[House Hearing, 109 Congress] [From the U.S. Government Publishing Office] TERRORISM RISK ASSESSMENT AT THE DEPARTMENT OF HOMELAND SECURITY ======================================================================= HEARING before the SUBCOMMITTEE ON INTELLIGENCE, INFORMATION SHARING, AND TERRORISM RISK ASSESSMENT of the COMMITTEE ON HOMELAND SECURITY HOUSE OF REPRESENTATIVES ONE HUNDRED NINTH CONGRESS FIRST SESSION __________ NOVEMBER 17, 2005 __________ Serial No. 109-58 __________ Printed for the use of the Committee on Homeland Security [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Available via the World Wide Web: http://www.gpoaccess.gov/congress/ index.html __________ U.S. GOVERNMENT PRINTING OFFICE 35-939 PDF WASHINGTON DC: 2007 --------------------------------------------------------------------- For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866)512-1800 DC area (202)512-1800 Fax: (202) 512-2250 Mail Stop SSOP, Washington, DC 20402-0001 COMMITTEE ON HOMELAND SECURITY Peter T. King, New York, Chairman Don Young, Alaska Bennie G. Thompson, Mississippi Lamar S. Smith, Texas Loretta Sanchez, California Curt Weldon, Pennsylvania Edward J. Markey, Massachusetts Christopher Shays, Connecticut Norman D. Dicks, Washington John Linder, Georgia Jane Harman, California Mark E. Souder, Indiana Peter A. DeFazio, Oregon Tom Davis, Virginia Nita M. Lowey, New York Daniel E. Lungren, California Eleanor Holmes Norton, District of Jim Gibbons, Nevada Columbia Rob Simmons, Connecticut Zoe Lofgren, California Mike Rogers, Alabama Sheila Jackson-Lee, Texas Stevan Pearce, New Mexico Bill Pascrell, Jr., New Jersey Katherine Harris, Florida Donna M. Christensen, U.S. Virgin Bobby Jindal, Louisiana Islands Dave G. Reichert, Washington Bob Etheridge, North Carolina Michael McCaul, Texas James R. Langevin, Rhode Island Charlie Dent, Pennsylvania Kendrick B. Meek, Florida Ginny Brown-Waite, Florida ______ SUBCOMMITTEE ON INTELLIGENCE, INFORMATION SHARING, AND TERRORISM RISK ASSESSMENT Rob Simmons, Connecticut, Chairman Curt Weldon, Pennsylvania Zoe Lofgren, California Mark E. Souder, Indiana Loretta Sanchez, California Daniel E. Lungren, California Jane Harman, California Jim Gibbons, Nevada Nita M. Lowey, New York Stevan Pearce, New Mexico Sheila Jackson-Lee, Texas Bobby Jindal, Louisiana James R. Langevin, Rhode Island Charlie Dent, Pennsylvania Kendrick B. Meek, Florida Ginny Brown-Waite, Florida Bennie G. Thompson, Mississippi Peter T. King, New York (Ex (Ex Officio) Officio) (II) C O N T E N T S ---------- Page Statements The Honorable Rob Simmons, a Representative in Congress From the State of Connecticut, and Chairman, Subcommittee on Intelligence, Information Sharing, and Terrorism Risk Assessment..................................................... 1 The Honorable Zoe Lofgren, a Representative in Congress From the State of California, and Ranking Member, Subcommittee on Intelligence, Information Sharing, and Terrorism Risk Assessment..................................................... 4 The Honorable Bennie G. Thompson, a Rpresentative in Congress From the State of Mississippi, and Ranking Member, Committee on Homeland Security: Prepared Statement............................................. 3 The Honorable Charlie Dent, a Representative in Congress From the State of Pennsylvania.......................................... 25 The Honorable Daniel E. Lungren, a Representative in Congress From the State of Caifornia.................................... 4 Witnesses Ms. Melissa Smislova, Acting Director, Department of Homeland Security, Homeland Infrastructure Threat and Risk Analysis Center (HITRAC): Oral Statement................................................. 5 Prepared Statement............................................. 6 Dr. Henry Willis, Policy Researcher, The RAND Corporation: Oral Statement................................................. 16 Prepared Statement............................................. 17 Dr. Detlof von Winterfeldt, Director, Center for Risk and Economic Analysis of Terrorism Events, University of Southern California: Oral Statement................................................. 13 Prepared Statement............................................. 14 Ms. Christine Wormuth, Senior Fellow--International Security Program, Center for Strategic and International Studies: Oral Statement................................................. 8 Prepared Statement............................................. 10 TERRORISM RISK ASSESSMENT AT THE DEPARTMENT OF HOMELAND SECURITY ---------- Thursday, November 17, 2005 U.S. House of Representatives, Committee on Homeland Security, Subcommittee on Intelligence, Information Sharing, and Terrorism Risk Assessment, Washington, DC. The subcommittee met, pursuant to call, at 3:05 p.m., in Room 311, Cannon House Office Building, Hon. Rob Simmons [chairman of the subcommittee] presiding. Present: Representatives Simmons, Lungren, Dent, Lofgren, and Thompson (ex officio). Mr. Simmons. The Committee on Homeland Security Subcommittee on Intelligence, Information Sharing and Terrorism Risk Assessment, will come to order. The subcommittee is meeting today to hear testimony on terrorism risk assessment at the Department of Homeland Security. We will be hearing testimony from four witnesses today. We will first hear from Ms. Melissa Smislova, Acting Director, Department of Homeland Security, Homeland Infrastructure Threat and Risk Analysis Center. We will also hear from Ms. Christine Wormuth, Senior Fellow in International Security at the Center For Strategic and International Studies. We will hear from Dr. Detlof von Winterfeldt, Director of the Center for Risk and Economic Analysis of Terrorism Events at the University of Southern California. We will hear from Dr. Henry Willis, Policy Researcher with the RAND Corporation. I welcome you all here today. Preventing terrorist attacks and assuring the safety and survivability of our Nation's critical infrastructure and key resources remains at the core of the DHS mission. To accomplish this mission, it is not enough to simply develop a comprehensive understanding of what we are protecting and what it is that is important to us as a Nation. We must also complete the picture by accurately and quickly fusing that knowledge with an understanding of America's enemies and the threats we face. It is only when we are able to successfully bring these two elements together that we can accurately gauge and respond to the risks we are confronting in the war on terrorism. This challenge is at the heart of terrorism risk assessment at the Department of Homeland Security. The Department of Homeland Security, as stated in the Homeland Security Act of 2002, is required to, ``integrate relevant information, analyses and vulnerability assessments in order to identify priorities for protective and support measures by the Department, other agencies of the Federal Government, State and local agencies and authorities, the private sector and other entities.'' In other words, to understand the Nation's vulnerability, to understand the internal and external threats to our homeland, and to bring that information together and help ensure appropriate action is taken and policies enacted. To more effectively carry out this critical role, the Department stood up the Homeland Infrastructure Threat and Risk Analysis Center, or HITRAC. The Department of Homeland Security has the unenviable task of gathering vulnerability data from across the United States from a wide variety of critical infrastructures and key resources. That data must then be combined with a comprehensive consequence analysis and further coupled with the best threat information that Federal, State, local and tribal governments can provide. This is a vitally important task, and while it must be done as quickly as possible, it is also important to get it done right, putting the highest priorities first. We look forward to hearing your views on how the Department and the risk analysis community are meeting that challenge and working to ensure the security of the homeland. The Chair now recognizes the ranking minority member of the subcommittee, the gentlelady from California, Ms. Lofgren, for any comments she might have. Ms. Lofgren. Thank you, Mr. Chairman. I am glad that we are turning our attention today to the Department of Homeland Security's approaches, capabilities and plans regarding the third component of this subcommittee's oversight jurisdiction, terrorism risk assessment. This is the first time that we are addressing this risk assessment issue directly and, more specifically, the criteria the Department should consider as part of its work in this area. If done correctly, a coordinated terrorism risk assessment will go a long way to help the Department decide where to target investments in combating terrorism, what critical infrastructure to secure and how to set priorities on the basis of risk. Developing an effective risk assessment strategy is especially important as we acknowledge that our private sector partners now own approximately 85 percent of the critical infrastructure in this country. In order to get the private sector to buy in to what the Department is doing in this area, however, we need the Department to partner effectively to develop consistent and flexible risk assessment criteria and to create incentives to ensure private sector participation. While I am certain that the testimony today will address all of these issues, and while this hearing is clearly an important one, I nevertheless wonder if we are not putting the cart before the horse. Most risk analysts agree that before you can do meaningful risk and threat assessment, you must first know what it is that needs protecting. The administration began an effort to create a national database of potential terrorist targets such as dams, pipelines, chemical plants and the like, more than 2 years ago. It was supposed to use that database to prioritize assets in order of risk and to harden facilities and systems accordingly. I am sorry to report that the database is still full of holes and has not been finished. Because the Department lacks the methodology to rank critical assets contained in the database, incomplete as it is, the Department to date has essentially assembled a spreadsheet of targets that, for the most part, does not tell the Department or Congress what to protect first or why. Part of the problem stems from the Department's failure at the outset of the database project to set clear standards for which assets should and should not be considered critical for homeland security purposes. Indeed, this lack of standards resulted in a miniature golf course in my home district being included as a critical homeland security asset. This would be funny if the stakes were not so high. Without standards, how that miniature golf course ranks in priority against protecting the Capitol building or a chemical facility or subway system remains an important question that the Department can't answer. I am dismayed that as of late last week the Department still had not submitted a report on its progress in completing, first, risk and vulnerability assessments of the Nation's critical infrastructure; secondly, the accuracy of the government's plans to protect such infrastructure; and finally, the government's readiness to respond to threats against the United States. Pursuant to the Intelligence Reform Act, that report was due this past June. I look forward to hearing about HITRAC and how the Department might consider assessing risk on a going forward basis. I am also particularly interested in what the risk assessment experts with us today have to say about how the Department should do this important work and how effective terrorism risk assessment can really be without a prioritized dynamic list of critical assets to guide the Department's efforts. I look forward to your testimony, and I welcome your participation in this hearing. Thank you, Mr. Chairman. Mr. Simmons. I thank the ranking member. The Chair recognizes the ranking member of the full committee, the gentleman from Mississippi, Mr. Thompson, for any statement he may wish to make. Mr. Thompson. Thank you very much, Mr. Chairman. I look forward to the testimony of the witnesses for the hearing today. I have a written statement, and I will submit it for the record. Thank you. [The statement of Mr. Thompson follows:] Prepared Opening Statement of Hon. Bennie G. ThompsonI am very pleased that this Subcommittee is addressing the issue of how the Department conducts terrorism risk assessments. This function is critical to driving informed decisions about where to spend our homeland security dollars to protect our people, to secure our critical infrastructure, and--hopefully--to thwart terrorist attacks. I am very pleased that we have with us today a representative from HITRAC (``High-Track'')--the Department's Homeland Infrastructure Threat and Risk Analysis Center. Since it was created in January of this year, HITRAC has fused the talents of both intelligence analysts and infrastructure protection experts within the Department in order to separate the wheat from the chaff when it comes to terrorist risks and threats. I note that in many ways, HITRAC embodies what Congress had hoped the Information Analysis and Infrastructure Protection Directorate would be--a center for intelligence analysis and risk assessment devoted to protecting and securing the homeland. I sincerely hope that HITRAC can efficiently do what IAIP apparently could not, and I am interested in hearing about what lessons HITRAC has learned from the IAIP experience. This hearing, moreover, could not be more timely. On November 2nd, the Department finally released its draft National Infrastructure Protection Plan--which I note HITRAC's operations will support once the NIPP is finalized next year. Among its provisions, the draft NIPP addresses the need for a common approach to assess risk in order to set protection priorities. The draft NIPP likewise references the RAMCAP--a series of terrorist risk assessment tools that the Department is presently developing. Unfortunately, the draft NIPP is short on details about what criteria should apply to ensure effective assessments. It appears, however, that the Department may face significant hurdles in obtaining RAMCAP participation. Some in the private sector have complained that the Department has offered few incentives to the private sector for RAMCAP participation. Compliance with RAMCAP methodologies, moreover, is purely voluntary. And according to the NIPP, the Department is planning to create multiple versions of the RAMCAP applicable to different sectors--rather than a single, flexible standard. I look forward to hearing all of the witness' views of the draft NIPP and the RAMCAP generally, as well as suggestions for improving upon the Department's risk assessment approach on a going forward basis. Thank you for joining us today. Mr. Simmons. I thank the gentleman. I notice we also have the gentleman from California here today, Mr. Lofgren. As is our custom, you are free to insert any statements you may wish for the record. Mr. Lungren. I am Mr. Lungren. Ms. Lofgren. He is my cousin, not my brother. Mr. Lungren. Tomato, tomato, and I notice it is HITRAC, and as Ms. Lofgren and I both call it, HITRAC, because I think we were both English majors in college. Mr. Simmons. I thank the gentleman for his correction. The Chair now calls our panel of witnesses. What I will do is read a short bio for each witness before they make their statement. That way it will be fresh in our minds, their background and their experience. I will advise the witnesses that we do have their full statement in the record which we can read and follow. If they wish to summarize we will be providing 5 minutes for their statements, at which point we will then ask questions. Our first witness is Ms. Melissa Smislova, currently serving as Acting Director of the Homeland Infrastructure Threat and Risk Analysis Center. I call it HITRAC. I kind of like that better. It may be HITRAC. Maybe you can answer that question when you begin. Prior to joining DHS, she spent almost 20 years in the field of intelligence analysis, most recently at the Defense Intelligence Agency. She brings a wealth of intelligence and analytical experience to her current role, which will serve the Department of Homeland Security and HITRAC well as they work to fulfill the critical mission of protecting our homeland from terrorist attack. I thank you for being here today. Please begin your testimony. STATEMENT OF MELISSA SMISLOVA, ACTING DIRECTOR, DEPARTMENT OF HOMELAND SECURITY, HOMELAND INFRASTRUCTURE THREAT AND RISK ANALYSIS CENTER Ms. Smislova. Good afternoon, Mr. Chairman, and distinguished members of this committee. Thank you for having me here today to speak with you about the role of the Office of Intelligence and Analysis in the development of the DHS risk assessment process. As Secretary Chertoff has reinforced, DHS has adopted a risk-based approach in both our operations and in our philosophy. Because intelligence is a key component of risk analysis, the Office of Intelligence and Analysis, as well as the Office of Infrastructure Protection, did establish the Homeland Infrastructure Threat and Risk Analysis Center, which we do call HITRAC. HITRAC is meant to-- Mr. Simmons. Boy, what a terrific witness we have. Ms. Smislova. Thank you, sir. HITRAC is meant to institutionalize risk assessments, as well as to produce some tailored threat assessments that can support the protection of the national critical infrastructure and our key resources. HITRAC reports both to the Office of Intelligence and Analysis, as well as to the Office of Infrastructure Protection, and we are comprised of members that belong to both groups. Under this dual structure, the priority of our infrastructure work requirements does come from the Office of Infrastructure Protection under the Assistant Secretary, Robert Stephan, but the approval of all the intelligence-derived production does remain with Mr. Charlie Allen, the new Assistant Secretary for Intelligence and Analysis. The HITRAC mission represents a unique capability within the U.S. Government. Our threat analysts have access to traditional Intelligence Community reporting and the data, as well as to the DHS component intelligence and information reporting. Our HITRAC infrastructure protection sector specialists, on the other hand, who possess the private sector expertise and sector-specific incident data, identify the sector-specific vulnerabilities and the consequences of a possible terrorist attack. Our HITRAC analysts then integrate all of this available information into strategic level risk assessments for the Federal, State and local authorities, as well as the private sector. In addition, we believe that our intelligence products are more relevant to infrastructure owners and operators because we frame our analysis in the context and unique operating environment of our diverse and specific critical infrastructure partners. We receive information about United States critical infrastructure through our Information Sharing and Analysis Centers, the ISACs, as well as through our contacts through the private and public infrastructure owners that have already been established by our colleagues in the Office of Infrastructure Protection and throughout the Preparedness Directorate. In addition, we are able to refine our national level Intelligence Community collection requirements by working back through the Office of Intelligence. DHS defines risk as the determination of weighting the factors of threat, vulnerability and consequence. While inherently the most subjective component of this risk equation, the threat of the enemy attack is derived from a study of enemy intent and capability. The intent of this particular adversary is assessed after study of all available information that we have about what this adversary wants to accomplish by attacking the United States. We work with our partners in the Intelligence Community to understand as much as we are able about the terrorists' goals, plans and desires. We match what we know about the intentions of this adversary with information that we do have about how this enemy is capable of accomplishing an attack. For this part of the equation, we rely both on what we see the enemy discussing, recruiting and training, as well as the lessons that we are learning from his attacks overseas. We work all the pieces of this puzzle together. HITRAC's unique partnering with the infrastructure protection specialists that are not professional intelligence officers allows us a different view of the data than what we believe our Intelligence Community colleagues sometimes have. One example of the integration of how Department of Homeland Security integrates threat analysis into our risk assessments is shown in our HITRAC production plan to support the National Infrastructure Protection Plan. Directed by the Homeland Security Presidential Directive 7, the National Infrastructure Protection Plan is a unified national plan for the consolidation of critical infrastructure protection activities. We call that the NIPP. The NIPP is a collaborative effort between the private sector, State, local, territorial and tribal entities and all relevant departments and agencies of our government. The cornerstone of the National Infrastructure Protection Plan, the NIPP, is a risk management framework that combines threat, vulnerability and consequence information. Mr. Simmons. If you want to summarize? I have actually read your statement. I am sure we all have. Ms. Smislova. Yes. That is just why we have established a HITRAC, to accomplish those specific tasks. Thank you. [The statement of Ms. Smislova follows:] Prepared Statement of Melissa Smislova Introduction Good afternoon, Mr. Chairman and distinguished Members of this Committee. I am here to speak with you about the role of the Office of Intelligence & Analysis in the development of DHS risk assessments. As Secretary Chertoff has reinforced throughout his tenure, DHS has adopted a risk-based approach in both our operations and our philosophy. There is no question that intelligence is a key component of risk analysis. For this reason, the Office of Intelligence & Analysis and the Office of Infrastructure Protection established the Homeland Infrastructure Threat and Risk Analysis Center (HITRAC) to institutionalize strategic risk assessments and produce tailored threat documents in support of the protection of national critical infrastructure and key resources (CI/KR). Homeland Infrastructure and Risk Analysis Center The Homeland Infrastructure Threat and Risk Analysis Center (HITRAC ) reports to both the Office of Intelligence Analysis (OI & A) and the Office of Infrastructure Protection (OIP). It brings together members of the Intelligence Community under OI & A and infrastructure specialists from the OIP as well as experts from the National Communications System and the National Cyber Security Division, among others, to produce strategic-level risk assessments. Under this dual structure, priority of infrastructure work requirements come from the Assistant Secretary for Infrastructure Protection, Mr. Robert Stephan, while approval for all intelligence derived production remains with the Assistant Secretary for Intelligence and Analysis, Mr. Charlie Allen. The HITRAC mission represents a unique capability within the U.S. Government. HITRAC threat analysts have access to traditional intelligence community reporting and data as well as to DHS component- specific intelligence and information reporting (for example, information gathered at the ports of entry and transportation centers by DHS component members). HITRAC infrastructure protection sector specialists, who possess private sector expertise and sector specific incident data, identify sector-specific vulnerabilities and consequences of attack. HITRAC analysts then integrate all available information to produce strategic-level risk assessments for Federal, State and local authorities and the private sector. HITRAC crafts products that make intelligence information more relevant to infrastructure owners and operators by framing our analysis in the context and unique operating environment of all seventeen CI/KR sectors. HITRAC receives information about the critical infrastructure through our Information Sharing and Analysis Centers and through contacts with private and public infrastructure owners that have been established by the OIP and throughout the Preparedness Directorate. In addition we are able to refine national intelligence community collection requirements though working with OI&A. In addition, HITRAC produces threat products for infrastructure owners and operators to use in their own risk calculations and for DHS, state and local entities, and other Federal entities to use in their own planning and operations. DHS defines risk as a determination of weighing the factors of threat, vulnerability and consequence. While inherently the most subjective component of the risk equation, threat of enemy attack is derived from study of enemy intent and capability. Intent of this adversary is assessed after study of all available information about what they want to accomplish by attacking the United States. We work with our partners in the intelligence community to understand as much as we are able about the terrorists' goals, plans, and desires. We match what we know about the intentions of the adversary with information we have about what the enemy is capable of accomplishing. For this part of the equation we rely both on what we see the enemy discussing, recruiting and training for as well as lessons learned from overseas attacks. We work all the pieces of the information puzzle. HITRACs unique partnering with Infrastructure Protection specialists that are not professional intelligence officers allows us a different view of the data than our IC colleagues. Threat Products Supporting the National Infrastructure Protection Plan One example of the integration of threat analysis with DHS risk assessment efforts is in the HITRAC production plan to support the National Infrastructure Protection Plan. Directed by Homeland Security Presidential Directive 7 (HSPD-7), the National Infrastructure Protection Plan (NIPP) is a unified national plan for the consolidation of critical infrastructure protection activities. The NIPP is a collaborative effort between the private sector, State, local, territorial and tribal entities and all relevant departments and agencies of the Federal government. The cornerstone of the NIPP is a risk management framework that combines threat, vulnerability, and consequence information to produce a comprehensive, systematic, and informed assessment of national or sector risk that drives our protection efforts in the CI/KR sectors. This framework applies to the general threat environment as well as specific threats or incident situations. HITRAC's production plan supports the NIPP. The NIPP promises sector specific threat information to each sector following its finalization. Our analytic products are designed to provide threat information to the private and public infrastructure owners and operators. In particular we are producing: Sector Assessments for each CI/KR sector. HITRAC through the OI & A and in coordination with TSA and USCG intelligence entities will produce several sub-sector assessments due to the broad characteristics of some sectors (for example, HITRAC will produce sub-sector assessments for aviation and mass transit which are sub-sectors of the broader transportation sector). HITRAC leverages the expertise of several sector specific agencies, including the Transportation Security Administration, as well as our colleagues in the intelligence community to support our efforts. These products, written at multiple classification levels, provide DHS a vehicle to deliver long-term strategic assessments of sector risks by detailing HITRAC analysis of the intentions and capabilities of known terrorists and integrating relevant threat information with the unique vulnerabilities and consequence of each sector. HITRAC is also producing Common Threat Themes in support of the NIPP and other DHS and Federal risk assessments. These threat scenarios are descriptions of potential attack methods based on known or desired terrorist capabilities. These scenarios, which will be updated as needed, are detailed vignettes of the methods terrorist might use to attack the US infrastructure and are derived from the study of terrorist intentions and capabilities. These scenarios are intended to inform vulnerability and consequence analysis while ensuring that a given risk analysis has taken into account the minimum set of potential attack vectors and the associated vulnerabilities and consequences. These threat themes are used as the foundations to design and build the threat scenarios used by the Office of Domestic Preparedness. The scenarios used for ODP exercises are lengthy depictions of how a notional terrorist attack might unfold and they are drafted to test prevention and response capabilities. HITRAC's threat themes are specific descriptions of ways the enemy can attack and are for use by private and public infrastructure owners and state and local governments to develop their own risk assessments. For example, they describe in detail what we know about how the adversary can employ a vehicle borne improvised explosive device. Conclusion The Federal government and private sector owners and operators need intelligence-based risk assessments to best protect against and respond to potential terrorist attacks. DHS established HITRAC to provide integrated strategic risk assessments and tailored threat products in support of the protection of critical infrastructure and key resources throughout the nation. This is a very challenging mission, but with your support, we will succeed. Thank you. Mr. Simmons. Thank you very much. Our next witness is Christine Wormuth, Senior Fellow in International Security at the Center for Strategic and International Studies, where she focuses on homeland security policy, U.S. national security strategy and policy and defense requirements and resource issues. Prior to joining CSIS, she was a principal at DFI Government Services, a defense consulting firm, where she developed a methodology to assess homeland security risks, including an analytical tool that comprehensively evaluates homeland security risks in terms of their potential to occur and possible consequences. She works closely with elements of DHS and the Homeland Security Council on a wide range of implementation issues aimed at increasing the preparedness level of the United States. Thank you for being here. You may begin. STATEMENT OF CHRISTINE WORMUTH, SENIOR FELLOW, INTERNATIONAL SECURITY PROGRAM, CENTER FOR STRATEGIC AND INTERNATIONAL STUDIES Ms. Wormuth. Thank you, Mr. Chairman, and thank you other members of the subcommittee for asking me to testify here today on this important topic. Assessing homeland security riskS, which, of course, can come both from terrorism but also from natural disasters, is an enormously complex undertaking, but it is also, as you all know well, a critical task if the government seeks to marshal its finite resources effectively. I think Ms. Smislova has very well covered the basic components of risk assessment, so I will try to focus my comments on some of the challenges that I think are inherent in developing risk assessments for homeland security, as well as some observations about the broader strategic role that I think risk assessments can play in this field. The basic formula for risk assessment is simple. It is essentially probability, which is threats and vulnerabilities times the consequences of particular attacks, and that equals the risks. But in practice, I think analysts and experts face a lot of important practical challenges when they try to go about the task of assessing homeland security risks. One challenge, of course, is the lack of quantitative data. We can't determine the probability in a scientific sense of a terrorist attack, the percentage chance that a particular type of attack might occur, nor do we have extensive quantitative data at this point on the specific economic costs or the potential numbers of fatalities or serious injuries that are associated with different types of attack. One way to compensate, of course, for these challenges is to use expert judgment and to use computer modeling and simulation to extrapolate information based on what we do know. Another challenge I think that is important to note is how to handle intelligence in these types of assessments, and specifically by that I mean how can DHS develop models that factor in specific intelligence without skewing the assessment away from areas where we may not have specific information. Coming out of the Defense Department, I am fond of quoting Secretary Rumsfeld, who has said we don't know what we don't know. Just because the Intelligence Community doesn't know that a terrorist group doesn't have WMD does not mean that they don't in fact have some sort of capability. I think another policy challenge here is weighting the different pieces of a risk assessment. For example, should we weight different types of critical infrastructure targets or other critical assets more heavily in an assessment because a group like al-Qa'ida has expressed the intention to attack them, or should we weight human deaths and injuries more heavily than other elements of consequences. Those are policy decisions that I think we need to grapple with. Despite these challenges, I heartily believe that risk assessment is a very powerful tool for homeland security policymakers and should be at the heart of our approach. I do want to observe that I think DHS would serve not just itself as a department but the entire interagency, all of those cabinet agencies that have a role in homeland security, by taking the lead in developing what I like to call a National Homeland Security Risk Assessment. I see this as being something like a National Intelligence Estimate in that it would be developed on a regular basis, perhaps every couple of years, and it would serve as the authoritative assessment of risk and trends of significance in the area of homeland security. In my view, development of a National Risk Assessment should be actually an interagency undertaking, not just a DHS undertaking, although DHS should certainly be in the lead. But I think to really develop this kind of risk assessment it would be useful to draw on the expertise and the viewpoints of the other cabinet agencies that have a role in this field. I think a National Risk Assessment should focus on developing a strategic picture in the near term, at least in terms of setting broad priorities and directions, and then the details, all of those very important details, can be filled in over time with tools that are specifically developed to capture all of the nuances of the information. In my view, a risk assessment of this type could strengthen our homeland security policy development process and resource allocation process in three important ways: First, in guiding Homeland Security planning. At CSI, as noted in our recently released ``Beyond7 Goldwater-Nichols Phase II'' report, a strategic risk assessment really needs to be at the heart of developing concepts of operation for homeland security. It should also serve I believe as the basis for developing national homeland security planning scenarios. The 15 scenarios released by the Homeland Security Council are an important first step, but I think these scenarios would carry more weight across the interagency if they were based on a strategic risk assessment. Of course as you know, a risk assessment is very important in driving the resource allocation process. Again, I think a strategic risk assessment could harmonize our efforts, not just in DHS, but across the entire intergency, which would go a long way towards maximizing our unity of effort. Lastly, I think a risk assessment tool would help us evaluate the program options for mitigating consequences and enhancing our preparedness system, helping us think about where do we get our best bang for the buck. I will just conclude by noting that in my view, as you know, Secretary Chertoff has called on Congress to approve an Under Secretary for Policy. Assistant Secretary Baker sits in that chair right now. I believe one of his central responsibilities should be taking the lead in developing this kind of National Homeland Security Risk Assessment and then institutionalizing its results into the DHS resource allocation process and policy planning process. My colleagues at CSI have called on DHS to deliver a National Homeland Security Assessment by December 2006. I think this is still a very reasonable deadline. Obviously it would be wonderful to have more time, but I think given we are 4 years after September 11, it is very important to have a National Homeland Security Risk Assessment soon, even if it means that we as Americans, as you in Congress and our leaders in the executive branch, have to make choices based on less than perfect information. I think it is important not to let the best be the enemy of the good. I thank you very much for the opportunity to share my views. [The statement of Ms. Wormuth follows:] Prepared Statement of Christine E. Wormuth Mr. Chairman, Ranking Member Lofgren, members of the subcommittee, thank you for inviting me to testify before you today on assessing the risks of terrorism. Assessing homeland security risks, which can stem from both terrorism and natural disasters, is an enormously complex undertaking but is also a critical task if the federal government seeks to marshal its finite resources effectively. Before turning to the key policy issue of how to use risk assessments to maximize unity of effort at the federal level, I would like to briefly outline what makes a basic risk assessment and some of the challenges inherent in trying to assess homeland security risks. As Secretary Chertoff has emphasized since being named Secretary of Homeland Security, focusing on the ``trio of threat, vulnerability and consequence as a general model for assessing risk'' is at the heart of the DHS approach. It is worth peeling back the layers of the onion in those three areas a bit more fully to understand the complexities associated with assessing homeland security risks. In most formal discussions of risk assessment, risk is defined as the product of the probability that a certain event might occur--a suicide bomber attack on a hotel such as we saw take place last week in Jordan--and the consequences that could result from such an event. The probability side of the equation is basically a combination of threats and vulnerabilities. Threats could be assessed in terms of the different kinds of weapons and delivery systems that might be available to our enemies. In some cases weapons could be relatively difficult to acquire or develop, like the smallpox virus or a small nuclear device, or they could be much more common--an improvised explosive device carried on a delivery truck. Assessing vulnerabilities means establishing the pool of possible targets--which could include buildings that are vulnerable every day like chemical plants or once-a- year events like the Super Bowl--and determining how vulnerable they are to the full range of threats. The final piece of a basic risk assessment involves looking at the consequences that might result from different attacks. Consequences might include not only the deaths and injuries that could result, but also the economic and psychological costs of a given type of attack, and the length of time it takes to resume normal activity levels after the attack. The basic formula for a risk assessment is simple--probability times consequences equals risks--but in practice assessing homeland security risks poses some important practical challenges. One challenge is the lack of quantitative data on which to base assessments of probability and consequences. We cannot determine the probability of terrorist attacks--the ``percent chance'' that a specific type of attack might occur. Nor do we have extensive quantitative data to pinpoint the numbers of potential fatalities or economic costs that might be associated with particular kinds of attacks. And how should we begin to think about psychological consequences? Can they be expressed quantitatively? We can use expert judgment and computer models to extrapolate representations of probability and consequences but they will be just that-- representations rather than certainties. Another challenge is how to handle intelligence. Many of you on the committee have noted the importance of intelligence in developing homeland security risk assessments. But determining how to incorporate intelligence effectively is a challenge for analysts. How can DHS develop models that factor in specific intelligence we may have about particular targets or payloads without skewing an assessment toward only those risks on which we have intelligence? As Secretary Rumsfeld has often said, ``we don't know what we don't know,''--just because the intelligence community does not have information that suggests a terrorist group has a WMD capability does not mean that group doesn't have a WMD capability. Or vice versa. Whether to weight the different pieces of a risk assessment is another challenge. Should some kinds of targets be weighted more heavily if we know groups like al-Qa'ida have expressed the intention to attack them? Should human deaths be weighted more heavily than other types of consequences? By how much? Despite these formidable challenges, it is absolutely worth the time and effort to develop robust homeland security risk assessments that can guide our planning and policy development. Risk assessments-- even if they are based on imperfect intelligence, expert opinion, and computer simulations of potential consequences--give us the tools to examine many different pieces of complex information in a structured way. They focus attention on the specific judgments that cumulate into an overall risk ranking and hence they can be ``unpacked'' to better understand where differences of opinion may lie and how they affect the assessment. Policy makers can use the structure that risk assessments provide to understand clearly where there are disagreements in the expert community, and can then assess for themselves the different sides of the debate before coming to a policy judgment that may have profound implications down the road. DHS would serve all of the Cabinet agencies with homeland security responsibilities well by taking the lead in developing a ``National Homeland Security Risk Assessment'' that would assess and rank the full spectrum of plausible homeland security risks--an assessment that would look comprehensively across all of the kinds of critical infrastructure and other potential target types combined with the different weapon payloads and delivery systems that adversaries might seek to use against the United States. As this Committee knows well, the legislation that established DHS stipulated that the department would develop a comprehensive risk assessment. This assessment is still of paramount importance. This type of assessment, much like a National Intelligence Estimate, would be developed on a regular basis, perhaps every couple of years, and would serve as the authoritative assessment of homeland security risks, identify trends of significance for homeland security and if necessary, identify differences of views about risks among the principal senior leaders in the U.S. government homeland security arena. Development of a National Risk Assessment should be an interagency undertaking, with DHS in the lead, but with significant support from the broader intelligence community, DoD, HHS, the Department of Energy, other Cabinet agencies, and leaders from the private sector and industry. A National Risk Assessment would sacrifice examining the threats, vulnerabilities and consequences of every possible scenario in their fullest details for a process that could generate actionable results in the near-term, at least in terms of setting broad priorities and directions. Subsequent, more detailed risk assessments focused on specific threats or infrastructure sectors could then fill in the details over a longer period of time. A National Risk Assessment could strengthen the homeland security policy development and resource allocation process in at least three very important ways. Guiding homeland security planning.. As CSIS noted in its recently released Beyond Goldwater Nichols Phase II report, before the interagency can develop robust concepts of operations for homeland security, it needs to conduct a strategic risk assessment. A National Risk Assessment would not only serve as the basis for developing common interagency strategies for addressing specific homeland security challenges, it would also serve as the basis for developing national homeland security planning scenarios. Putting forth the fifteen Homeland Security Council scenarios was an important step toward harmonizing ongoing planning activities, but those scenarios could play a larger role in driving policy, planning, and programming if they were based on the results of an interagency-agreed National Risk Assessment. Driving the resource allocation process. Many have noted the importance of using risk assessments to set broad priorities for how DHS allocates resources. Looking beyond DHS, a National Risk Assessment could serve as the basis by which to harmonize not just DHS resource and policy decisions, but homeland security related resource and policy decisions across the entire interagency. This would go a long way toward creating maximum unity of effort across the USG in this critical area. Evaluating potential policy and programmatic options. Where should DHS and other agencies invest their marginal dollars? What will give us more bang for the buck, ten more bomb detector dog teams, 50 more handheld radiation detectors, or 100 more border patrol agents? These are the kinds of real world decisions DHS and other agencies have to grapple with in their budget processes, and risk assessment tools can help shed light on these choices in a structured way. Secretary Chertoff has asked Congress for the authority to establish an Under Secretary for Policy in DHS. This is a very important and much needed position, and it is good news that Mr. Stewart Baker was confirmed earlier this year at the Assistant Secretary level. In my view, one of his central responsibilities should be to lead the development of a National Risk Assessment, working closely with his peers in the other relevant Cabinet agencies, and then to institutionalize the results into DHS's broader strategic planning and resource allocation processes. The Under Secretary, with his direct access to Secretary Chertoff, can elevate and integrate the many useful risk assessment processes ongoing inside DHS to help build a coherent, comprehensive risk assessment picture that truly drives policy and programming at the strategic level. In DHS 2.0, Rethinking the Department of Homeland Security, my colleague David Heyman at CSIS and James Carafano of the Heritage Foundation called on DHS to deliver a comprehensive risk assessment to our top national security leaders by December 2006. I think this remains a reasonable deadline. Highly granular assessments will clearly be needed, and there are assessment tools in development that will help us make finely tuned adjustments to our prevention, response and preparedness programs over time. But today, more than four years after the September 11 attacks, we need a comprehensive National Risk Assessment--and we need it soon. That means senior leaders, in the Executive branch and here in Congress, will have to make choices and set priorities on less than perfect information. That said, I suspect most Americans would prefer to see the government make those tough choices rather than letting the best be the enemy of the good. I applaud this Committee for engaging on this issue and thank you for the opportunity to share my views. Mr. Simmons. Thank you for that testimony. That will lead to some interesting questions, I am sure. Our next witness is Dr. Detlof von Winterfeldt, who is the Director of the Center for Risk and Economic Analysis of Terrorist Events at the University of Southern California. He is also Professor of Public Policy and Management in the School of Policy Planning and Development. His research interests are in the foundation and practice of decision and risk analysis as applied to technology, environmental and security problems. He is the coauthor of two books and the author or coauthor of over 100 articles and reports on these topics. Thank you very much for being here. We look forward to hearing your testimony. STATEMENT OF DR. DETLOF von WINTERFELDT Mr. von Winterfeldt. Thank you very much, Chairman Simmons, Ranking Member Lofgren and distinguished members of the subcommittee. It is truly an honor to appear before you today to discuss the topic of terrorism risk assessment. I would like to cover three areas in this opening statement. I will briefly introduce you to the Center of Risk and Economic Analysis of Terrorism Events, called CREATE; I would like to provide some background on risk assessment and its uses over the last 30 years in various government agencies and private enterprises; and I would like to end by commenting on the uses, opportunities and important challenges of using risk assessment in the homeland security area. CREATE was the first university-based center of excellence funded by the Department of Homeland Security. It was selected in 2003 in a competition of 72 universities and we started operations in March 2004. CREATE is located at the University of Southern California and has partners at NYU and at the University of Wisconsin and other universities across the country. Our main goal is to develop advanced risk assessment tools and economic tools for homeland security decisions. Let me turn a little bit to risk assessment in the broader context. Risk assessment has a very long history, dating back to studies of nuclear power plant safety and spacecraft safety in the 1970s. Today, risk assessment is successfully applied in areas as diverse as medicine, business, environment, industrial safety and natural disasters. A typical risk assessment answers three questions: What can go wrong, how likely is it and what are the consequences? My overall impression is that risk assessment has been very successfully applied by identifying risks and by developing cost-effective solutions to reduce risks in these areas. The application of risk assessment to terrorism is fairly new, providing new opportunities and challenges. Natural and engineered systems are ``neutral'' agents who don't seek out our vulnerability. Terrorists, in contrast, are the adversaries who attempt to attack us where we are weak, and furthermore they adjust their actions in response to our defenses. This non-random nature of terrorism complicates risk assessment and requires the development of new tools. In spite of these challenges, risk assessment has made considerable progress in the terrorism area in the past few years. An important distinction, as mentioned earlier, in risk assessment for terrorism is the difference between threat assessment, vulnerability assessment and consequence assessment. I don't want to repeat what the previous speakers have said. I just want to bring one point clearly home, and that is that threat assessment is by far the hardest part of terrorism risk assessment. This deals with assessing terrorist motivations, capabilities and intent. Assessing vulnerabilities is somewhat easier, and we have developed tools based on project risk analysis to do this task. Finally, the assessment of consequences, given a successful attack, as terrible as these consequences may be, can be pursued with relatively off-the-shelf methods that are usually provided by the national laboratories. Another distinction is between the various levels of homeland security decision making. We typically distinguish between decisions on specific countermeasures; for example, specific decisions on MANPADS countermeasures. The second area is prioritizing and resource allocation within a threat area; for example, prioritizing infrastructure threat targets, which is much of the topic of this committee. Finally, the high level policy decisions having to do with resource allocation between broad threat areas; for example, within rad-nuke, biological and infrastructure threats. Our recent studies suggest that specific countermeasure decisions can well be supported with risk assessments, and CREATE has made some contributions in this area which I would be happy to discuss with you later. We also see some progress in the use of risk assessment within threat areas. For example, in the past few years, several commercial risk analysis tools have been developed for a session risk infrastructure targets and prioritizing them. Risk assessment at the highest policy level is difficult and will necessarily involve expert judgment and more qualitative forms of analysis. However, overall, I am very optimistic that risk assessment can improve our Nation's decisions to counter terrorism, and much progress has been made, but there are also many challenges ahead. I thank you very much for this opportunity to address you. [The statement of Mr. von Winterfeldt follows:] Prepared Statement of Detlof von Winterfeldt Chairman Simmons, Ranking Member Lofgren, distinguished members of the Subcommittee: It is an honor to appear before you today to discuss the topic of terrorism risk assessment. I'd like to cover three areas in this opening statement. First, I will briefly introduce you to the Center for Risk and Economic Analysis of Terrorism Events (CREATE); second, I'd like to provide some background on risk assessment and its uses in the past 30 years in government agencies and private enterprises; third, I'd like to comment on the uses, opportunities and challenges of risk assessment in the homeland security area. CREATE is the first university-based center of excellence funded by the Department of Homeland Security. It was selected in a competition of 72 universities and started operations in March of 2004. CREATE is located at the University of Southern California with partners at the University of Wisconsin, New York University and faculty affiliated with the Massachusetts Institute of Technology. CREATE researchers are developing advanced risk assessment models and tools for homeland security decisions. We also study the economic impacts of terrorist events and develop computer models and analysis tools to assist decision makers in government and industry to allocate funds to counter terrorism. Risk assessment has a long history--dating back to studies of nuclear power plant and spacecraft safety in the mid 70s. Today, risk assessment is successfully applied in areas as diverse as medicine, business, environment, industrial safety and natural disasters. A typical risk assessment answers three questions: 1. What can go wrong? 2. How likely is it? 3. What are the consequences? In addition, risk assessments examine what can be done to reduce the likelihood of failures and the magnitude of consequences and to evaluate the effectiveness of alternative investments in improving safety. My overall impression is that risk assessments in these applied areas have been very successful by identifying risks and by developing cost-effective solutions to reduce risks. The application of risk assessment to terrorism is relatively new providing new opportunities and challenges. Natural and engineered systems are ``neutral'' agents, who don't seek out our vulnerabilities. In these areas we also have a fair amount of experience and data that can be used to estimate probabilities and consequences. Terrorists, in contrast, are adversaries, who seek out our vulnerabilities and adjust their actions in response to our defenses. This non-random nature of terrorism complicates risk assessments and requires the development of new tools. In spite of these challenges, risk assessment has made considerable progress in the terrorism area in the past few years. An important distinction in terrorism risk assessment is between threat, vulnerabilities, and consequence. When considering threats, we need to consider the motivation, capabilities, and intent of terrorist groups. This is probably the hardest part of terrorism risk assessment and there are no off-the shelf solutions for this task. CREATE researchers are working together with another university center of excellence--the Center for the Study of Terrorism and Response to Terrorism (START) at the University of Maryland--to develop risk analysis models for this purpose. Assessing vulnerabilities is somewhat easier. The key is to consider a wide range of threats and to assess the probability that an attempted terrorist attack is successful. CREATE researchers are using project risk analysis methods for this purpose. Finally, the assessment of consequences, given a successful attack, is quite straightforward and we can use off-the-shelf methods, for example, for modeling the dispersions of materials, spreading of infectious diseases, and so forth. Another distinction is between the various levels of homeland security decision making. Recent studies by our CREATE researchers suggest that specific countermeasure decisions, for example regarding MANPADS countermeasures, can be supported quite well with risk assessments. At the next level are decisions on how to allocate funds within a specific threat area or across potential targets. We see some progress in this area as well. For example, in the past few years several commercial risk analysis tools have been developed for assessing risks of infrastructure targets. At the highest decision making level are questions about how much money to spend on, for example, radiological and nuclear defenses vs. biological defenses vs. infrastructure protection. Risk assessment at this level is difficult and will necessarily involve expert judgments and more qualitative analysis. Overall, I am very optimistic that risk assessment can improve our Nation's decisions to counter terrorism. In other areas it often has taken years from the initial uses of risk assessment to mature applications. I believe that we can do better in making risk assessments useful in the terrorism area, but we also need to be aware of the many challenges we face. Mr. Simmons. I thank you very much for those comments. Our fourth witness is Dr. Henry Willis, who is a policy researcher with the RAND Corporation, where his research applies decision, analytical tools and risk analysis to help decisionmakers choose among competing resource management strategies or policy actions and options. Examples of his recent research include assessing risk-based approaches to allocating homeland security preparedness resources, reviewing current and proposed countermeasures for protecting U.S. maritime transportation infrastructure, and assessing personal protective equipment needs of emergency responders working in a post-structural collapse environment. Dr. Willis, welcome. We look forward to hearing your testimony. STATEMENT OF DR. HENRY WILLIS, POLICY RESEARCHER, THE RAND CORPORATION Mr. Willis. Thank you, Chairman Simmons, Ranking Member Thompson, Ranking Member Lofgren and distinguished members. I would like to thank you for giving me the opportunity to speak with you today about terrorism risk assessment at the Department of Homeland Security. Many of my comments are based directly on a recently released RAND report entitled Estimating Terrorism Risk. I will make hard copies of this report available to the committee, and would like to request that the report be made part of the official record. Mr. Simmons. Without objection, so ordered. The information is maintained in the committee file. Mr. Willis. Over the last 4 years, Congress and the Department of Homeland Security have made tremendous progress in maturing homeland security policy. Shortly after September 11, 2001, decisions were dominated by the use of crude indicators, such as population, which approximated consequences of terrorist events. Subsequently, policy moved to vulnerability reduction. And, more recently, Secretary Michael Chertoff has called on DHS to adopt risk-based decision making. The next step in this process will be the focus on risk reduction and cost effectiveness, but the U.S. Government is currently in the early phases of this stage. With this as background, there are five recommendations from our work that are pertinent to today's hearing. First, the U.S. Government should consistently define terrorism risk in terms of metrics, like expected annual consequences. Critical infrastructure risk assessment is too often focused on potential consequences, either ignoring or under emphasizing factors that determine threat and vulnerability. Expected annual consequences take threat vulnerability and potential consequences into consideration in a rational way. Defining terrorism risk in terms of all these factors facilitates the incorporation of risk reduction as the goal of Homeland Security programs. Secondly, DHS should seek robust risk estimators that account for uncertainty about terrorism risk and variance in citizen values. Given the tremendous uncertainties surrounding terrorism risk assessment, it is prudent to plan for the range of plausible futures that may play out. Many different models exist, and experts disagree on terrorist capabilities and intentions. Risk assessment should reflect all critical models and expert judgments. The challenge is to support a single decision, while still being able to identify how risk is distributed differently across different outcomes, such as fatalities or property damage, and also explain how the decision would change if more emphasis were given to a single type of outcome or perspective on threats and vulnerabilities. Third, DHS should use event-based models to assess terrorism risk. Measuring and tracking levels of terrorism risk is an important component of homeland security policy. These data provide insights into how current programs are reducing risk and when and where new terrorist threats may be emerging. Only event-based models of terrorism risk provide insight into how changes in assumptions or actual levels of threat vulnerability and consequences affect risk levels. Fourth, relying on event-based models does not mean relying entirely on a top-down process. It is important to differentiate strategic risk assessment from risk assessment to support design or performance assessment or that to support tactical decisions. Strategic assessments might guide the distribution of resources that are not reallocated frequently. Design and performance assessment might be used to optimize or tune a response to a particular threat or protect a specific asset. Think of assessment used to reinforce the design of a nuclear power plant. Tactical assessments might be in response to intelligence regarding specific threats or events that have already occurred. Of course, all are needed. I recommend that a top-down approach is most practical for strategic risk assessment, and estimates need not be as detailed as design or tactical risk assessment. The goal is to distribute resources in roughly the right places and in correct proportion. On the other hand, I recommend a bottom-up approach to support design or tactical decisions. Here, more detailed models and analysis can be used to authorize spending on specific projects and justify current programs. Finally, the U.S. Government should invest resources to bridge the gap between risk assessment and resource allocation policies that are cost-effective. The first step in this process is implementing annual independent risk impact assessments to evaluate how risk reduction funds have succeeded in reducing risk. These assessments will provide a feedback mechanism that will ultimately help increase of risk. The second step is a capabilities-based assessment of the Nation's homeland security programs to document the unique contributions provided by each and ensure balance between the layered defenses that have been put in place. I would like to thank you for the opportunities to address the committee on this important subject, and I look forward to your questions. [The statement of Mr. Willis follows:] Prepared Statement of Henry Willis, Ph.D. \1\ Good afternoon, Mr. Chairman and distinguished Members of this Committee. I would like to thank you for the opportunity to speak with you today about terrorism risk assessment at the Department of Homeland Security (DHS). Many of my comments are based directly on a recently released RAND Corporation report entitled, ``Estimating Terrorism Risk,'' which has been made available to Members of the Committee. This report is part of RAND's program of self-initiated research that is funded through the independent research and development provisions of our Federally Funded Research and Development Centers. It is the latest release by the RAND Center for Terrorism Risk Management Policy, which was established in 2002 to study terrorism risk management, insurance, liability, and compensation. I would like to request that this report be made part of the official record.SPELL --------------------------------------------------------------------------- \1\ The opinions and conclusions expressed in this testimony are the author's alone and should not be interpreted as representing those of RAND or any of the sponsors of its research. This product is part of the RAND Corporation testimony series. RAND testimonies record testimony presented by RAND associates to federal, state, or local legislative committees; government-appointed commissions and panels; and private review and oversight bodies. The RAND Corporation is a nonprofit research organization providing objective analysis and effective solutions that address the challenges facing the public and private sectors around the world. RAND'S publications do not necessarily reflect the opinions of its research clients and sponsors. --------------------------------------------------------------------------- Over the last four years, Congress and the Department of Homeland Security have made tremendous progress in maturing homeland security policy. Shortly after September 11, 2001, decisions were dominated by the use of crude indicators, such as population, which approximated consequences of terrorist events. Subsequently, policy moved to vulnerability reduction and more recently, Secretary Michael Chertoff has called on the DHS to adopt risk-based decisionmaking. The next step in this process will be to focus on the risk reduction and cost effectiveness, but the U.S. Government currently is in the early phases of this stage. The recently released draft National Infrastructure Protection Plan (NIPP) reflects this progression by defining an aggressive and comprehensive approach to risk assessment across sectors that affect the U.S. economy. As compared to earlier drafts of this document, it reflects adoption of Secretary Chertoff's guidance to use risk-based decisionmaking and represents the state of the Department's thinking on critical infrastructure protection. Specifically, it tries to take a balanced approach to incorporate: risk assessment; information sharing, feedback, and training; organizing and partnership with private sector; resource allocation; and long-range sustainability of protection efforts. Finally, the draft NIPP describes a framework that follows the best practices of risk analysis that are outlined in, among other places, the National Research Council in its foundational reports Risk Assessment in the Federal Government: Managing the Process (1983) and subsequently Science and Judgment in Risk Assessment (1994). These best practices require that risk assessments be: a) analytic, b) deliberative, and c) practical. For homeland security policy, these statements have the following translation: a) Analytic An analytic process requires addressing all three of the factors that determine terrorism risk: 1) threat, 2) vulnerability, and 3) terrorism, and where feasible, to do so quantitatively. Risk assessments must be repeatable so all parties can replicate, analyze, and understand them. However, the uncertainty inherent in this problem, particularly in the terrorist threat, implies that unlike most of our successful experience with these tools in the past, some new thinking about all plausible threats, not just the most likely threat, will need to be taken into account. b) Deliberative A deliberative process is necessary because the notion of a cold, analytic risk assessment is a myth. Values and judgment are part and parcel to the process and require transparency and a comprehensive discussion of outcomes. This is the only way to credibly address tradeoffs between risks to people from risks to property and risks from a conventional bomb, nuclear attack, biological attack, or even hurricane or other natural disaster. c) Practical Finally, risk assessment must be practical, meaning that data collection and management requirements must not be untenable and estimates should not be overly reliant on a single perspective or tool. This last point is where concerns may arise with the draft NIPP. These concerns relate more to implementing what is outlined rather than concerns with the content of the plan itself. Implementation will need to address natural disasters as well as terrorist threat as the plan is used. Questions remain about the practicality of implementing risk analysis and information sharing given limitations in the real world as to funding, time, and staff available. These issues have not been ironed out. With this as background, there are 5 recommendations from our work that are pertinent to today's hearing. First, the U.S. Government should consistently define terrorism risk in terms of metrics like expected annual consequences. Critical infrastructure risk assessment is too often focused on potential consequences, either ignoring or under emphasizing factors that determine threat and vulnerability. Expected annual consequences take threat, vulnerability and potential consequences into consideration in a rational way. Defining terrorism risk in terms of all of these factors facilitates the incorporation of risk reduction as the goal of homeland security programs. Second, DHS should seek robust risk estimators that account for uncertainty about terrorism risk and variance in citizen values. Given the tremendous uncertainties surrounding terrorism risk assessment, it is prudent to plan for the range of plausible futures that may play out. Many different models exist and experts disagree on terrorists' capabilities and intentions. Risk assessment should reflect all credible models and expert judgments. The challenge is to support a single decision, while still being able to identify how risk is distributed differently across different outcomes, such as fatalities or property damage, and also explain how the decision would change if more emphasis were given to a single type of outcome or perspective on threats and vulnerabilities. Third, DHS should use event-based models to assess terrorism risk. Measuring and tracking levels of terrorism risk is an important component of homeland security policy. These data provide insight into how current programs are reducing risk and when and where new terrorist threats may be emerging. Only event-based models of terrorism risk provide insight into how changes in assumptions or actual levels of threat, vulnerability, and consequences affect risk levels. There are many types of event-based models in existence. In our report, we relied on the Risk Management Systems (RMS) Terrorism Risk Model. This and other insurance industry models could also be used to support homeland security policy. The national laboratories have made progress on detailed models of critical infrastructures and their interdependencies. Colleagues in academia are applying economic input- output analysis to understand these same dependencies. Finally, the NIPP points to RAMCAP, or Risk Assessment Methodology for Critical Asset Protection, which is based on a foundation for risk analysis consistent for methods used in reliability analysis and also with the National Research Council framework. Fourth, relying on event-based models does not mean relying entirely on a top down process. It is important to differentiate strategic risk assessment from risk assessment to support design or performance assessment or that to support tactical decisions. Strategic assessments might guide the distribution of resources that are not reallocated frequently. Design and performance assessment might be used to optimize or tune a response to a particular threat or protect a specific asset. Think of assessment used to reinforce the design of a nuclear power plant. Tactical assessments might be in response to intelligence regarding specific threats (actionable intelligence) or events that have already occurred. Of course all are needed. I recommend that a top-down approach is most practical for strategic risk assessment; and estimates need not be as detailed as design or tactical risk assessment. The goal is to distribute resources in roughly the right place and correct proportion. On the other hand, I recommend a bottom-up approach to support design or tactical decisions. Here more detailed models and analysis can be used to authorize spending on specific projects and justify current programs. Strategic risk assessment ultimately needs event-based models. Until event-based models are more widely used to assess terrorism risk, density-weighted population is preferred over population as a simple risk indicator. Density-weighted population is simply a regions population multiplied by its population density. Our report found this metric to be reasonably correlated with the distribution of terrorism risk across the United States, as estimated by event-based models like the RMS Terrorism Risk Model. In contrast, our results suggest that population offers a remarkably weak indicator of risk, not much superior to estimating risk shares at random. Finally, the U.S. Government should invest resources to bridge the gap between terrorism risk assessment and resource allocation policies that are cost effective. As I intimated earlier, Congress and DHS are only in the position to estimate risks and distribute resources where the risks are believed to be the largest. Ultimately, the goal should be to distribute those resources where they most effectively reduce risk. The first step in this process is implementing annual, independent risk impact assessments to evaluate how risk reduction funds have succeeded in reducing risk. These assessments will provide a feedback mechanism that will ultimately help increase reduction of risk. Such assessments would benefit the DHS grant programs as well as border and maritime security programs like US-VISIT, C-TPAT, the MTSA, and TSA's baggage and passenger screening and profiling programs. The second step is a capabilities-based assessment of the nation's homeland security programs to document the unique contribution provided by each program and ensure appropriate balance to the layered defenses that have been put in place. I would like to thank you again for the opportunity to address the committee on this important subject and I look forward to answering any questions you may have. Mr. Simmons. Thank you all very much. I have a couple of questions that I would like to ask, and then we will go back and forth in accordance with our regular order. My first questions are to Ms. Smislova. Critically important to the success of your mission and your organization is information sharing, information sharing with the Intelligence Community to make sure you are getting the terrorist risk assessments with regard to intents and capabilities, but also information sharing with those private sector entities that manage the infrastructure that we are trying to protect, whether it be nuclear power plants or bridges or chemical facilities. It occurs to me that traditionally the Intelligence Community does not like to share information. I am sorry about that, but they like secrets. If you really like secrets, you don't tell anybody your secrets. Secondly, private sector industries may not be willing to share information on vulnerabilities for fear that if there is an incident they may be held financially liable for the consequences. So, how are you doing with these twin sets of challenges to information sharing? What is your status report as of this moment? Ms. Smislova. Yes, sir. We in the Intelligence Community like to just share, as you know, with each other, and we are accomplishing that through the Office of Intelligence and Analysis. We believe that through HITRAC, actually putting the infrastructure protection specialists together with those Intelligence Community professionals, is the best way to enhance that relationship and that communication. Our infrastructure protection specialists through the other offices in the Office of IP communicate daily with the infrastructure sectors. They are the ones who have developed the relationships and the contacts with the infrastructures and what their situation is on the ground and their daily information about what is happening in their sector. So every day when we are working on common goals and common work projects, the intelligence analyst is working with the infrastructure protection person. So we actually are receiving that information that is not traditionally looked at by intelligence. Mr. Simmons. And with regard to that interaction or that activity, what sort of products are you producing and how are they disseminated? Ms. Smislova. Yes, sir. We are actually producing a basic foundation document for every critical infrastructure or key resource that obviously is expanded beyond the critical infrastructure of transportation and would include one on aviation, maritime, railroads, mass transit and highways. So there are about 24 different products that we are producing. We are doing these in conjunction with our actual infrastructure operators and owners, and I think that is what does make us quite unique. While we have the benefit of actually all the information that our Intelligence Community colleagues have about the enemy, we are actually looking at everything that is available for the U.S. Government in all different classified areas of what the adversary wants to accomplish and how. We also at the same time have a dialogue, because we are this hybrid of intel professionals and non-intel professionals, we have a dialogue with the actual infrastructures. So through the framework of the NIB, we have committed to producing these foundation documents on what the terrorist threat to that particular structure or infrastructure might be. Mr. Simmons. Thank you. Dr. Winterfeldt, you made an interesting comment. The non- random nature of terrorism complicates risk assessment and requires the development of new tools. For a number of years I served as a military intelligence officer in Vietnam, and we would collect information and make predictions about enemy attacks. The military units in responding to those predictions would take defensive measures, which would be observed by the other side and when they would see the defensive measures being taken they would realize it was a tip-off so they wouldn't conduct the attack. Then our own side would say you guys are wrong again. It occurs to me in a free and open society, such as ours, where we discuss our vulnerabilities and our efforts to protect our infrastructure, that the opposition is fully aware of those efforts and can adjust for that. How do we account for that in our risk assessment? Mr. von Winterfeldt. Thank you very much. That was a very interesting question, and something that we are grappling with in many ways. We actually have some of our team members who are looking at this from a red team and blue team perspective. They are looking at it from a game theoretic perspective. Actually, I see the greatest hope in sequential games, very much playing out in a modeling form the situation you described, which can even lead you in some cases to protect information about defensive measures, or, potentially, I hate to say this, provide misleading information about protective measures. I will just give you one example. Should we always say that we are doing 10 percent or 5 percent inspections of our cargo? Well, maybe we can do 10 percent and then claim we use 50 percent. You remember the case of the cameras at the intersections, half of which never worked. So there are a lot of interesting issues. We certainly have no silver bullet nor simple answer to that. But that is exactly the kind of topics we are studying as we are working at CREATE. Mr. Simmons. Thank you. I see my time has run out. Ms. Lofgren. Ms. Lofgren. Thank you. I am glad to have Ms. Smislova here, because I have a continuing interest, as I mentioned in my opening statement, in the National Asset Database. I will just express some frustration. I am not alone in this frustration. But this has now gone on for a couple of years, and we have had several classified discussions, and I remember the first time it was a bipartisan group and informal, and I asked to see the database for my county because I know it well and the members from other parts of the country did the same, and all of us were struck by how preposterous the list was. I recently received an updated list, and it was still preposterous. So my question is, when do you think this National Asset Database will be complete, at least in its--I realize it will be updated, but delivered? When do you think that delivery will be to the Congress? Ms. Smislova. I am sorry, ma'am. I actually don't know the answer to that particular question. What I do know is that the National Asset Database is intended to catalogue all of the assets in this enormous country of ours. I know from notes I took during your opening statement that your goal here is to conclude what to protect first and why, and that is actually the issue that we are trying to start with in HITRAC. From my perspective as the senior intelligence person assigned to HITRAC, that is the focus of what we have put our efforts towards, trying to get a better understanding of this particular enemy, this adversary who we know wants to attack us here in the United States, what does he want to attack and how? By using information that is available through the National Asset Database, we have been able to crosswalk and narrow some things down. So we try to determine what does the adversary want to accomplish, what are his goals, and then how can he accomplish this. And because we don't have specific data that he wants to hit this building or another building or a specific mass transit fleet or anything that granular, we try to crosswalk it and say these are the things we think we need to protect first and why. But I will bring your other question back for the record, ma'am. Ms. Lofgren. I appreciate that. Along with that, and if you don't know today, that is fine, but if you can get back I would appreciate it. Part of the problem I discovered was--I met not only with DHS staff, but also with--we all go home every week-- with people in local government, with the State officials, trying to find out what was happening from their point of view, and learned in doing so that there had been an asset limit on how many assets could be reported, which is a preposterous way to proceed because in Santa Clara County, for example, it is a county of just shy of 2 million people. It is Silicone Valley. There are many, many assets. To be limited to 18 in Santa Clara and 18 in Shasta County, where you might be hard pressed to come up with 18, is ridiculous. So I am hoping I can get information on whether that that policy has been changed as we urged that it be. Let me ask a question for Dr. von Winterfeldt. We are being asked, and we agree, that Homeland Security dollars should be spent in a strategic way to protect our assets best, and I think all of us agreed with the Secretary that it automatically ought to be risk-based, it shouldn't be some formula like an entitlement program, that is not the way to do. But it seems to me central to that effort is the development of this National Asset Database and the database is not complete, it doesn't prioritize critical infrastructure assets across the 17 sectors identified in HSPD-7. In your view, how significant an obstacle is the failure to complete this database to meaningful terrorism risk assessment at the Department? Mr. von Winterfeldt. Well, I believe that it will be very useful to have that database as a start. Let me also say where I see this heading down the road, and that is to do a good job on critical infrastructures with the database, or even with part of the database, is you have to work yourself from the specific infrastructure assets up and roll it up. You can't do a risk analysis on the high level, not even at the county level, not even at the State level, unless you know what is going on with the particular assets and what you can do with it. So CREATE, for example, is now engaging with the California Department of Homeland Security to look from the bottom-up at the assets and the infrastructures that California has identified as important and start to build a risk analysis at that level and going up. Of course, the ultimately comparison between the States or even the urban initiatives in the urban areas can only be done if you have a complete set of assets and infrastructure elements. Ms. Lofgren. My time has expired, so I will save my further questions for the second round. Mr. Simmons. The gentleman from California, Mr. Lungren. Mr. Lungren. Thank you very much, and I understand what Ms. Lofgren says when she compares her county to Shasta County, but I do hope that Shasta Dam is on that list of critical infrastructures and so is the headwaters of the Sacramento River, which provides about one-third of the water for our whole state. Ms. Lofgren. I love Shasta County. Let me clarify that. I think Shasta County is a wonderful place. Mr. Lungren. I keep calling it HITRAC, but you want to call it HITRAC. See, when you are an English major, you divide things into proper syllables, and HITRAC sounds better than HITRAC. As I understand, HITRAC or HITRAC is a point of contact for summary and trend analysis for suspicious activity reporting, which I guess we call SARS, even though that has other indications these days, and they are supposed to be sent in by public and private individuals at local levels to provide warning signs of potential terrorist attack. How effective is this program? How much is it really on? To put it another way, if I happen to be a manager of an asset in northern California, private or public, how well am I informed of these suspicious activity reports? How do you see that reflected in what you receive in your shop? Ms. Smislova. The suspicious activity reports typically are coming from industry through the Information Sharing Advisory Councils, the ISACs, or directly to our operations center. Sometimes we get suspicious activity reporting just from American citizens. They will call them in and they are called Patriot reports. Mr. Lungren. My question is, how do I know that? How do people know that? Ms. Smislova. We distribute, disseminate, our products back again through that same vehicle, through the ISACs, through the Homeland Security advisers. We do send our reports to the JTTFs. That is all distributed. Mr. Lungren. I guess my question is, how comfortable are you in the belief that there is a high level of understanding of your activity and the need to report these things? Ms. Smislova. It is spotty, sir. Some industries we have been able to dialogue with and we have been able to discuss with them what we are trying to accomplish with the suspicious activity reporting, and some industries or entities we have not. It is easier at this point to have outreached to ones that are more organized. So for example, the electrical power grid, we have a dialogue with the people that run that particular infrastructure. It is more difficult with the shopping malls of America. We are trying to tailor our products to make sense to those that are protecting the different critical infrastructure, but we do realize that each group that runs the infrastructure is diverse, and that is again where I would get back to the requirement for the Department to outreach and dialogue with the individuals. Mr. Lungren. Let me ask you this question: This weekend there are literally going to be millions of people attending football games at major colleges, universities and in the NFL. Can you tell me from what you know, are people who run those operations cooperating with the Department of Homeland Security such that you are getting reports of any suspicious activity of this nature? Ms. Smislova. We actually do deal with the commercial services sector. I also sent a HITRAC employee to brief the security people that do the college football, all the college football security thing, have been briefed by us on what to look for or what we believe would be suspicious activity that might indicate an attack was pending. Mr. Lungren. You have told them that you have got this. Do you get reports from them? Ms. Smislova. We get reports from the commercial services sector, yes. Mr. Lungren. I guess I still have a little bit of time. For the whole panel, this seems to be a crucial part of protecting critical infrastructure, making owners and operators aware of what to look for in terms of suspicious activity. For the other panelists, what is your sense of the awareness of this program and do you have any recommendations on what we would do to make it more effective? Ms. Wormuth. I certainly can't speak to the public or industry's awareness of HITRAC in particular. Mr. Lungren. That is not what I am talking about. I appreciate listening to all of what you have to say, and it sounds good in theory. But if it breaks down, if all we are doing is talking about it and no one knows what information needs to get to us for this--I am just trying to find out if any of you have a sense of how broadly understood this is, how much is this actually working? Are we sitting here talking theoretically about what would sound like a great idea, but you can't analyze anything unless you get data to analyze? Ms. Wormuth. Congressman, I would say I am aware of at least New York City, and I would suspect some other major cities, have programs that are focused on going out and talking to businesses, industry owners, and again it sounds like very similar to what Ms. Smislova was speaking to, which is talking to those folks in the private sector about what to look for and what type of activity to report. I believe the program in New York City is called Hercules. My memory may be wrong, but some major cities certainly have programs designed to try to make the private sector aware and alert them to either report in to city governments or the State Homeland Security managers. Mr. von Winterfeldt. At CREATE we work a lot with local government officials, and I know there are many mechanisms for them to report at the local level. I don't know how the reporting works from there to the Department of Homeland Security or back, so I can't comment on that. But I do believe that the local level works well. Just recently in L.A. there was a discovery of two events, a discovery of two suspicious females that were taking pictures. They were pursued and eventually apprehended, and it turned out to be a false alarm. So some things seem to be working at the local level. I am not sure how the national and local level are communicating. Mr. Lungren. Thank you. Mr. Simmons. The gentleman from Pennsylvania, Mr. Dent. Mr. Dent. Thank you, Mr. Chairman. Ms. Smislova, I get a lot of comments from my folks back home in Pennsylvania, from the Homeland Security folks and others at the local level, and my main question to you is this: Are any local Homeland Security agencies detailed to HITRAC, or HITRAC, whatever the case may be? Ms. Smislova. Not at this time, no, sir. Mr. Dent. Regarding your evaluation of risk, what sort of input do you get from State Homeland Security or local first responders, I guess you don't get any, in making these evaluations? Do you get any input from them? Ms. Smislova. Yes, sir, we are. We are trying to outreach to different customer sets as we are developing them, and we also are briefing some States and first responders and then incorporating their comments or their suggestions. Mr. Dent. So I guess the broader question is what do you see as the role of these local groups in helping determine threat vulnerability and consequences? Ms. Smislova. We see the role as large and expanding. We have connectivity with every State and we talk to every State. We hope that would be our goal, to expand our production efforts to deal with at least all the major metropolitan areas. Mr. Dent. I guess my question is, my main comment is, these folks at the State and local level really want to be I think a greater part of this process. Sometimes I feel as if the information they receive is not helpful, that they just don't have the ability to process what gets sent down to them from Washington. This information sharing, something gets lost between the Federal and State and local levels, and they really want to be involved more than they have been. I guess the question would be, how do you go about disseminating risk evaluations to local communities that may in fact be vulnerable to attack, and how do you ensure that risk assessments are timely, relevant and helpful to local communities that must ultimately be forced to respond to any such attacks? They worry about the timeliness and relevance of the information they receive. How do you address that? Ms. Smislova. Again, our goal is to interact more often with the State and the local governments. We do have people from the State and local entities deployed in our operations center. We deal with them on a regular basis. We travel out to States and local places. I have two people today in Chicago discussing some risk assessments and plans for additional products. So that is just how we have begun with our work. Mr. Dent. I have raised these same questions to the folks from the ASSOC and elsewhere, and anybody else feel free to chime in if you have any points on this issue. I would be glad to hear it. Mr. Willis. I would like to say that I agree with the assertions that have been made that local intelligence is a very important part of understanding threat. I think it also points to one of the observations we found in our report, that risk assessment can't be done only from the top-down, but also sometimes from the bottom-up. My colleague, Dr. Winterfeldt, talked about work they are doing in California that is very much bottom-up where a lot of the information is. So there is a need to look at doing these risk assessments from both directions. Mr. Dent. No further questions. I yield back. Mr. Simmons. I thank the gentleman. We are going to go a second round, if that is all right. Let me pick up where my colleague left off on the issue of top-down versus bottom-up. First of all, Dr. Willis, you said in your statement that tremendous progress has been made in maturing Homeland Security policy, and I would agree with that, even though I certainly understand my colleagues' frustration when miniature golf appears on a list somewhere. But I would hope that is an anomaly and not characteristic. I think progress has been made. I think it is an impossible task to secure everything from everybody. If you try to do that, you will certainly fail. So you have to prioritize. I think information sharing is very difficult to do, but I think people at a local level are somewhat aware, in some cases more than somewhat aware, of what we are attempting to accomplish. So the challenge to me really is have we put in place a system that is sophisticated enough that not only does information come down from the top, presumably sensitive information or analytical products that the local community does not have the capacity to produce, but does the system allow local information and observation to go back up? Do we have a dynamic or a virtual system, in other words? And do the local folks have the tools and the networks to interact with the State and the Federal folks? Are we there yet or are we not? Mr. Willis. That is a very good question. I will try to comment first broadly on where I think these tools and approaching networks are for risk analysis, and then also in terms of threat and passing threat information. I have not studied that as much but will check back with my colleagues at RAND. In terms of risk analysis, what I have seen in all the States is organizations to try to link regionally to the State and make connections. In terms of tools, recently the Department of Homeland Security has released the draft National Infrastructure Protection Plan. In my written testimony I have included a few comments about that. I will try to summarize a few of the key points because I think it highlights some of the important points about the tools that are starting to be provided. I would like to say, acknowledge, that RAND Corporation has been providing support to the Department of Homeland Security in developing that plan. I myself have not personally been involved in that but have been asked to comment on it. The key points I make about the NIPP is that it is comprehensive and it addresses all sectors. It is realistic in that it points out that you can't treat these sectors with a cookie cutter approach. Water is different than telecommunications, et cetera. Where there might be--it is also laying out a common framework for doing risk analysis. This will help provide some structure to the local people who would be doing the analysis and also aid in comparison across assessments that come. Where there might be concerns is on implementation, because this is a very complex and resource-intensive approach, and that is where I would go back to my comments that we need to look for ways to trim the tree, we can't wait until we get all the assessments in to respond, and a combination of a bottom-up and top-down approach is necessary. Mr. Simmons. In the brief time I have remaining for Ms. Wormuth, you made comments about National Intelligence Estimates and you made comments about a National Risk Assessment. The National Intelligence Estimate on Iraq's WMD of October 2002 was wrong, inadequate information, in my opinion, analysis based on inadequate information. So now we shift quickly to National Risk Assessment. Again, we don't know what we don't know. Is this an exercise that is going to save the country, or is this an exercise that we engage in because we sort of know how to do it so we are going to do it? Ms. Wormuth. Thank you, Mr. Chairman. I knew when I made a comparison to a National Intelligence Estimate that I was opening myself up into a risky area, because not only can NIEs be wrong, they are also often viewed as relatively watered down and sort of lowest common denominator products. That said, in my opinion, I think the only alternative to trying to come up with some sort of strategic level homeland security risk assessment is to not use a risk-based approach at all, which to me seems more perilous than trying to go through a structured risk assessment process and perhaps getting it only 80 percent right. So I would argue that yes, there are dangers, but I think that there is not a better alternative. I think two broad advantages to risk assessments are that they will force policymakers to go through the myriad sets of threats and vulnerabilities in a structured way, and it really allows you to unpack some very difficult problems, as opposed to what I think many have observed is a tendency sometimes to try and allocate our resources to essentially the last war or sort of the new sexy thing. Lots of money went towards aviation security because 9/11 was essentially an aviation-based event. Biological threats are very much in the news and a lot of resources are spent there, although for very good reasons. One other thing I would emphasize is that I think while certainly factoring in very specific intelligence and looking at motivations and looking at intentions is very important, I also think there is a lot of wisdom to taking perhaps what I would call more of a capabilities-based approach, again, perhaps coming out of my DOD background. But to a certain extent, I think there is some utility at looking at threats from the perspective of simply what is available in terms of different weapons systems, in terms of different delivery systems, to somewhat more generic terrorist groups that are fairly well resourced, and at least thinking very broadly, because--I think because it is so difficult once you start getting into intentions. Many, many people weren't even particularly aware of al- Qa'ida before 9/11. So I think there are definitely challenges in trying to do a strategic level assessment, but to me it is very much still--the benefits far outweigh the risks. Mr. Simmons. Thank you for that answer. Ms. Lofgren. Ms. Lofgren. I want to get back to the National Asset Database, because I am hoping we can make some progress on it. Before I do, I just want to say I actually did check with people in the know and found out that there was no reason why the miniature golf course was on the list and that the people of San Jose should not worry about playing miniature golf. It could be dangerous in terms of the balls hitting people, but there is no other apparent threat. In looking at how this has been put together, I think the chairman is right, we need to look at the systems in place to see whether they are going to yield information that is valuable. One of the things that became apparent to me was that we had passed really local police departments to come up with the list of critical infrastructure, and they are doing a terrific job, their very best. This is not critical of their efforts, but there are certain things that they are just not in a position to know; for example, telecommunications physical infrastructure or certain cybersecurity issues. It is just not within the purview of the police department for the most part. There were some things actually that the fire department might know that the police department would not know, and they were not included, and the health people were not included, and the private sector people were not included. So I am wondering if there has been a change in the structure of who is included so that we can make sure that the critical infrastructure, all of it, is actually in this database. Does anyone know the answer to that? Ms. Smislova. Ma'am, we would be happy to come back and give you and your staff a briefing on the NADB. We can arrange that for you. Ms. Lofgren. But you don't know the answer to that? Ms. Smislova. No, ma'am, I do not. Ms. Lofgren. Maybe Dr. Winterfeldt would know this. At one point the Department asked the--I believe it was the sheriff's department, it might have been the police department, in the City of Los Angeles to lead a pilot project, to change how the database, the National Asset Database is put together. Are you familiar with that? Mr. von Winterfeldt. No, I am not specifically familiar with that. Ms. Lofgren. I would like to know-- Ms. Smislova. Is that Project Archangel or Constellation? Ms. Lofgren. Archangel. Ms. Smislova. Yes, ma'am, I was actually briefed on that today by the Los Angeles Police Department, who was visiting. It is not a National Asset Database, but it is a way to map the infrastructure of Los Angeles, and that actually is being done by the police department in conjunction with the Department of Homeland Security. Again, it is not a system to prioritize, but rather to actually come up with a map so that when information is received, intelligence information, and it says something specific, that you are able to more quickly and rapidly come up with a facility list. Ms. Lofgren. That is different than the briefing I got. So perhaps it is more. But it seems to me that there needs to be some strategy. When I saw the list, there is shopping centers and there is a check cashing office in L.A. and stuff like that. I thought why would this stuff be there? I can see if you received a threat that had something to do with shopping centers, you would want to know where all the shopping centers are. That is a good thing to know. But since our risk assessment really relates to our vulnerabilities and the consequences of activities, if you don't have a different list for--if you want to take down the water supply of southern California, there is three or four different ways you can do it, none of which are on the list. So it seems to me that there needs to be--and I haven't seen it yet in the Department--any kind of a strategy for what would have a cascading both economic and also physical harm consequence that is connected with infrastructure so that as threats come in, we can lay those threats across what is a critical-- Ms. Smislova. Right. We do, ma'am, work with the sector specific agencies to identify their top priority places. We have several of those sectors actually completed. That is a different effort, ma'am, yes. We can come backSec. Ms. Lofgren. It is very mysterious, because we were told one thing about this database in the Congress and now apparently it has morphed into something else. So long as the job is getting done, I assume that is fine, but we have to really become convinced that the job has been done, and it is a long time since 9/11. We have wasted a lot of time, and I have some real concerns that we are not yet really ready and where we should be. So I will look forward to getting a further briefing on this. I see that the red light is on, and I yield back, Mr. Chairman. Mr. Simmons. The gentleman from California, Mr. Lungren. Mr. Lungren. Thank you very much, Mr. Chairman. In your testimony, I notice you talk about the formal challenges involved in risk assessment in the area of terrorism, but you say despite these formal challenges, it is absolutely worth the time and effort to develop robust homeland security risk assessments that can guide our planning and policy development. Then, Dr. Winterfeldt, you talk about how successful risk assessments have been in medicine, the business environment, industrial safety, natural disasters, how it is relatively new in the area of terrorism, but in spite of these challenges, risk assessments have made considerable progress in the terrorism area in the past few years. I would therefore say you indicate it is a tool that is automatically to be utilized at the present time. Here is my question: It is easy for us once we have determined what the risks are and what the most vulnerable targets are, if they are publicly owned, for us to command certain things to be done or for us to put as much money, government money as we can to it. But within the universe of critical infrastructure, a lot of stuff is owned by the private sector. A couple of years ago, Congress felt it necessary to pass TRIA, a back-up to the regular insurance program. We are considering now to reauthorize it. I happen to be one of the people who thinks it is necessary given the still existing uncertainties in a terrorist scenario for the private sector. But one of our obligations here is to utilize something like try to see what the insurance industry, how the insurance industry plays in all of this, so that perhaps instead of us regulating something or mandating certain best practices or providing government incentives by way of tax policy, the private sector makes some adjustments in terms of what insurance companies are supposed to do, risk assessment. How satisfied are you that the kind of information we have talked about that goes to DHS and is supposed to help drive policy, that that information is available such that private sector owners and the insurance industry can make the kind of judgments that will drive us towards the best business practices for a security purpose in light of what the true risks are out there? Mr. von Winterfeldt. Perhaps I could give it a start. Actually CREATE put together a conference just a few weeks ago on the reissuing of TRIA and we are fairly familiar with these issues, together with RAND by the way. It is a real difficult question of how you transfer the risk issues from the public back to the private sector. There ought to be self-interest in the private sector to protect themselves against terrorist events and I do not see it happening right now. This may be lack of information, it may be that they do not have the money or the capital to do it so they are looking to terrorism insurance. I am not sure that is a right solution either. The insurance only covers the asset when an event occurs. It does not do much in terms of protecting the asset against terrorist attacks, although properly implemented with insurance breaks and things like that it ought to do that. Mr. Lungren. You have fluctuating premiums depending on what you are doing with respect to security. At the same time I could construct an idea of a hotel, for instance, which we know are targets of terrorists, American-identified hotels. And the more that we protect public sector assets it seems to me if I am an terrorist, I look at the softer targets of the private sector. We could drive the hotel industry in such a direction that they basically make all of their hotels look like fortresses and moats and destroy the industry because no one wants to go to a moat--a fortress for a vacation. And what I was trying to figure out is how we establish a balance. And if we do not have the information available, it is even more difficult for us to get to the point as to where we want to go. And so my question really goes to the issue of are we in your judgment--have you seen, are we in the government when we gather this information, are we doing a good enough job of getting that out to the private sector, including the insurance industry, such that they can start to make rational judgments as to where they want to go and have some guideposts and where we can sort of push people to best business practices? Mr. von Winterfeldt. Very quickly and then I will pass it on to my colleague to my right. The insurance industry increasingly is turning to private companies to do these risk assessments for them. There are several companies, one is the one that Dr. Willis worked with, that do the risk assessments before the assets. So I do not see it necessarily happening only through information exchange between the Department and the private assets, but they are particularly interested in finding out which assets are threatened and make decisions about risk and premiums and insurance and things like that. Let me stop right here and ask Ms. Wormuth. Ms. Wormuth. Congressman, certainly the fine points of the issues related to the insurance industry are well outside of my expertise. I would say one thing. I do think that--two things, I think Dr. Winterfeldt noted that there should be some self- interest on the part of industry to themselves take on some of the preventive measures. Because, of course, if they are attacked and their operations are essentially grounded for a period of time, that is not in their own interests. But I think part of the challenge, we would be helped I think in convincing our colleagues in industry of the types of steps they need to be taking. If we could again walk them through in a logical, structured way, here is how we have come to this assessment and this is why--and I am just posing this as a hypothetical, which is why, chemical industry, we believe that you all do pose a high risk versus another particular industry which may be a lesser risk and we would like you all to consider these types of measures. I think we would be able to better make that case to partners in industry if again we had a structured, defensible strategic assessment that we could walk them through in broad terms to help them see how they compared to other folks in industry. Mr. Lungren. One of the concerns I have is how do we make sure that the information flows in both directions? How do we encourage industry and other people to get information to DHS and how do we encourage DHS and government entities to share enough of the analysis and information that people understand in an intelligent way what the risks are so that it will be in their self-interest to do that? Because as the chairman has suggested, we have a culture in government which is not to share information. Give me the information and I can trust myself, but you are not going to get any of that out there. And I think it is a continuing problem because of the nature of the different functions we have. But in this area, if all we do on the government side is believe that government action is the sole universe in which we can deal with the threat, we are going to short ourselves from so much more activity that could be done of self-help and ultimately protecting us collectively, and I am just trying to raise these issues and look for as much information as I can. Ms. Wormuth. Sir, I take your point completely and I am sure Ms. Smislova can speak to it in more detail than I can. But in my experience working with organizations that work with DHS, I have actually been pleasantly surprised in many instances at how much DHS is doing to try to reach out to industry and my outside observation is that there has been a lot of emphasis on that. They are working with folks through the HITRACs. I know that other elements of DHS are trying to work with State and local and private sector organizations and I think certainly that framework is not fully in place but my experience has been that DHS is very much trying to seek input from the private sector and from the public. Mr. Lungren. Thank you. Mr. Simmons. Please. Mr. Willis. May I add one point on that? Mr. Simmons. Please. Mr. Willis. I agree with Representative Lungren that these are very important questions you are raising and since this panel is about risk analysis, I would say that I think risk analysis can answer many of these questions. In fact, RAND, through the Center for Terrorism Risk Management Policy, has been working with Risk Management Solutions as one of the insurance modeling groups that does some of this, and we would be happy to share with you some of the work that we have been doing to try to share that information. The information sharing actually goes both ways. I have been working with Risk Management Solutions and the Department of Homeland Security HITRAC to see how the type of modeling used in the private sector can inform DHS's risk assessment. Thank you. Mr. Simmons. Do any members of the panel have any additional questions they would like to ask? Any additional comments that the panel of witnesses would like to offer for the good of the order. Doctor? Anybody? Mr. von Winterfeldt. I just wanted to make one comment. It is very important, and you raise very important issues. In many agencies that started risk assessment, starting with the Nuclear Regulatory Commission in the 1970s, this is when it was new stuff. It took years for risk assessment to mature to, filter through all parts of the agencies and to become a truly useful tool. So maybe we are hoping for too much. Maybe we are expecting for things to come too quickly. We are pushing. But I am certainly hopeful that risk assessment will be useful and used down the road in the Department more and more effectively. Mr. Simmons. Anybody else have a final comment they would like to make? Ms. Smislova. Only to point out that Secretary Chertoff has appointed a new Assistant Secretary for the Private Sector as one of his developments under the reorganization and hopefully that will assist us in enhancing our outreach as a department to the private sector. Mr. Simmons. Thank you all very much. I appreciate your coming here and your testimony. If members of the committee have additional questions for the witnesses, we will ask you to respond to those in writing and the hearing record will be held open for 10 days. I would also like to conclude with an observation. On the week of September 11th I traveled to New York on a Friday with the President, and I represent the State of Connecticut. We lost people on 9/11. My daughter actually was living in New York at the time and never returned back to her apartment because of the damage of 9/11. As I stood there and looked at the devastation I was overwhelmed by the immense scope of it. Standing and looking at the burning remains of the World Trade Center, even as a Vietnam veteran, I would say it was probably one of the most devastating things I ever experienced. And then as we went back to the airport, took off and flew back to Washington we circled once and came over the top of the New York City and from that perspective the World Trade Center was simply a very small spot with a very small wisp of smoke coming up from it and the great expanse of New York, New Jersey and Long Island as well as Westchester County and Fairfield County, Connecticut seemed like an immense piece of property or real estate. I guess what came across in that was how truly huge our country really is. What an extraordinary set of infrastructure we have and how difficult it is to refine our risk assessment to the point where we can cover it successfully. It is not easy. And I think, Doctor, you put your finger on it. This is going to take time. Now we as Americans are impatient people. We like our food in 15 minutes or less. We like everything to be very quick. But working on this problem is not easy to do. So we thank you for the expertise that you bring to the table and wish you all the best as we pursue this issue into the future. Without objection, the subcommittee stands adjourned. [Whereupon, at 4:30 p.m., the subcommittee was adjourned.]