[House Hearing, 110 Congress] [From the U.S. Government Publishing Office] THE IMPACT OF FOREIGN OWNERSHIP AND FOREIGN INVESTMENT ON THE SECURITY OF OUR NATION'S CRITICAL INFRASTRUCTURE ======================================================================= HEARING before the SUBCOMMITTEE ON TRANSPORTATION SECURITY AND INFRASTRUCTURE PROTECTION of the COMMITTEE ON HOMELAND SECURITY HOUSE OF REPRESENTATIVES ONE HUNDRED TENTH CONGRESS FIRST SESSION __________ MAY 16, 2007 __________ Serial No. 110-36 __________ Printed for the use of the Committee on Homeland Security [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Available via the World Wide Web: http://www.gpoaccess.gov/congress/ index.html __________ U.S. GOVERNMENT PRINTING OFFICE 48-911 WASHINGTON : 2009 ----------------------------------------------------------------------- For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gov Phone: toll free (866) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001 COMMITTEE ON HOMELAND SECURITY BENNIE G. THOMPSON, Mississippi, Chairman LORETTA SANCHEZ, California, PETER T. KING, New York EDWARD J. MARKEY, Massachusetts LAMAR SMITH, Texas NORMAN D. DICKS, Washington CHRISTOPHER SHAYS, Connecticut JANE HARMAN, California MARK E. SOUDER, Indiana PETER A. DeFAZIO, Oregon TOM DAVIS, Virginia NITA M. LOWEY, New York DANIEL E. LUNGREN, California ELEANOR HOLMES NORTON, District of MIKE ROGERS, Alabama Columbia BOBBY JINDAL, Louisiana ZOE LOFGREN, California DAVID G. REICHERT, Washington SHEILA JACKSON LEE, Texas MICHAEL T. McCAUL, Texas DONNA M. CHRISTENSEN, U.S. Virgin CHARLES W. DENT, Pennsylvania Islands GINNY BROWN-WAITE, Florida BOB ETHERIDGE, North Carolina MARSHA BLACKBURN, Tennessee JAMES R. LANGEVIN, Rhode Island GUS M. BILIRAKIS, Florida HENRY CUELLAR, Texas DAVID DAVIS, Tennessee CHRISTOPHER P. CARNEY, Pennsylvania YVETTE D. CLARKE, New York AL GREEN, Texas ED PERLMUTTER, Colorado VACANCY Jessica Herrera-Flanigan, Staff Director & General Counsel Rosaline Cohen, Chief Counsel Michael Twinchek, Chief Clerk Robert O'Connor, Minority Staff Director ______ SUBCOMMITTEE ON TRANSPORTATION SECURITY AND INFRASTRUCTURE PROTECTION SHEILA JACKSON LEE, Texas, Chairwoman EDWARD J. MARKEY, Massachusetts DANIEL E. LUNGREN, California PETER A. DeFAZIO, Oregon GINNY BROWN-WAITE, Florida ELEANOR HOLMES NORTON, District of MARSHA BLACKBURN, Tennessee Columbia GUS M. BILIRAKIS, Florida YVETTE D. CLARKE, New York PETER T. KING, New York (Ex ED PERLMUTTER, Colorado Officio) BENNIE G. THOMPSON, Mississippi (Ex Officio) Mathew Washington, Director Erin Daste, Counsel Natalie Nixon, Deputy Chief Clerk Coley O'Brien, Senior Counsel (ii) C O N T E N T S ---------- Page Statements The Honorable Sheila Jackson Lee, a Representative in Congress From the State of Texas, and Chairwoman, Subcommittee on Transportation Security and Infrastructure Protection.......... 1 The Honorable Daniel E. Lungren, a Representative in Congress From the State of California, Ranking Member, Subcommittee on Transportation Security and Infrastructure Protection.......... 2 The Honorable Yvette D. Clarke, a Representative in Congress From the State of New York.......................................... 26 Witnesses Mr. Richard T. Garcia, Global Security Advisor, Corporate Affairs Security, Shell International: Oral Statement................................................. 6 Prepared Statement............................................. 7 Mr Michael Pfister, Senior Vice President and Chief Information Officer, Halliburton Company: Oral Statement................................................. 10 Prepared Statement............................................. 12 Mr. David Marchick, Covington and Burling LLP: Oral Statement................................................. 14 Prepared Statement............................................. 16 THE IMPACT OF FOREIGN OWNERSHIP AND FOREIGN INVESTMENT ON THE SECURITY OF OUR NATION'S CRITICAL INFRASTRUCTURE ---------- Wednesday, May 16, 2007 U.S. House of Representatives, Committee on Homeland Security, Subcommittee on Transportation Security and Infrastructure Protection, Washington, DC. The subcommittee met, pursuant to call, at 2:50 p.m., in Room 1539, Longworth House Office Building, Hon. Sheila Jackson Lee [chairwoman of the subcommittee] presiding. Present: Representatives Jackson Lee, DeFazio, Clarke, and Lungren. Ms. Jackson Lee. Good afternoon. Let me first of all thank all of the witnesses for their patience. There is quite a bit of activity on the floor of the House, and Members must be engaged in that activity. Our ranking member is en route. Let me acknowledge the presence of Mr. DeFazio of Oregon. I thank him, and members are coming, but with the importance of this hearing and the presence of the witnesses, we will begin. Let me first of all ask the subcommittee to come to order. The subcommittee is meeting today to receive testimony on the impact of foreign ownership and foreign investment on our Nation's critical infrastructure. Under the rules of the House of Representatives and the rules of the committee, visitors and guests are not permitted to make undue noise or to applaud or in any way show their pleasure or displeasure as to the actions of the Members of the House. The Chair will continue to abide by those rules as we proceed in this hearing so that all of the witnesses may be heard, as well as the members of the committee. Let me begin with my opening statement, I yield myself 5 minutes. I would like to take this opportunity, as I said earlier, to thank all of you for joining with us this afternoon so that we can continue to address the questions of security and the security of our Nation. In this hearing, we will continue our exploration of foreign ownership and investment and how it intersects with national security. As we all know, early this year, this subcommittee took a thorough look into how the Federal Government monitors and evaluates foreign ownership of our critical infrastructure. Today, the subcommittee is taking a different approach to this issue. I think it is important to note that the challenge of the Department of Homeland Security and the challenge, of this committee is to be proactive. It is important that we imagine the possible and the impossible; and what that means is that every hearing that may in some areas be viewed as impossible are the actions that would generate from the testimony or the suggestion of the title to be impossible. We who have the responsibility of securing America can never consider that the possible or the impossible is too small or too narrow for us to review. Today, we are exploring the vulnerabilities of critical infrastructure owned by U.S. companies that have a significant number of foreign investors and how it may compromise homeland security preparedness, as well as the question of investment and access and control. I think we all understand that when a foreign entity establishes a lasting financial interest in a country, it is able to exert influence on that country. According to 2005 CEA data, foreign investors own over 9 trillion in stock in U.S. assets. These assets are composed of four basic types and the largest portion is foreign direct investment. This type of investment goes directly into companies and infrastructures. The other three types of foreign investment are corporate stocks, private bonds and the U.S. Treasury bonds and bills. Each of these types comprises about 2 trillion of the total investment stocks. It is also important to note that these investments have accumulated over decades, even centuries. Like most Americans, I wholeheartedly support capitalism and free trade, of course, with various requirements that would help all Americans. Yet, as events have shown, we need to pursue a vigorous oversight agenda, especially in the area of foreign investment and critical infrastructure. Dubai Ports taught us that we need to not just focus on one area of infrastructure, but we need to focus on all areas. And we need to be open minded because we know the capitalistic system is enormously creative. There are any number of subsets of what can be sold and what can be invested in. As the chairwoman of this subcommittee which bears the term ``infrastructure protection'' in its title, I intend to do just that, evaluate how infrastructure is being protected to ensure it is here and available when America needs it most in a time of crisis. As we all know, terrorists do not signal or call ahead before they attack. We saw this in Madrid and London, amongst other horrible incidents. Terrorists are creative, especially in the ways in which they will attack us. It is not inconceivable that a terrorist might try to attack us not with brute force, but simply by pressing a computer button or by crippling a key asset or some other nonstated, but possibly unimaginable-type act. Another example, foreign investment deals with energy. Current European wind companies have been keen on investing in the U.S. market. In fact, several of the largest turbine producers are now selling to U.S. developers for projects, and opening offices and manufacturing plants in the U.S. Now, I know many will say that it is just wind turbines. What is the big deal? Well, being from Houston, I can tell you that energy is an important issue, and the security of energy is important. We must make sure that these companies take the necessary steps to protect new infrastructure as it becomes more prevalent. Today, we will address these basic questions. What are the U.S. companies doing to control access to sensitive information that if compromised, could possibly cripple our economy? What steps are taken to protect information when U.S. corporations operate outside the U.S.? For example, Halliburton recently set up operations in Dubai. This committee is eager to know how sensitive material or information that is housed in those offices in a foreign land are to be protected. I and other members of this subcommittee certainly are, hopefully, perceived as being responsible and serious and seriously committed to protecting the critical infrastructure and understanding how the private sector is protecting our vital assets. The chairman of the full committee and the ranking member of the full committee have had one voice on the question of ensuring the security of this Nation. As I work with my ranking member, we hope that as we work through many issues, that voice will be one voice on the questions of securing the Nation. Again, today, we want to explore what steps the private sector has taken to protect its infrastructure, and I look forward to witnesses' testimony learning how these different entities protect themselves from threats and what role Congress can play to fortify and protect the United States' assets. Let me close by simply saying that, in addition to the witnesses who are here, we know that many States have found in the public sector a source of revenue by utilizing public entities for investment of foreign operators, investors, and sometimes owners. In the course of our work, we will be looking at those issues as well, because frankly, the ability to lose control during a time of crisis or tragedy has to be the concern of this committee. So, in the course of this hearing, I will put some of these thoughts into the comments and questions that I will make. We must stand ready and we must be prepared. The Chair now recognizes the ranking member of the subcommittee, the gentleman from California, for an opening statement. Mr. Lungren. Thank you very much, Madam Chairwoman. And I noted you talked about the possible and the impossible. It may be impossible for us to hold this hearing because of all of the comings and goings that we are having on the floor of the House today, and if we could just get the germaneness rule figured out between now and the end of the day, we might be able to get back to regular work. I thank you for holding this hearing, and I welcome the opportunity to discuss foreign ownership and foreign investment, its impact on the critical infrastructure of the country. This Homeland Security Committee is all too familiar with the concerns and fears that foreign ownership of U.S. critical infrastructure assets create in our citizens. The 2006 purchase of the operating rights at six U.S. ports, including the Ports of New York, New Jersey, and Baltimore by the Dubai Ports World Company, owned by the UAE, created a firestorm of public and congressional opposition. I may be one of the few Members of Congress who was not so worried at the time. Perhaps because I was born and raised in a large port city, the city of Long Beach, California, and for 10 years represented both Long Beach and L.A. ports, it had dawned on me at an early age that ports had foreign ships, foreign workers, and foreign investment; and without that foreign investment in our ports of the United States, we would not be in as good shape as we were otherwise. I was one of those who thought that it is good that people think it is good to be investing in the United States. I would rather have them think this is the place to invest than somewhere else. But nonetheless, the Dubai Ports World controversy focused attention on the governmental process established to review such sales and determine whether review protects our economic and national security. Of course, I am referring to the CFIUS, or Committee on Financial Investment in the United States. Amid growing concerns over foreign acquisition of American businesses in 1988--that was my last year in Congress during my first tour of duty here--Congress passed the Exon-Florio provision, which gives the President the authority to block proposed foreign acquisitions that threaten our national security. Foreign acquisitions of U.S. Government assets do pose a challenge to our government. It does create a delicate balancing act in the worldwide economy. How do we attract vital foreign investment to the U.S. without sacrificing or diminishing our national security? I do believe we have the proper procedures in place to protect our critical infrastructure and assets by requiring foreign acquisition to be closely reviewed and scrutinized by CFIUS. For over 30 years, this process has worked effectively, guarding our capital markets, our high-valued infrastructure assets, and most importantly, our national security. On only one occasion of which I am aware, in 1990, the President intervened and ordered a divestiture by a Chinese aerospace company of a U.S. aircraft parts manufacturer. Last year's debate on the Dubai purchase raised a number of problems with the CFIUS review process. It demonstrates the changes needed to be made in light of 9/11 and our Nation's growing concern for security. I believe important improvements were included in the legislation we passed last year, H.R. 5337, and again in February of this year, H.R. 556, at that time by a vote of 423 to zero. One of the important things it does is, it elevates the Secretaries of Homeland Security and Commerce to Vice Chairs of CFIUS, which will ensure a broader definition of national security threats in the CFIUS review. This legislation also limits delegating these important CFIUS decisions below the under secretary level. I would just say with respect to American businesses that operate overseas or bring some of their corporate structure overseas, it is important for us to see how they protect assets that we don't want to be revealed to others. But this is not something new; this is what we did throughout the entire Cold War. And then, in some cases, the most important technology we were working with were computers, but it also had to do with things as mundane as that which we used for offshore drilling, that which we used for exploration of oil around the world. We believed that some of those things ought to be limited at that time because of it. But we have to remember how fast the world works. I can remember back in the 1980s, when we had something called a global positioning satellite as a DOD project, and they were coming around telling us that we ought to vote for it because it would allow us to be able to determine where our military people were, within 100 feet of where they were. For Mother's Day, I just bought my wife a GPS. That shows how fast that which we want to protect from suspicious eyes of others become commonplace. So that is the challenge we have, and I would be very interested to find out how we deal with that from the standpoint of our witnesses. And I thank the gentlelady for yielding me this time. Ms. Jackson Lee. I thank the gentleman for his remarks. Other members of the subcommittee will be reminded, under the committee rules, opening statements may be submitted for the record. Ms. Jackson Lee. At this time I would like to welcome our panel of witnesses. Our first witness will be Mr. Richard T. Garcia, Global Security Advisor, Corporate Affairs Security, Shell International. Mr. Garcia began his position on August 1, 2005, after retiring from the Federal Bureau of Investigation with 25 years of service as the Assistant Director for the Los Angeles field office. Welcome, Mr. Garcia. As the Global Security Advisor, Mr. Garcia coordinates with other intelligence and law enforcement agencies, both domestic and foreign, in an effort to obtain strategic intelligence regarding potential criminal terrorist attacks against Shell assets globally. Mr. Garcia also manages security advisors in North America and in Latin America, as well as the intelligence and assessment team with offices in Washington, D.C., and London. Our second witness is Mr. Michael Pfister, Senior Vice President and Chief Information Officer at Halliburton. Mr. Pfister was named Senior Vice President and Chief Information Officer for Halliburton in January 2007. Previously, Mr. Pfister was President and Chief Operating Officer in a privately held health care firm in New Braunfels, Texas. The final witness of this panel is David Marchick, Partner at Covington & Burling. Mr. Marchick's practice focuses on complex international trade, investment, transportation and legislative matters. Mr. Marchick is also a leading expert on the Exon-Florio amendment and has an active practice advising U.S. and foreign companies on security approvals from the Committee on Foreign Investment in the United States. He is a coauthor of the book, National Security in Foreign Direct Investments. He has testified in Congress on numerous occasions on implementation of the legislation and played an active role in congressional consideration of the legislation that would amend the legislation in question. Without objection, the witnesses' full statements will be inserted in the record. I now ask each witness to summarize his statement for 5 minutes, beginning with Mr. Garcia from Shell, if you would. STATEMENT OF RICHARD T. GARCIA, GLOBAL SECURITY ADVISOR, CORPORATE AFFAIRS SECURITY, SHELL INTERNATIONAL Mr. Garcia. Madam Chair, members of the subcommittee, I am pleased to appear before you today to testify on the impacts of foreign ownership investment and the security of our Nation's infrastructure. Shell is active in more than 130 countries with 109,000 employees worldwide. Security plays a vital role in every one of our operations. When we operate politically in stable, geologically challenging regions, leading-edge security is critical to our success. Shell has a century-old history in the United States; one-third of Shell's assets and shareholders are here in the United States. Shell Oil Company, through its U.S. affiliates, owns more than 10,000 miles of pipeline, 59 product terminals, nearly 1,000 storage tanks, as well as chemical facilities and oil refineries. Shell U.S. operates oil and gas rigs onshore and offshore around the country. We have 22,000 people working in Shell offices from New York to Los Angeles, from the Arctic Circle to the Gulf of Mexico. We invest heavily in the personnel training systems and tools we need to protect our people and our assets. Since September 11th of 2001, Shell has invested in facility protection, training, access monitoring, and communications. Since 9/11, we have brought people into our corporate affairs security office from the Federal Government, law enforcement, military, and the Coast Guard. Shell U.S. maintains strong ties with these and other agencies that allow us to share information. We also receive briefings from DHS and the State Department's Overseas Security Advisory Council on security issues important to Shell in the energy industry. Our security team participates in various information- sharing programs from the U.S. Government such as the FBI's Texas coastal regional alert system, the intelligence of terrorism network, which work with our information-sharing programs in Houston and Los Angeles. We also participate in the FBI's information-sharing program, which is currently where I am a member of the national board. Shell Oil Company, which operates in the United States, is a subsidiary of the Royal Dutch/Shell Group, a group global company incorporated in the United Kingdom and headquartered in the Netherlands. I am here today because you would like Shell's perspective on how foreign ownership or foreign investment impacts critical infrastructure. Let me say, as far as Shell is concerned, it does not affect us. I am aware of no instance where our foreign ownership or foreign investment has had any negative impact on keeping Shell's infrastructure and keeping it safe. I believe our energy infrastructure is secure as it would be as if Royal Dutch/Shell were based here in the United States. A diplomatic relationship between the United States and the Netherlands is one of the strongest unbroken relationships in the world. The Netherlands was the first country to recognize the American flag in November 1776, only 4 months after we declared independence. Shell has always had strong security measures in place protecting our people and infrastructure. Within months of 9/ 11, the oil and gas industry developed security protocols and procedures for all segments of the industry, including pipelines and terminals. Shell participates fully with the Homeland Security Information Network, which allows DHS to get information quickly and easily to those responsible for the security of critical infrastructure. Shell also participates fully in Homeport. Homeport has the same function, but is focused on the maritime aspect of the critical infrastructure, facilities with docks and wharves. It is a Web-based portal for industry to access necessary information or for the Coast Guard to push data quickly should a threat materialize. As you may be aware, the Federal Government has also developed a credentialing program which will document transportation workers who have access to sensitive areas and equipment. In addition, Shell maintains a global network and helps with the relationship between the government and agencies around the world to protect our people and assets because a threat to our infrastructure is as likely to come from the outside as it is to come from inside. Shell's network helps us protect our U.S. infrastructure. Finally, Shell's security measures here are strengthened by the challenges being encountered around the world. Shell's experience in keeping our people and our assets secure in politically unstable regions and difficult climates sharpens our expertise in keeping our people and our assets safe here in the U.S. What we learn around the world, we apply here. Shell is proudest of the safety and reliability of our U.S. infrastructure, and it remains dedicated and committed to our security. Thank you for allowing me to be here to answer the questions that you. [The statement of Mr. Garcia follows:] Prepared Statement of Richard T. Garcia Chairwoman Jackson-Lee, Ranking Member Lungren and Members of the Subcommittee: My name is Richard Garcia and I am an employee of Shell Oil Company and serve as the Global Security Advisor for Shell International. In that capacity, I coordinate with law enforcement agencies in the United States and abroad to prevent attacks--both criminal and terrorist--against Shell's personnel or assets. I manage Shell's security advisors in North and Latin America. I also direct Shell's Information and Assessment Team, which has offices in Washington, D.C. and London. Prior to joining Shell, I was with the FBI for 25 years. I headed both the Houston and Los Angeles FBI field offices. I am pleased to appear before you today to testify on the impact of foreign ownership and foreign investment on the security of U.S. infrastructure. Shell is committed to protecting our assets and our people around the world. Shell companies produce oil, gas, chemicals, lubricants and alternative energies like wind and hydrogen around the globe. Security plays a vital role in every one of our operations. When we operate in politically unstable or geologically challenging regions, security is mission critical to our success. Shell has a century-old history in the United States. One third of Shell's assets, and shareholders are here in the United States. Shell Oil Company, through its U.S. affiliates, (Shell US) owns and operates 5,000 miles of pipeline and has partial ownership of 10,500 miles of pipeline. We wholly or partially own 59 products terminals and 960 storage tanks with more than 67.8 million barrels of capacity. Shell US owns and operates five refineries in the United States with a combined capacity of 753,000 barrels per day. Six plants produce 15 billion pounds of chemicals annually for industrial use. Seven blending and packaging facilities around the country prepare our automotive consumer products like engine oils and lubricants. Shell US operates oil and gas rigs onshore and offshore around the country. We have 22,000 employees working at Shell sites and Shell offices from New York to Los Angeles and from the Arctic Circle to the Gulf of Mexico. Shell US invests heavily in the training, employees, systems and tools we need to protect our people and our assets. Since September 11, 2001, we have invested in facility protection, training and communications all the way from wellheads and offshore platforms to tankers, ports, pipelines, refineries and storage tanks. All of these steps were carried out in close partnerships with law enforcement and security officials. Shell US maintains strong relationships with federal, state and local law enforcement agencies in the United States. Shell hires skilled security professionals who have the experience, training and professional relationships to protect Shell's people and infrastructure. -------------------------------------------------------- Note: The companies in which Royal Dutch Shell plc directly and indirectly owns investments are separate entities. In this Statement, the expressions ``Shell'', ``Group'' and ``Shell Group'' are sometimes used for convenience where references are made to Group companies in general. Likewise, the words ``we'', ``us'' and ``our'' are also used to refer to Group companies in general or those who work for them. These expressions are also used where there is no purpose in identifying specific companies. Since 9-ll, Shell Oil Company has recruited professionals into our Corporate Affairs Security office from the State Department, the police and military and the Coast Guard. Shell US maintains strong ties with these and other agencies that allow us to share information back and forth. Shell Oil Company's security team also receives briefings from Department of Homeland Security (DHS) and the State Department's Overseas Security Advisory Council on security issues important to Shell and the energy industry. The U.S. security team participates in various information-sharing programs from the U.S. Government such as the FBI's Texas Coastal Regional Alert System and the Intelligence and Terrorism Alert Network, which are information-sharing programs in Houston and Los Angeles. In my previous employment with the FBI, I was responsible for the expansion and enhancement of these two programs. The U.S. Security team also participates with the FBI's InfraGard information sharing program where I am currently on the National Board of Directors for InfraGard. Shell Oil Company, which operates in the United States, is a subsidiary the Royal Dutch Shell Group, a global energy company incorporated in the United Kingdom and headquartered in The Netherlands. I am here today because you would like Shell's perspective on whether foreign ownership or foreign investment impacts the security of critical infrastructure. Let me say simply: It does not. I am aware of no instance where our foreign ownership or foreign investment has had any negative impact on keeping Shell's infrastructure and people safe in the United States. I believe our energy infrastructure is as secure as it would be if Royal Dutch Shell plc were headquartered here in the United States. The Dutch-American friendship goes back more than 200 years. The Netherlands was the first country to recognize the American flag in November 1776--four months after our nation declared independence. The diplomatic relationship between the United States and The Netherlands is one of the longest, unbroken diplomatic relationships in the world. Before 9-11, She had strong security measures in place to protect our people and infrastructure. But the world of corporate security changed forever on 9/11, as we had to more seriously address the possibility of intentional acts to harm our facilities and employees instead of just accidental events. Since 9-11, the oil and gas industry has forged a partnership with government at all levels to protect hundreds of facilities across the country from the potential of terrorist attacks. Shell is a full participant in that partnership. Within months of the attack, the oil and gas industry developed security measures for all segments of the oil and gas network-- including pipelines, refineries, terminals, and others. The American Petroleum Institute and the National Petrochemical and Refiners Association produced an industry-wide method for managers to identify security vulnerabilities in their operations. The Security Vulnerability Assessment methodology is a sophisticated, risk-based tool used to identify the security hazards, threats and vulnerabilities of a facility, and to evaluate the best measures to provide secure facility operations. In other words, it provides the framework for a complete security analysis of the facility and its operations. The SVA covers both physical and cyber security, process safety, facility and process design and operations, emergency response, management and law enforcement. In 2004, the oil and natural gas industry expanded the SVA methodology to include pipeline, truck, rail and liquefied natural gas (LNG) operations. DHS has recognized the SVA methodology and even uses it to train its own employees and Shell US has provided personnel to DHS to assist in this training. Shell US has participated fully in the use and expansion of the SVA methodology. The oil and gas industry and federal security personnel also completed the ``Security Guidelines for the Petroleum Industry,'' to help employers protect facilities and respond to changes in the threat level. This guidance is now in routine use as a roadmap for companies in deciding how best to protect all sectors of the industry against the threat of attack. These are the working methods and countermeasures the oil sector uses to protect all segments of the industry. The guidelines are important because they allow companies to manage security risks and provide a reference to federal security laws and regulations that have an impact on petroleum operations. The Secretary of Energy and later the Undersecretary for the Department of Homeland Security have endorsed the industry guidelines. These security protocols are constantly being updated. A third edition was published in April 2005. Shell continues to use these guidelines. As you may be aware, a new program currently being developed by the US Government will aid in securing certain Shell US facilities even further by the implementation of the Transportation Worker Identification Credential (TWIC). With the TWIC program, appropriate government background checks can be conducted to aid in identifying the insider threat to Shell US facilities by properly clearing the workers who have access to sensitive areas and equipment. Shell US participates in the Homeland Security Information Network. HSIN is a web-based portal that allows DHS to pass security related information to the Critical Infrastructure Community. It is managed by DHS. All members must be vetted by the Oil and Gas Sector Committee of the DHS to be admitted. HSIN allows DHS to push data to the sector quickly and easily. Shell also participates fully in Homeport. Homeport has the same function but is focused on the maritime aspect of the critical infrastructure, facilities with docks and wharves. It is a web-based portal for industry to access necessary information or for the Coast Guard to push data should a threat materialize. Membership in HSIN is focused at the corporate level for Shell whereas Homeport is geared to the facility owner and operator. In addition to Shell US' extensive security work within the oil and gas industry and with law enforcement agencies, Shell has built a global network that allows us to leverage our relationships with governments and law enforcement agencies around the world to protect Shell employees and assets. We exchange information, forge partnerships, design systems and implement procedures in partnership with governments and companies in other countries just as we do here. Because a threat to our U.S. infrastructure is as likely to come from outside the United States, as it is to come from the inside, Shell's network helps us protect our U.S. infrastructure. Finally, Shell's security measures in the United States are strengthened by the challenges we encounter around in the world. Shell's experience in keeping our people and our assets secure in politically unstable region, geologically-challenging areas and difficult climates sharpens our expertise in keeping our people and infrastructure safe here in the United States. What we learn around the world we apply here, just as what we learn here we apply around the world. I believe Shell's global presence strengthens the security of our U.S. assets. Shell is committed to providing a reliable supply of fuels and products to keep the economy growing. We are proud of the reliability of our oil and gas infrastructure and remain committed to its security. Thank you. Ms. Jackson Lee. We are going to try to have you begin your testimony and then recess after your testimony. Mr. Marchick, if you will be patient, we would appreciate it; and Mr. Ranking Member, I would like to ask unanimous consent that we could continue this hearing without a quorum so we can at least get through. Mr. Lungren. Thanks. STATEMENT OF MICHAEL PFISTER, SENIOR VICE PRESIDENT AND CHIEF INFORMATION OFFICER, HALLIBURTON Mr. Pfister. Thank you, Chairwoman Jackson Lee and Ranking Member Lungren, members of the Committee on Homeland Security. I am Michael Pfister, Senior Vice President and Chief Information Officer of Halliburton Company. I am here today to witness on behalf of Halliburton Company, founded by Earl P. Halliburton in 1919 and incorporated in the State of Delaware. Halliburton received correspondence by committee Chairman Bennie Thompson, offering us an opportunity to testify before this committee. That correspondence indicated that the topic of the hearing would be the impact of foreign ownership and foreign investment on the security of our Nation's critical infrastructure. Halliburton is not foreign owned, and we do not possess critical infrastructure as we understand it. However, we would like to be of whatever help we can to this committee, and we might be of assistance relative to your introduction if we describe how we protect our technology and our information from being obtained and used by those who might wish to do our country harm. Halliburton and the energy industry for some time have been responding to the reality of the global business environment for which key employees travel around the world and need to have access to very sensitive information in order to do their jobs correctly. It also a given in today's world that threats to the security of vital information comes from almost every location around the globe. Hackers do not need to be near important computer resources. The IT security landscape for Halliburton assumes that all of our important IT assets, regardless of which data center they are located in, are under constant attack by hackers from every location around the globe. In fact, in our world, we intercept 16,000 viruses every day, and we respond to about 12,000 attacks per day upon our network perimeter. So we have no choice but to take this information--information security extremely seriously. The IT industry has established security standards practiced by the Federal Government and by corporations like us that protect the perimeters of our networks, that protect the transmission of our information through public carriers, and it protects the centers that host the servers that run our applications and store our important raw data. Like the rest of the energy sector, Halliburton's IT security relies on what we call defense in depth. It is multiple layers of defense that are placed throughout the IT system, and the idea behind this defense in depth is the idea that any attacker would have to break through multiple defensive countermeasures in order to successfully hack into the system. Modeled much after the security systems that have evolved over the years, Halliburton operates industry standard firewalls, antivirus and intruder prevention systems to separate our internal network and all of the information on it from the Internet. We perform perimeter audits to ensure that our firewalls are doing their jobs. We regularly monitor for suspicious activity, and we isolate that activity before it can do any harm. We utilize third-party security experts to test our security systems' effectiveness, and we encrypt our digital communications before we transport them through public communication networks. In addition to all of the technical security we deploy to protect our information assets, there are other steps taken by Halliburton to physically secure its confidential data and its facilities. Our facilities have physical barriers such as fencing, locked doors, locked traffic gates. We employ security guards to prevent unauthorized access and entry to both tangible and intangible property. We restrict access to our facilities to persons having proper credentials, such as electronic badges, and badge access records are automatically retained and maintained and reviewed from time to time. Visitors to our Halliburton facilities are required to sign in and are escorted as they make their way through our facilities. We store our trade secret information, such as drawings and specifications that make us competitive, in a digital vault that is referred to as the matrix database. And the control access to this important trade secret information, the matrix database, recognizes the degree of authorization that has been granted to a user, and it appropriately limits the user's access to authorize data in the system. In addition, there are federally mandated export controls that impact our security assets as well. Halliburton has complex procedures in place to manage the export of our company's technical data. These movements are screened either through our company's system or by a member of the law department's trade compliance group. And in doing so, we believe that we may be helping to protect our country's critical infrastructure while keeping assets out of the hands of individuals who should not have them. There is also a need in our business to control to the best of our ability, the activities of employees that are entering and leaving our company. We have thousands of patents and many skills that we use to remain one of the finest energy service companies in the world. In our industry, there is a fairly constant turnover rate of talented and educated individuals, and for that reason, we have developed the following methods to protect Halliburton's intellectual property: new employee packages, provided by our H.R. department, include an intellectual property assignment and a confidentiality agreement that requires the employee to assign to Halliburton any IT that was developed during his employment and that relates to company business, and to maintain the secrecy and the confidentiality of any information to which they might have been exposed. Ms. Jackson Lee. Your time has expired. Would you be kind enough to summarize or respond to our questions? Mr. Pfister. I want to close by saying that our success depends upon a well-trained workforce. We provide a bunch of training options to teach people how to take good care of our proprietary information. Some of them are online; others are instructor-led. I want to thank you for allowing me to appear here today, and I hope that we have provided some information that will be of help to the committee. We take very seriously our responsibility for protecting data and trade secrets and intellectual property. I will be happy to answer any questions after we get done, and if I don't possess the information, we will get it for you for the record. [The statement of Mr. Pfister follows:] Prepared Statement of Michael Pfister Chairwoman Jackson-Lee, members of the Committee on Homeland Security, I am Mike Pfister, Senior Vice President and Chief Information Officer of Halliburton Company. I am here today as a witness on behalf of Halliburton Company, founded by Earl P. Halliburton in 1919 and incorporated in Delaware. Halliburton received correspondence on May 9th from Committee Chairman, Congressman Bennie Thompson, offering us an opportunity to testify before this committee. That correspondence indicated that the topic of the hearing would be ``The Impact of Foreign Ownership and Foreign Investment on the Security of Our Nation's Critical Infrastructure.'' Halliburton is not foreign owned and does not possess critical infrastructure. However, we would like to be of whatever help we can to this committee and I believe that we might be able to be of assistance if we describe how we protect our technology and information from being obtained and used by those who might wish to do our country harm. With that in mind, I would like to take a few minutes of your time to address Halliburton's Information Technology and the safeguards we employ to protect our assets. Halliburton, and the energy industry--along with the Information Technology (IT) industries--have, for some time, been responding to the reality of a global business environment in which key employees travel around the world and need to have access to very sensitive information in order to do their job correctly. It is also a given in today's world that threats to the security of vital business information come from almost every location around the globe. Hackers do not need to be near important computing resources. They take the path of least resistance and use the power of the Internet to locate information, regardless of where in the world it might be. The frequency and approaches that they use are independent of where key information stores reside, or where key employees office. For that reason, international business companies that have key corporate leaders, such as our CEO, Mr. Dave Lesar, who spend significant time outside the borders of the United States do not materially increase the risk that through IT methods, important information might be compromised. The IT security landscape for Halliburton assumes that ``all important IT assets'', regardless of which data center they are located in, are under constant attack by hackers from every location. That assumption is already in place, and preventive security measures are geared to that reality, regardless of where key employees are at any moment. Our customers do control most of the critical energy infrastructure and we have worked with those customers and IT security vendors to develop robust products and approaches to protect the information stored in our databases and other data repositories. The IT industry has established security standards, practiced by the federal government and by corporations, that protect the perimeters of our networks, the transmission of our information through public carriers, and the centers that host the servers that run our applications and store our raw data. Like the rest of the energy sector, Halliburton's IT Security relies on ``Defense in Depth''--multiple layers of defense are placed throughout an IT system and address personnel, technology, and operations for the duration of the system's lifecycle. The idea behind the Defense in Depth approach is that any attacker should have to break through multiple defensive countermeasures, in order to successfully hack into the system. This increases the likelihood of being able to identify and prevent an attack from occurring. Halliburton operates industry--standard firewalls, antivirus, and intrusion prevention systems to separate our internal network from the Internet. Halliburton performs perimeter audits to ensure the firewalls are doing their jobs. We regularly monitor for suspicious activity and isolate that activity before it can do any harm. We utilize third party security experts to test our security system's effectiveness. We encrypt digital communications before transporting them through public communications networks. It is worth noting at this point that the energy sector participates in the National Infrastructure Protection Plan. There is a sector-focused project called LOGIIC (Linking the Oil and Gas Industry to Improve Cyber Security). However, its focus has been on Supervisory Control and Data Acquisition (SCADA) and other ``control systems'' that control production and distribution of hydrocarbons. Halliburton does not operate these systems. We also share industry best practices each quarter through the American Petroleum Institute's Information Technology Security Forum. In additional to all the technical security we deploy to protect our information assets, there are other steps taken by Halliburton to physically secure its confidential data and its facilities.Halliburton facilities have physical barriers (fencing, locked doors, and locked traffic gates) and security guards to prevent unauthorized entry and access to both tangible and intangible property. Halliburton restricts access to facilities to persons having proper credentials, such as electronic badges. Badge access records are automatically made and maintained. Visitors to Halliburton facilities are required to sign-in and then are escorted throughout the facility. Halliburton marks certain documents as ``confidential'' or uses other appropriate headers / legends when such documents contain confidential information of the company. Warning labels appear on computer log-in screens to inform users that the system contains business confidential information and is for company use. Halliburton stores trade secret information (drawings, specifications, etc.) in an electronic vault that is referred to as the Matrix database. To control access to the trade secret information, the Matrix database recognizes the degree of authorization that has been granted to a user and appropriately limits the user's access to authorized data in the system. Our internal controls over our own vital assets are engendered largely to keep us competitive with others in the energy service field and of the most benefit to our clients. However, there are federally mandated export controls that impact our security practices as well. Halliburton has procedures in place to screen the export of our Company's technical data. These movements are screened either through the Company's SAP system or manually by a member of the Law Department's Trade Compliance Group. In so doing, we believe we may be helping to protect critical infrastructure while keeping assets out of the hands of individuals that should not have them. So, I hope this brief technical disclosure helps this committee to appreciate the significant investment that we have made to protect information about our business from those with bad intentions. There is also a need in our business to control, to the best of our ability, the activities of employees that are entering and leaving the company. We have thousands of patents and many skills that we use to remain one of the finest energy service companies in the world. In our industry, there is a fairly constant turn over rate of very talented and educated individuals. For that reason, we have developed the following methods to protect Halliburton's intellectual property. New employee packages provided by Halliburton's Human Resources (HR) department include an intellectual property assignment and confidentiality agreement that requires the employee to assign to Halliburton intellectual property developed during his/her employment that relates to company business; and to maintain the secrecy of proprietary confidential information he/she develops or to which he/she is exposed. When an employee who had access to Halliburton's valuable proprietary information leaves the company, Halliburton's Law Department works closely with the HR Department and the business units, seeking to prevent the employee from taking that information for his or her own benefit or that of another, e.g., a competitor. When appropriate, access to our computer systems is disabled immediately. At other times during exit interviews, key employees are reminded of their continuing obligations under any applicable intellectual property and confidentiality agreements, and are requested to return any Halliburton proprietary information in their possession. When circumstances warrant, the company will send a letter to the departing employee, and possibly his new employer, formally reminding the ex-employee of his obligations to the company. If Halliburton suspects that the departing employee intends to or will be in a position to use Halliburton information in violation of those obligations, the company will consider taking legal action against the ex-employee and other responsible parties. There is a Dispute Resolution Agreement in place between the company and its employees that normally will require such disputes with ex-employees to be submitted to binding arbitration. In addition, when Halliburton engages a third party to provide goods or services and Halliburton is required to disclose confidential information to the third party, the third party is contractually obligated to maintain the confidentiality of such information. Typically, when a third party is engaged in Halliburton technology development, all rights to the developed technology are assigned to Halliburton, and again, the third party is required to maintain the confidentiality of Halliburton's proprietary information. In some cases, the developed technology could be jointly owned by Halliburton and a co-developer, but in those cases as well, the parties will be obligated to maintain the confidentiality of proprietary information shared by one with the other. The company provides a number of courses in its ``I-Learn'' catalog that relate to protecting Halliburton's valuable proprietary information, and to the proper handling of confidential information of third parties that is lawfully in the company's possession. Some of these courses are fully electronic, or on-line; others are instructor- led. The ``I-Learn'' system has been developed by Halliburton to allow its employees to easily learn about many topics often while sitting in the comfort of their own offices. I again thank you for allowing me to appear here today and hopefully I have provided information that will be of help to this committee. I would be happy to answer any questions you might have and if I do not posses the information you want with me today, I will be happy to provide it for your record. Ms. Jackson Lee. Thank you very much. The committee stands in recess. [Recess.] Ms. Jackson Lee. Thank you. Mr. Marchick, would you please begin your testimony? STATEMENT OF DAVID MARCHICK, COVINGTON & BURLING LLP Mr. Marchick. Thank you, Madam Chairman, and it is a pleasure to be here. I know from personal meetings with you how much you have focused on this issue, how deeply you have investigated this issue, and I appreciate the leadership you have shown on this. I would like to make four points, Madam Chair. The first is that we want more foreign investment, not less. Foreign investment is part of the lifeblood of the U.S. economy. Employees, foreign companies employ about 5 million Americans, paying higher wage jobs than American-owned companies. It is critical to our technology and manufacturing base. Foreign-owned companies own about 5 percent of all U.S. assets, but they employ about 20 percent of all manufacturing jobs, so it is critical to our manufacturing base. And as long as we spend more than we save, we need the money to come from somewhere, and it is better for foreign entities to invest in fixed assets than in liquid assets because you simply can't dump fixed assets like you can liquid assets. So we want them to invest. It is good for our economy. It is good for R&D. Second is the issue of critical infrastructure. This committee, the Homeland Security Department and its predecessors, going back for almost 15 years, have really struggled with the concept of what critical infrastructure is. During the Clinton administration, the Clinton administration put out a study that the critical infrastructure covers about eight sectors. In 2001, Congress passed the PATRIOT Act and defined critical infrastructure as systems and assets that are so vital to the U.S. national and economic security that their destruction would have a debilitating impact on U.S. national security. Since that time, there have been four different reports that have come out from the executive branch with four different definitions of critical infrastructure and four different lists of sectors. Now why is this important? It is important because investors and security managers, like Mr. Garcia, take guidance from the government on what is critical infrastructure and what is not; and foreign investors take guidance on that as well. And so, unless there is clear guidance from the government as to what critical infrastructure is, it will make it more difficult and there will be more insufficiency for investors in deciding whether to invest with the United States. Because if a transaction--if a foreign investment implicates or covers critical infrastructure, then there is a greater likelihood that it has to go through the CFIUS review process. And if companies don't know whether they have to go through that process, it creates uncertainty, and uncertainty chills investment. So the third issue is that the CFIUS process since Dubai Ports has changed significantly. Transactions are now regularly going to very, very high levels in the government, sometimes all the way up to the Secretary, sometimes all the way up to the President, there is additional scrutiny. There has been an increase in the number of mitigation agreements or conditions imposed by the government. The Homeland Security Department has taken a very active role in this. Last year they negotiated--they required companies to commit to 15 mitigation agreements, which is three times the number of agreements required the previous year and equal to all of the mitigation agreements in the previous 3 years. So, as a result of the increased oversight from this committee and others, there has been additional scrutiny of foreign investments in the United States. Frankly, in my view, not all of that is good, because overregulating investment has a chilling impact; and I know, from my practice, that there are investors who have decided not to pursue investments because of the CFIUS process. So the balance, the pendulum shifted dramatically after the Dubai Ports controversy, and hopefully that pendulum will swing back towards the middle. The final issue is legislation. Mr. Frank and Mr. Bachus and the Financial Services Committee put together a very good bill with Mrs. Maloney and Ms. Pryce. This committee and Chairman Thompson and Mr. King played a very important role in shaping that legislation; they were original cosponsors. You and Mr. Lungren played a very important role as well. It gives the Homeland Security Department additional authority. That legislation, I think, is very good legislation. It passed unanimously in the House. Today, in the Senate, Senator Dodd and Senator Shelby marked up similar legislation based on the House bill with a few changes. Hopefully, that will go through the Senate quickly and come back to the House with a conference, and hopefully, we can get a good bill. That legislation further increases the scrutiny that transactions will have to go through under the CFIUS process. It requires additional scrutiny of government-owned acquisitions. It requires additional reporting to Congress; Congress will have a much greater oversight role. And it requires additional factors to be considered in every transaction, factors that now are much more relevant after September 11th including investment in critical infrastructure. So the hearing that you are pursuing today is a very important hearing. Congressional oversight is very important, and the most important thing is that, through hearings like this, there is additional confidence in the integrity of the CFIUS process, so we don't have another Dubai Ports, which is not good for our country and not good for our relationships with other countries. [The statement of Mr. Marchick follows:] Prepared Statement of David Marchick \1\ Chairman Jackson-Lee and Ranking Member Lungren Thank you for the opportunity to testify before your committee today on the important subject of foreign ownership of critical infrastructure. --------------------------------------------------------------------------- \1\ David Marchick is a partner at Covington & Burling LLP, a Washington-based law firm. He has an active CFIUS practice and is co- authored the book ``U.S. National Security and Foreign Direct Investment (Peterson Institute, May 2006). Mr. Marchick represents U.S. and foreign investors before the Committee on Foreign Investment in the United States and the Congress. The views in this testimony are Mr. Marchick's views and not those of Covington & Burling LLP or the firms clients. --------------------------------------------------------------------------- I plan to discuss three issues in my testimony: First, the concept of ``critical infrastructure'' and the implications of foreign ownership thereof; Second, recent developments in the Committee on Foreign Investment in the United States; Third, CFIUS-reform legislation moving through the Congress. Foreign Ownership of Critical Infrastructure A significant amount of work has been undertaken in this Committee, in the Department of Homeland Security and its predecessor agencies, and in the private sector with respect to defining and protecting critical infrastructure. This work dates back to the mid-1980s and continues to evolve today. There have been many iterations of the government's definition of ``critical infrastructure'' over the years. In 1996, for example, President Clinton issued Executive Order 13010, which stated that ``certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States.'' EO 13010 listed eight sectors as critical infrastructure, including telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, and transportation. Building on this initial concept, the USA PATRIOT Act, and later the Homeland Security Act, defined ``critical infrastructure'' as: ``[S]ystems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.'' \2\ --------------------------------------------------------------------------- \2\ Section 1016(e) of the USA PATRIOT Act, codified at 42 U.S.C. Sec. 5195c. --------------------------------------------------------------------------- This definition, by setting a high threshold, implies that a relatively narrow list of assets would be deemed to ``have a debilitating effect.'' Core communications assets or the electrical grid certainly would meet this definition. But in the National Strategy for the Physical Protection of Critical Infrastructure and Key Assets, the White House identified twelve very broad sectors as critical infrastructure, including agriculture and food, water, and public health.\3\ In the book that I co-authored with Monty Graham of the Peterson Institute, Mr. Graham estimated that these twelve sectors cover some 25% of U.S. employment.\4\ Taking this effort one step further, the Department of Homeland Security created a ``national assets database,'' which contains tens of thousands of entries compiled from various sources, including state and local officials. The Information Assurance and Infrastructure Protection Division of DHS reported that it had identified 1,700 ``critical assets'' in 2004. And since 2001, there have been four different executive orders or reports, each of which included different sectors as critical infrastructure.\5\ --------------------------------------------------------------------------- \3\ See National Strategy for the Physical Protection of Critical Infrastructure and Key Assets, (February 2003), available at www.whitehouse.gov (last visited May 20, 2006). \4\ U.S. National Security and Foreign Direct Investment, by Edward M. Graham and David M. Marchick, Peterson Institute, May 2006, p. 149. \5\ See, E.O. 13228; the National Strategy for Homeland Security, July 2002; the National Strategy for Physical Infrastructure Protection, February 2003; and Homeland Security Presidential Directive 7, December 2003. --------------------------------------------------------------------------- The definition of critical infrastructure matters because the private sector makes key decisions--investment and resource allocation decisions--based on guidance from the federal government. Yet the evolving and increasingly broad definition of critical infrastructure, coupled with little guidance from the government on the national security issues associated with investment and management of such infrastructure, has created ambiguity and uncertainty for U.S. companies looking to increase their value by attracting foreign partners as well as for direct foreign investors. To be sure, we know from CFIUS practice, from statements by Homeland Security officials, and from H.R. 556 and the Dodd/Shelby bill, that protection of critical infrastructure is a top priority. And, for investment in certain sectors--including the defense industrial base, telecommunications carriers, and certain energy assets, including nuclear--there is a clear nexus to national security, there are established paradigms for assessing and, where necessary, mitigating national security risks posed by foreign investors. Foreign investors might reasonably expect to incur some national security- related mitigation costs associated with their investment in these sectors, and they should have some sense of what those costs will be (especially for investments in the defense industrial base where there are fairly standard terms for mitigation). But these cases represent only a small percentage of investment in critical infrastructure, as that term has been broadly defined. It is far less clear that foreign ownership of other assets deemed to be ``critical infrastructure'' has any measurable impact on U.S. national and homeland security. Let me offer three examples of how the absence of guidance in this area is both troubling from a policy perspective and potentially costly in the marketplace. First, there are certain areas of ``critical infrastructure,'' broadly defined, that in the ordinary course simply should not raise national security concerns. For example, there has been great controversy in certain states regarding the privatization of toll roads. While that debate is understandable, it would be far more difficult to see how foreign ownership of a toll road would raise national security issues. The same logic applies to most investments in agriculture and food. Ben and Jerry's is owned by a Dutch company, and Haagen-Dazs is owned by Diageo, a British company. I can think of many great ways to describe Cherry Garcia, but central to national security isn't one of them. Second, regulations that preserve and protect the national interest already govern a number of sectors identified as ``critical infrastructure.'' For example, there already exist myriad federal, state and local regulations to protect the food supply, to ensure the integrity of the banking system, and to facilitate high-quality public health services. This also is now true of investment in the chemical sector. Ambiguity as to whether investment in such sectors might also require a national security review because they technically are ``critical infrastructure'' unnecessarily complicates the investment and resource allocation calculus of both sellers and buyers. Third, there is a real risk of ``critical infrastructure'' mission creep, particularly with respect to information technology products and services. Increasingly, in practice, the government is defining critical infrastructure to include not only the specifically identified sectors, but also any product or service sold into that sector. This produces a slippery analytic slope. An IT product that serves the exact same function for Ben & Jerry's as it does for AT&T may, because its customer is AT&T, be deemed part of critical infrastructure. This, in turn, creates unequal costs for foreign investors. For example, take two products that serve the same function on the IT networks of Ben & Jerry's and AT&T. Both products have source code that is written by engineers in Eastern Europe. Both products are incorporated into hardware assembled in China, with the hardware comprised of component parts made in a number of other countries all over the world. Both products are sold by publicly traded U.S. companies, and both companies use direct sales as well as distributors to reach their customers. One company is then bought by a foreign, publicly-traded company with no government ownership. Should that investment require a national security review simply because, among the many diverse customers of the product, some are located in ``critical infrastructure'' sectors? To be sure, the answer to that question may be ``yes'' in some instances. Moreover, Exon-Florio and the CFIUS process can adequately identify and mitigate risks in those cases. However, even sophisticated counsel frequently have difficulty identifying which instances these concerns may arise, or the potential costs associated with those issues. And this uncertainty is itself very costly, both for U.S. sellers who have an interest in creating the largest possible market for bidding and certainty with respect to closing, and for foreign investors who, in formulating their bid, must assess additional costs associated with their investment and how potential regulatory uncertainty both in timing and result might affect their competitive position vis-a-vis other bidders. More can be done to provide clear guidance to foreign investors, U.S. companies and their investment advisors. While the definitions and classes of assets I described earlier may work for the physical protection of critical infrastructure, they do not work for foreign investment considerations. The Administration and Congress should work together to determine how best to protect critical infrastructure, regardless of who owns a particular company or asset. Security policies and guidance could be developed on a sector-by-sector basis. A baseline level of security requirements should be established. Then, if there are particular national security issues associated with foreign ownership in a particular asset, U.S. interests will be further preserved by CFIUS, which is well equipped to mitigate the risk or block the investment. Recent Developments in CFIUS Simultaneous with progress on CFIUS reform legislation in the Congress, CFIUS has undertaken a number of changes in response to concerns on the hill. These include: Committing additional resources to staffing CFIUS cases. Treasury has added a new CFIUS Deputy Assistant Secretary and DHS has added case officers and lawyers to focus on reviews and enforcement; Involving more senior level officials within CFIUS; Enhancing communications with Congress; Expanding coordination among intelligence agencies; Expanding the use of mitigation agreements and introducing new, tougher terms in such agreements; and, Enhancing enforcement of mitigation agreements, including through on-site audits and consultations with parties to such agreements. In many respects, CFIUS has taken a much more cautious attitude toward their work post-DPW. This caution has had a ripple effect on the private sector, leading to more filings. In 2006, there were 113 filings (up 73 percent over 2005), 7 second-stage investigations (up 250 percent) and 5 withdrawals (up 150 percent) during the second-stage investigation period. A number of other transactions were withdrawn during the initial 30-day period. The dramatic increase in the number of second-stage investigations and withdrawals suggests that foreign investors are having a more difficult time closing transactions in a timely fashion. The stakes are high--the value of just one-third of the transactions that were submitted to CFIUS exceeded $95.5 billion in 2006. CFIUS has also increased the number of ``mitigation'' or ``national security'' agreements negotiated as a condition for approval. From 2003-2005, the Department of Homeland Security (DHS) was a party to just 13 mitigation agreements, compared with 15 such agreements in 2006 alone. Foreign investors--particularly in the IT sector and other sectors considered ``critical infrastructure''--now face a greater likelihood of being compelled to enter into a mitigation agreement in order to secure CFIUS approval. The trend in filings has continued this year--there have been 54 to date, putting CFIUS on track for almost 150 filings this year, a 130 percent increase over 2005. Transactions that raise real national security issues should be filed and reviewed by CFIUS. But uncertainty about what cases should be filed will cause more transactions to be submitted for review than necessary. In turn, this forces CFIUS and the intelligence agencies to conduct a full analysis of inconsequential transactions, taking their focus off the transactions that really matter to national security. I suspect that over time this dramatic increase in filings post-DPW will level off to more normal levels, and that some caution in the agencies at this time is to be expected. The pendulum has swung too far post-DPW. For U.S. national security and economic interests, I hope the pendulum will soon swing back toward the middle. Legislative Efforts to Amend Exon-Florio In the wake of the Dubai Ports World controversy just over a year ago, more than 20 bills were introduced in the House and Senate that would have restricted or blocked foreign investment in one way or another. Certain of these bills would have simply prohibited foreign investment in critical infrastructure; others would have prohibited foreign government ownership of certain assets in the United States. Several bills would have amended Exon-Florio, the statute that gives the President the power to block certain transactions that threaten U.S. national security. One bill amending Exon-Florio passed the House, and another passed the Senate, but the 109th Congress ran out of time before the bills could be reconciled. On February 28, the House passed unanimously H.R. 556, the National Security Foreign Investment Reform and Strengthened Transparency Act of 2007, which was pulled together by Chairman Frank, Ranking Member Bachus, Congresswoman Maloney and Congresswoman Pryce, among others, and co-sponsored by Chairman Thompson and Ranking Member King of this committee. Today, in the Senate, Chairman Dodd and Ranking Member Shelby are marking up a bill based in large part upon H.R. 556. Credit goes to you, Madame Chairman and Mr. Lundgren, and to Chairman Thompson and Mr. King, for helping to shape a bipartisan, balanced bill that enhances protection of national security while not impeding foreign investment in the United States. This Committee had an important role in shaping that legislation. H.R. 556 would address many of the perceived shortcomings with the CFIUS process without chilling foreign investment. It would: Enhance Congressional oversight and reporting to Congress without politicizing transactions; Require higher-level involvement in CFIUS decisions; Expand the factors that CFIUS must consider to reflect post-September 11 imperatives, including protection of critical infrastructure; Heighten scrutiny for government-owned transactions without impeding investments that don't raise real national security issues; and, Allow for transactions to be reopened based on material intentional breaches of mitigation agreements where no other adequate remedy exists. This provision--the so-called ``evergreen'' provision--is tough medicine and a provision which foreign investors and key elements of the U.S. business community oppose. Chairman Dodd and Senator Shelby are marking up a bill in the Senate Banking Committee that is substantially similar on H.R. 556, making some modifications that in my view are very good changes. Among other things, the Dodd/Shelby bill: Adopts the concept of rotating lead agencies and vests enhanced authority in those agencies to negotiate, monitor and enforce mitigation agreements. For example, DOD would take the lead on defense acquisitions; Homeland Security would lead on investments in ports, airports and transportation companies; Justice would take the lead where law enforcement issues were paramount; and Commerce would take the lead on transactions with significant export control issues; Eliminates some of the unnecessary bureaucratic provisions of H.R. 556, such as requiring two-thirds votes in CFIUS for certain decisions. Unlike Congressional committees, agencies don't typically vote; and, Imposes the same confidentiality requirements on Congress that exist within CFIUS. I was pleased that the Senate decided to use the House bill as the baseline. If the Dodd/Shelby bill passes the Senate without significant changes, I am confident and hopeful that the House and the Senate could work together, in a bipartisan fashion, to send sensible CFIUS reform legislation to the President for signature. The key, however, is that legislation advance U.S. national security interests without impeding foreign direct investment that we want and need. No bill would be better than a bad bill, but I am hopeful that the House and Senate can put together a good bill for the benefit of our economy and national security. Conclusion The United States very much needs additional investment in critical infrastructure from both domestic and foreign sources. The more investment, the more durable and resilient our telecommunications, energy and other critical infrastructure will be. According to the Treasury Department: Foreign companies in the U.S. employed more than 5 million U.S. workers in 2005, providing 4.5% of all private sector employment in the United States. Manufacturing jobs accounted for 33% of the jobs created by foreign companies in the U.S. (2004 data). The manufacturing sector accounts for just 12% of overall U.S. private sector employment. Thus, FDI is disproportionately bolstering this important sector. An additional 4.6 million U.S. jobs indirectly depend on foreign investment in the U.S. (2005 data). Foreign companies in the U.S. buy 80% of their inputs from U.S. companies. This additional business indirectly supports almost as many U.S. jobs as FDI creates directly. Compensation at foreign companies in the U.S. is on average 30% higher than the U.S. national average. Foreign- owned firms paid U.S. workers an average of $63,428 in 2004. Further, in 2000, foreign firms directly employed 5.7 million people in the U.S. (5.1% of the private sector workforce) and indirectly supported 6.5 million more jobs. In 2005, those figures had fallen to 5.1 million (4.7% of the private sector workforce) and 4.6 million, respectively. Foreign firms? R&D spending as a share of total R&D spending in the U.S. has also slightly declined since 2000. We need more foreign investment, not less. In some cases--a very narrow set of circumstances--foreign investment does raise real national security issues. In those cases, the CFIUS process works, and works well. Through hearings like this, Madam Chairman, I am hopeful that the Congress will have additional confidence in the integrity of the CFIUS process. And with good legislation, the business uncertainty that has come in the wake of Dubai Ports will be reduced or eliminated, facilitating enhanced investments, new jobs and more economic activity in the United States. Thank you for the opportunity to testify before your committee. Ms. Jackson Lee. I thank the gentleman. We allowed you to pontificate a little bit longer, and we thank you for your expressions. Let me thank the witnesses for their testimony--I thank them for statements that open the door. And we are here to do some fact-finding. We are not here to prejudge or presuppose, and there are members on the committee who, I know, would have differing opinions. And let me indicate that we are going to move quickly. I understand there are certain flight obligations, and I understand also that we are in between and betwixt activities on the floor. But let me then pose a question in the context, as quickly as I can, to indicate that we have a no--if you will, an environment that we are in now, Mr. Garcia, Mr. Pfister, Mr. Marchick, that is stable and steady; and your testimony suggests somewhat that all is well. And I started out by indicating that we don't deal with the wellness of security; we deal with the fractures and the possibility of fractures. And I think we have made it very clear that we are not interested in violating or at least undermining the free flow of the economy. Frankly, another viable hearing would be the question of China's dominance, and I know that Financial Services has probably engaged in that in terms of the sizable investment that they have here in the United States, particularly in the financial institutions. That is not this committee's jurisdiction per se unless we discuss issues involving critical infrastructure. But these are very large questions that have to be asked and answered, so I hope the witnesses will answer my questions in the context that this is not an indictment of the witnesses as much as it is a fact-finding effort. And I will start first with Mr. Garcia. I have had the pleasure of working with Mr. Garcia in working with the management and leadership of the FBI. So I imagine you have a fuller understanding, and I would like you to--and I hope Shell will give you that latitude--to broaden your answers and how it relates really to, your background in the FBI. Just to lay the groundwork, we know that you stated in your testimony that one-third of Shell's assets and shareholders are in the U.S., thereby implying that two-thirds of your assets and shareholders are foreign. In addition to being a foreign- owned company, Shell is global, which operates in more than 130 companies and employs 108,000 people. And I would assume some of them are foreign nationals worldwide. Would you please elaborate on the specific additional security measures you take, both in terms of physical security over critical infrastructure and data security over information, because Shell is both foreign owned and a global company. And may I ask this question right here before so that we can separate some of the issues that you will be answering as it relates to Shell? But the foreign ownership and foreign investment issue sometimes relates to countries whose relationships with the United States are not as long-standing as those that we have with the Netherlands. Would you agree to that? Mr. Garcia. That is correct. Ms. Jackson Lee. Therefore, when you raise these questions, when our committee raises these questions, we are not just necessarily thinking that Shell has to be before us as a witness, but we have to address it as it relates to investments that may come from countries who have a short-term friendship with us versus a long-term. And if I can yield to you now for a response to my question on the security measures. Mr. Garcia. Thank you. When I retired from the FBI and took employment with Shell security, Shell security at that time was addressing all of the issues since 9/11, addressing all of the regulatory issues and regulatory information that was coming from Congress and other governments to the U.S. for protection of infrastructure. When I came on board, the position that I took, it was brand new; it had not been there before. And the purpose of that, my position in coming in there, was to look at the United States infrastructure, look at how Shell is operating in order to do what you are asking about: protection of the infrastructure, protection of the critical assets that are here and then how we interact with the rest of our partners around the world, the two-thirds, as you mentioned there. We have very strict procedures on how we deal with information, how we deal with information-sharing between agencies in the U.S. Government, information we share with our expats or foreign nationals that work with Shell. All of our facilities are controlled. All of our facilities, as far as the people that are there, we know who they are, we have background on them. We have no--we know exactly the access that they have, and one facility in the U.S. cannot be accessed by another person, even by a U.S. person unless they have authorization, escorted if they do not have authorization to be there on their own, or for what type of reason they are going to be there. The information we receive from these different things, we look at it, we vet it, and we keep it within the close realm of the security group. And also maintained in its information in a classified type of PKI encrypted system to where--and we only have access--that is not just open to the Shell Group in the U.S. or even overseas. We try to maintain these proper controls and limit what the information is so that, therefore, it does not get into the wrong hands. Only authorized personnel have access to this information, and that is only a handful of people and, some places, dependent on what exactly the information is. Ms. Jackson Lee. Is everyone carded and everyone vetted around your critical infrastructure in places other than the United States and in the United States? Mr. Garcia. That is correct. In those facilities they have credentialing that goes into facilities there. I, myself, cannot go to another foreign country, go into a facility and just walk in; they cannot do it in our facility. Ms. Jackson Lee. You might recall when Russia froze its gas exports into Europe, the critical impact that occurred. Would you imagine the possibility, the way you are structured now, that happening by an individual act of an employee? Because we have established that, at this point, our relationship with the Netherlands is certainly a, collaborative, cooperative relationship. But would you envision--or would you have the ability if that was an individual act of an employee or set of employees? Mr. Garcia. The possibility to have it happen here in the United States is slim. To have one employee just turn off a particular major gas line takes more than just an individual doing that. There are checks and balances that are established that I am aware of, from the process at the refineries; and the gas plants have some type of deviation from that. There is a work blot-out; those who work are advised as--security, as well--to make a determination as to what is going on here. Nothing is 100 percent. You always have that lone wolf. You always have that individual who can do something on their own because you cannot be in the minds of everybody. But the procedures and the checks and balances that they have in each facility and how they do things help to try to mitigate that. Ms. Jackson Lee. Thank you. Mr. Pfister, let me raise the question of access and control. And thank you very much for focusing most of your testimony on technology. But let us go back to the question of Dubai and the relocation or joint location, if you will, of corporate headquarters. As I understand, it is being reinterpreted to being jointly--two joint locations, Houston and Dubai. But in the course of your leadership, being in Dubai would suggest that there would be lead space. There would also be the appropriate resources for the joint corporate office to function. What procedures do you have in place that would give us comfort that any actions in Dubai by anyone who would be in that particular area would not have access to critical infrastructure that could impact America? Mr. Pfister. Thank you for giving me the chance to clear that up because there was a lot of misperception around that. We didn't plan on moving the company to Dubai. We are a proud American company, incorporated here since-- Ms. Jackson Lee. I am glad to allow you to restate that again. Mr. Pfister. The reality--the way the IT security environment works is that, for decades, key employees have been moving all over the world and where they move and where they office and where they sit doesn't necessarily mean that the information that they need to have access to sits in that same location. In fact, it is much more likely for you to have your key information, your critical information, to be stored in data centers that have been physically secured in locations. You are comfortable around the environmentals, you are comfortable around access, you are comfortable about the security that you can put around that. And, in fact, that is the case in our computing environment. We take very good care of all of our digital crown jewels, and we put them in places where we have the fullest confidence that they will be well protected and access will be controlled. Ms. Jackson Lee. Would some of those be housed in the offices in Dubai? Mr. Pfister. Very few. Our particular security model is to put as little technology as possible in those locations. Generally we will put in, obviously, end-user devices such as PCs and laptops, and then we will put in local networks to allow them to talk to each other; but very seldom in other locations, other than our major data centers, which for us today, in an HP-managed facility in Toronto, in a Halliburton- managed facility in Houston. Very seldom do we push anything more complex than that. Ms. Jackson Lee. I will raise some more questions with you later. Mr. Marchick, your testimony focused on the value of investment, and I don't think we have a disagreement in that. But I did note that you gave short shrift to the concept of the purchase, or the proliferation of the purchase of roads, toll roads, et cetera, noticing that this had been a phenomenon in Europe for a long time. However, the framework of this hearing is we must think of what could happen. Do you still want to give short shrift to the idea of loss of access and control or the interest that should be established as to have certain markers, certain criteria, certain oversight in terms of making sure that during a time of crisis, man-made disaster or natural disaster, that the people of the United States have access to these facilities or to these roads? Mr. Marchick. Madam Chairwoman, the first thing I want to do is learn the critical lesson in Washington: Never disagree with the Chairwoman. Ms. Jackson Lee. We welcome your opinion. Mr. Marchick. My view is that the government has a responsibility to ensure that security is in place whether it is a U.S. or a foreign investor, a U.S. or a foreign owner. And with a toll road, that starts with the regulatory structure that is in place or the structure that is in place for that asset. So, for example, if there are concerns about access to a road in a time of emergency, there should be provisions in place so that either the owner follows instructions of the government in times of emergency or the government gets out of the way and the State, local, Federal Government can take over the entrance and exits to a toll road at a time of emergency; but that the government should only intervene if there is a marginal increase in the risk as associated with a foreign investment. And with a toll road, I frankly think it is hard to see how a foreign investor could have a negative impact on a road. I think there is a very legitimate policy debate, which I want to stay out of, about whether roads should be privatized or not. But whether it is owned by a Canadian company or a U.S. company, or an Australian company or a U.S. company, I am not sure makes that big of a difference. If it does, the government should intervene and put security measures in place. Ms. Jackson Lee. Let me yield to the distinguished gentleman from California for 5 minutes. Mr. Lungren. Mr. Garcia, when were you with the FBI in L.A.? Mr. Garcia. June of 2001 was when I first arrived there as a special agent in charge, and I lived in Long Beach. Not to mention that-- Mr. Lungren. You obviously have good judgment. I appreciate that. Ms. Jackson Lee. I won't take from your time, Mr. Lungren, but he is now back in Houston, and he started in Houston. Mr. Lungren. I know. I understand. Mr. Garcia. I am a Texan. Mr. Lungren. I understand that. You miss the humidity and the sweat. I understand that. In your testimony, you note that Shell participates in the Homeland Security Information Network and Homeport. Is there any difference that you can ascertain between the cooperation and the relationship you have with the Department of Homeland Security here as opposed to if you were not a subsidiary of a foreign-owned corporation? Mr. Garcia. If I understand your question: If we were a foreign corporation strictly, not have U.S. ties, as Shell has here in the United States, would there be any difference on how DHS works with you? I would imagine that DHS is limited on what they can share with anybody, depending on their nationality, depending on the information that they have and that they are actually trying to put out. Mr. Lungren. But as a wholly owned subsidiary of a corporation, do you have any-- Mr. Garcia. We have no restrictions whatsoever on how they deal with us because of the fact that we are U.S. persons, too. Mr. Lungren. Mr. Pfister, could you clear up for me, I don't understand this idea of dual corporate structure Dubai, Houston. What is--what do you have in Houston and what do you have in Dubai in terms of corporate headquarters? Mr. Pfister. Well, Houston is our principal place of business. It is where we have the majority of our corporate officers; it is where we conduct the majority of the strategy settings and the design making of our company. So it is our corporate headquarters. Mr. Lungren. What is Dubai? Mr. Pfister. Dubai is going to be the location of our chairman and chief executive officer. It is our opinion that it is in the best interest of the country for Halliburton to be as strong in the energy business, and in order for us to do that, we have to be as strong in the Eastern Hemisphere. You have probably seen some of the statistics that are there; 60 percent of the oil reserves are in the Eastern Hemisphere, so he is moving over to Dubai. We will probably consolidate some of the other managers that are in that general region, and that will be his base. Mr. Lungren. So you have got more business over there than you have here? Mr. Pfister. No, that is not the case now. We conduct well into the majority of our business in North America today, but we need more valuable portfolios because that is where most of the reserves are. Mr. Lungren. And reserves you can go after, I presume. Mr. Pfister. Yes. Mr. Lungren. Last time I checked, you can't go offshore, Florida, California, offshore in the eastern part of the United States. You can't go in ANWR. Am I right in those things? Mr. Pfister. It is better probably to ask our Shell representative, because we don't get involved in this debate, but I think it is accurate. Mr. Lungren. I can't understand why you would move to where the business is. That is just bothersome. No. I mean, you know, we have made it almost impossible for us to go after new resources in the United States in our environs, and I always remember the people who used to drive to the protests against offshore drilling in California. Very few of them came there via skateboard or walking. I guess it was magically produced for them. That is just a little thing I have. I mean, I grew up in Long Beach, as you know, and Long Beach, we have manmade oil islands. We have 2 billion proven reserves. We actually do slant drilling there. We had the first, the beginnings of injection wells for the purpose of boosting the city back up, and then we got into the whole idea of using it for secondary and tertiary recovery. We are looking at the Signal Hill reserve, which I think is the fourth oldest continuous operating reserve in the country, and we actually have potential for opening up wells there because we put more money into it. It is kind of interesting. A lot of people get in their car and figure that comes there. Anyway, Mr. Marchick, you were talking about the CFIUS process and the ambiguity in which infrastructure will have an impact on national security, complicating foreign investment. We in the Congress responded to a concern that was expressed that we needed to bring CFIUS up to date. One of the concerns I had as we did that was, we should--would we be bringing too many transactions within that ambit? Would that cause us to spend too much time and attention and have our intelligence communities focusing across the board on what would end up being nonimportant issues, and therefore, not being able to give the appropriate analysis to those which truly had a national security interest within what we know have to be some sort of reasonable time limits; otherwise, you are not going to have the investment because we make it impossible. How do you suggest we balance that? You talk about ambiguity, which means you think we ought to have more particularity. What kind of particularity would you talk about? Mr. Marchick. The first thing to do is define what critical infrastructure is for the purposes of foreign investments. As I mentioned, during the Clinton administration there were eight sectors defined as critical infrastructures. Now there are 12, but there have been four different reports in the last 4 years that define it differently and give different sectors. That is all for the purpose of physical protection of critical infrastructure. Take a stadium, for example. You want to protect that from being blown up or from some tragic circumstance, but who owns a stadium, you know, doesn't have any impact on security. So I think the most important thing to do---- Mr. Lungren. You obviously haven't been involved in the debate on building a stadium in DC. Mr. Marchick. Building or not building is a key issue, but who owns it doesn't raise any security issues. The key issue is for the government to provide guidance on what they mean by critical infrastructure for the purposes of foreign investment. They define agriculture as critical infrastructure. Who owns a farm, whether it is owned by a Canadian or an American, I can't see the difference from a security perspective. So in the Senate bill that passed the Senate today, the Senate Banking Committee, there is a requirement for the CFIUS agencies to provide guidance to the investment communities on the type of transactions they are seeing. That would be very helpful. Because right now there is a lot of ambiguity, and you are forcing a lot of transactions into the CFIUS process that don't need to be there. And you are requiring the intelligence community, the Homeland Security Department and others to spend a lot of time on those when they should be focused on the transactions that really matter. Ms. Jackson Lee. Thank you. The gentleman's time has expired. It is my pleasure to yield to the distinguished gentlelady from New York, Brooklyn, New York for her 5 minutes. Ms. Clarke. Thank you, Madam Chair. It has been somewhat of a hectic day today, but I thought it was very important to be at this subcommittee hearing. I just want to share a couple of thoughts and raise a couple of questions. Since the very beginning, foreign investment has played a vital role in the development of the United States; as the world becomes increasingly global and the businesses around the world find new ways to integrate, maintaining a strong level of foreign investment will be as important as ever. There is also a great deal that foreign companies can't do to keep America secure. By working with the government and reducing their vulnerabilities, companies can both improve the economy and help maintain security. This, however, is dependent on a strong, cooperative relationship with the government and on maintaining sensitive information and systems in a safe way. We must also keep in mind that not all investors have the best interest of the U.S. at heart. Therefore, the government must continue to play a role in determining which investments could cause harm to come to Americans. I wanted to direct my question to you, Mr. Pfister. How exactly would you define critical infrastructure? That has been a lot of the challenge. You know, I come from New York State where, of course, the big issue around Dubai Ports became a national issue and national concern. And I think defining critical infrastructure and what it means in this global environment that we are in, is really important. Because I notice that you comment in your testimony that Halliburton does not possess any critical infrastructure or assets, I want to know whether you would consider various energy facilities--you operate critical infrastructure; or what about operations which involve supplying or building facilities for our military overseas? Can you just sort of give me a sense? Mr. Pfister. Yes, ma'am. I would be happy to do that. Let me kind of start off--all right. Is it better now? This must be the microphone. I would be happy to answer those questions. Let me explain kind of what our assets are that we do own. We own people, obviously, with intellectual property between their ears. We have got manufacturing plants all over the world that build equipment, heavy equipment and tools that are mobile enough to then drop-ship into different parts of the world, so the big trucks and the skids and the boats that go out and provide services in the more permanent critical infrastructure that Homeland Security has appeared to focus more attention on in the past. We have technology centers where we do--we have laboratories where we do research and development of our products. And then again, we have the equipment, the actual equipment. So when we made the statement up at the--in my opening statement that we were really not the owners or the operators of critical infrastructure, we were using the more classical definition that Homeland Security has had of refineries, pipelines, LNG terminals, et cetera. We don't operate or own any of those. What we operate and own are tools that fit in trucks that we drive around or we float to different locations to actually help us. And the complexity around them is that our primary technology is in better understanding rock properties and fluid properties, deep underground, and figuring out how to make hydrocarbons flow faster out of that and get to the surface. So our equipment is very specific, very niche-oriented to that. So I don't know if that answers your question or not. Ms. Clarke. It does to a certain degree. But being an avid watcher of the television program 24, I will submit to you that the tools that you utilize getting into the wrong hands or being exposed to the wrong environment could pose a threat. Just FYI Let me follow up with this question: If Halliburton's operations were run by an entity that wished to do harm to America or shift U.S. policy, do you feel they would have a means through your operations to accomplish this? Mr. Pfister. Can you clear up the question just a little bit? If Halliburton's operations were bought by someone else and then controlled? Ms. Clarke. By that entity. Mr. Pfister. Well, it wouldn't be too different than some of our competitors today. Schlumberger is not an American corporation and yet we allow them to operate in the United States and in other places around the world. I guess you are asking me for my advice on whether foreign ownership of the sort of business that we operate today would create any incremental concerns. Ms. Clarke. Vulnerabilities. Mr. Pfister. I have a hard time seeing that being a large increase in risk. Ms. Clarke. OK. Mr. Marchick. I would just note, it was the microphone of the foreign company that didn't work. Ms. Clarke. That is a good one. Mr. Marchick, in your testimony, you express several definitions for critical infrastructure. Which do you feel is most appropriate, or do you have a separate definition you feel would better fit? Mr. Marchick. I think the definition in the PATRIOT Act is a very good definition because it focuses on those systems and assets whose destruction would have a debilitating impact on the United States. We know that, for example, in some sectors there is an incremental risk in foreign investment. For example, in the telecom sector because the Department of Justice wants to have access to wiretaps that we want--they have a legitimate interest in ensuring that they can conduct those wiretaps without foreign persons knowing about them or without foreign governments knowing about them, so you want to have American citizens handling those wiretap processes. Similarly, you want American citizens handling classified information in defense companies. But I think there is a very narrowly defined set of sectors where there really is an incremental risk for foreign investments, and in most of those sectors, if not all of them, there are ways to mitigate that risk through, for example, requiring that American citizens operate in key functions at a port facility or in a telecommunications control center or in the defense sector by making sure that all of the people that have access to sensitive assets have background checks and security screens, and there are access controls and badging and escorts. So I think that we shouldn't seek to ban foreign investment. We should seek to mitigate the marginal increase in risk associated with foreign ownership in those very narrow sets of sectors where foreign ownership matters. Ms. Clarke. Just to follow up, Madam Chair. Mr. Marchick, in your experience, do you feel that CFIUS takes into account the country in which the potential foreign owners are based? Does it treat various countries differently, and are you aware of any situations where CFIUS denied a filing purely on the nationality of the company? Mr. Marchick. CFIUS looks at a variety of factors in their national security analysis. They start with looking at the threat and whether there--if the buyer had harmful intent and the capability, would they do something to harm the interest of the United States. They would then look at the vulnerability. What are the assets that the company is buying and how could a person or entity that has the intent to harm the United States take action to harm the United States? The country where the buyer comes from is a factor. British companies are treated differently than companies from other countries. Privately owned companies are treated differently than government-owned companies. And the ownership does have a significant impact on the national security risk analysis that the CFIUS agencies undertake. I am not aware of any specific ban outside of existing law on companies from certain countries investing in the United States, but I do know that certain countries that make investments in the United States have higher scrutiny than others. Ms. Clarke. Thank you very much, Madam Chair. I yield back the rest of my time. Ms. Jackson Lee. I thank you. I am aware of your schedule. We will be back before that time. And we will recess for the last time. When we come back, we will conclude the hearing. [Recess.] Ms. Jackson Lee. The subcommittee hearing is called to order. Thank you so very much for your patience. I know it will add to your happenings here on the Hill. Let me first, in the absence of my ranking member--I know that he has been called to another hearing which I am called to, so we will finish at this time. Just--in his absence, as well, I will make sure that he knows that he has a few friends in Texas who believe in the energy industry and the value and importance that it has for the United States. With that in mind, Mr. Garcia, let me just quickly get a quick question to you. Plain and simple, how are these lessons applied to assets that are or affect critical infrastructure in the United States? The lessons that we are talking about, of course, are the fact that you are a global company. If you could, just restate for us how the lessons of being global can impact on the securing of assets here in the United States which happen to be under the control of foreign investors. Mr. Garcia. Since 9/11, the United States has really tightened its security measures on all aspects of life here. Everybody is more conscious of what is going on--law enforcement as well as companies, if they can take stringent measures to try to protect against another attack since 9/11. For attacks that take place overseas, we are in countries where security measures are not as strict as in the United States. The insurgents in Iraq and places in other locations, we see what they do. We learn from what they are trying to do and how to do it, and see what we can do to ensure that that does not happen here in the United States. We take those lessons learned by looking at and studying what they do to ensure that we are covering our procedures, that we have to plug that gap. We always try to look at the ``what ifs,'' as you suggested earlier. We do not just take things for granted. Anything can possibly happen, so we always look at the impossible and say, ``Do we have a coverage for that or not?'' Using the overseas incidents that take place, we look at that as well. Ms. Jackson Lee. Mr. Marchick, let me just, as we excuse you and thank you for your testimony, raise this last question with you. I, frankly, believe that we need legislation that is geared toward the question of actual security of the infrastructure, of the critical infrastructure; and certainly CFIUS has a lot of elements in it. I will certainly be looking very closely at the markup that the Senate has done today. Give us, if you will again, your parameters or where you believe there should be government intervention, and we hope that you will not be inhibited by your clients. We are asking for your wisdom and so--frankly, I think you started out by saying, where there was a crisis or where there shows to be some inconsistency or problems, there might be a need for government intervention. Would you expand on that, please? Mr. Marchick. Thank you very much. Let me just state for the record that these are my opinions. My clients have opinions all over the map, and hopefully, I will not get fired by any of them after what I say today. It seems to me that the Federal Government, working with industry, should develop security guidelines, security mechanisms, security standards on a sector-by-sector basis, addressing the risk that is inherent in that sector. The Department of Homeland Security is doing that now in the chemical sector, coming up with chemical security guidelines and chemical security regulations, working with industry. That is a very healthy exercise. On top of that, if there are marginal increases in risk to our national security associated with foreign investment, those should be addressed through CFIUS; and CFIUS, I think, is well- equipped to address those particular concerns, but it is that marginal increase, that delta in security risk that is the only thing that CFIUS should focus on. The general vulnerabilities that exist in our energy sector, for example, or our chemical sector should be addressed across the board regardless of who owns the asset. And then on top of that, if there are particular issues associated with a particular foreign owner who raises issues, those should be addressed through CFIUS. And I think that this committee and the CFIUS committee and the Homeland Security Department can work together to accomplish those twin goals. Ms. Jackson Lee. So, if you will, as to an established conflict that may generate between the United States and another sovereign nation that might interfere with critical assets or with that country's investment in the United States, you are suggesting that that should be looked at isolated or it should be looked at separately? Mr. Marchick. I think it should be looked at with great rigor to see if there are risks that a foreign owner would do anything that would harm the security of the United States. And we should never allow that to happen, but we should start by ensuring that we have strong security measures in place across the board; then--going back to the security philosophy that Mr. Pfister and Mr. Garcia articulated--have a layered approach, have additional security conditions to address particular concerns that are associated with a foreign investment. So you start with a basic building block of security for our critical infrastructure, and if there are additional risks associated with foreign investors, CFIUS should impose conditions on that transaction to make sure that those security issues are addressed. Ms. Jackson Lee. So you add to CFIUS or you may look also at a more narrow focus on homeland security? Mr. Marchick. Exactly. Ms. Jackson Lee. Let me thank you, Mr. Marchick. I understand you have a flight. Let me conclude with Mr. Pfister. Let us try to probe again, just as we close this hearing, to have a better understanding, because Dubai has created a great deal of interest, and the presence of your CEO and other personnel have created a great deal of interest. That, in essence, Mr. Pfister, is an investment of sorts. I assume that you are leasing property or buying a building. You are possibly having access and control. So our inquiry is equally, certainly for the safety of the personnel and for the safety of whatever resources you utilize. Can you again frame for us how you provide the protection of any critical infrastructure that might be necessary to ensure your work in Dubai or in Doha or wherever you might happen to be? Mr. Pfister. Yes, ma'am, I would be happy to. To be quite frank with you, Dubai is one of the easier places to secure and protect infrastructure, particularly of the information technology. They are one of the more advanced countries around the world in terms of providing capabilities and digital technologies, once you have figured out how to provide acceptable security in places like Africa and other places--in Russia, Falkland Islands, and other places that the energy industry operates. Ms. Jackson Lee. So how do you proceed in those difficult areas? Mr. Pfister. So it is using the standards. One of the phenomena around information technology security is that security improvements are cumulative. The financial industry creates new ways of protecting financial data, and it immediately becomes available in commercial products that then other industries are able to deploy. The health care industry creates new technology approaches and commercial products that we then embed in other industries. So, you know, this is not a brand-new phenomenon. With the advent of the Internet and when companies started hooking their computer networks up to, you know, the globe, that risk was introduced at that point in time; and so the commercial IT security industry and companies participating in groups like the API and others have been designing firewall systems, prevention systems, approaches to secure computers and assets that are almost mainstream at this point in time. So Mr. Lesar's move to Dubai really does not materially increase at all the risk that any of our key technologies or our key intellectual property is going to be exposed to, any more than it was in the last decade as we have had people traveling all over the world, many times much more and to more desolate places than Dubai. Ms. Jackson Lee. Do you have enhanced security measures of personnel? Do you have reinforced buildings? Do you do anything differently? Mr. Pfister. Well, we do the same types of security, from the physical security aspects, that you heard about from our Shell associate: guards; you know, big cement blocks as you enter the building so that car bombs and things like that would not get into the core of the building; the same card key access; the same logging; those types of things. So it is really not any different than the way we protect any other location that has computers that might have access to critical information. Ms. Jackson Lee. Let me say that I think the test may be the word ``rigor'' in that we should be rigorous when we are looking at foreign ownership and foreign investors as it relates to our security. My last question to you, Mr. Garcia, is that--again, using your expertise--we do know that oil companies--many of them are in and invest in continents--South America, the continent of Africa. We know in particular that there has been some well- known publicized seizing of assets in the delta of Nigeria. That obviously has a life of its own, but I want to pose a question which is similar to the Russian incident that occurred that impacted Europe. If the resources were stymied such that there would be the foreign investment by a foreign company but they would be impacting the United States, what kind of intervention are you all looking toward to prevent that kind of major impact? Even though resources go all over the world, what are you looking toward to prevent that kind of major impact on energy resources coming to the United States? Mr. Garcia. Congresswoman, the actual dynamics of the oil flow's being cut off in various countries outside the United States would probably be answered best by somebody in the company that deals with that. As far as the security issues there in Nigeria, I monitor that with the Shell security group to see what measures can be done and to see what assistance can be provided to them either through the host country or through other types of training and activities that can be done with the various U.S. embassy personnel who are there, to help alleviate some of those problems and some of those issues so that we do not get to this position where it is not safe to do any business at all in that particular country. As far as the impact, I would imagine the impact of cutting off any kind of reserves coming to the United States can be detrimental to the United States economy depending on how much is cut. As far as how and specifically what the impact would be, some other witness will probably have to answer that on the economics part. Ms. Jackson Lee. Do you think, in the whole idea of security and critical infrastructure around the world, that the Federal Government, beyond the existing legislation, can be more helpful? Mr. Garcia. Well, the Federal Government right now is working a lot with the Coast Guard on the international port security program where they actually go to the various ports around the world that service ships that come to the United States--our tankers and other things that do come here. They are doing a big push in working with the various countries that these vehicles or vessels come from in order to try to ensure that the security measures that are taken on in those host ports overseas are helpful for what is coming to the United States. Some of the exceptions that are done are that the Coast Guard will do inspections and boardings offshore well within the safety region away from the United States so as to ensure that the vessel itself is not something that is going to be detrimental or dangerous to the United States when it comes to our ports. So the United States and the Federal Government are doing a lot of things overseas to help in that aspect, and we, as an industry, are trying to assist them on identifying weaknesses and vulnerabilities that they should be looking at and are trying to ensure that they search and look at those areas to try to prevent some sort of an act. Ms. Jackson Lee. Let me conclude and thank you very much for the response. Just in summary, this has been a challenging time to have a hearing, but I thank you for giving us at least the beginnings of our discussion on this issue. As I indicated, I think there is more to explore. This hearing was to begin the discussion, as we have started under the full committee with Chairman Thompson. How do you protect foreign infrastructure that may be in the hands of a foreign owner that impacts the United States, our national security or a foreign investor? There are a lot of nuances that will take several panels and very long hours, but I will end as I started. Our challenge is to imagine the possible and the impossible, and it is also to accept the premise of our economy, which is an economy that welcomes investors, but at the same time, as for the persons who we have the responsibility of protecting, we have to ask the hard questions. So I believe that we have been given, even from your testimony, a range of issues to think about and a range of issues to look at--expanded legislation--in light of the long list of critical infrastructure that we have, to be able to at least give guidance to public entities, which are separate from Mr. Garcia and Mr. Pfister. And also to our corporate entities, which already probably have a major leg forward, because statistics show that you have about 85 percent of our critical infrastructure, both domestically and then those that are owned by foreign investors that are in the private sector; and you certainly have concern about your own property and the needs and protection of your own employees. We know you are forward-thinking, and I think it is crucial that we take up the responsibility for those issues that may not be as far ahead as the private sector is, and I count that as the raging new, if you will, basis of securing funding for public entities, and that is the selling of the very roads upon which we travel. That is a major issue, and I think that we should certainly look at that. You have given us a great deal of insight. We thank you for your appearance here before our committee, and I believe that I will follow up with my concluding remarks so that we can finish. As I have indicated, I thank the witnesses for their very valuable testimony, and the members of the subcommittee may have additional questions for the witnesses, and we will ask you to respond expeditiously in writing to those questions, and we will look forward to the answers in the response. Ms. Jackson Lee. I am going to put into the record, with the existing quorum, an article by a Times reporter in Philadelphia, ``Foreign Companies Buying American Roads and Bridges''--it happens to be a positive article--and an article from the Dallas Morning News, ``Foreign Companies Buying U.S. Roads and Bridges.'' Those are some of the other aspects of the work that we have before us in this committee. So let me thank all of the witnesses. With that, the hearing is adjourned. [Whereupon, at 5 p.m., the subcommittee was adjourned, subject to the call of the Chair.]