[Senate Hearing 107-335] [From the U.S. Government Publishing Office] S. Hrg. 107-335 RECLAMATION RECREATION MANAGEMENT ======================================================================= HEARING before the COMMITTEE ON ENERGY AND NATURAL RESOURCES UNITED STATES SENATE ONE HUNDRED SEVENTH CONGRESS FIRST SESSION on S. 1480 TO AMEND THE RECLAMATION RECREATION MANAGEMENT ACT OF 1992 IN ORDER TO PROVIDE FOR THE SECURITY OF DAMS, FACILITIES, AND RESOURCES UNDER THE JURISDICTION OF THE BUREAU OF RECLAMATION __________ OCTOBER 9, 2001 Printed for the use of the Committee on Energy and Natural Resources _______ U.S. GOVERNMENT PRINTING OFFICE 78-209 WASHINGTON : 2002 ____________________________________________________________________________ For Sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpr.gov Phone: toll free (866) 512-1800; (202) 512�091800 Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001 COMMITTEE ON ENERGY AND NATURAL RESOURCES JEFF BINGAMAN, New Mexico, Chairman DANIEL K. AKAKA, Hawaii FRANK H. MURKOWSKI, Alaska BYRON L. DORGAN, North Dakota PETE V. DOMENICI, New Mexico BOB GRAHAM, Florida DON NICKLES, Oklahoma RON WYDEN, Oregon LARRY E. CRAIG, Idaho TIM JOHNSON, South Dakota BEN NIGHTHORSE CAMPBELL, Colorado MARY L. LANDRIEU, Louisiana CRAIG THOMAS, Wyoming EVAN BAYH, Indiana RICHARD C. SHELBY, Alabama DIANNE FEINSTEIN, California CONRAD BURNS, Montana CHARLES E. SCHUMER, New York JON KYL, Arizona MARIA CANTWELL, Washington CHUCK HAGEL, Nebraska THOMAS R. CARPER, Delaware GORDON SMITH, Oregon Robert M. Simon, Staff Director Sam E. Fowler, Chief Counsel Brian P. Malnak, Republican Staff Director James P. Beirne, Republican Chief Counsel Deborah Estes, Counsel Colleen Deegan, Counsel Howard Useem, Senior Professional Staff Member C O N T E N T S ---------- STATEMENTS Page Bennett, Hon. Robert F., U.S. Senator from Utah.................. 7 Bingaman, Hon. Jeff, U.S. Senator from New Mexico................ 1 Cantwell, Hon. Maria, U.S. Senator from Washington............... 7 Keys, John W., III, Commissioner, Bureau of Reclamation.......... 16 Kyl, Hon. Jon, U.S. Senator from Arizona......................... 12 Landrieu, Hon. Mary L., U.S. Senator from Louisiana.............. 4 Murkowski, Hon. Frank H., U.S. Senator from Alaska............... 2 Otis, Lee Liberman, General Counsel, Department of Energy........ 19 RECLAMATION RECREATION MANAGEMENT ---------- TUESDAY, OCTOBER 9, 2001 U.S. Senate, Committee on Energy and Natural Resources, Washington, DC. The committee met, pursuant to notice, at 9:35 a.m. in room SD-366, Dirksen Senate Office Building, Hon. Jeff Bingaman, chairman, presiding. OPENING STATEMENT OF HON. JEFF BINGAMAN, U.S. SENATOR FROM NEW MEXICO The Chairman. Good morning. The purpose of this hearing is to receive testimony on S. 1480. Before I get into a very short opening statement on that and ask Senator Murkowski to do the same, let me advise folks we were planning to mark this bill up tomorrow. Senator Mansfield's funeral is scheduled for tomorrow morning, and they are taking quite a few Senators to that, so we will postpone that markup until Thursday morning instead of tomorrow morning. As I indicated, the purpose of the hearing today is to receive testimony on S. 1480, a bill to amend the Reclamation and Recreation Management Act of 1992 in order to provide security for dams, facilities, and resources under the jurisdiction of the Bureau of Reclamation, and to consider other proposals related to energy infrastructure security. S. 1480 was submitted to Congress by the administration and introduced by request on October 1, the committee has also received suggestion from the Department of Energy and from various energy industry groups regarding legislation that they believe would improve the security of our critical energy infrastructure. Based on this input, the committee has developed some draft language which has been made available to witnesses for their comments. The attacks of September 11 have made assuring the security of energy and water infrastructure an urgent priority. The legislation we are considering would provide law enforcement authority as requested by the administration to the Bureau of Reclamation, which has the responsibility for the operation of some 347 dams and reservoirs in the West. The draft language developed by staff would provide law enforcement authority to the power marketing facilities as well. We have also included provisions to facilitate criminal background checks for certain energy industry employees. Those provisions are to protect our critical energy infrastructure information and provisions addressing the sharing of information between the Government and energy industry companies. Pursuant to presidential decision directive 63, an organizational structure designed to deal with threats to critical infrastructure has been put in place by the Federal Government and private industry. However, the electric power information sharing and analysis center, ISAC, only became operational in June, and the oil and gas ISAC was formed this September. We urge the Department of Energy and the industry to place a high priority on making these organizations work well, and to come back to the committee promptly if additional authority is needed. Our first witness today is Senator Bennett from Utah. Senator Bennett and Senator Kyl have introduced S. 1456, the Critical Infrastructure Information Security Act of 2001. This bill applies to all of the critical infrastructures, including energy, banking, and financial communications, transportation, and vital human services. A number of energy industry representatives have indicated their interest in the legislation, and we are very glad to hear about it today. Before I call on Senator Bennett, let me call on Senator Murkowski for his opening statement. STATEMENT OF HON. FRANK H. MURKOWSKI, U.S. SENATOR FROM ALASKA Senator Murkowski. Thank you very much, Senator Bingaman and Senator Bennett. If you will bear with me for a moment, let me give you the Minority view on this proposed legislation related to security and law enforcement capability at the Bureau of Reclamation sites, namely our dams, reservoirs, irrigation facilities, and other water delivery systems. These facilities provide for the agricultural production, power generation, flood control, and they form the basis for the settlement of the West and are crucial to the economy--the existence of communities west of the Mississippi River. While other Federal agencies have clear authority for law enforcement, the Bureau of Reclamation apparently does not. We want to satisfy ourselves to that, but that appears to be the case. Now, the administration has proposed legislation that would enable the Bureau to contract with State, local, and Federal officials, as well as law enforcement agencies, for law enforcement on Bureau of Reclamation lands and at Bureau of Reclamation facilities. What we want to be careful of is to not create a new law enforcement agency. This legislation, as I understand it, does not increase or diminish authorities that already exist. We want to make sure that this does not inhibit in any way access to Bureau of Reclamation lands for the general public enjoyment. I understand the House Resources Committee has already reported a companion measure. It is my hope we could deal with this matter in a timely fashion. In the energy sector there are numerous facilities, each with a varying degree of vulnerability and consequences of attack, whether it be oil and natural gas pipelines, refineries, electric transmission, substations, control facilities, hydroelectric dams, and certainly nuclear powerplants. For some of these, such as Federal powerplants and hydroelectric dams, the Federal Government already plays an important role in ensuring safety and security. For others, however, such as oil refineries, electric transmission lines, currently there is little, if any, Federal role. Now, before we jump headlong into directing the Federal Government to protect each and every infrastructure facility, we need to ask some basic questions. What is their vulnerability? What is their risk? What is the private sector already doing to safeguard facilities? Most major corporations obviously, whether they have specific sites associated with processing, refining and so forth, maintain their own security capabilities. It is my understanding that last week one major oil company received a bomb threat on one of its facilities here in Washington, D.C. As a matter of fact, the threat was that three bombs were in the building. They were evacuated--fortunately it was a nice day--but nevertheless, private security is maintained by those corporations, and we do not want to duplicate that. Now, clearly there are some things that can and should be done immediately. I think we have been ignoring far too long the issue of nuclear waste, and we have simply got to come to grips with it on a bipartisan basis. We should immediately complete Yucca Mountain so that our high level radioactive waste can be stored safely. It is not being stored safely because the facilities where it is located were not designed to store it beyond a reasonable period of time, and that time is past. Securing our Nation's waste in one central, secure, and remote facility is far safer than our current scatter-shot approach of leaving waste at 103 nuclear sites Nation-wide, in some 30 States. The Nuclear Regulatory Commission should remove from its web site detailed information about the location and the safety features of individual powerplants of a nuclear nature. I cannot imagine that the public needs to know the exact longitude and latitude of the location of our nuclear plants. We need to review existing Federal reporting requirements in the Freedom of Information Act to prevent the disclosure of sensitive information. We must make sure that we never again allow for the release of sensitive nuclear weapon data through bulk declassification. We must also be careful about expecting too much from the Federal Government. The FBI, or our intelligence agencies will play key roles, but we cannot station Federal troops along every mile of pipeline or at the front of every refinery. State and local police will remain the frontline law enforcement agency, and the industries will have primary responsibility for security of those facilities. As we review what should be done, it should be proportionate to the public risk. That means somebody is going to have to measure that risk. We look forward to hearing from the witnesses this morning and hearing their ideas that they are sharing with us. Thank you. The Chairman. Since we have a very sparse attendance right now, and this is a subject of great interest to members, let me just see if either Senator Campbell or Senator Landrieu would like to make any kind of opening statement. If they would, I would call on them right now. Senator Campbell. No, Mr. Chairman. The Chairman. All right. Senator Landrieu. STATEMENT OF HON. MARY L. LANDRIEU, U.S. SENATOR FROM LOUISIANA Senator Landrieu. I do, Mr. Chairman. I appreciate your calling the hearing this morning, and I welcome our colleague to testify. I am looking forward to hearing his testimony, and I have reviewed the outline, Senator, of your bill, and I think it has a lot of merit, and clearly an area that we need to move in, and I would like to just share a few points in this opening statement, and I will reserve some time for questions, because I think this whole issue, Mr. Chairman, is of critical importance to our Nation. Not only did the September 11 events refocus our attention on some of the most immediate needs that our Nation is facing, but I think it has made more clear the necessity for us to reevaluate much of the infrastructure in this Nation and look at it, unfortunately, in a different light. The dangers that it presents to communities, et cetera, as well as the benefits of this infrastructure system, and when we talk about energy that is, I think, particularly crucial. Now, last week, we know that an individual was able to cause about 150,000 gallons of oil to spill from the 800-mile trans-Alaska pipeline with a bullet from a high-powered rifle. That is just one example of the points that I am hoping to make in the next few minutes. I want to commend you, Mr. Chairman and our ranking member, for moving quickly on this energy security infrastructure issue. I know that the bill that you have put down for us to consider today, and the testimony that we will be hearing contains a lot of important parts. Law enforcement authority for Bureau of Reclamation Power Marketing Administration facilities, criminal background checks of employees at critical energy infrastructure facilities, all of these are important. These items are significant, but we need to do more. I think we need to expand on this concept, and our colleague has brought forward his ideas about sharing information, but I would like to add a couple of things to this discussion now that we are engaged in an operation to combat terrorism which will take considerable time. Some of the emergency measures put in place at energy facilities throughout the country in response to the September 11 attacks can only be maintained for so long. For example, off the coast of my State, in Louisiana, the Nation's largest port for off-loading crude oil was being and has been patrolled by military vessel. While a kind of safety zone around such areas makes sense, should we expand our military, or expend our military resources in order to continue to do so? Merely using our present available resources to operate at such high levels of alert for the duration of what all indications are will be a long-term effort does not seem realistic. There is an urgent need for substantial commitment to protect our country's infrastructure, energy infrastructure both in scope and duration. Although 90 percent of the infrastructure in this country is privately owned, the bill before us directs resources to those entities that are publicly owned. The industry has an obligation to provide security, but there is sufficient evidence that the Federal Government should make additional and significant contributions to this effort. Not only for the people's safety in communities, but also for the safety of our economy, which has its foundation on a reliable, safe source of energy for this Nation. And I do not need to put into the record a number of ideas which would lead us to indicate that our economy is not as strong as it could be and potentially should be, and what a disruption might cause. First, our country is now experiencing an economic downturn of some significance. Prices for oil and gas are low. It is imperative for the industry to continue to focus its attention on production measures to keep our domestic supply of energy steady, instead of diverting considerable financial resources to protection. Secondly, the actual impact of infrastructure located in one State more often than not extends beyond a particular State. Three of the country's top 10 gasoline-consuming States are in the Midwest. The Midwest imports 25 percent of its total demand from the gulf coast. Our gulf coast refining centers are handling half the total barrels produced in the United States today. There are only two pipeline systems moving the product from the South to the Midwest. This is, Mr. Chairman, a tremendous amount of pressure on gulf coast refining. Not only are refineries under pressure, the pipelines are under pressure, and now I think there is evidence that there could be some threat, not specific evidence, but clearly in the light of September 11 we have got to look at this infrastructure with a different light. What happens if one or both of these systems are disrupted? In addition, the only off-shore terminal in the whole continental United States is the loop facility which is off the shore of Louisiana. 13 percent of all the imported oil comes through that one facility. So in conclusion, whether we are talking about pipelines, transmission lines, refineries, nuclear plants, as Senator Murkowski indicated, ports, rigs, platforms, the Federal Government has a clear and compelling interest in providing necessary resources to ensure that our energy infrastructure is sufficiently protected. I am going to propose legislation today which will do four things, and I want to get this on the record this morning and look forward to working with my colleagues on this. One, it will establish a multi-year national energy infrastructure program to provide funding annually to all 50 States in order to make sure that all appropriate measures from the monitoring and detection of potential threats to mitigate, respond and recover are in place against hostile and natural threats. Two, to create two funds, one for the protection of energy infrastructure located in coastal zones of oil and gas- producing States, the other for energy structures, infrastructure of all 50 States, including those in oil and gas-producing States. Three, provide funding based on a formula related to the amount of energy infrastructure a State has, as well as to the contribution of the State's infrastructure to the rest of the Nation. Finally, the Governor of each State would consult with Federal, State, and local law enforcement public safety officials, industry and other relevant persons or agencies to put together this security plan to submit to the Secretary of Energy detailing what measures might be necessary to protect the infrastructure to the best of our ability and within the framework of the resources provided, and within, I might say, a public-private partnership, which clearly will be necessary. In order to pay for this program, we should use a percentage of off-shore revenues from oil and gas development on the Outer Continental Shelf. We need to increase production in that area as well as on-shore, and use those additional dollars to help protect our Nation and to provide the resources necessary to do the things that, Senator, you are going to be speaking about this morning, the chairman has suggested in his legislation. I thank you, Mr. Chairman, for allowing me, because I will be introducing this bill today and offering it as an amendment to our markup tomorrow. Thank you. [The prepared statement of Senator Landrieu follows:] Prepared Statement of Hon. Mary L. Landrieu, U.S. Senator Louisiana The vulnerability of our country's energy infrastructure became more clear last week when an individual was able to cause about 150,000 gallons of oil to spill from the 800-mile Trans-Alaska Pipeline with a bullet from a high powered rifle. I want to commend the Chairman for moving to focus our attention on the issue of security of our energy infrastructure. You have put forward a legislative proposal that addresses some of the matters of importance to us: law enforcement authority at Bureau of Reclamation and Power Marketing Administration facilities; criminal background checks of employees at critical energy infrastructure facilities; and protection of critical energy infrastructure information. While all of these items are significant, I believe the events of September 11 have proven that we need to do more legislatively to make sure our nation's energy infrastructure is adequately protected from both hostile and natural attacks. We are now engaged in an operation to combat terrorism which will take considerable time and resources. Some of the emergency measures put in place at energy facilities throughout the country in response to the September 11 attacks can only be maintained for so long. For example, off the coast of my state of Louisiana, the nation's largest port for offloading crude oil was being patrolled by a military vessel. While a kind of safety zone around such areas makes sense, should we expend our military's resources in order to do so? Merely using our present available resources to operate at such high levels of alert for the duration of what all indications are will be a long-term effort does not seem realistic. There is a need for a substantial commitment to the protection of our country's energy infrastructure both in scope and duration. Although 90% of the energy infrastructure in this country is privately owned and operated and industry does have an obligation to provide security, there is sufficient evidence to suggest the federal government should make a more significant contribution. First, our country is now experiencing an economic downturn. It is imperative for our government to continue to focus its attention on production measures to keep our domestic supply of energy steady. Second, energy infrastructure is by nature not contained within the borders of one state or region. For example, three of the country's top ten gasoline consuming states are in the Midwest. The Midwest imports 25% of its total demand from the Gulf Coast. While the Gulf Coast refining centers handle half of the total barrels processed in the U.S. today, there are only two pipeline systems in place to move the product from the South to the Midwest. This is a tremendous amount of pressure on Gulf Coast refineries to meet demand in the Midwest. What happens if one or both of these systems are disrupted? In addition, the only offshore oil terminal in the United States, the Louisiana Offshore Oil Port (LOOP), is estimated to take in 13% of the United States' imported oil and refining capacity and is connected by five pipelines to over 30% of the United States refining capacity. Imagine the impact its disruption from natural or hostile threats would have on the nation's refining capacity. So, whether we are talking about pipelines, transmission lines, electric generators, refineries, nuclear power plants, ports, rigs or platforms the federal government has a clear and compelling interest in providing the necessary resources to ensure that our energy infrastructure is sufficiently protected. Since the disruption of a particular facility or transmission line has economic consequences and could pose a significant threat to the safety of the surrounding population, as well as the effect on our economy, environment, state and local authorities must also play a role. This would require a partnership among the federal, state and local governments and industry. I am proposing legislation which would:establish a multi-year national energy infrastructure program to provide funding annually to all 50 states in order to make sure that all appropriate measures from the monitoring and detection of potential threats to mitigation, response and recovery are in place against hostile and natural threats; create two funds, one for the protection of energy infrastructure located in the coastal zones of oil and gas producing states, the other for the energy infrastructure of all fifty states excluding those areas in the oil and gas producing states that would be provided for in the first fund; provide funding based on a formula related to the amount of energy infrastructure a state has as well as to the contribution of the state's infrastructure to the rest of the country; the Governor of each state would consult with Federal, state and local law enforcement, public safety officials, industry and other relevant persons or agencies to put together a security plan to submit to the Secretary of Energy detailing what measures were necessary provide adequate protection of that particular state's infrastructure; and in order to pay for this program we would use a percentage of offshore revenues from oil and gas development on the Outer Continental Shelf. If we are truly serious about protecting our country's energy infrastructure from present and future threats, it is necessary for us to provide a commitment of significant federal resources as soon as possible. Thank you. The Chairman. Thank you very much. Senator Cantwell, did you have an opening statement? STATEMENT OF HON. MARIA CANTWELL, U.S. SENATOR FROM WASHINGTON Senator Cantwell. Mr. Chairman, thank you. I did want you to know prior to our last closed session on the energy infrastructure, I did visit with the Army Corps of Engineers that has responsibility for security on part of our hydro system in the Northwest, and I would like the committee to have that information in light of the Bureau of Reclamation legislation as well. Thank you. The Chairman. Thank you, and Senator Bennett, thank you for being here to tell us about your proposed legislation. Go right ahead. STATEMENT OF HON. ROBERT F. BENNETT, U.S. SENATOR FROM UTAH Senator Bennett. Thank you very much, Mr. Chairman. I congratulate you on your foresight in including in your bill a reference to infrastructure protection. Senator Kyl and I have introduced our bill, which is something of an orphan. We are looking for someone to adopt it, and if you should decide to fulfill that function and put our bill into your bill, I think I can speak for Senator Kyl, we would be delighted to have that kind of parentage. One word I want to leave with you with respect to critical infrastructure as you conduct your deliberations is the word seamless. Unfortunately, as we have addressed critical infrastructure in this country, we have done it in a stovepipe way. We have looked at critical infrastructure in one industry or one sector of the economy, and the one thing that leaves us vulnerable to is the overlapping seamlessness of the threat that can come in today's information age world. I have a chart here which I do not expect anybody to understand, other than to look at it and get an overall impression of what it is. That, Mr. Chairman, is a map of the world. You will notice there are no oceans on it, there are no mountains, there are no geographical barriers. It is a map of the Internet in the world, and everything is connected in some way with everything else, so when you think in terms of critical infrastructure, you must understand the seamlessness of the problem. If there is an interruption in the critical infrastructure in the transportation world, for example, if the computers fail that run the railroads, that means that coal cannot get to coal-fired plants, because if the computers fail in the transportation system, no one knows where any of the railroad cars are. There are no physical records any more tracking railroad cars. They are all run by computer, so that someone who can break into the transportation computer infrastructure can have an impact on energy. The same thing is true with telecommunications. When the Secretary of Defense picks up the telephone in the Pentagon to connect him with the Commander of the Central Command, that phone call goes through Verizon, so that someone who breaks into the telecommunications system can affect our defense posture. If someone decides to get into the Fedwire banking and financing, and if they could shut down the Fedwire with a computer attack, there could be no financial transactions. No one in any energy refinery or other facility could get paid. Their paychecks would not be automatically deposited because the Fedwire controls all of the financial transactions in the country, and so on and so on and so on. I put this chart up to indicate just how seamless the modern world has become, how productive it is, but at the same time as we have the tremendous productivity that comes from this kind of interconnectiveness, how vulnerable it is, so someone can break in in one place and then have an impact some place else. The second chart, which is simply a subset of the first, comes out of a hearing that I held in the Joint Economic Committee, and this is a map made of one company's network. Now, you will notice different colors. The interesting thing about it is that the green color, the dark color, the most dominant color is of the networks the company knew that it had. The other colors, the other portion of the map come from network connections that the company was unaware of. They come from suppliers, customers, others who are connected with the company's networks, which means if you were a terrorist who wanted to shut this company down, you could break into one of the orange networks. Unbeknownst to the company you are then connected with the green network, and you could do mischief from directions where no one would be expecting any kind of attack. So a cyber threat that could shut down a computer in one situation can have a cascading effect and end up causing damage to critical infrastructure some place else, so while I applaud what is in your bill, the point I want to make is that it is tied directly to the water and energy sector, and there are vulnerabilities that threaten the water and energy sector that come from cyber space, of which many people might not even be aware. Now, as Senator Landrieu pointed out, the vast majority of the critical infrastructure is owned by the private sector. She used the phrase, 90 percent. We are told 85 percent. I will not quibble about the difference. That means the protection of the computers that run our critical infrastructure system in this seamless atmosphere in which we live is primarily in private hands. We have a blind spot in this situation, a major national blind spot, and it comes from the fact that we do not know what is going on in one portion of that map that could affect the other portion of the map. For example, if the Defense Department sees increased computer attacks on their networks, no one in private industry knows that. There is no trading of information. And conversely, if there is an increased attack on private networks, the people in the intelligence community or the Defense Department do not know that, but what you are looking for on a national basis is the emergence of a pattern, a pattern of attacks that tells you that some terrorist is after you. Now, our defense intelligence communities are under attack every day. I have been in the facilities where these attacks are monitored. The information is classified, and so I will not in this hearing go any further than that, but I can tell you that I have seen in real time the attacks that are going on every single day against our defense facilities. Some of these attacks come from hobbyist hackers who simply want to get in to prove that they can, but many of them come from much more sinister sources and are after access which, if they achieved it, could be very dangerous to our defense capacity. Now, someone who recognizes the map that I have just shown you says, all right, I have tried to get into the U.S. Defense Department directly. I cannot. Now let us try some place else. Let us try something in the private sector that may not be as well-protected, or that can be detected as carefully, and a pattern of attacks starts somewhere where the folks in the Defense Department have no knowledge of it. I have used the Defense Department as an example, but we could take the energy and water sector of the economy and say exactly the same thing. Someone could try to get into an energy installation, say the labs in your State, Mr. Chairman, in an attempt to get information that would be valuable to a terrorist. They are repulsed by Government firewalls that are built in and around the labs. And so they say, okay, we cannot get in there, let us go into the telecommunications system and see if we could come into the labs somehow through the telephone network. Let us try something as humble as a supplier of the labs, something that has nothing whatever to do with energy, but from that orange network, find ourselves being able to get into the green network and then get the information that we need, or do the damage that we seek to do from a source that no one had anticipated. So with that background, let me outline for you the bill that Senator Kyl and I have introduced which we think should be considered as a possible substitute for what you have in your own bill. In this chart, I have outlined the problem as I have tried to describe it in my comments. We have private industry that is seamlessly connected. The four examples we put up here were the telecom industry, the banking industry, high tech, and the power industry, but you could add many, many more to that particular circle. We have tried to keep it fairly simple. The blind spot, as I said, is that there is currently no ability for private industry to share information about attacks with each other in that circle on the left-hand side of the chart, nor is there any formal ability to share the information with the U.S. Government, or for the U.S. Government to share its analysis of what is going on with anybody in private industry, and this is what the bill that Senator Kyl and I have introduced seeks to correct. We want to make it possible for private industry to consult with each other as attacks are mounted, and then as that information is gathered, to furnish that to the U.S. Government in a way that will not compromise the security of that information, and this is where we come up to deal with the Freedom of Information Act. Now, the Freedom of Information Act contemplates the ability of private citizens to share information with the Government and have that information kept confidential, kept out of the public arena, but because it was drafted before we got to the state we are in the cyber age today, the Internet age, the Freedom of Information Act does not have crisp, clear definitions of which pieces of information can be protected from FOIA and which pieces cannot. FOIA simply says it will be up to Congress to provide these definitions in the future, so it is in the spirit of complying with the Freedom of Information Act that Senator Kyl and I have introduced our bill to provide the specificity of that kind of information that can be protected. Many people have attacked our bill on the grounds that the public has a right to know, therefore, Senator Bennett and Senator Kyl are trying to hold down public disclosure with their bill. Those who make that kind of attack miss the point, the point being that if the FOIA protections outlined in our bill are not granted to private industry, private industry will not share this information with the Federal Government. It is not that the public is being deprived access to information that they would otherwise have if our bill does not pass. It is that the Government is being deprived of information that they would not have unless our bill is passed. Understand, FOIA not only gives the American public the right to this information, it gives other people the right to this information, including, if you will, Mr. Chairman, the terrorists who might want to use their attacks to cripple our critical infrastructure, and then the private industry says an attack is going on. Here, Government, is a list of the pattern of attacks. Tell us what it means. The terrorist files a FOIA request and says, we want that same analysis, and they can sit wherever they are in the world and say to themselves, well, we have got a complete analysis of how successful we have been. They were able to stop us here, here, and here, but they are worried about there, there, and there, so now we know where to target our attacks. That is why our bill says that this information that is shared voluntarily by the private industry solely for the purpose of informing the Government of what is going on and then getting analysis back from the Government as to what the private industry ought to be doing about it, that that information will be kept confidential and will not be subject to a normal FOIA request. We are not treading on unfamiliar ground here. Senator Kyl and I served on the Y2K special committee, and the bill that passed this Congress, signed by President Clinton, had some FOIA information exemptions there as well, so that private industry could share with the Federal Government their vulnerabilities to a Y2K shutdown, receive back from the Federal Government information about it, and that it would not be shared with their competitors or with some potential terrorist, and so we have experience with this. The world has not come to an end, the First Amendment has not been degraded, and we are simply building upon that experience with the legislation we are proposing. So Mr. Chairman, to summarize this, and I appreciate your indulgence in allowing me to go on this long, let me say that there are four needed provisions in any legislation that deals with information on critical infrastructure. First, the critical infrastructure must be better-defined than it is, and our bill attempts to do that. Second, the private sector must be able to share information with the Government, knowing that that information will be protected. Third, that the Federal Government must have the capability to analyze that information and share back with private industry. And fourth, that the private sector must be enabled and empowered to work together around this circle on the left-hand side of the chart, and that is why there are some antitrust provisions in our legislation. So I close, Mr. Chairman, as I opened. We must understand when we deal with critical infrastructure that we cannot stovepipe the problem. We cannot say, well, this is the vulnerability in this sector, this is the vulnerability in this sector, and so on. We must understand horizontally that the computer world has made the information that controls all of our sectors virtually seamless, and a cyber attack that might be mounted by a terrorist could come anywhere in the economy and then travel through the Internet virtually anywhere else. We have raised this issue a number of times. members of the committee have a chart that comes out of a GAO report that responded to queries that were raised by a number of us in which they discussed the vulnerability and assessments and remedial plans that are currently available industry by industry. This chart goes to the question of seamlessness, and goes down all of the sectors, banking and finance, electric power, emergency fire services, law enforcement, and so on, and again and again, in the column that discusses vulnerability assessments, we see some assessments performed, no remedial plans, some assessments performed, no remedial plans, no assessments, methodology developed but no assessments performed, no remedial plans. We need to get on with this as quickly as we can, and the first place where we start is with information. With that, Mr. Chairman, again my thanks for your indulgence. Senator Kyl is here, and I would be delighted to have anything that he might wish to add as a cosponsor of this bill. The Chairman. Let me sort of interrupt our normal procedure and ask if Senator Kyl has anything he wants to add at this point. STATEMENT OF HON. JON KYL, U.S. SENATOR FROM ARIZONA Senator Kyl. Mr. Chairman, thanks very much, and I appreciate very much your willingness to hear Senator Bennett and to call on me, because he has made the case I think thoroughly for the substantive aspects of this legislation. I cannot conceive of Congress not doing this. I will just address one thing, and that is what committee should do it, and in what piece of legislation, and if you just go round the chart--and there are some groups that are not even on there. You have got the Government Affairs Committee, you have got the Finance Committee, the Commerce Committee, the Judiciary Committee, the Energy and Natural Resources Committee. Any one of those could take the lead on this. Somebody has to take the lead, and because the Attorney General's reforms were the essence of the Judiciary Committee work, I felt, and Senator Bennett agreed, that perhaps the bill that everyone knew was going to have to move, an energy bill that affected more than just the subject of energy might be the most propitious place to start this. If we do not start some place and put it in some bill, as Senator Bennett said, it is an orphan, and yet I cannot imagine anybody not agreeing that the essence of the bill needs to be addressed, and addressed very, very quickly. So rather than addressing the substance of it, let me just make a plea for this committee to think out of the box a little bit. I mean, terrorists have now caused us to all think out of the box, and because of the seamlessness of this threat to our information infrastructure, we have to start some place. The energy sector is a very logical place to start, and that is why I propose that we include these provisions in the bill, which, by the way, would subsume what you, Mr. Chairman, have put in with respect to energy, but are not contradictory to those two particular sectors. Senator Landrieu. Mr. Chairman. The Chairman. Senator Landrieu. Senator Landrieu. If I could, since we are not following our regular order, let me just say, a) I would love to be a cosponsor of your legislation. I think it is very important, and I would like to join with you in helping you, and I will do my part to urge this committee to adopt this piece of legislation, because I think it would fit nicely, Senators, into what we are trying to put together and push forward with some urgency to this Congress about the importance of protecting our energy infrastructure, both cyber and physical, and there are obviously, as you pointed out in your legislation, some things that we should do sooner as opposed to later, and I want to commend you and thank you for making that presentation. The Chairman. Thank you. Senator Bennett. We are always happy to receive support. The Chairman. Senator Bennett, let me just ask the obvious question that both you and Senator Kyl addressed. You say we cannot stovepipe the problem, and I do not disagree with that. Congress is very good at stovepiping issues. We have done that by dividing ourselves into these committees. It is your position, the same as Senator Kyl's, that we should go ahead and not just deal with the provisions in your bill as they relate to energy, but the broader provisions, is that what I understand? Senator Bennett. That is correct, Mr. Chairman. If I can share this experience with you, again going back to our Y2K days. When the airplane slammed into the World Trade Center in New York, the New York emergency services were immediately called on. Senator Dodd, who was the vice chairman of the Y2K Committee, paid a visit to the emergency preparedness center in New York City, where the coordination of all of these services in the city took place. The leaders of that facility said to him, Senator, if we had not done the Y2K remediation necessary to make sure that our computers did not fail, we would not have been able to provide the emergency services necessary to deal with the crisis in Lower Manhattan, and Senator Dodd shared that comment with me on the Senate floor, and he said, at least we did something worthwhile out of that, because once again the seamlessness of the problem manifested itself, so I believe you are doing the right thing for protection of information that would impact energy and water. Back again to the labs in your home State, which are very dependent on computers and the network, the Internet, you are doing a service to protect those labs when you adopt something like our legislation, even though the legislation goes all across the board, and is not just aimed at the labs. The Chairman. Now, as I understand it, there is similar legislation that is pending in the House. Could you tell the committee what your understanding is as to whether it is similar, and what the status of it is? Senator Bennett. There is similar legislation pending in the House. With all of the modesty that we all possess in the Congress we think our bill is better. We think we have focused on the definition issue a little bit better than the House has, and again drawing on the experience that Senator Kyl and I had in the Y2K committee, we think we have a better handle on the overall problem, but the House is moving forward, and I think the Senate ought to do the same. The Chairman. Senator Murkowski. Senator Murkowski. Senator Bennett, I share your observation. I think we all saw some of the television coverage after September 11 which indicated that, indeed, the quick recovery from the standpoint of our financial community, the bond houses, trading groups, brokers and so forth, was a consequence of preparation for Y2K, where they had the fear of the unknown at the end of that year starting the millennium really geared up in such a way as they had a backup that was there, a plan, and they were able to initiate it, and I think it speaks for the reality of being prepared. From the standpoint of one member of the minority, I think we would be prepared to recommend to our minority the inclusion of your bill in the infrastructure security bill that we are talking about here, and I commend you for your forthrightness, and Senator Kyl as well, because obviously your contribution in Y2K was significant, and I think it is a carryover, and I wish you well. Senator Bennett. Thank you, sir. The Chairman. Senator Landrieu, did you have other questions? Senator Landrieu. Yes, I have one question. I have got a document here that is very interesting from the American Petroleum Institute that responded to the chairman's request to submit points that they would like for us to consider, and one of them, as I am reading this, is on this particular subject, and I wanted to know just for the record if you could help clarify something. This organization is concerned that under the EPA's risk management program that you are probably, Senator, familiar with, that was developed, this sort of body of law about the right to know, for consumers and communities' right to know in terms of hazardous materials and chemicals, and many States and communities have developed, but they point out in there, and I think they are making a good point, and it was sort of along the lines of what you said, that the public's right to know has to be balanced, with some of this information being readily available on the Internet being then turned around and used against us, so their point is basically, in whatever legislation that we would do, that we would, whatever legislation we would advocate for, would address this issue. So my question is, in your hearings, or in your work in this particular area, could you give us any suggestions about how to make that balance appropriate in terms of the Cyber or Chemical Emergency Preparedness and Prevention Act? Senator Bennett. Thank you. As I indicated in my presentation, there is a hesitancy on the part of industry to let out information which they feel would be detrimental to them, either competitively or in terms of some kind of public panic or overreaction. Our bill addresses that information that would be voluntarily given, so the comments that I made apply here. If a particular plant says, we do not want anybody to know this, and they are under currently no obligation to tell anybody, that information would not be available to any emergency preparedness personnel either if they were afraid the emergency preparedness personnel might leak it. So instead of restricting the amount of the public's right to know, the approach we are trying to take is to increase the flow of information among responsible parties without endangering the confidentiality of that, and I think the exchange of this information would actually increase the public right to know. If somebody in an emergency preparedness agency gets a piece of information voluntarily, and says, wait a minute, we probably ought to have some sort of public alert on this issue, and then talks to the people in the plant, and they talk it through and come to a joint decision that yes, we will publicly announce so much, but not this much, the public learns more than they would have otherwise, and it has been screened in a responsible way instead of being subject to a FOIA request, which is nothing but a fishing expedition, very often, and ends up getting out information that might, in fact, cause panic and do more harm in the name of right to know than would otherwise be the case. Senator Landrieu. Thank you. The Chairman. Senator Domenici. Senator Domenici. First, Mr. Chairman, I compliment you for having the hearing, and I urge you to proceed with dispatch, which I think you already intend to do, and frankly, the fact that there are so many jurisdictions that have a piece of this legislative pie to me would indicate that you ought to move ahead with a broader-based bill than that which would technically fit within this committee's jurisdiction, because if you do not get started and get something moving to the floor, where debate can occur, we will be out of here, and we will be into next year's legislative agenda. We will not have done something that is patently needed. I want to suggest to you that on the Armed Services bill that was an authorizing bill you joined me in what I think is a very interesting amendment, and I would intend to offer it on this bill, and it has to do with the national infrastructure and simulation analysis. We have an amendment that you and I sponsored on the floor which would take the existing analysis-gathering network, which is essentially the national laboratories, and they are making sense out of piecemeal kind of damage to our infrastructure. They make sense out of the cascading effect where one particular piece of infrastructure, if you analyze it all alone, you do not get its impact on the country because it has all other kinds of ramifications. So I will be here tomorrow when you mark this up, and I am hopeful that Senator Bennett, who is aware of the laboratory's role in this--that is, the three major defense laboratories-- and I hope you would accept the amendment as an amendment tomorrow, and we will be going over it with you and the staff, Mr. Chairman. I think it has already been done, but we will do it again. Thank you for calling the hearing and getting something done. The Chairman. Thank you. Let me just repeat what I said at the beginning of the hearing. Because of Senator Mansfield's funeral tomorrow we are going to try to mark up Thursday morning, rather than tomorrow morning. Senator Campbell. Senator Campbell. No, thank you. The Chairman. Senator Kyl. Senator Kyl. Mr. Chairman, thank you. First of all, I appreciate Senator Landrieu's willingness to cosponsor, and the others' willingness to include this legislation. As I said, I think the case is very easy to make. The question is just the same procedural conundrum we always get into around here, and maybe we are blessed by the fact that since virtually every committee in the Senate could have some jurisdiction over this, because the very intention is to make it broad and seamless, that point was well made by Senator Domenici. We need to start some place, or we will still be talking about this when we leave at the end of the year, and perhaps this bill does, as I said before, offer the best opportunity for us to get it out there, see if there are any other things that we need to do to it, and then have a vehicle for it to become the law, and again, I really appreciate your willingness to consider this. The Chairman. Thank you, and Senator Bennett, thank you very much for your presentation, and we will take all of your recommendations under advisement here. Senator Bennett. Thank you very much, Mr. Chairman. I will say that my staff and I have looked at Senator Domenici's bill. We find it completely complementary with what we are doing, and I cannot speak for my cosponsors, but as far as I am concerned, I would be delighted to have that bill included with ours, and I appreciate very much your consideration. The Chairman. Thank you. Let us start with the next panel. I think we will find ourselves interrupted. We have a vote coming at 10:30, I believe. Our other two witnesses today are Mr. John Keys, III, who is Commissioner of the Bureau of Reclamation, and Ms. Otis, who is the General Counsel with the Department of Energy. Mr. Keys, why don't you go right ahead with your statement. STATEMENT OF JOHN W. KEYS, III, COMMISSIONER, BUREAU OF RECLAMATION Mr. Keys. Good morning, sir. This is my first appearance before your committee as Commissioner, and I really appreciate your having us here to talk about law enforcement today. The Chairman. You might just pull that microphone a little bit closer to you there. Mr. Keys. I would appreciate my whole written statement being entered in the record, and I would certainly summarize, if I could. The Chairman. It will be included, as Ms. Otis' written statement. Mr. Keys. Thank you, Mr. Chairman. The Bureau of Reclamation is the largest water management agency in the West. We operate 348 reservoirs, 58 hydroelectric plants, and in excess of 300 recreation areas that serve about 90 million visitors a year. What that means is, we have over 400 sites that need some sort of security in one level or the other. In spite of our obligation to operate, manage and run those facilities on 8 million acres of land in the West, we still need express authority to enforce Federal laws and regulations within a Reclamation project and on Reclamation administered lands. The Bureau of Reclamation's dams, powerplants, and other sites are secure. We are operating on a normal schedule at the current time. That was the case before September 11, the tragedy in Washington and New York, but we are now operating at a high state of alert and a high level of security at all of those facilities. Unfortunately, there have been and continue to be violations of Federal law on Reclamation property that threaten public safety and security and the resources that we depend on there. Agency-wide, the Bureau of Reclamation offices have recurring problems: unauthorized entry onto lands and facilities, vandalism, theft of cultural resources, illegal dumping, illegal drug activities, and similar type violations all over the West. A couple of examples: at Lake Berryessa in California, our recreation area, we had a riot that we had an awfully hard time dealing with. Yuma project in Arizona, we have had breaches of facilities there, vandalism that causes great problems. In a nutshell, we can contract with State and local law enforcement agencies to enforce State and local laws. They cannot enforce Federal laws on the Reclamation property, or Reclamation-administered lands. For example, at a recreation site in Oregon, we had to work with county government to have them establish local ordinances around our facilities so that they could enforce local and State law, rather than the Federal law on those Federal lands. Often, lands adjacent to Reclamation properties are managed by other Federal agencies who have law enforcement capability. Currently, we are limited in our ability to acquire those law enforcement services from sister agencies. Another problem that we face is local sensitivity. The Bureau of Reclamation has been denied local law enforcement support at times, when issues are sensitive in a community, when that community does not agree with the Federal law that we are trying to enforce. A couple of examples, lately we have been trying to deal with the trespass and the protection of our facilities in the Klamath Falls area. A few years ago we faced similar problems at the American Falls. Such situations put the Bureau of Reclamation personnel and resources in danger. Now, on S. 1480, let me tell you what the bill does not do, first. It would not create a new Reclamation police force or law enforcement agency. It would not authorize Bureau of Reclamation employees to carry firearms at work. It would not empower Reclamation employees to issue warrants or make arrests. Now, what it would do for us, it would give the Secretary the discretion to authorize personnel from Interior or other Federal agencies with law enforcement authorities, except Defense, to enforce Federal laws on Reclamation's behalf around our facilities. It would give Reclamation the discretion to enter into agreements with State, local, or tribal law enforcement agencies to enforce Federal law at Reclamation projects and on Reclamation-administered lands. It would authorize the Secretary to reimburse law enforcement agencies, and it would ensure that only trained law enforcement personnel, who are authorized to carry firearms, make arrests and enforce criminal laws, would be eligible to enforce Federal law on Reclamation lands. In conclusion, lack of authority impedes Reclamation's ability to provide for public safety and security around our facilities. The administration strongly supports S. 1480. We understand from discussions with committee staff that some technical modifications have to be made or may be needed to fully effect the bill's purposes. We would work with the committee and staff to do that, and to make those changes. The administration, Secretary Norton, and I, urge adoption of S. 1480 with the necessary minor changes. We would appreciate a clean bill so that it could be passed as soon as possible and let us be on with the business at hand. Thank you again for being able to be here, and I would certainly answer any questions you might have. [The prepared statement of Mr. Keys follows:] Prepared Statement of John W. Keys, III, Commissioner, Bureau of Reclamation My name is John Keys, I am Commissioner of the U.S. Bureau of Reclamation (Reclamation). Let me start by saying that as my first appearance before this Committee as Commissioner, I am honored to be here before you today to provide the Administration's views on S. 1480, legislation concerning law enforcement authority within Bureau of Reclamation (Reclamation) projects and Reclamation administered lands. Thank you for holding this hearing and I would especially like to express my appreciation to the Chairman for introducing S. 1480 at the Administration's request. Reclamation is the largest water resources management agency in the west. The agency operates 348 reservoirs, 58 hydroelectric power plants, and more than 300 recreation sites which receive 90 million visits a year. Despite Reclamation's obligation to operate, manage, and use these facilities on 8 million acres of public land, Reclamation still needs express authority to enforce Federal laws or regulations within a Reclamation project or on Reclamation administered lands. With that being said, I want to be clear that all of our dams and other sites are secure and we are operating on a normal schedule. This was the case even before the recent tragedies in Washington, D.C., New York City, and Pennsylvania. However, in addition to this heightened state of alert, there are regular violations of Federal law on Reclamation property that could present a threat to public safety or to the resources that we manage. Let me give the Committee just a few examples. At Lake Berryessa, a popular recreation site in northern California, trespass, vandalism, resource damage, unauthorized large- scale camping and events, and hazardous materials dumping occur on a regular basis. In Yuma, Arizona, unauthorized use of Reclamation facilities such as trespass are common occurrences. Throughout the agency, Reclamation's area offices report recurring problems such as unauthorized entry into lands and facilities, vandalism, theft of cultural resources, illegal drug-related activities, and illegal dumping and burning. While Reclamation can contact State or local law enforcement agencies to enforce State and local laws, these entities cannot enforce Federal laws within a Reclamation project or on Reclamation- administered lands. In one case, because of our lack of authority, Reclamation found it necessary to work with the local county government to establish local ordinances, so local law enforcement officers could protect the safety of visitors at Reclamation's recreation site. Very often the lands adjacent to Reclamation properties are managed by other Federal agencies capable of providing law enforcement for the protection of visitors and public resources. However, Reclamation is limited in its ability to acquire those services. Before touching upon the details of this legislation--what the bill does--it is important to clarify a few points about what this bill does not do. S. 1480 would not create a new police force or law enforcement agency within the Bureau of Reclamation. Now to what S. 1480 would do. S. 1480 would give the Secretary of the Interior (Secretary) the discretion to authorize law enforcement personnel from other Department of the Interior agencies or other Federal agencies that have law enforcement authority (but not the Department of the Defense) to enforce Federal laws on Reclamation's behalf at Reclamation projects and Reclamation-administered lands. Also, the Secretary will have the discretion to enter into agreements with law enforcement personnel of any State or local government, including Indian tribes, to enforce Federal laws at Reclamation projects and Reclamation-administered lands. The bill authorizes the Secretary to reimburse law enforcement agencies for their services. S. 1480 specifies that only trained law enforcement personnel authorized to carry firearms, make arrests, and enforce criminal laws would be eligible to enforce Federal law within Reclamation projects or on Reclamation-administered lands. Mr. Chairman, the lack of law enforcement authority within a Reclamation project or on Reclamation-administered lands impedes the Bureau's ability to provide for public safety and the security of its facilities. In discussions with the Committee staff, we have learned that there are some technical modifications that may be needed to fully effect the purposes of the bill. The Administration strongly supports S. 1480, and we will work with the Committee to address any potential changes. That concludes my testimony, I would be pleased to answer any questions you may have. The Chairman. Thank you very much for your testimony. Why don't we go ahead and hear from Ms. Otis, who is General Counsel for the Department of Energy. STATEMENT OF LEE LIBERMAN OTIS, GENERAL COUNSEL, DEPARTMENT OF ENERGY Ms. Otis. Thank you very much, Mr. Chairman. This is my first appearance before the committee in my official capacity as General Counsel as well, and I very much appreciate the opportunity to be here to discuss with you today some steps that can be taken to assist in protecting our critical energy infrastructure. I have been asked to address really two topics. One is what the Department is doing now, and the other is to comment on a staff draft substitute amendment to S. 1480 which would extend the provisions of the bill to include some provisions relating to energy infrastructure as well as the Bureau of Reclamation subject matter that it covered originally. As to what the Department is doing now, the Department of Energy is basically playing a coordinating role in attempting to coordinate the efforts of elements of the private energy sector in making plans to enhance our capacity to protect our energy infrastructure. We do not currently have any kind of regulatory role. We are simply performing a coordination function, and people who are participating in that effort with us on the outside are doing so voluntarily. And so essentially what we are doing is working with industries, States, and localities on a voluntary cooperative basis, and sharing information and working with industry groups like the North American Electric Reliability Council (NERC) and the National Petroleum Council (NPC) to try to provide information about potential threats to infrastructure, and steps that can be taken to protect it. Our Office of Critical Infrastructure is the focal point for this activity. Turning to S. 1480, the draft substitute contains several provisions that we think will enhance our ability to play this kind of role more effectively. Let me comment first about the ones we view as the most important, and then as time permits I will talk about the other ones. The ones that we think are the most important are sections 5 and 6. Let me also add, because of the timing of all of this, I am essentially presenting the Department's preliminary thoughts. We do not have an official administration position yet on any of this, but section 5 would essentially create a prohibition on disclosure of critical infrastructure information relating to the energy sector, and I believe to that extent it is closely related to the provision in Senator Bennett's and Senator Kyl's bill that will do that more broadly. We think this is an important provision, because we think that the exchange of information that we are currently engaging in would be enhanced by our ability to assure people who are providing information to us that it is not going to be disclosed absent a solid governmental reason for doing so. My staff made some technical suggestions about the language in the bill, I think at the end of last week, essentially to extend it to make sure that it covers cyber security and to make sure that there is an appropriate disclosure mechanism for important governmental purposes, because it will not do us a lot of good to get this information and not be able to do anything with it. We also want to modify it so that the prohibition against disclosure is not tied to the source of information, but, rather, the nature of the information, and to provide rulemaking authority to make sure that the concepts in the bill can be carried out in a manner that is understood. The other provision I would like to spend a few minutes on is section 6, which is an antitrust exemption that parallels to a significant extent the antitrust exemption for information- sharing related to critical infrastructure in the Kyl-Bennett bill, but again this is related to the energy sector rather than to information more broadly. The substitute provision is similar to authorities under the Defense Production Act (DPA) and Energy Policy and Conservation Act (EPCA) to create exemptions from the antitrust laws for voluntary agreements to carry out important national purposes. In the DPA's case, the exemption is for information- sharing and for planning related to preparedness and expansion of production capacity and supply necessary to the national defense, and in EPCA's case it is to carry out international emergency response provisions if there is an energy emergency. We think this is a reasonable parallel, and therefore we think that in making plans to address disruption of our critical energy infrastructure it is sensible to analogize that to these other two instances. We again have made some suggestions for conforming S. 1480's language to the preexisting exemptions to make sure the Federal Advisory Committee Act (FACA) exemption from these other pieces of legislation is picked up, and to allow the exemption to cover not only agreements to plan but potentially also agreements to take actions to implement plans relating to these voluntary agreements. We are also interested in exploring the idea of allowing the Department to certify a private organization to set standards for critical infrastructure protection that would then be carried out by the private sector. The other two provisions that I would just like to say a few words about are section 3, which is an effort to confer Federal law enforcement on employees of the Bonneville Power Administration (BPA), who monitor the BPA infrastructure, in a manner similar to what the original bill does with respect to the Bureau of Reclamation. We think that BPA employees should be able to have that kind of authority, as designated by the Secretary, and we would like to work with the committee on the language that is being proposed. Finally, let me say a few words about section 4, relating to background checks for employees of various elements of the energy sector. We are less sure about what is sought to be done here, and how to go about it. Because those employees are part of an industry that currently is not closely regulated by the Federal Government, we are not sure that the kind of program that the committee is looking at in that regard, the breadth of it, is necessarily the way to go. We would like to work with the committee and with the Department of Justice to see what the issue is that is sought to be addressed, and how we could best address it. [The prepared statement of Ms. Otis follows:] Prepared Statement of Lee Liberman Otis, General Counsel, Department of Energy Mr. Chairman and Members of the Committee, I am Lee Liberman Otis, the General Counsel of the Department of Energy (DOE). This is my first appearance before this Committee in my official capacity. The topic the Committee is meeting to consider this morning, critical infrastructure assurance, is a serious one at any time, and all the more so in light of this weekend's events. I therefore especially appreciate having the privilege of discussing that topic with you today. I have been advised that you would like me to address two subjects: first, to discuss DOE's current role in critical infrastructure assurance; and second, to discuss provisions of S. 1480, a bill that I am advised is being expanded to include a number of provisions intended to strengthen DOE's and the energy sector's critical infrastructure protection capacity. I will take these topics in order. I. DOE'S CRITICAL INFRASTRUCTURE ASSURANCE MISSION Our energy infrastructure is critical to the nation's economic prosperity, national defense, and quality of life. In recent years, energy markets, industries, and regulatory regimes have changed, in some cases significantly. The energy infrastructure also has changed significantly with respect to its ownership, operation, and maintenance. Increased use of computer technology and telecommunications services has improved the reliability and economic efficiency of energy systems, but has also brought accompanying new vulnerabilities to disruption. Besides intentional attacks, accidents and natural disasters have long presented significant risks to the physical and cyber components of the energy infrastructure. The growing complexity of the energy system makes these familiar threats potentially more disruptive and unpredictable as well. DOE's infrastructure mission, as if affects the private sector, stems from Presidential assignment rather than specific statutory responsibility. Under Presidential Decision Directive 63, issued in 1998, DOE is the lead Federal agency designated to work with industry in improving our capacity to protect our nation's critical energy infrastructure, including electric power (with the exception of nuclear plants, where the NRC has the leading role), and the oil and gas industries. We are also charged with helping to devise ways to mitigate any significant vulnerabilities of the energy sector to physical and cyber attacks. It is important to understand, however, that DOE has no authority to require participation in any aspect of this process, let alone compliance with any proposals that may result from it. Rather, at present we are relying exclusively on voluntary participation and cooperation. DOE's Office of Critical Infrastructure Protection is the focal point of this activity. In cooperation with industry, State, local, and tribal governments, and other stakeholders, it carries out the following tasks: Assessing energy sector vulnerabilities to cyber or physical attacks; Identifying ways to mitigate vulnerabilities; Developing ways to alert to, contain, and divert attacks; Planning for a system to respond to energy sector attacks; and Identifying ways to facilitate rapid reconstruction. DOE has been collaborating extensively with industry through ``sector coordinators''--the North American Electricity Reliability Council and the National Petroleum Council--in developing a national critical energy infrastructure protection strategy. DOE also works closely with utilities, State and local governments, and other stakeholders on a regional, State, and local basis. Examples include collaboration with the City of Chicago, Commonwealth Edison, and 270 municipalities to assist local governments in better understanding the threats to, and vulnerabilities of, critical infrastructures and facilities in the region; working with the State of Utah, utility, local, county, State, and Federal officials on regional infrastructure assurance for the Salt Lake City Winter Olympic Games; and working with the California Energy Commission, utilities, and associations on regional infrastructure assurance needs and activities in California and the West. To reiterate, however, participation in all of these efforts is entirely voluntary. II. S. 1480 Let me now turn to S. 1480. At the end of last week, the Committee staff kindly shared with us a staff draft of an amendment in the nature of a substitute for S.1480. Sections 3 through 6 of the substitute relate to aspects of DOE's critical infrastructure program. I hope that you will appreciate that the very short time for review of the substitute, over a holiday weekend, has not afforded us the opportunity to develop a formal Administration position on the bill or on these provisions. Nevertheless, given that I understand that the Committee plans to mark up S. 1480 tomorrow, I thought it important to provide you with the Department's initial reaction to the sections in question. Section 3 Section 3 concerns law enforcement authority at DOE's Power Administrations (referred to in the bill as ``Power Marketing Administrations''). This provision would authorize the Secretary to contract with State, local, and tribal law enforcement personnel when the Secretary determines assistance is necessary in enforcing Federal laws and regulations. Regrettably, this section does not at present provide the authority we believe would be most helpful. Each of the Power Administrations uses GSA guards and relies upon State, local, and tribal law enforcement personnel now. All find the current arrangements satisfactory, with one exception. Bonneville Power Administration (BPA) presents a special case. As you may be aware, BPA owns and operates nearly 80% of the high-voltage electric transmission in the Pacific Northwest, including the most important interconnections with other regions of the Western United States and Canada. The economy of the Western United States depends on BPA's reliable operation of its electric power system, which includes more than 15,000 circuit miles of high-voltage transmission lines in 8 States. Given the unique nature of BPA's system, and its dominance in its service region (unmatched by other Power Administrations, but similar to TVA), BPA currently employs a very small number of security specialists who are thoroughly versed in BPA's system and the type of crime it attracts. Their principal responsibility is to monitor activities directed against BPA's infrastructure. DOE believes protection of BPA's system would be materially advanced by authorizing the Secretary to give this handful of employees the authority to carry firearms and limited Federal law enforcement authority. Similar authority already is provided under other statutes to DOE guard personnel involved with our nuclear weapons complex and defense activities and with our Strategic Petroleum Reserve. DOE has prepared a legislative proposal that is in the final stages of the interagency clearance process to allow the Secretary to provide the BPA security specialists with the required authority. We urge the Committee to consider that proposal when it is submitted, instead of section 3. In addition, the Committee may wish to consider extending to the other Power Administrations authority available to Bonneville to offer crime witness rewards as an incentive to gain valuable information regarding criminal attacks. Bonneville estimates its witness reward program has resulted in savings of almost $4 million over the last 4 years. The House Resources Committee has ordered reported H.R. 2924, which would grant the other Power Administrations this authority. Section 4 Section 4 would require the Secretary of Energy, in cooperation with the Attorney General, to establish a criminal background check system covering energy sector employees occupying ``sensitive'' positions at critical energy infrastructure facilities. I understand that this section is modeled on section 149 of the Atomic Energy Act of 1954, which established such a program for the Nuclear Regulatory Commission with respect to civilian nuclear power plant personnel. We have not had an opportunity to discuss this section yet with the Department of Justice, which would be deeply involved in such a program; nor do we know enough about the size of the program contemplated or the intended object of the program to take a position on it. We would note, however, that civilian nuclear power plants have since their inception been closely regulated by the federal government. That is not the case with respect to the entities that would be covered by this provision. Accordingly, it may be that such a program, to the extent it is needed, would be administered more appropriately at the State or local level, rather than the Federal level. I would point out that even the industry representatives who have called for action on this subject specifically note that they do not favor the substantial federal government role that this provision may contemplate. To reiterate, however, without more information and more input from the Department of Justice, we are not able to take a position on this provision at this time. Section 5 Section 5 would prohibit the disclosure by the Secretary of Energy or a Federal agency of information that would reveal a specific, identifiable weakness or vulnerability of a critical energy infrastructure facility to a physical attack, or that would compromise the physical security of a specific, identifiable energy infrastructure facility. Perhaps the loudest complaint from industry with regard to information that industry submits to the government is that government lacks the capacity to protect that information. Accordingly, companies can be, at best, reluctant to share it. The September 11 attacks have made our nation more acutely aware that there is a delicate balance that must be maintained between the protection and the release of information, particularly when it involves the nation's critical energy infrastructure. DOE believes that in order to facilitate the exchange of information that is the foundation of cooperation between the private sector and the federal government in protecting critical energy infrastructure, the government needs more ability than it has currently to protect the information we are given. We support legislation affording that protection. My staff has discussed informally with Committee staff relatively minor changes to section 5 that would extend its reach to cyber, as well as physical security. We have also noted that to accomplish its purpose, this section must contain a mechanism that would allow the government to disclose that information where disclosure is warranted, for instance for intelligence and law enforcement purposes, to enable the taking of corrective measures, and the like. I note that Senators Bennett and Kyl have introduced S. 1456, which addresses this information protection problem from a government-wide perspective. Without commenting on the particular provisions of that legislation, I would note that we believe there is government-wide concern about this subject that extends beyond energy-sector information, but that addressing energy-sector information would be an extremely useful step. Section 6 Section 6 would authorize the formation among companies in the energy sector of voluntary agreements to gather and analyze information to better understand security problems and to communicate or disclose information to avoid or correct security problems. The section would afford a limited anti-trust defense to the participating entities. This section is modeled on existing authority available to oil companies participating in International Energy Agency activities. DOE supports this section, and my staff has informally suggested some minor technical changes to bring the section more in line with similar authority available under the Defense Production Act, recently extended by Congress for two years. Section 6 would go a long way toward calming another of industry's oft-expressed fears--that the sharing of information among companies, which is essential to addressing and correcting critical infrastructure vulnerabilities, might subject them to anti-trust liability. In addition, DOE is interested in exploring whether it should be granted limited authority to certify private sector organizations that would have some authority to set critical infrastructure security standards for different portions of the energy sector. As we envision it, different organizations would be established for each sector of the energy industry--electric power, oil, and natural gas--although more than one organization might be appropriate for a given sector. In conclusion, I deeply appreciate having the opportunity to testify this morning on this important legislation, and I'd be pleased to respond to any questions you or other members of the Committee may have. The Chairman. Thank you very much. We are about half-way through this vote. I think what we will do at this point is to recess and come back and ask some questions at that point, so it will be about a 10-15 minute recess. [Recess.] The Chairman. Why don't we start again here. I have a few questions. I am sure Senator Carper will have some questions as well, and we start with you, Mr. Keys. I will just ask a couple of things that occurred to me. One relates to a concern I think that you expressed that you do not want to be setting up a new police force, you do not want to have authority to enforce criminal laws within the Bureau of Reclamation, is that correct? Mr. Keys. Yes, sir. That is a tough call, and in working with my Secretary and within the administration it appears that we can provide adequate protection with contract authority to get that done. The Chairman. We have in the Department of Energy parts of this bill, proposals that we give Bonneville Power Administration authority to do just what you are saying you do not want the authority to do, and that is to actually enforce criminal law, as I understand it. Mr. Keys. That is correct. I have corresponded and talked with the Bonneville Power folks, and with Western Area Power Administration. There is a difference of opinion there on how they would like to approach it. Our Secretary and our administration felt that we could do it better with what we have. The Chairman. Do you have the resources you need? Do you have a cost estimate for what you would like to see done, assuming this bill passes, and, if so, do you need more resources to do it? Mr. Keys. Senator Bingaman, this thing has come upon us very quickly, where we would provide that level of security at all of our facilities. As I said earlier, we have in excess of 400 sites that need some sort of protection at one level or the other. In providing that, what we would do is work with the other agencies of Interior that have law enforcement authority, and would enter into agreement with them to bring their folks into our facilities. We would teach them about our facilities, and then they would operate under our direction. It appears to us that it would take in excess of 200 people to do that, and the cost could exceed $25 million a year. Those are just rough estimates, certainly ones that we would be working to hone and then to come to the appropriations people to see how we could cover them. The Chairman. I know Sandia Labs did a report for you folks on cyber security. Mr. Keys. That is correct. The Chairman. Is there more work needed in that area, or do you think that was adequate to the purpose? Mr. Keys. The report we got from Sandia laid out a number of things for Reclamation to do, and we do have a cost estimate for accomplishing the levels of security that they recommended for our information technology. The estimate for that that is in our budget, about $17 million. I think for the current time that review is adequate. In the next level of security review that we will do in all of Interior, and especially in Reclamation, we will take another look at it, but we think what we got from Sandia right now is a good report. The Chairman. Ms. Otis, let me ask you a few questions about the Department of Energy position. As I understand it, the administration is preparing a proposal on this Bonneville Power Administration law enforcement authority, is that correct? Ms. Otis. That is correct. The Chairman. When can we expect to see that? Ms. Otis. Mr. Chairman, it is in the process of agency review, and so we will get back to you as soon as the hearing is over with more information about that. We did not have the opportunity to talk to anyone this morning about how that is coming along. [The following information was received for the record:] BONNEVILLE LAW ENFORCEMENT AUTHORITY The Administration conducted an interagency review of the Department of Energy proposed draft legislation for Bonneville armed security authority and determined that the proposed legislation should not be transmitted to the Congress. The Department of Justice (1) indicated that it is the Department of Justice policy to limit the number of statutorily authorized federal police forces and (2) determined that an administrative process would be available to Bonneville to arm its federal security specialists under the special deputations program of the U.S. Marshals Service. Bonneville is proceeding with this administrative approach for arming its federal security specialists. Bonneville's non-federal contract guards will continue to be armed under appropriate state law and regulations. The Chairman. Okay. Let me ask about the Strategic Petroleum Reserve. I know the Secretary of Energy has indicated that is a subject that is under very serious consideration at the Department of Energy. I guess there is some question about our ability to access the crude oil that is in there in order to turn it into refined product. What is DOE's position as to whether they have the authority they need to adequately fill the SPRO and make preparations for accessing the oil that is in the SPRO, and all those issues? Ms. Otis. I think that we do feel we have the authority that we need to fill it, and to access what is in it. I think the administration is looking right now at exactly how it would like to proceed, and it is giving very serious consideration to what it wants to do next on that score. The Chairman. I gather the House committee has moved ahead to propose, or to--I do not know if they have enacted or passed legislation on SPRO, calling for additional filling of SPRO and some things--you have no position on those provisions in the House bill? Ms. Otis. My understanding is it was a Sense of the Congress kind of resolution calling for filling SPRO, if we are talking about the same provision. We are currently reviewing exactly how we would like to proceed ourselves, and therefore a Sense of Congress provision is not something on which we would take a position at this time. The Chairman. Do you have any view, or does the administration have any view on the provisions in Senator Bennett's bill, the one he described to us here a few minutes ago? Ms. Otis. There is no official administration position on Senator Bennett's bill. But speaking for the Department of Energy, there are two questions about the bill's antitrust exemption. First, there is the scope of it--and it would cover more information than just the energy sector, and we do agree that there is concern about information beyond the information directly involving the energy sector. We also think, however, that doing something about the energy sector information is a very important step, and if that is the most that can be done right now, we would support doing that. The other issue about the antitrust exemption in the Bennett bill is that it does not use the model of the DPA, or of EPCA in terms of involving the Attorney General and the Federal Trade Commission (FTC) in the devising of the voluntary agreements at issue. I think it also contains exceptions saying if there is price-fixing going on, then the information-sharing would not be protected, and if there is market dividing going on, then the information-sharing would not be protected. The effect of that may be to lead to less certainty than is desirable, because you would not have the sign-off from the people who would be enforcing the antitrust laws on the proposed information-sharing activity, and there would be an exemption, with exceptions to the exemption. I am not sure that that would provide the certainty that you would need for industry to feel confident about sharing its information through the mechanism at issue. The Chairman. My time is up. Senator Carper. Senator Carper. Thank you, Mr. Chairman, and to our witnesses, thank you for joining us today, and I have a couple of questions. Let me just start--I missed your testimony, most all of your testimony, and I apologize for being late, but I would ask each of you to take just a minute or two just to crystallize for me what we ought to be doing with respect to marking up legislation this week on protecting our energy infrastructure, just crystallize it for me. Mr. Keys. Mr. Chairman, Senator Carper, we need law enforcement authority in Reclamation to be able to provide the necessary levels of security around our facilities, which are about 340-some-odd dams, in excess of 8 million acres that we administer. The administration would like to see you pass a bill that gives us the authority to contract for that. What we are looking to do is have Reclamation contract with other agencies within Interior to provide that service. It will take extra people, it will take more money to do that, but we think that is the best way to go. It does not create another police force. It does not give us the authority to carry guns and that sort of thing, but it gives us the ability to contract out that service. I would say that it gives us the ability to contract at several different levels. I think if you look at it, first we could contract with our sister agencies that already have that authority. If in a local situation we could go to a local government agency, the sheriff or the local police, or the State, and contract with them, this bill gives us the authority to pay them.That is what we do not have right now, is the ability to have one of those come in and do that for us. That is what this bill would do for us. Senator Carper. Is that Senator Bennett's bill? The Chairman. That is a bill the administration sent us which does incorporate the new authority the Bureau of Reclamation would like to have, and then we are considering whether to add Senator Bennett's bill to that, or other provisions that the Department of Energy has come up with to that. Senator Carper. Thank you. Mr. Keys. Senator Carper, I would add to what Senator Bingaman said, whether you all add those bills together or not does not matter, except that we need some quick action, because the people that are helping us from the Park Service, from the BLM, from the Bureau of Indian Affairs, from the Fish & Wildlife Service are stretched much too thin right now. Maybe bureaucrats looking for security is the same thing as visitors to your house, after 3 days they start to smell, and we are stretching our goodwill among agencies awfully thin right now, with them having to provide us with that service. Senator Carper. Three days? Mr. Keys. It is in excess of that now, so we are pretty ripe about now. [Laughter.] Senator Carper. And if I could, I would like to ask Ms. Otis, could I ask you just to respond to a similar question, just crystallize for me succinctly where you think we are? Ms. Otis. As I told the committee at the beginning of my testimony, because of the haste with which we are all trying to proceed here, I do not actually have an official administration position to offer on any of this at this time, but speaking for the Department of Energy, we reviewed a draft substitute that the committee staff shared with us to S. 1480 on Friday, and two of its provisions we think would address the most important areas where we would like to see action taken, and those relate to information-sharing regarding critical energy infrastructure between the private sector and the Government. Basically, the substitute would create a prohibition on disclosing that kind of information, and it would also exempt from the antitrust laws the sharing of that kind of information, and we think that kind of legislation along those lines would help us in our most important next steps in terms of trying to find out what needs to be done to help protect our energy infrastructure. Senator Carper. Where is that legislation? What is the status of that legislation? Ms. Otis. My understanding is, and the chairman can correct me, that there is a substitute which has been circulated among the committee members, or perhaps among the staff of the committee, I am not sure, that is being looked at. The coverage is similar to the coverage of the Bennett-Kyl bill, except that it is limited to energy infrastructure, as opposed to sweeping more broadly. We do think there is a Government-wide issue about protecting this kind of information, and we would like to see it addressed Government- wide, but we would not like to see the effort to address it Government-wide interfere with the effort to address it in the energy sector. As I was telling the chairman, I think that the model the committee is using for the antitrust exemption is one that has been tried in other contexts, and therefore one that it is likely that everyone has more experience with, and therefore may be more comfortable with. Senator Carper. Do either of you have a feel for how our security of our energy infrastructure in America compares with that of some other nations, particularly to our north or to our south? Ms. Otis. I do not really have a good feel for that. I would be happy to get back to you about that. This is obviously something everyone is looking at very intensely right now. It is not actually a subject matter over which the Energy Department has regulatory authority or responsibility at all right now. We are just basically trying to talk to people on a voluntary and cooperative basis. Mr. Keys. Senator Carper, we have not lately talked to our Canadian counterparts who we work with closely at times on our generation facilities, but about 3 years ago we did a review of our facilities and actually incorporated a lot of their ideas on security into the review of our facilities in the Northwest. We have not gone back and looked at that this time. We do have scheduled a more thorough security review of all of our facilities in the near future, and certainly that contact would be made again, especially BC Hydro. They are the ones that we have had very close ties with in the past. Senator Carper. Given the fact that we import a fair amount of energy, including some from the north in Canada and from the south in Mexico, should we be concerned at all about the protection of their energy infrastructure, or do we have enough--or are we just here in our own States? Mr. Keys. Senator Carper, that is a good question. I do not have a good answer for you. We do depend upon the exchanges of power across the border in meeting the Federal Columbia Power System obligations. To be very candid with you, our plate is full right now providing security for our own facilities. I would say that when we make contact with BC Hydro, we would inquire what further measures they are taking to see that they are comfortable with what they have. We just have not gotten that far yet. Senator Carper. I understand. The Chairman. Thanks very much. Let me just ask Ms. Otis one other question here. Both the Corps of Engineers and the Bureau of Reclamation, which operate the dams for the power marketing administrations, believe that they can rely upon State and local law enforcement officials to protect those dams. Why does Bonneville believe it needs new Federal police force authority to act as a Federal police force to protect transmission wires? Ms. Otis. My understanding is that--and I may not have this right, but my understanding is that the Corps actually does have some authority to protect its own structures, and I think that what my colleague is saying is that the Interior Department has other Federal officials who have these kinds of authorities whom it could cross-designate to exercise the law enforcement authorities that would be needed to allow it to protect its own structures. At Energy, we do not have anybody who we could cross- designate in that fashion, and we are basically not asking for broad authority at all, but there is a handful of security specialists that Bonneville hires to look out for its infrastructure, and we do think their ability to protect that infrastructure would be materially enhanced by giving just that handful of employees this kind of authority. The Chairman. All right. Well, I think that is useful testimony, and we appreciate both of you being here, and we will take that to heart and try to move forward if we are able to do that. Thank you very much. The hearing is adjourned. [Whereupon, at 11:15 a.m., the hearing was adjourned.]