tell us what has to be done. After multiple years have passed since September 11th attacks, everyone in this room knows what has to be done. The question that document has to get to is: How are we going to do the whats that are listed in the document? So doing this the only way I know how to do it--and I have developed or led the development of three other national plans or strategies at this level--I took the document, I got a new team. It is not a team of contractors, it is a team of government employees that have helped me with previous plans. I have got them firmly under my direction, and we have worked that document over the last several months to include some very important missing-in-action items. We very clearly articulate now in this document what the roles and responsibilities of various State and local players in all of this and private sector players are; the international dimension; the cyber dimension; how the Federal budget infrastructure protection should come together in some kind of logical, meaningful way, a series of metrics, a series of things that will hold people accountable, deliverables, timelines. All of this, I am happy to report, I completed with my team last week, and I have turned it in to Department Secretary Jackson and Deputy Secretary Chertoff for their review. Prior to this, I conducted a broad review across our Federal Interagency Senior Leadership Council and have gotten back from them on a one-for-one Q&A session with no significant pushback on anything in the plan. 
What I need to do now is, upon release authority from the Secretary and the Deputy Secretary, is allow this plan in final draft form to go out for about a 30-day comment period to a broad gathering of State, local, tribal government partners and the private sector folks so I get their opinions, because the previous version of this document was not very broadly coordinated as it should have been across the very wide stakeholder community. I owe that to those people, so I am going to do that when I get the send button pushed from the Secretary. I hope to get that very, very soon. I will take the comments that come back from that process, and if there are significant comments, I will propose a second round of coordination across that stakeholder community. And I want to put the final pieces of this together as quickly as I can towards the end of the year or the first of the year, to be as frank and honest as I can with you. That will depend on the level of comment that I get across the private sector and across our State and local government partners. I firmly believe in this document. If we don't have this document, we have no strategic backbone. We don't have the ``hows'' answered. We need to figure out how we are going to operationalize this risk assessment piece that is now in this plan. We have to figure clearly and clearly state who is responsible for what, that is in this plan; how our resources come together; and how they are wisely targeted against the broad array of critical infrastructure and key resources. Mr. Lungren. You appreciate the frustration of Members of the Committee when they hear that this is the strategic backbone, and here we are 4 years after 9/11 and we don't have it yet? Mr. Stephan. Yes, sir. And I can say to you personally that no one in this room is more frustrated than I am personally by this, sir. And it is my job to fix it. I own this operation now, and it is going to be fixed. And it is on my boss's desk. Mr. Lungren. 
I looked at your bio, and I noticed that you had been involved with contingency operation planning in Somalia, Haiti, Bosnia, Croatia, Liberia, Colombia, Kosovo. You have been the one that has been involved in that kind of planning in the past as part of your military experience. Mr. Stephan. Yes, sir. Mr. Lungren. And I take it from what you are saying you have tried to apply that same sort of military rigor to this planning even though you arrived late at the process? Mr. Stephan. Sir, it has to be a very rigorous process. And I led the development of the President's Strategy for Critical Infrastructure Protection in the year 2001 and 2002. I know how to do this. I spent a lifetime trying to attack other people's target sets. I have to reverse-engineer that across the United States. And the defensive team is challenging, a lot more challenging than the offensive has it. Mr. Lungren. You see what happens here in the Committee, we look at DHS as sort of an amorphous operation, and when we have heard this plan is going to be coming out, it is going to be coming out, it is going to be coming out, we tend to look with a little skepticism about another repeat that ``it is going to come out''. But what I am taking from what you are saying is you arrived late to the game, you found something that looked like a fumbled football, and you picked it up, and you are trying to bring it forward; would that be correct? Mr. Stephan. Sir, I realize the importance of this document and how important it is to the country, and I realize I am not going to get another chance to get it right. And I am going to get it right with my team. Mr. Lungren. It was not right when you picked it up. Mr. Stephan. I don't believe it was accurate; it did not meet President Bush's thoroughly articulated criteria that appeared in HSPD-7. Mr. Lungren. Well, this is the President's clearly articulated criteria. What about your sense of what you needed to do to have a mission understood and carried out? 
Mr. Stephan. No, sir, it was not an operational document. This document was more akin to a strategy, broad-level strategy document that we have multiple copies of those kinds of things floating around the Federal Government. This needs to be an operational plan that everybody understands, knows what their part is, knows how resources come together, how they are applied, how we are going to focus, what risk assessment criteria we are going to use as a standard across the Nation. That is what this has to be. And I believe Bob Stephan has produced what it needs to be, and it is sitting on my boss's desk right now. Mr. Lungren. The Ranking Member is recognized for 5-plus minutes. Mr. Thompson. Thank you very much, Mr. Chairman. Colonel, I appreciate your truthfulness. And I think this committee supports the effort to come up with a document that we all can feel proud of. Anything less is not acceptable. I don't think you will have any problem from this committee pursuing exactly what you see as that mission and the production of the plan. I had a couple of questions I wanted to ask. Mr. Jamison, I actually had a hazmat question to ask you, and I was told I can't ask you this question as you have a conflict. Any idea on when you are going to get the conflict resolved so I can get my question answered? Mr. Jamison. I would be happy to provide an answer to you for the record. Unfortunately, this is my first day on the job at the Transportation Security Administration, so I am still going through the ethics process, and as soon as I am through with that process, I will be able to answer your question. But I will be happy to provide an answer to you for the record. Mr. Thompson. Can you give me some kind of time frame on when you will have it resolved? Mr. Jamison. I am hoping to have it resolved in the next several weeks. Mr. Thompson. And that conflict doesn't prevent you from doing your job? Mr. Jamison. It does not prevent me from doing my job. 
I am recused from certain matters until that conflict is resolved, but I am able to execute the duties of the job. Mr. Thompson. All right. Thank you very much. In the 9/11 Commission report and the legislation that came from that, we require a plan to be developed for transportation security, a strategy. When will Congress see that strategy? Mr. Jamison. They received the strategy in September, which is the National Strategy for Transportation Security, which was submitted. After Mr. Stephan submits his National Infrastructure Protection Plan, I believe it is 180 days after that it will be updated, but the strategy was received. Mr. Thompson. So it is your testimony that we now have that strategy? Mr. Jamison. You have the National Transportation Security Strategy. Mr. Thompson. Well, Mr. Chairman, I have a list of questions I would like to submit for Mr. Jamison to answer because what we have is not a strategy. We have some elements, but we don't have a strategy. But I will accept your word on it and just pursue it at a later date. Mr. Thompson. In addition to that, this committee heard testimony earlier in the week relating to some intelligence questions around collection and analysis as it relates to transit security with both New York City and Baltimore. We were a little troubled that there appeared to be a disconnect between the transit security system and the Department of Homeland Security intelligence-gathering system and the city of New York. Have you had--and I know this is your first day on the job, but have you had an opportunity to look at that disconnect? If so, can you tell us how we can fix it? Mr. Jamison. Well, while I was involved in my role in DOT in that event--and I think the lesson learned from London is even one of the most prepared systems in the world at a heightened state of alert, it is very difficult to prevent attacks on mass transit. 
So it is very important that the shared responsibility of security between Federal, State and local, that we share information as quickly as we can and get as much information to the State and locals and have them make a decision they need to make. In this instance that was done quickly, the information was shared. In addition to the information, an analysis portion, which the Federal Government plays a key role in, was shared with the New York officials. And it is their role--and I respect that role--to take that information and weigh the risk in their local areas versus the information and make decisions to take action. Mr. Thompson. So do you agree with what they did? Mr. Jamison. I respect the decision. I mean, the analysis that we gave them was given in an effort to enable them to make decisions. Mr. Thompson. I will ask you one more time, did you agree with the decision they reached, yes or no? Mr. Jamison. I agree that they have the right to make that decision. The issue on whether or not they have the right to deploy the resources, absolutely, I agree that they should have deployed resources if they felt like that was their responsibility. Mr. Thompson. Well, one of the things we keep hearing is we don't have enough connectivity between all these agencies; even though we passed legislation that mandated it, we still don't see it. At their press conference that Mayor Bloomberg had, the FBI was standing next to him, but not DHS. I am trying to figure out whether you agreed with it or you didn't. Does your absence at this press conference signify that you didn't agree with it? Mr. Jamison. Well, again, Congressman, I think this is a positive story that the system worked, that the information got down to the local levels, it got to the local levels quickly, they were able to assess it and make decisions. You know, I was not in Mayor Bloomberg's shoes-- Mr. Thompson. Were you invited to the press conference? Mr. Jamison. Was DHS invited to the press conference? 
I don't know that. I don't know the answer to that. Mr. Thompson. Mr. Chairman, can we, for the record, find out from DHS if they were invited to this press conference that Mayor Bloomberg had? I think it would be important. Mr. Lungren. I am sure you can let us know whether you were invited or not. Mr. Jamison. Absolutely. Mr. Thompson. Your absence at the press conference would indicate a lot, given the information you provided New York City. Thank you, Mr. Chairman. Mr. Lungren. Mr. Pearce, are you ready to inquire? Mr. Pearce. Thank you, Mr. Chairman-- Mr. Lungren. We have a loose 5-minute rule, more than 5. Mr. Pearce. Thank you very much. That differs from some committees, and I appreciate the Chairman's-- Mr. Harley, the Transportation Security Administration just recently did a field test of the--we don't have Mr. Harley. Mr. Jamison. The TSA ran the puffer machines. I have seen one of those. They had, I think, one at Mount Vernon--not Mount Vernon, the Statue of Liberty--and I wonder how those machines are working and the effectiveness and what the cost on those is. Mr. Jamison. We did run what we deem as a successful test called Trip on the puffer machines, and actually a three-phase test. The first part was in New Carrollton, Maryland. And the major success part of the test is that we were able to take that technology, the puffer machine that is usually used in aviation, and adapt it to the transportation environment. It did work in that arena; however, there still remain a lot of problems with deploying that technology in the security or in the transit environment. One, the throughput, it takes 15 seconds or more for each passenger to go through that system, and it was tested in very low-volume conditions. So in an environment such as New York City, Penn Station, where you have 1,500 people a minute coming into a system through various entrances, it is just not practical to deploy that type of technology. 
We are continuing to research the technology, continuing to try to find ways that we get better throughput and develop the alternatives, but at this point there are no current plans to deploy that technology in the transit environment. Mr. Pearce. What is the basic cost on those units? And then if we could work out some of the problems, what cost are we looking at broad scale? Mr. Jamison. I don't know what the individual cost of the units are. I would be happy to provide that for you for the record. They are expensive. Mr. Pearce. Multiples of where we are right now? Mr. Jamison. Excuse me. I just got the answer to your earlier question. It is $125,000 per unit. Mr. Pearce. And how does that compare to some of the screening mechanisms we are currently using? Is that a multiple of two or three or the same? Mr. Jamison. Do you mean in the aviation environment? Mr. Pearce. Mm-hmm. Mr. Jamison. Actually, it is a multiple of two on some of the technology screening. Mr. Pearce. About $65,000 versus $125,000. If we look at some of the screening devices that we are using at the airports, we look at the time that it takes there plus the labor intensity, do you see any emerging technologies that can detect the same thing the puffers do, the explosives or weapons? Are we seeing any technologies coming out of that? Mr. Jamison. We are carefully evaluating all the technologies that have been used in the aviation arena to see whether or not they are applicable in the transit environment, like backscanner and other types of technologies, to see if we can get high volumes of throughput. But based off of the evaluation currently, we don't see any near-term technology that is going to come up that is going to give us an opportunity to apply it in the transit environment. Mr. Pearce. What are the European nations doing with regard to transit safety? Are they doing anything at all? Mr. Jamison. 
There are some contemplating some technology deployments, as pilots only, and we are working closely with them. I was just on a trip overseas to London, and lessons learned, and we were discussing with them what some of the options are, but they currently don't have that technology deployed in London. Mr. Pearce. If there is none of the technology deployed, what is the basic philosophical outlook on safety in the mass transit system? Mr. Jamison. Well, first of all, I mean, I think the mass transit systems are more secure than they have ever been. What London did was validate that the approach to try to get the terrorists before they get to the system is the most effective strategy, and we need to continue to receive good intelligence and so forth. They also validated that the focus that we have had on training, awareness training, and making sure that your operators know how to spot suspicious behavior and know how to report it and know how to react, in addition to public awareness campaigns, and in addition to emergency preparedness so that you know how to respond and mitigate the impact of an event are still the most effective strategies. Mr. Pearce. And are we prepared in your agency to come to the conclusion that you might not--it might not be able to provide 100 percent fail-safe screening mechanisms; that the cost would be too prohibitive, and there are too many other access points? Are we prepared in this Nation and in your agency to have an open discussion about whether or not we can and should? Because it sounds like that is where Europe already is; that they may employ some things, but they are definitely not sitting here at the cutting edge of technology and approaching it the way we are. Mr. Jamison. That is correct. And as I mentioned before, I think we must continue to look--to put research money into technology and to try to determine what the opportunities are to continue to improve the security. 
But currently more boots on the ground, awareness training, other types of methods are most effective, and screening is not the solution in the near term. Mr. Pearce. I see my red light blinking, Mr. Chairman. How loose is your parameter here? Mr. Lungren. I just understand that Mr. Thompson has to leave, so I was going to let him inquire, and then-- Mr. Pearce. Let me yield, and then if we have a second round, I will take another turn. Thank you, Mr. Chairman. Mr. Lungren. Mr. Thompson. Mr. Thompson. Thank you very much, Mr. Chairman. I appreciate you allowing me to do this. A couple more questions, Mr. Jamison. Can you tell me if TSA mandates transit systems to provide security training for its employees? Mr. Jamison. There is a security directive that instructs transit agencies to provide training to their front-line employees, yes. Mr. Thompson. Do you interpret ``instruct'' to mean ``require''? Mr. Jamison. It is a security--it is a legal, binding security directive, yes. Mr. Thompson. Can you provide this committee with that document that requires transit systems to provide training to its employees? Mr. Jamison. Sure. Mr. Thompson. Thank you. Mr. Thompson. Another question. Colonel, at a hearing earlier this summer, we talked about chemical plant security, and I think basically you promised, in response to a question from me, that we would have a plan for chemical security within a few weeks. Can you tell me where we are with that now? Mr. Stephan. What I have done at my level in coordination with the Secretary and Deputy Secretary and the Homeland Security Council, we have worked out, I believe, internal to DHS what we believe the major pillars of a regulatory framework for the chemical industry would look like in terms of a risk-based approach by facility, by facility category, by facility type, performance measures. I am ready to discuss with Members of Congress the parameters associated with this. 
I don't believe we promised a plan, sir; I believe we promised we would be ready to have discussions with our friends on the Hill regarding a framework that would end up in a piece of legislation eventually. Mr. Thompson. Well, given the fact that our chemical plants, as you know, are vulnerable, we do need to come up, I think, in a short period of time with some kind of strategy for the security of those plants, and I look forward to working with you on it. Mr. Stephan. May I add, whether or not we get authority or not, as part of our sector-specific plan for the chemical industry we will have an option A and a B; an option A if we get regulatory authority through legislation, and an option B if we do not have a set authority. We will work through what our other options are and put that as far as the NIPP. Mr. Thompson. Could you, if it is available, provide us with any of that information? Or maybe, Mr. Chairman, we might need to set up a briefing because a number of our Members have concern about chemical plant security. Mr. Stephan. I would like to give you a briefing, if I could do that. Mr. Lungren. We can set that up. Mr. Thompson. Thank you very much. Mr. Jamison, earlier, in response to a question dealing with the transportation security strategy, I am aware that a plan was sent to us, it was a classified document, and for some reason we are not able to really address it as we should. I understand it is under review to be declassified, but according to Section 4001 of the 9/11 Act, there were some things that that strategy had to include, and I will read them: Set realistic deadlines to address transportation security needs across all modes, establish clear responsibilities between all levels of government and the private sector, delineate roles and responsibility for response and recovery, and prioritize research and development to ensure that effective technologies are deployed as soon as possible. 
Now, our reading of the plan indicates that these requirements are not there, so now can you tell me--if my interpretation is wrong. Can you just tell me if those things are there? Mr. Jamison. I don't know that the specific plan gets into that much detail. What I can tell you is it is currently security-sensitive information which should give you access to it for one issue. But also the issues that you just laid out there, the majority of those issues have been addressed in a memorandum of understanding between the Department of Transportation and the Department of Homeland Security, such as roles and responsibilities, research, and so forth and so on. Part of that memorandum of understanding requires that DHS and DOT do an annual plan to prioritize research funding, other resources to make sure that they are coordinated, and focused on risk, and prioritized based off of the resources of both agencies. Mr. Thompson. Mr. Chairman, I would basically submit my question to Mr. Jamison in writing so he can give it back to me in writing. Thank you very much. Mr. Lungren. Thank you, Mr. Thompson. And I am sure, Mr. Jamison, you will respond in writing to the question by the Ranking Member. Mr. Lungren. Mr. Jamison, following the Madrid bombing last year, it is my information that TSA issued 20 security directives to public transit agencies to increase transit security. There has been a suggestion by some observers as to whether or not these directives would be effective in preventing a terrorist attack. Has TSA had a chance to go back and look at those security directives to see if, in fact, they are sufficient for the purpose that they were issued? Mr. Jamison. Well, we continue to look at the security directives. And the security directives were meant to establish a baseline of protective measures, and they are also intended to give agencies some flexibility within those baselines so that they could adapt those directives to their individual operating conditions. 
But the fundamentals of some of the discussion that we were just talking about, about having aware employees, reporting suspicious activity, utilization of K9 teams and other types of measures, is a good indication of the security directives. We need to continue to look at those, continue to work with the industry and continue to determine what are the most effective security measures. Mr. Lungren. So does that mean you are? Mr. Jamison. Yes. Mr. Lungren. I mean, you said you should, but I guess that means you are doing that. Mr. Jamison. Yes. Mr. Lungren. Congress appropriated millions of dollars to hire 100 rail security inspectors to enforce these security directives. What is the status of that, and how will they be utilized to improve security of mass transit? Mr. Jamison. Currently, 99 of the 100 on board are being processed through the HR process. That is an opportunity to look at the security directives and to continue to analyze the gaps in rail transit. It is also a huge opportunity to improve coordination with our stakeholders and make sure we will get real-time, ground-truth information from the field to determine whether or not the appropriate security measures are in place. Mr. Lungren. What kind of feedback are you getting? Mr. Jamison. Generally, the majority of the transit agencies--the overwhelming majority of the transit agencies are doing those measures, all of those awareness measures; and as the program ramps up and we get the opportunity to do more security gap analysis, we hope to get more information that helps us develop a more robust strategy. Mr. Lungren. Colonel Stephan, you stated the Department is focused on a risk-based approach to critical infrastructure protection. You heard my comments at the beginning that I was concerned that IP might have developed a risk-based methodology that focuses on each sector from top to bottom and one sector at the expense of others. What are you doing to make sure we are doing it across the board? 
I mean, risk number 10 in one sector may be less severe than risk number 75 in another; and if we are doing sector by sector my concern is, with the limited amount of resources we have, that we might divert them to a less risk-appropriate target scenario than otherwise. Mr. Stephan. We do not intend to methodically go through one sector at a time sequentially and somewhere, years and years and years from now, get to the bottom of this problem. What we are doing is attacking this at cross sectors now in terms of our data calls and data acquisition efforts with State and local governments and the private sector. We are doing this across all 17 critical infrastructure and key resource sectors that are defined in HSPD-7. The problem that we face, of course, is getting the data. That is one piece. The second piece is doing something meaningful with that data that would then inform a risk-based approach to planning and resource investments. What we are working on feverishly is making sure that we can compare these apples and oranges within sectors and across sectors. In order to do that, we have worked with the private sector: first with nuclear energy; the chemical industry, next; liquefied or natural gas; the various modes of transportation; the energy sector, to develop this RAMCAP piece. This is a risk-assessment technology, a technological tool that, when we get this deployed across all the sectors, we will have a standardized criteria by which these data calls will be supported with consequence information, vulnerability information and threat information that is logical across the sectors. That is my big stumbling block now. We are working diligently. We piloted these first two efforts. It took us about a year to get it right with the energy sector and the chemical piece. 
The next versions of these are going to go much quicker; and, again, I want to close this whole piece out within the next year or so in terms of having a risk-assessment module, that we have the same thing in each of the sectors in terms of the standardized criteria that allows me to take the data that people are providing me, put it into a computer, and have the apples and oranges all become apples so I can do this cross-sector comparison. But we are also not waiting for that. We are also taking by whatever criteria I have now and we recently put out about 3 months ago a data call across all the 17 sectors asking us for based-upon criteria that we put out to them. I will be happy to share this document with the committee. Agriculture and food, banking and finance, chemical, energy, information technology, emergency services, postal and shipping, the list goes on. What are your top assets systems or networks based upon criteria that is specifically defined for each of these sectors? Give us this information so that we can use it to better inform our buffer zone protection plan grant activities, to inform our operational planning, to inform our information-sharing activities. So that stuff is all under way now. Mr. Lungren. Let me pick up on the buffer zone protection plan grants. It is my information that the way it is to operate is that every State will be given 70 BZP slots. That is, the State of California will be given 70, the State of Wyoming will be given 70. Then, within that, each State is supposed to make a determination on their own. My question is: Is that your understanding of the way it is going to be? And, if so, does that make sense that each State gets 70 slots? That is, that you would presume--and I don't want to pick on Wyoming, but in the previous grants program everybody has analyzed it to show that Wyoming has 7 times or 10 times per capita the amount of grants in the previous homeland security grant funding than New York does. 
So that is why I will pick on Wyoming. Mr. Stephan. That must have been an earlier version of the BZPP for '06 process. I saw what I think is probably a similar version about 2 or 3 weeks ago; and I told my people that is not the way, in fact, we are going to do this. The BZPP thing, we have to take a look at using a risk-based approach. We are going to have to marry it up with the UASI program, marry it up with the transit grant programs. We are going to focus it where we have clusters of targets so we can get more bang for the buck. Because the intent of this program is to drive operational planning between State and local governments and the private sector and help those people develop operational prevention and response capabilities clustered around key areas where nuclear plants, chemical plants, transportation systems--where if we are going to provide grants to law enforcement capability, it can surge multiple ways. That is one piece of this, but there are still important facilities across the country that may not be clustered with others, that are standalone, very consequential; and the BZPP program has to take those into account. I think one of the Secretary's visions in creating this new preparedness directorate, of which IP would be a part as well as the new Assistant Secretary for Grants in Training, is to make sure we are logically looking at what the requirements are across the board, figuring out what the criteria are for the different individual grant programs and making sure we are putting the most bang for the buck where it makes sense based on risk. Mr. Lungren. I am going to recognize the gentleman from New Mexico but first mention, at least from what I hear at the local level in my State, what you have just said has not been conveyed to them. Somehow it was conveyed to them every State was going to get a predetermined number of slots, irrespective of risk; and the States would decide what they do. 
The number we heard was 70 to each State, and that didn't seem to me to make a whole lot of sense. Mr. Pearce is recognized for at least about 5 minutes. Mr. Pearce. Thank you, Mr. Chairman. If we explore this risk-based prioritization again as Secretary Chertoff has placed emphasis on, can you--what is the ultimate determinative risk? Mr. Stephan. There are three pieces to the risk puzzle. The first piece is threat information, which, sadly, is not always as granular as we would like it to be with respect to these critical infrastructure, key resource sectors, although we are following it with very smart people every single day. Just never seems to get us the granularity except for some specific instances you all know about, mainly in the mass transit world over the last several months. The other piece of the equation is consequences, consequences in terms of public health and safety, human lives, human impacts, economic consequences, national security consequences. Those go into the mix. And, finally, vulnerabilities, just how vulnerable is a consequential facility with respect to various potential modes of terrorist attack. All of these pieces involve a formula that is basically consequences times vulnerabilities times threat equals risk. Mr. Pearce. So if we were going to say look at the nuclear power plant that is just west of our State in eastern Arizona and we are going to assess the risk of that versus a conventional power plant located in New York State with a dense population, which of those is going to percolate higher in the risk stream? Mr. Stephan. If you go strictly by consequences in terms of population impact, naturally the piece in New York is going to receive more attention. 
But I also have to say this is not--this is an art, this is not a science; and I would say a successful attack on any nuclear plant anywhere in the United States of America is going to have a very important psychological dimension that no mathematical formula can bring to the table. So in addition to those pieces of the risk calculus, we have to have good old-fashioned common sense and roll in some Kentucky windage reference psychological impacts to all of these target sets out there. Mr. Pearce. I understand that, but as a Department agency and looking at Secretary Chertoff's emphasis on risk-based prioritization, I am just asking which is going to percolate higher in the stream. Mr. Stephan. I think all nuclear power plants are going to receive a high priority focus across the country. Mr. Pearce. If we then downgrade the risk to the next level and we look at water systems and you get, say, a water system pretty well protected and not very vulnerable, no threat info, and you have the open lake in New Mexico that feeds all down through Mexico and Texas, through the rest of New Mexico, and a biological hazard placed in that, no threat info on that, so which of those are going to percolate to the higher end of the risk-based assessment? Mr. Stephan. Again, then we get a little bit more into the mathematical calculus piece. But this is not a winner-take-all or a winner-loser zero sum game. No matter what your level of risk happens to be, there are certain kinds of things that the Department of Homeland Security is going to reach out and touch you on. Everyone is going to be part of some kind of organized leadership structure that allows us to interact and interoperate and figure out what each other's needs and requirements are. 
Everybody that wants to be is going to be tied into an Information Sharing Mechanism, no matter what your level of risk, because I hope to God in all this risk-management piece that al-Qa'ida kind of follows our own risk-management methodology or we could be in trouble. Therefore, everybody--if you are on a target set today that meets our risk criteria, but al-Qa'ida goes another way, everybody has to be connected from an information perspective so we can rapidly adjust from where we think they hit us to where they might hit us based upon their own calculations. So when we say risk-based focus, I am really talking about an allocation of DHS dollars and specifically IP dollars in terms of the monies we have at our disposal for specifically targeted initiatives like BZPPs, or buffer zone protection plans. Everybody is going to get a leadership structure put on top of them that they participate in. Everybody is going to get an information-sharing mechanism. Everybody is going to get access to a widely accepted vulnerability assessment methodology set of criteria and tools to help them out. And everyone is going to get information bulletins that specify specific threats when they do arise. So I don't want to leave you all with the impression this is a zero sum game in terms of risk. There are certain baseline things everyone will be plugged into or be a part of. Mr. Pearce. Being from one of the rural areas, I will tell you that the great concern is that, through whatever mechanism that bureaucracies work and agencies work, is that risk-based is going to end up percolating down to population; and I will tell you that the Nation will be worse off than better off if population becomes a single criteria. I know you are telling me that is not the case, but I will tell you that human nature is that we try to find the easiest solution when the solutions are not very easy. 
I will tell you that the nuclear components in New Mexico, with al-Qa'ida sitting there, coming across a border, that has nobody posted on it now. Last night, we got word that the border patrol has completely evacuated, and we are the last to learn that al-Qa'ida has come across our border. We get that in the newspapers when everybody else reads it. Somewhere we have to do a little bit more thorough job of understanding that risk-based is a little bit broader than just population. That I think is a task for us to remember through the long, dark nights of trying to assess our risk, but I appreciate your work on the effort. I yield back. Mr. Stephan. Thank you, sir. Mr. Lungren. Colonel, if I could just ask you something with respect to an issue we dealt with on the committee yesterday that has to do with the Bureau of Reclamation. They run over 400 dams and levee assets in the western half of the country in the 17 western States. They have what they would describe as a rather robust effort to provide security for their assets. Is your operation informed of their efforts? Are you integrated in any form, shape or fashion? What added value do you provide to them, if any, over and above what they are doing? And how does that contrast with what your other elements of DHS are doing with the other dams? Because we are talking about 400 dams, levee assets under Bureau of Reclamation. That doesn't talk about State dams and certainly doesn't talk about privately owned dams. Mr. Stephan. Yes, sir. Our problem is we have about 80,000 or so dam structures and levee structures across the United States of America. I think about 5 percent may be owned by the Federal government across multiple agencies. The rest are State and local owned and operated facilities. 
Our value in this has given this incredible patchwork of ownership authorities, regulations, resource dollars that go into this, is to provide an organizing leadership to all of that patchwork of different people out there searching for leadership. Through the NIPP structure, the National Infrastructure Protection Plan organizing umbrella, we at DHS IP lead the dams sector in terms of the government coordinating council represented by DOI, the Bureau of Reclamation, the Army Corps of Engineers, Agriculture, Energy, the Department of Defense, other folks that own dams wearing Federal hats. We also, through that coordinating council, bring together the major State players that own dams within their jurisdictions; and we have a private sector and some State membership on another council that we also bring to the table so that all of those equities are there. Our goal is to bring this amazing patchwork of different dam owners and operators together, make very sure that all those people are connected to some kind of information-sharing network. The Federal pieces of the puzzle are fairly well connected together at this point in time. The State pieces of the puzzle are connected very well through the homeland security advisor network at this point. We have more work to do in terms of connecting individual State-level and private-sector dam owners and operators together from an information-sharing piece. Right now, we reach out and touch them through local law enforcement networks in partnership with the FBI, but I also need to be able to reach out and touch the owners and operators of those various facilities together. We work together, realizing that some people like Bureau of Reclamation has some important resources they can bring to the fight. 
In other cases, where there is nobody covering down on a particular set of assets, we may make a buffer zone protection grant available based on consequences to a State government that has an important dam within its jurisdiction and try to make all of that work in some meaningful way. Again, just a lot of different actors out there, a lot of players, a lot of information needs to be shared. We have to work together to make sure we clearly have identified what is more important than other things based mainly on consequences in the dams world and that we are all putting some kind of resource patchwork together to get at the really significant problems. Mr. Lungren. I hope you don't mind if I harp a little bit on dams, but as I have explained before, I live downstream of a major dam that has been identified by the Bureau of Reclamation as one of concern. Let me ask you about this. DHS and with dams, other than this information sharing and trying to get people together and so forth, do you have any operational responsibility in a terrorist attack scenario? What I mean by that is this--We know now, because we have had a couple of breaches of the no-fly zone around the D.C. area, that there is a decisionmaker that makes the decision as to whether or not to shoot down a plane. What about in terms of critical assets like a Federal dam? I am not going to talk about any specific dam, but dams have different structures. You may have a reservoir that has several dams on it, maybe earthen, maybe the concrete structure, maybe dikes. A determination could be made at a particular time that, because of a threat to it, they have to relieve some stress on certain areas; and that decision could put some population centers at risk more than other population centers, actually, life-and-death situations. 
Do those decisions that would be made operationally by Bureau of Reclamation in that context, would they in any way interface with the Department of Homeland Security before that decision is made or is that decision made within the Bureau itself? Mr. Stephan. Sir, again, the decisionmaking power, as you correctly stated, resides with those organizations. But I think if we are talking about a terrorist incident here in terms of prevention, protection, response and recovery phases, DHS owns the overall operational coordination piece across the Federal Government for each particular phase of a response to a potential terrorist threat or national incident. There is an important role that headquarters would play in terms of that operational information-sharing reference the threat, reference protective measures that are in place and that need to be bolstered through the State homeland security advisor network principally as well as our Federal Department and agencies if it is a Federal asset. The FEMA component of DHS has a very significant role to play in terms of consultation and the emergency preparedness posture of the downstream communities. There is a big program in FEMA, the Dams Safety and Security Program, that was created back, I think, in 2002 by an act of Congress that give those guys some very specific roles and responsibilities and some grants to facilitate preparedness planning on a steady state basis every day of the year, as well as technical assistance, as well as some other security-related activities. Mr. Lungren. Maybe I will have to follow up with you at some other time, and maybe I need to look at some of the tabletop exercises that have gone on. It just strikes me after seeing Katrina and some suggestion that we didn't have--we had failure of decision making in some areas and not others. And posse comitatus, that goes in there. 
But if you have got a Federal facility and a terrorist attack, I don't think you have to worry about posse comitatus, but I think it would be good for us to insure we know what the chain of command is and the decisionmaking, where it may be considered operational of a dam or other asset. But the decision could very well determine who is in harm's way by the election of the decisionmaker, and I just would hope that we think about that ahead of time. Mr. Pearce, if you have some further questions. Mr. Pearce. I do, Mr. Chairman, one more series of questions. Mr. Stephan, the idea that we have got 80,000 dams out there that need some sort of protection plan, is homeland security going to provide the protection plan for each one of those? Mr. Stephan. No, sir, we are not. The protection plan is the responsibility of the owners and operators. Mr. Pearce. How can we tell when they have done their homework? Mr. Stephan. That is the challenge. There is no way that we can insure that 80,000 facilities--and they go from things like the Grand Coulee Dam all the way to a simple earthen levee that is part of some neighborhood complex. Mr. Pearce. Early on, our office engaged in the difficulty of not only dams--I mean, 80,000 dams tends to put it in perspective, but if we look at the number of communities with the number of risks in communities, there is no way the Federal Government can identify and understand each risk, that it becomes a local and a State responsibility but mostly it is a local responsibility. In trying to put some sense into that process, our office early on established--we went to one of the institutions that is syndicated with several other higher education institutions to provide security for the Nation and security training; and they helped us develop a thing called Certified Communities, with 35, 34 different components that are measurable--many are already measured, just not tabulated--and we created a concept called Certified Communities. 
The idea is that the certified communities would get some sort of rating from insurance agencies. The insurance agencies do that right now, the ISO ratings for fire. What happens if your community loses its capability or drops its training for fire protection, homeowners get increases in their insurance policies. So what you have is you have all the residents of a community become kind of overseers. They are the first to realize that their insurance rates are going up because our community has not prepared itself. And if our community hasn't prepared itself then they call and they begin to raise pressure, you guys have let your ISO rating drop and we now are paying more insurance. So it is not just that you need a program but you need a program that reinforces itself, that self-enforces it; and tying it to insurance rates is a way to get the public vision on it. The second aspect of tying it to that is communities will know, if they have a better ISO rating, then their personal insurance costs go down. So, many times, they can pay for the protection that they are getting through the lower insurance premiums for the community. Now we submitted this thing, and it has been locked down in ODP for about 6 months, and they refuse to bring it to the light of day. We think it could be done regulatorily, and it just does not make sense that Homeland Security has got this thing deep-sixed. It is just a gift that these education institutions have given to the Homeland Security Department. It would be very easy to implement, and it doesn't have any requirement that you do it. It just gives us a measuring stick, gives the tie-together that if you do--we visited with the insurance industry. Would you be willing to give better rates if communities are prepared against either terrorist threats or natural disasters, and they said of course we would. So the enforcement mechanism is right there. That is the people and their insurance accounts. 
I just--someday maybe Homeland Security is going to think it important enough to get those 80,000 dams certified and all the communities across the Nation, some sort of process to where people will know if they are actually doing their work to prepare or not. It is very frustrating from our point of view to have asked agencies or institutions to do this of work and then have it locked down over in ODP. So if you want to make a comment, fine. Mr. Stephan. The only comment, I am not aware of the status of this paperwork, but I will go back and press on that. Mr. Pearce. I would appreciate it. It just makes sense for the Nation and appears like it would give us a measurement mechanism. The thought process that went into it came far broader than just into New Mexico. It was institutions across the country that are in this group that just worked to prepare. Mr. Stephan. May I ask for the title of the program? Mr. Pearce. Certified Communities Program. Mr. Stephan. Certified Communities Program. Mr. Pearce. It is very straightforward. I appreciate it, Mr. Chairman. Thanks for your indulgence. Mr. Lungren. I thank the gentleman from New Mexico for his questions, his inspiration and his persistence. I thank the witnesses for their valuable testimony and the members for their questions. I just want to let you know the absence of more members is not an indication of an absence in the interest of the work that you are doing, but it is the fact that at 12:30 we stopped having votes. Mr. Pearce. The other people got their airplanes out, and we did not. Mr. Lungren. Mr. Pearce and I decided we would rather stay here with you. The members of the Committee, as you know, may have some additional questions for you, and some will be submitted to you in writing. We would ask for you to respond to these in writing in a timely fashion. The hearing record will be held open for 10 days. The subcommittee stands adjourned. [Whereupon, at 4:27 p.m., the subcommittee was adjourned.] 
For the Record Prepared Statement of the Honorable Kip Hawley September 7, 2005 Good morning, Mr. Chairman, Congresswoman Sanchez, and Members of the Subcommittee. I am pleased to have this opportunity to testify on the subject of protecting civilian targets from terrorist attack. My focus today will be on the programs and initiatives of the Transportation Security Administration (TSA) in rail and mass transit security--where we are investing our resources and why--as well as our immediate response to the London bombings and our vision for the road ahead. TSA is an agency created on the heels of the atrocious 9/11 attacks on our Nation. We are charged with protecting all modes of transportation--a mandate we have taken seriously since our inception, notwithstanding the more visible comprehensive federalization of our Nation's aviation security system directed by the Aviation and Transportation Security Act (ATSA). The tragic bombings in Moscow on February 6, 2004, in Madrid on March 11, 2004, and in London on July 7, 2005, and the attempted attacks there two weeks later, are grim reminders of the heinous tactics of our enemies and of the need to remain vigilant and prepared. Our Current Program Efforts to ensure transportation security vary with the nature of the system being protected. The Nation's rail and mass transit systems are fundamentally different from our aviation system. Transportation systems differ in size, in openness, and in control. Most importantly, our passenger rail and mass transit systems are, by design, far more accessible than the commercial passenger aviation system, with multiple entry points, few barriers to access, and hubs that serve and allow transfers among multiple modes--subway, intercity rail, commuter rail, and bus--and multiple carriers. 
While commercial passenger aviation is a closed system that can be closely monitored at controlled checkpoints, passenger rail and mass transit are open systems without controlled checkpoints--hence, monitoring cannot be accomplished by a single staff person or closed circuit television. Many passenger rail and mass transit systems are vast in terms of infrastructure and ridership. As just one example, each weekday an average of 4.5 million passengers ride the New York City subway, compared to approximately 1.8 million domestic aviation enplanements per day, nationwide. In addition, passenger rail and mass transportation assets are owned or controlled by State or local governmental entities or private industry, each of which is responsible for its own security. The Federal government has only very recently issued security regulations in mass transit and passenger rail. In contrast, although commercial passenger aviation also has a wide variety of owners and operators, its security has historically been heavily regulated by the Federal government. And so, we cannot simply graft our commercial passenger aviation security systems onto the passenger rail and mass transit modes. To do so would be unrealistic, expensive, disruptive, and ultimately ineffective. Instead, we have, since our inception, been carefully weaving a web of security measures that depend upon three key components: stakeholder partnership and cooperation; risk assessment; and technology evaluation. These components have provided a strong security base and promise to strengthen mass transit and passenger rail security as we move forward. Stakeholder Partnership and Cooperation. 
One hallmark of our rail and mass transit security program is the close working relationships we have fostered with other DHS components, with the Department of Transportation (DOT) and its modal administrations, and perhaps most importantly, with the stakeholders--the public and private providers of rail and mass transit transportation who are also responsible for the systems' security. Our efforts have focused on greater information sharing between the industry and all levels of government; addressing vulnerabilities in the rail and mass transit sector to develop new security measures and plans; increasing training and public awareness campaigns; and providing greater assistance and funding for rail and mass transit activities. Risk Assessment. Security measures are a filter, not a guarantee, but effectiveness can be maximized, without unduly sacrificing freedom of movement, through risk assessment. A primary goal of our approach to security is to assess the risks and evaluate vulnerabilities associated with different components of the rail and mass transit systems to determine how to optimize resources. TSA's initiatives are intended to focus the collective limited resources available on the protection and prevention of terrorist incidents with the greatest potential consequences. Technology Evaluation. The challenge of harnessing security technology for rail and mass transit is two-fold: How can we best adapt the security technology developed for aviation to the unique circumstances of rail and mass transit systems? What new technologies are uniquely suited to rail and mass transit systems? Pilot programs, exercises, and research and development aim to leverage current and emerging technologies to deter attacks against rail and mass transit systems, especially those intended to cause catastrophic damage through use of chemical, biological, radiological, or high explosives weapons. 
Together, these three components support our current security program and future planning. Grants. Although primary responsibility for funding mass transit security rests with State and local governments, substantial Federal assistance has been and will continue to be provided through a variety of grants. TSA has worked closely with DHS' Office of State and Local Government Coordination and Preparedness (OSLGCP) in the review of grant applications, the determination of eligibility, and final award determinations. Since its creation, through the State Homeland Security Grant Program and the Urban Area Security Initiative, DHS has allocated $8.6 billion for counterterrorism preparedness. The President's FY 2006 homeland security budget proposes an additional $2.4 billion for this purpose as well. These funds can also be allocated by State and local governments for rail and mass transit security efforts. The FY2006 budget also requests $600 million--a more than 60 percent increase--for the Targeted Infrastructure Protection Program, which covers security for mass transit, rail, ports, inter-city buses, and programs such as highway watch and buffer zone protection. These areas and programs combined received $365 million in FY 2005. Additionally, to date DHS' Transit Security Grant Program (TSGP) has provided more than $255 million to State and local transit authorities to increase protection through hardening of assets, greater police presence during high alerts, additional detection and surveillance equipment, increased inspections, and expanded use of explosives detection canine teams. In April 2005, DHS announced $141 million in TSGP funding, of which more than $107 million has been dedicated to owners and operators of rail systems. An additional $6 million was awarded to Amtrak through the Intercity Passenger Rail Security Program for security enhancements to rail operations on the Northeast Corridor and at the railroad's hub in Chicago. 
TSA has also coordinated closely with DOT's Federal Transit Administration (FTA), which launched a comprehensive public transportation security initiatives program funded primarily through a $23.5 million supplemental security allocation in an FY 2003 emergency wartime appropriation. The program included threat and vulnerability assessments at 37 of the largest transit agencies, most involving multiple modes; the deployment of on-site security technical assistance teams to the 50 largest transit agencies; the award of security drill and exercise grants to over 80 transit agencies; the launching, with industry partners, of a Transit Watch security public awareness campaign; and the development and holding of community forums to enhance coordination and integration of transit agencies with emergency responders, fire and police departments, and other key stakeholders. Security Exercises and Training. TSA has held numerous security exercises that bring together rail carriers, Federal, State, and local first responders, and security experts to test preparedness and response and identify best practices and lessons learned. These efforts support effective relationships among Federal entities and with State and local governments and the private sector and greatly enhance our overall security posture. These exercises assist TSA and stakeholders in addressing gaps in antiterrorism and response training among rail personnel. Through an interagency agreement with the Federal Law Enforcement Training Center, TSA has trained over 400 law enforcement, transit police, and first responders through the Land Transportation Anti-Terrorism Training Program. Additionally, TSA has contracted with the National Transit Institute to develop a CD-ROM based interactive training program for passenger and freight rail employees. This product is expected to be completed before the end of the current fiscal year. Stakeholder Engagement. 
TSA has reached out and engaged with industry stakeholders, including the American Public Transportation Association and Amtrak, to identify common security practices and obtain feedback on security programs and initiatives. This input is crucial to TSA's efforts to identify best practices, which will enhance security in the rail and mass transit modes. We are committed to maintaining these engagements and using the information and experience gained in security measures and programs.
Corporate Security Reviews (CSR).
Since FY 2003, TSA has conducted 27 on-site corporate security reviews with rail and mass transit stakeholders, including six of the Nation's seven Class I railroads, to gain an understanding of each surface transportation owner/operator's ability to protect its critical assets. The program's goals are to supply baseline data that can be used to develop security standards, provide domain awareness of security measures throughout the transportation sector, and promote outreach to transportation stakeholders as a means to ensure constant communication and foster stakeholder relationships.
The CSR Program has several recognized benefits. The data collected during these visits, such as security plans and critical infrastructure lists, supplies TSA with information to assist with other programs and exercises, baseline the state of security in the Nation, and establish performance-based security standards. This data also assists TSA in identifying areas where additional resources need to be dedicated to address security shortfalls. Additionally, the field presence fosters a higher degree of confidence in TSA with the stakeholder community, builds trusted partnerships faster, and validates stakeholder policies and procedures already in place.
Security Directives.
To secure the U.S. passenger rail and mass transit sectors after the Madrid attacks, TSA issued Security Directives (SDs) that mandate specific security measures.
The SDs set a standardized security baseline. They were developed in conjunction with stakeholders and DOT. The measures required by the SDs support DHS's overarching goals of prevent, protect, respond, and restore. A key measure mandated by the SDs is frequent inspections of key facilities, including stations, terminals, and passenger rail cars, for suspicious or unattended items.
Surface Transportation Inspection Program.
In addition to the grant programs I have discussed, the Department of Homeland Security Appropriations Act for FY 2005 committed $12 million to TSA for rail security, including $10 million to deploy 100 Federal security compliance inspectors. TSA has made substantial progress in developing a robust and comprehensive surface transportation security compliance inspector program with emphasis on hiring, training, and logistical and procedural planning. More than 60 have been deployed to date. TSA expects to have hired and deployed all 100 inspectors to field locations in the next 60 days. The inspectors will identify gaps in security and inspect for compliance with the SDs.
Pilot Programs.
TSA has successfully conducted the Transit and Rail Inspection Pilot (TRIP) program, which was designed to test the feasibility of screening passengers, their luggage, and cargo for explosives in the rail environment. The pilot occurred in three phases and tested advanced automated x-ray explosives detection equipment and canine patrols. TRIP provided valuable lessons on how to successfully deploy, maintain, and use screening technology outside the airport environment. Results indicated that such technology might be useful if threats were made against a specific rail or mass transit system or in support of a National Special Security Event (NSSE). This aspect was successfully demonstrated at the Republican National Convention in the summer of 2004 and at the Presidential Inauguration in January 2005.
Explosives Detection Canine Teams.
The FY 2005 DHS Appropriations Act also includes $2 million to deploy explosives detection canine teams. The National Explosives Detection Canine Team Program consists of two components. First, a Rapid Deployment Force (RDF) has been developed to deploy DHS explosives detection canine team resources in support of local law enforcement agencies on an as needed basis in the event of heightened levels of security. TSA's participation in the RDF has included augmentation of local law enforcement and local authorities during NSSEs, such as the Presidential Inauguration and the Democratic and Republican National Conventions, as well as conducting joint training and assistance to existing mass transit canine teams.
The second component of the explosives detection canine team program is devoted to rail and mass transit and should be completed by the end of calendar year 2005. This segment is being accomplished by partnering with local mass transit and rail authorities. It includes the training and deployment of additional TSA-certified explosives detection canine team assets to support mass transit systems and the development of national standard operating procedures for rail and mass transit systems. As one example, TSA partnered with the Metropolitan Atlanta Rapid Transit Authority, deploying six TSA-certified explosives detection canine teams throughout their system.
This program is effective and expanding. On August 10, 2005, TSA offered a cadre of three dogs each to ten of the largest mass transit systems in the Nation. Law enforcement officers from the ten systems that choose to participate will attend the TSA Explosives Detection Canine Handler Course beginning this month. During that ten-week course, handlers will be matched with a TSA canine and trained in proper dog handling and search techniques. Upon graduation, the teams will return to their systems for local training, familiarization, and certification.
Hazardous Materials.
The security of hazardous materials (HAZMAT) shipments, including radioactive materials and defense related items, is an area that has received special emphasis since September 11, 2001. DHS and DOT have been working on several initiatives that support the development of a national risk-based plan to address the shipment of HAZMAT by rail and truck. For rail, a major effort is the assessment of the vulnerabilities of urban areas through which toxic inhalation hazard (TIH) materials are transported. TSA and DHS' Directorate for Information Analysis and Infrastructure Protection (IAIP) have worked together to enhance security in the Nation's capital with the National Capital Region (NCR) Rail Security Corridor Pilot Project. The $9.6 million pilot initiative established a seven-mile long Rail Protective Measures Study Zone to protect HAZMAT traveling through the city. Measures undergoing testing and development include screening and monitoring of trains, monitoring of personnel, chemical monitoring, radiation and contamination monitoring, and physical security measures to prevent intruders from tampering with the rail lines or trains. The task force for this effort includes private stakeholders and other Federal and local government agencies that conducted risk vulnerability assessments and identified critical areas and mitigation strategies to enhance HAZMAT security along the D.C. Rail Corridor. TSA continues to improve HAZMAT security through the High Threat Urban Areas (HTUAs) Corridor Assessments. The DHS/DOT team is conducting vulnerability assessments of HTUAs where TIH HAZMAT is transported by rail in significant quantities. TSA, IAIP and federal partners from DOT (Federal Railroad Administration (FRA) and Pipeline and Hazardous Materials Safety Administration (PHMSA)) have completed four corridors. The goal of DHS is to complete nine corridor assessments of selected high-threat urban areas by the end of this calendar year. 
These assessments comprise one portion of a DHS and DOT plan to enhance the security of TIH rail shipments. Other goals of the plan are to enhance the ability of railcars to withstand attack, improve compliance with security plan regulations, develop protocols for protective measures, establish communication standards on rail car tracking systems, and improve rail car security during storage in transit.
TSA contracted with the Texas Transportation Institute (TTI) to conduct an independent rail HAZMAT placarding study to assess the feasibility of technological alternatives to the current placard system that would enhance security while maintaining the same level of safety for the first responder community. TTI identified alternatives in three categories: cloaking devices; decentralized systems; and centralized systems. The study was completed on December 17, 2004, but the technologies examined did not demonstrate capabilities that would justify replacing the current system. Therefore, the Secretary of Homeland Security has decided that the current placarding system will remain in effect.
In addition, FRA has administered and enforced the hazardous material shipment regulations promulgated by PHMSA or its predecessor, DOT's Research and Special Programs Administration since the 1970s. These safety regulations cover multiple subjects implicated by the shipment of HAZMAT by rail, including loading, unloading, transloading, placarding, rail car placement in trains, and documentation of the movement. There are nearly 100 FRA and State inspectors involved in aggressively inspecting and enforcing the HAZMAT regulations with respect to railroads, shippers by rail, tank car manufacturers, and tank car repair facilities. The FY 2005 FRA budget provides funding specifically for additional HAZMAT inspectors for tank car design, construction, quality, and maintenance.
Freight Rail Security Demonstration Projects.
TSA has worked with IAIP and DOT's FRA and PHMSA to develop projects to be funded with $5 million allotted from the appropriation in the FY 2005 DHS Appropriations Act to OSLGCP for intercity passenger rail transportation, freight rail, and transit security grants. These projects will be carried out in accordance with the September 2004 Memorandum of Understanding between DHS and DOT on agreed upon roles and responsibilities. Through this team approach, OSLGCP, TSA, IAIP, FRA, and PHMSA will engage stakeholders at the ground level in designing a comprehensive and meaningful strategy for successful implementation of the proposed demonstration projects.
Self-Assessment Tool.
TSA has developed a Vulnerability Identification Self-Assessment Tool (VISAT), a multi-modal tool that a rail or mass transit system may voluntarily use to detect and weigh the vulnerabilities within their systems. In general, the tool focuses on the prevention and the mitigation of an array of threat scenarios developed for each mode within the sector. Users rate their entity in terms of target attractiveness (from a terrorist's perspective) and several consequence categories that broadly describe health and well-being, economic consequence, and symbolic value of the entity. The tool enables a user to capture a snapshot of its security system baseline by assessing vulnerabilities in the system and assisting in the development of a comprehensive security plan.
Of note, VISAT has been adapted for use by stadium and arena managers to enhance security as well. To date, access to VISAT has been provided to over 300 stadiums and 400 arenas. IAIP is spearheading efforts to adapt the program for use by other commercial sector venues, to include convention and performing arts centers. An IAIP pilot program with the States of Texas, Virginia, and California, aims to adapt the tool to support security awareness in K-12 schools.
Infrastructure Protection.
TSA has been integral in assessing the vulnerability of rail and mass transit infrastructure. To date, TSA has reviewed over 2,600 facilities, structures, and systems in a comprehensive effort to determine critical infrastructure. DHS has conducted 52 Site Assistant Visits (SAVs) in the transportation sector including mass transit systems, tunnels, bus terminals/systems, rail lines, and bridges as of August 26, 2005. DHS and TSA personnel continue to review the security plans, countermeasures, mitigation strategies, and technologies used by industry, and will identify best practices in the future.
FRA is assisting Amtrak in enhancing the security and safety of New York City tunnels under the East and Hudson Rivers. TSA and FTA are assessing the security of high-risk transit assets, including vulnerabilities in subway tunnels and at stations where large numbers of people converge and where an attack would cause the greatest loss of life and disruption to transportation services. FTA is working with local systems to develop best practices to improve communication systems and develop emergency response plans.
By a final rule issued on May 31, 2005, FTA met Congressional direction to establish a program providing for State-conducted oversight of the safety and security of rail systems not regulated by FRA. To be codified at 49 C.F.R. Part 659, the rule imposes specific requirements for the development, implementation, monitoring, and assessment of security plans in addition to expanding safety oversight requirements.
Response to the London Attacks
The recent London subway and bus attacks reaffirmed our need for vigilance in securing our rail and mass transit systems. The nationwide response to those attacks, however, also affirms the capability of TSA's approach to mass transit security to date. TSA and FTA jointly surveyed the top 30 transit agencies to determine changes in their security posture.
Even before DHS officially raised the threat level for this sector, many transit agencies had voluntarily enhanced their security with additional patrols, explosives detection canine support, and enhanced public awareness campaigns. These efforts built upon improvements in the security posture brought on by adherence to the security directives TSA issued in the aftermath of the Moscow and Madrid bombings in 2004. Most transit agencies also increased the frequency of security inspections, including track inspections. Many indicated that they would continue increased use of these resources even after the downgrading of the threat level from Orange to Yellow. In the immediate aftermath of the bombings, TSA personnel were given access to transit agencies' operations centers nationwide to observe and evaluate and assist in responsive measures. TSA's surface transportation inspectors deployed to the operations centers of the major railroads and transit systems across the Nation to assess security posture and facilitate protective actions. FRA safety inspectors provided exceptional support and assistance in this effort with the railroads. This collective effort leveraged the assets, expertise, and carefully fostered partnerships of government and industry stakeholders to increase our situational awareness. Lessons learned by all parties will enhance overall security posture and awareness and foster effective cooperation and partnering among Federal, State, local, and private sector entities in the prevention of, and response to, acts of terrorism. Internationally, TSA officials have engaged with their foreign counterparts on rail and mass transit security issues, with the aim of sharing and gleaning best practices from countries with a history of terrorism against their surface transportation systems, an effort we will continue and expand upon. 
TSA has met with the responsible officials from the United Kingdom, Spain, Russia, Israel, France, Japan, Greece (particularly in preparation for the 2004 Olympic Games), the Netherlands, Canada, and other countries. TSA has developed forums for sharing security information and practices on behalf of DHS across all modes of transportation. TSA also benefits from the efforts of DHS representatives based overseas in U.S. Embassies, who have expanded their traditional aviation security roles to include security issues relating to all modes of transportation.
The Road Ahead
We go forward with a disciplined measured program for protecting our rail and mass transit systems. Our efforts will continue to emphasize the shared responsibility of the Federal government, State and local governments, industry, and academia. TSA will continually set the standard for excellence in transportation security through people, processes, and technology.
Crucial to our success as we move forward will be our ability to determine how to best invest our resources. As we continue with our risk assessments and pilot programs, we must optimize our resources to assure that they are invested where they will give the most information or protection. We cannot and will not arbitrarily push money into security programs without an intelligent assessment of their utility.
Securing rail and mass transit systems must be a shared effort among Federal, State, and local governments and private stakeholders. Owners and operators are properly responsible for their own security. In mass transit, well-trained local law enforcement personnel understand the unique design characteristics and security challenges of their home town systems far better than anyone else. Success depends upon an effective partnership that builds on the strengths and resources that each level--Federal, State, and local--can offer and reflects the unique attributes and architecture of each system.
To foster this effort, TSA has initiated a pilot program aimed at leveraging and networking information resources to ensure decision-makers at all levels have the tools they need to implement measures and take actions to deter and prevent terrorist actions.
Our challenge is great--to assure security and protect lives and property while maintaining the access and efficient movement that is essential to rail and mass transit systems. Stakeholder partnerships, information networks, development and leveraging of technology, using a risk-based approach to deployment of Federal resources, grants to foster innovation at the State and local level and in the private sector--through these means, we will continue to strengthen our base of security programs in a manner that ensures freedom of movement for people and commerce.
Thank you for the opportunity to appear this morning. TSA looks forward to a continuing dialogue with Congress on the issues of rail and mass transit security. I will be pleased to answer any questions you may have.