[Senate Hearing 112-586] [From the U.S. Government Publishing Office] S. Hrg. 112-586 THE FREEDOM OF INFORMATION ACT: SAFEGUARDING CRITICAL INFRASTRUCTURE INFORMATION AND THE PUBLIC'S RIGHT TO KNOW ======================================================================= HEARING before the COMMITTEE ON THE JUDICIARY UNITED STATES SENATE ONE HUNDRED TWELFTH CONGRESS SECOND SESSION __________ MARCH 13, 2012 __________ Serial No. J-112-63 __________ Printed for the use of the Committee on the Judiciary U.S. GOVERNMENT PRINTING OFFICE 76-357 WASHINGTON : 2012 ----------------------------------------------------------------------- For sale by the Superintendent of Documents, U.S. Government Printing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202�09512�091800, or 866�09512�091800 (toll-free). E-mail, [email protected]. COMMITTEE ON THE JUDICIARY PATRICK J. LEAHY, Vermont, Chairman HERB KOHL, Wisconsin CHUCK GRASSLEY, Iowa DIANNE FEINSTEIN, California ORRIN G. HATCH, Utah CHUCK SCHUMER, New York JON KYL, Arizona DICK DURBIN, Illinois JEFF SESSIONS, Alabama SHELDON WHITEHOUSE, Rhode Island LINDSEY GRAHAM, South Carolina AMY KLOBUCHAR, Minnesota JOHN CORNYN, Texas AL FRANKEN, Minnesota MICHAEL S. LEE, Utah CHRISTOPHER A. COONS, Delaware TOM COBURN, Oklahoma RICHARD BLUMENTHAL, Connecticut Bruce A. Cohen, Chief Counsel and Staff Director Kolan Davis, Republican Chief Counsel and Staff Director C O N T E N T S ---------- STATEMENTS OF COMMITTEE MEMBERS Page Grassley, Hon. Chuck, a U.S. Senator from the State of Iowa...... 2 prepared statement........................................... 98 Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont. 1 prepared statement........................................... 102 WITNESSES Bunting, Kenneth F., Executive Director, National Freedom of Information Coalition, Columbia, Missouri...................... 17 Ensminger, J.M. (Jerry), Retired marine Master Sergeant, Camp Lejeune Marine Base, Elizabethtown, North Carolina............. 15 Nisbet, Miriam, Director, Office of Government Information Services, National Archives and Records Administration, Washington, DC................................................. 5 Pustay, Melanie Ann, Director, Office of Information Policy, U.S. Department of Justice, Washington, DC.......................... 7 Rosenzweig, Paul, Red Branch Consulting, PLLC, Professorial Lecturer in Law, George Washington University, and Visiting Fellow, The Heritage Foundation, Washington, DC................ 19 QUESTIONS AND ANSWERS Responses of Miriam Nisbet to questions submitted by Senators Grassley and Klobuchar......................................... 26 Responses of Paul Roaenzweig to questions submitted by Senators Grassley, Sheldon, Whitehouse and Klobuchar.................... 29 Responses of Melanie Pustay to questions submitted by Senators Leahy, Cornyn, Grassley and Klobuchar.......................... 33 SUBMISSIONS FOR THE RECORD Bunting, Kenneth F., Executive Director, National Freedom of Information Coalition, Columbia, Missouri, statement........... 60 Epic.org, Electronic Privacy Information Center, Washington, DC, statement...................................................... 66 Ensminger, J.M. (Jerry), Retired Marine Master Sergeant, Camp Lejeune Marine Base, Elizabethtown, North Carolina, statement.. 77 New York Times, March 10, 2012, article.......................... 104 Nisbet, Miriam, Director, Office of Government Information Services, National Archives and Records Administration, Washington, DC: statement.................................................... 107 April 13, 2012, letter....................................... 112 April 24, 2012, letter and attachment........................ 114 Pustay, Melanie Ann, Director, Office of Information Policy, U.S. Department of Justice, Washington, DC, statement............... 119 Rosenzweig, Paul, Red Branch Consulting, PLLC, Professorial Lecturer in Law, George Washington University, and Visiting Fellow, The Heritage Foundation, Washington, DC, statement..... 134 Sunshine in Government Initiative, Rick Blum Coordinator; National Freedom of Information Coalition, Kenneth Bunting, Executive Director; Project on Government Oversight (POGO), Angela Canterbury, Director of Public Policy; American Society of News Editors, Kevin Goldberg, Counsel; OpenTheGovernment.org, Patrice McDermott, Executive Director; and Citizens for Responsibility and Ethics in Washington, Anne Weismann, Chief Counsel, February 16, 2012, letter............. 146 THE FREEDOM OF INFORMATION ACT: SAFEGUARDING CRITICAL INFRASTRUCTURE INFORMATION AND THE PUBLIC'S RIGHT TO KNOW ---------- TUESDAY, MARCH 13, 2012 U.S. Senate, Committee on the Judiciary, Washington, D.C. The Committee met, pursuant to notice, at 10:55 a.m., in room SD-226, Dirksen Senate Office Building, Hon. Patrick J. Leahy, Chairman of the Committee, presiding. Present: Senators Leahy, Whitehouse, Grassley, and Cornyn. OPENING STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM THE STATE OF VERMONT Chairman Leahy. I apologize for the late start. We had the beginning of debate on judicial nominations on the floor, the Majority and Minority Leaders and myself. I may be No. 2 in seniority for the Senate, but when I have the Majority and Minority Leaders who are there engaging in the colloquy, you tend to stay around and finish it. So I do apologize. We are holding an important hearing on one of our most cherished open-government laws, the Freedom of Information Act. Incidentally, I spoke to the Judicial Conference this morning at the Supreme Court and made a pitch again to open up our courts to cameras and full, instantaneous coverage. When I finished saying that, we had the chief judges of all the circuit courts there and the Chief Justice, and I said I was going to pause for the thundering applause. But, instead, I paused for the thundering silence. In the decade since September 11th, we have had to wrestle with how best to maintain the careful balance between what is legitimate Government secrecy and the public's right to know even as new national security threats emerge. Does government secrecy have its place? Of course. We were not about to announce, for example, to the press a week before the raid on Osama bin Laden. But I worry that since September 11th there has been overuse of the secrecy stamp. It is too easy to say, well, this is secret. And it may be secret because, boy, did we screw up. And when that happens, excessive government secrecy can come at an unacceptable price: harm to the American public's interests in safety, healthy living, a clean environment, and so on. Sunshine Week is a timely reminder that as the Congress considers how best to safeguard critical infrastructure information in cyberspace, we have to safeguard the American public's right to know about threats to their health and safety. Last year, the Supreme Court held in Milner v. Navy that the Government could not rely upon Exemption 2 under FOIA to withhold explosives maps from the public. That was an important victory. But now in its wake, Congress is considering several new legislative exemptions to FOIA. We should do that pretty carefully. In January, President Obama signed into law a carefully balanced, narrow exemption to FOIA for Department of Defense critical infrastructure information, and I helped craft that. It requires Government officials to affirmatively determine that withholding critical infrastructure information from the public outweighs other interests, such as ensuring that we have information that may concern our health and safety. Truly sensitive things can be withheld, but not as a knee-jerk reaction. So I intend to continue to work with other members on both sides of the aisle as we try to fulfill this goal. I am going to put my full statement in the record, but I commend the Obama administration for taking a number of important steps to improve transparency, such as the `ethics.gov' portal. Senator Cornyn and I, and before him, other Republican Senators, have done a lot of the legislation on FOIA. It should not be a partisan issue because I do not care whether you have a Democratic or Republican administration, there is always going to be some who are going to want to say, ``Why do we have to release this information? '' Well, my response would be, ``Because you represent all Americans, and we have a right to it.'' [The prepared statement of Chairman Leahy appears as a submission for the record.] Chairman Leahy. Senator Grassley. STATEMENT OF HON. CHUCK GRASSLEY, A U.S. SENATOR FROM THE STATE OF IOWA Senator Grassley. Mr. President--or, Mr. Chairman, before-- -- [Laughter.] Senator Grassley. That was a slip. I was not trying to be-- -- Chairman Leahy. I must admit that I am one of the very few Senators who has never had the desire to be President. Go ahead. Senator Grassley. Before I read, I agree with what you have said except one little part, and I think I will preface my remarks with this: You know, I do not care whether we have a Republican or Democrat President, it is very, very difficult not only under FOIA but under our constitutional responsibility of oversight to get information. It is just a culture in the executive branch that is difficult to overcome. And the only reason I would separate out President Obama a little bit different from others is, as you said, he has put in place some statements and policies that are for more transparency and more openness. But I find it difficult, if I measure what he said he wanted to do, with what has actually materialized as either he did not mean it or--and I think he did mean it--and, No. 2, the people below him are not carrying out his policies. So I thank you for holding this hearing. Open government and transparency are essential for our democratic form of government. And I think James Madison had something very good to say about this: ``a people who mean to be their own Governors must arm themselves with the power which knowledge gives.'' And, of course, that knowledge comes from knowing what is going on in our Government, among other things. The Freedom of Information Act codifies this fundamental principle which our Founders found so valuable. So it is important to talk about the Act and the need for American citizens to be able to obtain information about how their Government is operating. Although it is Sunshine Week, I am sorry to report that, contrary to the President's proclamations when he took office, after 3 years I do not believe the sun is shining commensurate with his statements that he wanted to be the most transparent of any administration in history. Based upon my experience in trying to pry information from the executive branch, I am disappointed to report that agencies under the control of President Obama's political appointees have been more aggressive than ever in withholding information from the public and Congress. There is a complete disconnect between the President's grand pronouncements about transparency and the actions of his political appointees. On his first full day in office, the President issued a memorandum on FOIA. In it, he wrote that Executive agencies should ``adopt a presumption in favor of disclosure, in order to renew their commitment to the principles embodied in FOIA, and to usher in a new era of open government.'' All you can say to that is, ``Amen.'' But, unfortunately, it appears that in the eyes of the President's political appointees--and maybe for this the President has a big, big job, maybe he cannot keep track of what everybody does or the trends in his administration--but his proclamations about open government and transparency are being ignored. Indeed, FOIA requesters appear to have reached the same conclusion. I will give you an example. When recently asked about President Obama and FOIA, Katherine Meyer, an attorney who has been filing FOIA cases since 1978, said, that the Obama administration ``is the worst on FOIA issues. The worst. There is just no question about it. This administration is raising one barrier after another. It has gotten to the point where I am stunned. I am really stunned.'' The problem is more than just a matter of backlogs with answering FOIA requests. Based on investigative reports, we have learned of inappropriate actions by the President's political appointees. In March of last year, 2 weeks after this Committee held a hearing on FOIA, the House Committee on Oversight and Government Reform released a 153-page report on its investigation of the political vetting of FOIA requests by the Department of Homeland Security. The Committee reviewed thousands of pages of internal e-mails and memoranda and conducted six transcribed interviews. The Committee, under Chairman Issa, learned that political staff under the Secretary of Homeland Security corrupted the agency's FOIA compliance procedures, exerted pressure on FOIA compliance officers, and undermined the Federal Government's accountability to the American people. The report's findings are disturbing, and I will just summarize four of them. First, the report finds that by the end of September 2009, copies of all significant FOIA requests had to be forwarded to Secretary Napolitano's political staff for review. The career staff in the FOIA office were not permitted to release responses to these requests without approval from political staff. Second, career FOIA professionals were burdened by the intrusive political staff and blamed for delays, mistakes, and inefficiencies for which the Secretary's political staff was responsible. The Chief Privacy Officer, herself a political appointee, did not adequately support and defend career staff. To the contrary, in one of her e-mails, she referred to her career staff as ``idiots.'' Third, political appointees displayed hostility toward career staff. In one e-mail, political staff referred to a senior career FOIA employee as a ``lunatic'' and wrote of attending a FOIA training session organized by the career staffer for the ``comic relief.'' Moreover, three of the four career staff interviewed by the Committee have been transferred, demoted, or relieved of certain responsibilities. Last, the report finds that the Secretary's office and the General Counsel's office can still withhold and delay significant responses. Although the FOIA office no longer needs an affirmative statement of approval, the Secretary's political staff retains the ability to halt the release of FOIA responses. The conduct of the political appointees at Homeland Security involved the politically motivated withholding of information about the very conduct of our Government from our citizens. In particular, it was the withholding of information about the administration's controversial policies and about its mistakes. That was a direct violation of the President's orders. I am disappointed that there was not more coverage of Chairman Issa's report and the inappropriate conduct by political appointees at Homeland Security. I am also disappointed that the Justice Department has not conducted an investigation of this scandal. I have to say that I am a bit surprised that some open- government and privacy groups appear to be accepting the dramatic regulatory power that Homeland Security and Secretary Napolitano will have under the Lieberman-Collins cybersecurity bill and under President Obama's proposal. Given the FOIA scandal at Homeland Security, I would have thought that they would have more reservations. I am also sorry to say that the Department of Homeland Security is not alone when it comes to questionable actions. Recently, the National Security Archive gave its annual Rosemary Award to the Department of Justice for the worst open- government performance in 2011. The charges the Archive makes against the Justice Department include: One, proposing regulations that would allow the Government to lie about the existence of records sought by FOIA requesters, and that would further limit requesters' ability to obtain information; Two, using recycled legal arguments for greater secrecy, including questionable arguments before the Supreme Court in 2011 in direct contradiction to President Obama's presumption of openness; And, three, backsliding on the key indicator of the most discretionary FOIA exemption, Exemption 5 for deliberative process. In 2011, the Justice Department cited Exemption 5 to withhold information 1,500 times, and that is up from 1,231 times in 2010. According to the Archive, the Justice Department edged out a crowded field of contending agencies that seem to be in ``practical rebellion'' against President Obama's open- government orders. So there is a disturbing contradiction between President Obama's grand pronouncements and the actions of his political appointees. The Obama administration does not understand that open government and transparency must be about more than just pleasant sounding words in memos. Ultimately, the President is responsible for the conduct of his political appointees, especially after 3 years in office. And both he and Attorney General Holder certainly know what is going on. Throughout my career I have been actively conducting oversight of the executive branch regardless of who controls the Congress or the White House. Open government is not a Republican or a Democrat issue. It has to be a bipartisan issue. It is about basic good government and accountability-- not party politics or ideology. I started out my remarks by quoting James Madison. Madison understood the danger posed by the type of conduct we see in a lot of administrations, but this one has not lived up to what they said that they intended to do. He explained that ``[a] popular government without popular information or the means of acquiring it, is but a prologue to a farce, or a tragedy, or perhaps both.'' So I am looking forward to hearing the testimony. I want to thank all the witnesses for coming in today, and taking time. I also want to thank Sergeant Ensminger for his service to our country. I am very sorry about the loss of his daughter. I am also cosponsoring the Caring for Camp Lejeune Veterans Act, and this was brought to my attention about 4 years ago. People in my constituency that I did not even know existed came to my town meetings and came to Iowa. They were very much injured by what happened at Camp Lejeune, and I thank them for bringing that to my attention. And they were not leading a very high quality of life. Thank you, Mr. Chairman. Chairman Leahy. Thank you. Our first witness is Melanie Pustay, who is the Director of the Office of Information Policy at the Department of Justice. I am sorry. Actually, our first witness is Miriam Nisbet, the Director of the Office of Government Information Services at the National Archives. She served as the Director of the Information Society Division for UNESCO in Paris. She earned her bachelor's degree and law degree from the University of North Carolina. I appreciate having you here. I apologize for my voice. It worked fine in Vermont yesterday. I got off the airplane yesterday and found that we have a few more pollens in the air than snow-covered Vermont. Go ahead, Dr. Nisbet. STATEMENT OF MIRIAM NISBET, DIRECTOR, OFFICE OF GOVERNMENT INFORMATION SERVICES, NATIONAL ARCHIVES AND RECORDS ADMINISTRATION, WASHINGTON, DC Ms. Nisbet. Thank you, Mr. Chairman, Senator Grassley. Thank you for having me this morning. And, yes, I can feel that pollen a little bit, too, so bear with me, please. As both of you have mentioned this morning, the Freedom of Information Act is a cornerstone of our democracy, and we at the National Archives are proud to display the original Freedom of Information Act in the Rotunda of the Archives this week during Sunshine Week. For the first time, it is being displayed, and we would like to invite you to come and visit us. An important part of the Freedom of Information Act is protecting sensitive information even as the Government strives to give the public the greatest access to records under the law. I am here to provide you with a sense of what we are hearing from requesters and agencies about safeguarding critical infrastructure information and other records previously protected under Exemption 2 of the FOIA. In our work at the Office of Government Information Services, or OGIS, as the FOIA ombudsman, we talk every day with agency FOIA professionals and FOIA requesters. In fact, we have worked with requesters and agencies on more than 1,500 specific matters since we opened in September 2009. When Congress created OGIS as part of FOIA, the statutory mandate for our office included working to improve the FOIA process. We do that as we fulfill our two-pronged mission: reviewing agency FOIA policies, procedures, and compliance, which allows us to see how agencies carry out the law; and working to resolve FOIA disputes between agencies and requesters, which shows us where there are trouble spots. We regularly meet with and hear from requesters and agency professionals to discuss trends, problems, complaints, and improvements to FOIA's implementation. Chairman Leahy. Dr. Nisbet, we have all this and your whole statement is part of the record, but if you could direct us to which agencies are actually complying with FOIA as they should, which ones are not, and why. Ms. Nisbet. I would be happy to do that, and if I could, let me supplement the record with information about that. In fact, we are releasing a report on our activities for fiscal year 2011 this week, Mr. Chairman, and there will be a great deal of information about precisely what we have seen. Chairman Leahy. Which agency does the best job and which does the worst? Ms. Nisbet. I do feel like I am in the hot seat. I would say that there are a number of agencies that we have seen that are working very hard. We see that every day. The Department of the Interior, for example, is one that we have worked with. Not only has it been working on improving its FOIA process overall, but it has begun working with us to train its FOIA professionals in dispute resolution skills in order to help them do their job better and to carry out the FOIA in a very collaborative way that would avoid litigation. So I think that is really a good example. Chairman Leahy. Which ones are the worst? You are the expert. Ms. Nisbet. I think there are a number of agencies that are still working very hard with overcoming their backlog problems, and that is in some part due to resources. That is a perennial problem, as you know. And I really would prefer not to get too much into detail about the ones that are not doing a good job. Senator Grassley. Just remember, you are not elected. We are elected. We can get in trouble for answering that question. You cannot get in trouble. [Laughter.] Ms. Nisbet. I do not know about that, Senator Grassley. Chairman Leahy. Thank you. [The prepared statement of Ms. Nisbet appears as a submission for the record.] Chairman Leahy. Ms. Pustay is Director of the Office of Information Policy, OIP, at the Department of Justice. Before becoming the office's Director, she served for 8 years as Deputy Director. She earned her law degree from American University's Washington College of Law where she served on law review, and disregard her B.A. from George Mason. Again, I apologize for the voice. Please go ahead. STATEMENT OF MELANIE ANN PUSTAY, DIRECTOR, OFFICE OF INFORMATION POLICY, U.S. DEPARTMENT OF JUSTICE, WASHINGTON, DC Ms. Pustay. No problem. Thank you. Good afternoon, Chairman Leahy and Ranking Member Grassley and members of the Committee. I am pleased to be here during Sunshine Week to address the effect of the Supreme Court's decision in Milner v. Department of the Navy and also to discuss the Department of Justice's continuing efforts to ensure that President Obama's Memorandum on the FOIA, as well as Attorney General Holder's FOIA Guidelines, are fully implemented. As you know, the Attorney General issued his new FOIA Guidelines during Sunshine Week 3 years ago, and based on our review of the Chief FOIA Officer reports and agency annual FOIA reports, it is clear to us that agencies are continuing to make significant, tangible progress in implementing the guidelines. In fiscal year 2011, despite being faced with a noticeable increase in the number of incoming requests, agencies overall were able to process over 30,000 more requests than last fiscal year. And, most significantly, when agencies processed those requests, they increased the amount of material they provided. The Government released records in response to 93 percent of requests where records were located and processed for disclosure. This marks the third straight year we have had such a significantly high release rate. Agencies are also continuing to meet the demand for information by proactively posting information of interest to the public on their websites. Many agencies have taken steps to make the information on their websites more useful to the public by redesigning the websites, adding enhanced search capabilities, utilizing online portals and dashboards. I am also pleased to report in particular on the successes achieved by the Department of Justice. This past fiscal year, the Department increased the number of responses to requests where records were released, and for the second straight year, we maintained a record high release rate of 94 percent for all requests involving responsive records that were processed for disclosure. And perhaps even more significantly, of those requests we released records in full 79 percent, which means that the requester got everything they asked for with no excisions. Despite 3 straight years of receiving over 60,000 requests, the Department reduced its backlog of pending requests by 26 percent. We also improved the average processing time for simple and complex requests. Now, my office also carries out the Department's statutory responsibility to encourage compliance with the FOIA. And, of course, this guidance was particularly needed in the wake of the dramatic narrowing of Exemption 2 that occurred when the Supreme Court issued its opinion in Milner. As you know, in Milner, the Supreme Court overturned 30 years of established FOIA precedent by restricting the scope of Exemption 2 to matters that relate solely to personnel rules and practices. Prior to Milner, agencies had long followed the interpretation of Exemption 2 provided by the D.C. Circuit, which applied a two-part test that was announced in the Crooker case. Under Crooker, information first had to qualify as ``predominantly internal'' and, second, it had to be either of no public interest, which was referred to as ``Low 2,'' or be more substantial in nature where disclosure would risk circumvention of the law, and that was referred to as ``High 2.'' We had a substantial body of case law developed over the years concerning High 2, with courts upholding protection for many different types of sensitive information when disclosure would risk circumvention of the law. But as a result of the Supreme Court's rejection of High 2 as inconsistent with the plain language of the exemption, there is a wide range of sensitive material whose disclosure could cause harm and which had previously been protected and which is now at risk. The Supreme Court was sympathetic in its decision to the policy concerns raised by the Government regarding the need to protect information when its disclosure risked harm. And the Court even acknowledged that it might be necessary for the Government to seek relief from Congress. Now, in the months since the Milner decision, some agencies have sought statutory relief under the FOIA for discrete categories of information. However, this piecemeal approach does not sufficiently ensure protection for all agencies and for all categories of information that were long protected under High 2. And we believe that the preferred course of action would be to amend Exemption 2 so that its plain language addresses the need to protect against disclosure where that disclosure would risk circumvention of the law. Open-government groups, reporters, and other interested members of the FOIA requester community are understandably interested in this issue as well, and the precise contours of a legislative amendment to Exemption 2 will need to take into account both the interests of the agencies in making sure that there is no circumvention of the law and the interests of the requesters and open-government groups in ensuring that exemptions are precisely crafted so as not to unnecessarily sweep too broadly. In closing, the Department of Justice looks forward to working together with the Committee on all matters pertaining to the governmentwide administration of the FOIA, including efforts to address the effect of the Milner decision. [The prepared statement of Ms. Pustay appears as a submission for the record.] Chairman Leahy. Well, thank you. You have mentioned the Milner case; what guidance is DOJ giving to agencies about how they should respond, and how they should treat FOIA requests seeking critical infrastructure information? Ms. Pustay. In the wake of the Supreme Court's decision, we issued extensive guidance to agencies to help walk them through the changed landscape that occurred as a result of the Supreme Court's decision. First of all, of course, we had to explain what Exemption 2--what was left of the exemption--covered and what would fit within it. But pragmatically, because High 2 is now no longer a part of the protection afforded by Exemption 2, agencies really have two alternatives: to try to see if other exemptions will safeguard the information, and that is certainly an option that was discussed and contemplated in the Milner case itself, the information that---- Chairman Leahy. Of course, in the National Defense Act, we tried to put in a very, very narrow exemption. Ms. Pustay. Exactly. And the other alternative, if existing exemptions do not cover the information--let me actually first say, as part of our guidance, we instructed agencies to first consider whether or not the information needed to be protected. We made a point of highlighting the Attorney General's FOIA guidelines and the presumption of openness, and we always make sure that we use that as our starting point before we even get to the point of protecting. But assuming there is risk of circumvention, if existing FOIA exemptions---- Chairman Leahy. It was too easily used before. Ms. Pustay. Right now the alternatives would be using other FOIA exemptions or seeking relief through specific statutory provisions that are covered under Exemption 3. Chairman Leahy. Dr. Nisbet, how do you see agencies handling these requests for critical infrastructure information? Are they following the Milner decision? Ms. Nisbet. Well, of course, they are following the Milner decision, and they are using language that the Supreme Court used to suggest to them that they do look for other exemptions. And in some cases, that certainly does work. But it does not work in all cases. For example, Exemption 7, which applies to records or information compiled for law enforcement information, certainly could apply to certain sensitive information, particularly as it relates to security measures or preventing crime. But Exemption 7 is not available to all agencies. Similarly, Exemption 1 would not be a good choice. Certainly, some agencies do not have classification authority nor, as this Committee has recognized, is expanding the universe of classified information something that we want to see. Chairman Leahy. Also, back in 2007, Senator Cornyn and I authored the Open Government Act to strengthen FOIA, and in it we have the Office of Government Information Services regularly reporting to Congress on recommendations to improve FOIA compliance within the Government. We have not seen those reports. What is the current status of the reports that the law requires? Ms. Nisbet. Let me distinguish between reporting on our activity, which we have done and we have made public---- Chairman Leahy. I am talking about the report that is required to be made to Congress on recommendations to improve FOIA compliance within the Government. Ms. Nisbet. Yes, Mr. Chairman, as to recommendations which we have put through the process for review with OMB, we have-- -- Chairman Leahy. When did you put it through the process to be reviewed? Ms. Nisbet. Well, the first set of recommendations were given just a little over a year ago. Those did get held up. I am not sure that I can explain why. But I can tell you that we are working with OMB now to get that process going on. Chairman Leahy. Recommendations were made over a year ago, and we have not received them yet. The law requires us to receive them. When will we receive them? Ms. Nisbet. I hope you will receive something very shortly. However, I will tell you that we are working with OMB actively to see whether or not some of the suggestions that we had might be able to be addressed administratively without asking Congress to make any legislative changes. Chairman Leahy. Well---- Senator Grassley. Mr. Chairman, what I would like to know is: Is it her fault or OMB's fault that they are not---- Chairman Leahy. The law is pretty clear about us getting the reports. We have not gotten the reports. Who is at fault? Senator Grassley. We run into this. Just recently, with an agricultural rule, they studied it for 2 years, and it was sitting in OMB. Finally, after we wrote a letter, OMB released it. Chairman Leahy. So my question is: Who is not following the law? Ms. Nisbet. Well, one question I might ask you, Mr. Chairman, is the law does not state how often these recommendations need to be made. Chairman Leahy. I think if the recommendations were made a year ago, even if mail has been kind of slow--I mean, I am happy to drive down there and pick it up if that would speed things up. [Laughter.] Chairman Leahy. You know, I would be happy to, if they would let me in the building. Ms. Nisbet. Thank you, Mr. Chairman. Chairman Leahy. When will we get it? Ms. Nisbet. I will have something to you--how about within a month we will have something? I will work actively with OMB to make that happen. Chairman Leahy. Tell them at OMB that this is not a partisan thing. Both Senator Grassley and I would kind of like to hear from them. I know they are very busy, but---- Senator Grassley. Would it help you if we would write a letter to OMB and tell them to get off the pot? Ms. Nisbet. I think your statements here today will really say what you mean. Chairman Leahy. You know, I just would like to have people be happy to respond to us rather than having to subpoena things. Ms. Nisbet. Thank you. Chairman Leahy. We do have that alternative. OK. Earlier this year, the National Archives and Records Administration, the Environmental Protection Agency, and the Department of Commerce announced the creation of a multi-agency FOIA portal that automates FOIA processing, stores FOIA requests, and responds in electronic format. If it works as it should, it would make it easier for FOIA requesters. Does the Department of Justice support this kind of a FOIA portal concept? Ms. Pustay. Yes, we absolutely do. The EPA is launching a pilot to build on those capabilities. What I think is important and what you will be happy to hear is that we have over 100 different offices across the Government that already have online request capability. We do think it is an important improvement to FOIA. And just this week, my office--actually, the Attorney General announced this yesterday at our Sunshine Week event--that we have an online portal for the senior management offices of the Justice Department. So requesters can go online at the website in my office, set up a personal account, make their request online, be able to track the status of their request online any time day or night, and to get their responsive documents back through the portal. Chairman Leahy. Of course, that is an easier way. I have a 6-year-old grandson who showed me how he goes online, although I am telling him not to go on Google because they now have a new plan to spy on Americans. That is just a personal concept. Senator Grassley. Senator Grassley. Thank you, Mr. Chairman. And if I can help you in any way, make sure that you call on me on that request. Ms. Pustay. We still accept requests the old-fashioned way as well, Senator Leahy. Senator Grassley. My first question is going to be asked for Senator Cornyn because he was here for a while but had to go to a meeting at 11. It is to Ms. Pustay. A March 9th article in Atlanticwire.com raises questions about the way the Justice Department is actually calculating reporting ``backlogs'' and ``pending requests.'' How do you explain the almost 50-percent discrepancy between claimed backlogs, 3,816, and the pending requests, 6,897? Now, Senator Cornyn says, ``I can understand not counting a few pending requests at the end of the year as backlog, especially if the statutory deadlines have not run. But I cannot imagine that you received 3,000 new requests at the end of fiscal year 2011 that fit that criteria. Could you explain the standards and definitions that are applied? And then, more importantly, isn't it appropriate to treat all requests alike for backlog purposes once the agency's response is overdue? '' Ms. Pustay. I am happy to address that question. There is a difference between pending and backlogged. Pending just means a request is open at the moment that the fiscal year closes on September 30th. Backlogged means it has been pending beyond the statutory time period. The FOIA itself actually requires agencies to report the number of requests that are pending. The Department of Justice added the requirement that agencies report the number of requests that are backlogged because we think it is a more accurate measurement to know not just how many requests came in literally on September 30th, but how many of those requests were backlogged. So that is why we track both statistics, backlog and pending. But we get at the Department of Justice 5,000 requests every single month, so having numbers of 3,000 and 5,000 as our pending and backlog is totally logical. We get 5,000 requests every single month. Senator Grassley. I would ask you for myself, Ms. Pustay, the National Security Archives recently gave the Rosemary Award to Justice for the worst open-government performance last year. As part of the award, the Archive stated that you presided over the development of a series of proposed regulations that would have changed the FOIA process in more than a dozen regressive ways. A two-part question, and I will ask both of them. First, what is your response to the Archive's citing of the Justice Department as having this performance record? And, second, what is your response to the Archive's statement about the proposed FOIA regressive regulations? Ms. Pustay. I will take it in reverse order. The regulation comment is very straightforward. Our regulations were--the changes that we made were simply designed to streamline, simplify, and update the regulations. The comments that we received showed that people misinterpreted what we were trying to do, misconstrued some of the provisions, and also did not necessarily understand the fee guidelines that govern the fee categories that are put out by--that are governed by OMB's fee guidelines. So all of those issues regarding the regulations, we are happy to have the comments because we can now explain, walk requesters through, walk the public through, what we were intending to do with our regulations. So the comment period itself I think will clear that up very easily. As to my overall reaction, of course, I am happy to be able to stand by our record at the Department of Justice. I am very proud of our record. We passed out before the hearing a list of our accomplishments to all the members, and I think it is a really stellar example of the work that has been done by the Justice Department. We have reduced our backlogs. We released-- 79 percent of requests got a full release of information. Our release rate for 2 years in a row is 94.5 percent, which means that requesters who come to the Department of Justice and ask for information are getting information 94.5 percent of the time. We have also done a lot of work with proactive disclosures, making more information available on our website. We have worked with agencies to try to help spread the word of transparency, to help further implement the Attorney General's guidelines. We have built FOIA.gov, a brand-new website that breathes life into all the dry FOIA statistics and lets them be interactable and much more accessible to the public. So I can go on and on. I feel like we have a really strong record, and I stand by it. Senator Grassley. After Senator Whitehouse gets done, I would like to ask for another 5 minutes, if I could. Chairman Leahy. Yes, but the vote is coming up. We are going to have to keep it short because otherwise, we are not going to get the other panel in. Dr. Nisbet, I should note that my concern--and I hope you realize both my concern and Senator Grassley's are directed at OMB, not at you. We are trying to give you a little [clicking sound, swings hand]. [Laughter.] Chairman Leahy. It is going to be great to see how that is reported in the record. [Laughter.] Chairman Leahy. Senator Whitehouse. Senator Whitehouse. T-L-O-C-K, perhaps? Who knows? I am interested in the manner in which the FOIA requests can be aggregated across the system and the FOIA data can be centralized across the system. For a long time, FOIA requests have been agency by agency, and for a long time, FOIA answers are sent out and then they kind of disappear, and if somebody asks the same question later, particularly if it is to another agency, it goes back and it gets re-created. I think it is important that there be a central FOIA request, you know, portal that people can go to. I think it is important that there be a central FOIA data base so that once something has been disclosed under FOIA, you can go and find it again and it is searchable and it is a resource. You have got the FOIA module coming along. It is kind of a pilot in that direction. Could you let me know a little bit the status of that and what you expect--give me a couple of benchmarks that you are looking for in the near future to show the success of that and the commitment to that. Ms. Pustay. What I can tell you first on FOIA.gov--and then you could talk about the portal. Ms. Nisbet. Yes. Ms. Pustay. FOIA.gov, which is our governmentwide website, which is designed to be a one-stop shop for FOIA, we added several things just this past year to help meet the concerns or the interests that you are expressing. For one thing, we have a find function, a search function that we put on FOIA.gov, the website, which allows an interested member of the public to enter a search term. If they are interested in Al Capone or the BP oil spill, they can put that search term into FOIA.gov. It launches a search across all agency websites. So everything that an agency has posted to date, not just their responses to FOIA requests but everything they have posted, would be captured by this search. That is particularly important because we are encouraging agencies to make proactive disclosures of information, to put things on their website separate and apart from FOIA requests. And we want the public to have access to all that information. So the find button is what is designed to help you locate information and maybe not even have to make a FOIA request. In terms of the online capability to make requests, as I said, we have got over 100 offices that have that capability so far. Many others are working on developing them. What we did, again on FOIA.gov to facilitate access to those portals was we now have hyperlinks to all those portals so that when you are on FOIA.gov and you decide you want to make a request to the National--well, let us pick an agency that has it, our office, or Treasury has an online request portal, or NASA, you can go right from FOIA.gov and get right in, onto their online request form. So we have taken steps right now to make that happen, and then we are going to continue to add those functionalities to FOIA.gov as we go forward. Senator Whitehouse. And how is the module coming, Dr. Nisbet? Ms. Nisbet. The FOIA module is a project that is being run jointly by--under the lead of the Environmental Protection Agency, but with the Department of Commerce and with the National Archives as partners. It is being built right now with input from FOIA professionals throughout the Government and from requesters and is due to launch October 1st. And it will be indeed a one-stop shop. In the beginning, of course, we do not have all agencies participating, but it is going to be something Version 1 can easily be moved into Version 2 as other agencies want to join, and it would be both a place where a requester can come to one place, make a request to one agency or many agencies or all agencies, and that will at the end also provide access to any records that have been disclosed under FOIA. So we think it has a lot of promise and cost savings for the Government as well as a collaborative effort and good for requesters as well. Senator Whitehouse. Good. Well, we look forward to October 1st, and I thank the Chairman and the Ranking Member who have both over many years shown intense interest in making sure that the American people have access to these public records, and today's hearing is another example of their commitment. Chairman Leahy. Thank you very much. Senator Grassley. One question? Chairman Leahy. You have one question? Go ahead. Senator Grassley. Ms. Pustay, I want to refer to the Milner case. It was released more than a year ago. Some believe that the impact of the decision will be to endanger public safety. The Justice Department has not approached me or my staff about legislation to address the impact of the decision, so maybe you could tell me why the Justice Department has not submitted a legislative proposal. If, in fact, there is a threat to public safety, as people indicate, isn't it irresponsible to ignore the problem? Ms. Pustay. We are actively working and look forward to continuing to work to with this Committee on the issue. As I said, the impact of Milner is quite significant. The Supreme Court really dramatically limited the scope of protection that had previously been afforded. And since the time of the decision, we have certainly had legislative assistance from you all in terms of protecting discrete categories of information. As I said in my testimony, though, I think the next step is to go beyond a piecemeal approach and to work on a more comprehensive approach to the problem. Senator Grassley. I will have written questions for the record. Chairman Leahy. Thank you. We will have further questions. I thank you both for being here. [The questions appears under questions and answers.] Chairman Leahy. Good morning. The first witness will be Jerry Ensminger. He is the public face of what may be one of the worst drinking water contamination cases in U.S. history. This retired Marine gunnery sergeant lost his 9-year-old daughter, Janey, to leukemia in 1985, taken by what Gunnery Sergeant Ensminger and many others believe was tainted water at Camp Lejeune, the base where she was conceived. I might say parenthetically, my son, Lance Corporal Mark Patrick Leahy, also went through Camp Lejeune, and it raises even more the personal stakes. Then I read the terrible things that you went through. Mr. Ensminger retired from the military 13 years ago. He has traveled the country raising public awareness about this issue. I say retired Marine. There are no ex-Marines, as you know. Gunnery Sergeant, I am glad you are here, so please go ahead, sir. STATEMENT OF J.M. (JERRY) ENSMINGER, RETIRED MARINE MASTER SERGEANT, CAMP LEJEUNE MARINE BASE, ELIZABETHTOWN, NC Sergeant Ensminger. Thank you, Mr. Chairman. Just to set the record straight, somebody demoted me. I am a retired master sergeant. [Laughter.] Chairman Leahy. I apologize for that. Please do not tell that former lance corporal, or I would be in really deep trouble. I had heard it both ways, and I do apologize. Either way, I am darn glad you are here. Sergeant Ensminger. Yes, sir, thank you. Good morning. I would like to take the opportunity to thank the Chairman and Ranking Member for offering me this opportunity to appear here today. I am here to testify on why access to information through the Freedom of Information Act matters to me and others from Camp Lejeune and about the extreme secrecy we have encountered in trying to expose the truth. My name is Jerry Ensminger, and I served my country faithfully for 24 years in the United States Marine Corps. My daughter Janey, the only one of my four children to either be conceived, carried or born while living aboard Camp Lejeune, was diagnosed with leukemia in 1983 at the age of 6. Janey went through hell, and all of us who loved her went through hell with her. I watched my daughter die a little bit at a time for nearly 2\1/2\ years before she finally lost her fight. The leukemia won. Janey died on 24 September 1985. Shortly after Janey's diagnosis, I began to wonder why. Why was she stricken with this disease? I researched mine and her mother's family histories, and I could find no other child that had been diagnosed with leukemia or any other type of cancer. It was not until August 1997, 3 years after I had retired from the Marine Corps, that I heard of a report indicating that the drinking water at Camp Lejeune had been contaminated during the time that we had lived there with chemicals suspected of causing childhood cancers and birth defects. That was the beginning of my journey on a search for answers and the truth. Little did I realize how difficult it would be getting the truth out of an organization which supposedly prides itself on honor and integrity. None of what I am about to say is speculation. It is all facts which are borne out by the Department of the Navy and United States Marine Corps' own documents. Throughout the history of this situation and to this very day, representatives of the Department of the Navy and Marine Corps have knowingly provided investigating or studying agencies with incorrect data, they have omitted data, they have obfuscated facts and told many half-truths and total lies. The Department of the Navy and the Marine Corps' last attempt to block the truth and foil justice is being done by redefining key information being utilized by the Agency for Toxic Substances and Disease Registry in their study reports concerning the base's contaminated tap water as critical infrastructure information, or CII. They just recently slapped a label of ``For Official Use Only,'' or FOUO, on all documents relating to the contamination. Most of these documents and information they are labeling CII have been in the public domain for more than a decade and some for nearly 50 years. Mr. Chairman, the ATSDR estimates that as many as 1 million people were exposed to horrendous levels of carcinogenic chemicals through their drinking water at Camp Lejeune. These people need the uncensored truth concerning their exposures so they can be more vigilant about their and their family's health. The most recent attempt by the Department of the Navy and Marine Corps to suppress the public's knowledge regarding ATSDR's Camp Lejeune studies came on 5 January of this year in the form of a letter from the Marine Corps to ATSDR. Without any public interest balancing test having been executed, key information was redacted from a critical report which experts are now saying will greatly diminish its scientific value or credibility. This was labeled CII by the Department of the Navy and Marine Corps, but the legal justifications that they cited for requesting these redactions were dubious at best. They notably did not mention the new law now governing what ultimately can be withheld from the public under the Freedom of Information Act by DOD to protect CII. It has also been reported that the ATSDR, at the behest of the Marine Corps, is currently scrubbing their Camp Lejeune website of key data and information published in previously released reports. This is all being done without any consideration of the public's need, interest, or right to know. For many of the exposed Camp Lejeune population, this information could literally mean life or death. Mr. Chairman, the last thing we need is more secrecy disguised as a concern for security of critical infrastructure. Any exemption must be very narrowly defined as it is in the new CII FOIA exemption for DOD. There must be an enforced public interest balancing test to ensure that any security interests outweigh other public interests, like health and safety--and there must be adequate reporting and oversight on how the exemption is used. I want to thank Chairman Leahy and Representative Maloney for narrowing the blanket exemption to FOIA for critical infrastructure information that DOD was seeking in the NDAA for fiscal year 2012. Now all we need is oversight to ensure the law is implemented and followed. The hearing today is a good start. Thank you. [The prepared statement of Sergeant Ensminger appears as a submission for the record.] Chairman Leahy. Well, thank you, Sergeant. And let me tell you, I will carry my interest in this matter beyond this hearing. We Vermonters are sometimes known as being pretty tenacious, and I will be. And I will not demote you next time, I apologize. [Laughter.] Sergeant Ensminger. That is all right, sir. Chairman Leahy. Thank you very much. Our next witness is Kenneth Bunting, the first full-time executive director of the National Freedom of Information Coalition created in 2010. Before joining that, he spent parts of four decades as a journalist and newspaper industry leader, and ranking editor of the Seattle Post Intelligencer, which during that time won more national and regional awards for journalistic excellence than at any other time in its 146-year history, including the Pulitzer in 1999 and 2003. Congratulations. He has his B.S. from Texas Christian University. Mr. Bunting, we are delighted to have you here, and I am stepping out for a moment while you testify, and that is not from a lack of interest, I can assure you. Senator Grassley will be here. I have read your testimony, and I will be back. STATEMENT OF KENNETH F. BUNTING, EXECUTIVE DIRECTOR, NATIONAL FREEDOM OF INFORMATION COALITION, COLUMBIA, MISSOURI Mr. Bunting. I am Ken Bunting, executive director of the National Freedom of Information Coalition. We are a nonpartisan network of State and regional groups that work to promote open government and accountability. I am here today, early in the annual recognition of Sunshine Week, to ask that the principles of transparent, accountable government not become collateral damage as you wrestle with policy issues about critical infrastructure information and matters related to cybersecurity. We recognize that there are circumstances under which information and details about the Nation's critical infrastructure need to be shielded from public dissemination. We also recognize that one of the legitimate goals of the various cybersecurity bills before you is creating a private industry comfort level with important information sharing. But wherever exceptions to public access related to these matters reside in statute, we feel that they should include narrow definitions, a balancing test of the public interest in disclosure, and a sunset review process. I commend the Chairman for inserting narrowing language into the National Defense Authorization Act last December. Unfortunately, none of the cybersecurity measures before us now have similar provisions. Nine years ago, a retired electrician named Glen Milner tried to find out something about the potential dangers he and his neighbors faced living near naval installations in the Puget Sound region of Washington State. Mr. Milner wanted to know which parts of the coastal peninsulas and islands might see the greatest devastation in the event of an accidental explosion at the Navy's Indian Island facility. As you know, the Navy refused to provide that information, but the Supreme Court, in a ruling handed down last March, discredited the Navy's expansive interpretation of FOIA's Exemption 2. That case has now been remanded, and Mr. Milner and his lawyers are still doing battle in the legal arena for records he first requested in 2003 and over which he filed suit in 2006. Now, I saw inescapable parallels as I watched the excellent MSNBC documentary about Master Sergeant Ensminger and the effects of three decades of toxic contamination at the Camp Lejeune Marine base in North Carolina. As the documentary crew portrayed it, Master Sergeant Ensminger and those who worked with him eventually came to recognize the shameful coverup, although they had begun with the expectation that the Marine Corps would do the right thing of its own volition. The moral of this powerful story and so many others is that informed citizens with information to hold Government accountable provide the best incentive for things being done right. We certainly do not belittle the concerns the legislative proposals before you seek to address. But please be leery of a broad, ill-defined sweep in closing off information. We believe any new cybersecurity or critical infrastructure exemptions should contain, at a minimum, a tight definition of the information to be exempted; a sunset for the law and for the protection attached to the information; and a public interest balancing test that allows legitimately protected information to remain protected, but not information being withheld primarily to protect the Government from embarrassment. Under several proposals that have been put forth in the past 8 months, a 1995 ``Dateline NBC'' report that showed thousands of the Nation's dams close to collapse might not have been possible. Nor likely would a local TV report by University of Missouri students that showed only 33 of that State's 1,200 dams had the Emergency Action Plans required by law. And after- the-fact reporting by my old newspaper and others in Washington State--following a massive pipeline explosion that killed three innocent youths--would have been severely limited, reporting, by the way, that culminated, perhaps with a causal connection, in new pipeline safety legislation and a seven-count criminal indictment against two pipeline companies. Without balancing tests and sunset provisions, health and safety information imprudently hidden from public view might remain shrouded in secrecy forever. Just last week, nearing the 1-year anniversary of the Fukushima nuclear accident in Japan, the NRC released a heavily redacted report that used the ridiculously non-descriptive term ``Generic Issue'' to describe seismic and flooding hazards surrounding 35 domestic nuclear facilities. Given new criteria for withholding, their refusal to provide intelligible information will only get worse. Please do not accept that cybersecurity and appropriate protections for critical infrastructure information pose a Hobson's choice with the people's right to know. Senators, thank you for your invitation and for your attention. I look forward to your questions. [The prepared statement of Mr. Bunting appears as a submission for the record.] Senator Grassley. [Presiding.] Thank you, Mr. Bunting. For the Chairman, I will introduce Paul Rosenzweig, a visiting fellow at the Heritage Foundation's Center for Legal and Judicial Studies and Douglas and Sarah Allison Center for Foreign Policy Studies. Mr. Rosenzweig is also former Deputy Assistant Secretary for Policy at the Department of Homeland Security and Acting Assistant Secretary for International Affairs. He is a senior editor of the ``Journal of National Security Law & Policy'' and adjunct professor, Homeland Security at the National Defense University. He is a cum laude graduate of the University of Chicago Law School. He also has a M.S. in chemical oceanography from Scripps Institution of Oceanography, University of California at San Diego, and his B.A. is from Haverford College. Thank you, Paul, for coming. Proceed. STATEMENT OF PAUL ROSENZWEIG, RED BRANCH CONSULTING, PLLC, PROFESSORIAL LECTURER IN LAW, GEORGE WASHINGTON UNIVERSITY, AND VISITING FELLOW, THE HERITAGE FOUNDATION, WASHINGTON, DC Mr. Rosenzweig. Thank you very much, Senator Grassley. I was checking my records, and this is the sixth time in the last 10 years that I have been in front of this Committee. It is always a pleasure to return to testify here. Perhaps equally germane to my testimony today, I both teach cybersecurity law and policy at George Washington University and as a private consultant often speak of these issues with private sector clients who are vitally interested in pending cyber legislation. My testimony today is restricted to the cybersecurity issues in front of us. I have no general issue at all with the premise that FOIA is an important aspect of transparency and should be broadly construed to promote the transparency of Government activity. I think, however, that the cyber threat is demonstrably different and that the pending proposals to provide for FOIA exemptions in the context of enhanced information sharing are right on point and, in my judgment, actually essential. The cyber threat is real and likely quite enduring, and virtually everyone who has examined the issue in the private sector has concluded that the cheapest, most cost-effective way to get a running start at addressing that threat is through enhanced information sharing of cyber threat and vulnerability information, both between and amongst the private sector themselves and from the private sector to the Government, with the Government then being enabled to further share that information with others, both in Government and beyond. Information sharing about cyber threat and vulnerability information is a bit like vaccination in the public health context. When one community knows of a virus threat and learns of how to cure it, it is essential for that information to be widely communicated throughout our community and throughout the world. Cyber threat information is fundamentally a public good. In this context, it seems to me that the application of FOIA to cyber threat and vulnerability information voluntarily shared by the private sector with the Government turns FOIA on its head. The purpose behind FOIA, as demonstrated quite clearly both in the Milner case and in Sergeant Ensminger's case, is the transparency of Government functions. Thus, the main ground of a FOIA request is to seek information from the Government about Government and its operations. Here, in the cyber context, the FOIA exemption contemplated is in relation to a private sector information sharing that would not otherwise--sharing of information that would not otherwise come into the Government's possession in the first instance. If we are serious about the cyber threat and if we seek the voluntary sharing of information in order to foster the creation of a clear and manifest public good, then the voluntary agreement of private sector actors to provide that information will, in the first instance, be contingent upon the Government's agreement not to subject them to adverse consequences. Private sector actors, rightly, would see the absence of a FOIA exemption as a form of Government hypocrisy. We need the information, you will say, badly enough that we are asking you to provide it for the common good, but not so badly that we are willing to prevent that information from being shared with other private sector actors who, as your competitors or opponents in litigation, might wish you ill. In my judgment, in the absence of a FOIA exemption, you will not get the private sector information sharing that is deemed essential, and it is not really just my judgment. The information-sharing provisions with accompanying FOIA exemptions are part of the Lieberman-Collins bill that has been introduced in this body, the McCain bill that has been introduced in this body, the bipartisan Rogers-Ruppersberger bill on the other side of the Hill, the bipartisan Lungren bill on the other side of the Hill, and I think most significantly is an integral part of the Obama administration's own legislative submission that they made to you in May of this past year. Finally, I would close by saying that there is a real danger in subjecting cybersecurity threat and vulnerability information to the FOIA. Allowing public disclosure of such information would be identifying publicly which cyber threats are known risks, in effect drawing a road map of what threats are not known. That would have the substantive effect of drawing a target around the higher vulnerabilities, something that I think nobody would want to foster. Complete transparency, in my judgment in this instance, would defeat the very purpose of the disclosures that we are seeking voluntarily from the private sector and might even make us less secure. Thank you very much. [The prepared statement of Mr. Rosenzweig appears as a submission for the record.] Chairman Leahy. [Presiding.] Thank you very much. Let me start with Sergeant Ensminger. First off, I, like all of us, thank you for your service to the country, but also as a parent and as a grandparent, I offer you my sympathy for what you went through with Janey. I think what you tell us is that the transparency that we are supposed to have in FOIA is a promise to everybody in this country because it impacts the lives of Americans all across the Nation. The public interest balancing test that Congress recently enacted in the National Defense Authorization Act, will that help you and others learn more about the well water contamination at Camp Lejeune? Sergeant Ensminger. Yes, sir, but only if it is applied. In this instance, the National Defense Authorization Act was signed by the President at the end of December, and the United States Marine Corps sent a letter off on the 5th of January to another Government agency, which is part of the CDC, and that other Government agency did not question it. They just, for lack of a better term, rolled over into a fetal position and said, ``Kick me again,'' and redacted--did everything in their bidding. Chairman Leahy. It is important that you make that point because, as I said, I intend to continue to follow up on this. Whether it is Senator Grassley or myself, Senator Cornyn or anybody else, we can pass all the legislation in the world with the right intentions. If it is not followed, then you are hurt, but so is everybody else. Is that correct? Sergeant Ensminger. Yes, sir. And the information that they are trying to hold back from is the location of water supply wells, water towers, the water treatment plants aboard the base. I mean, for lack--I asked one of the Senate Committees-- not a Committee but staffs the other day, they held a meeting with the Office of the Secretary of Defense and some of the representatives from the Marine Corps and the Department of the Navy concerning these redactions, and I jokingly asked them, before they went into the meeting, to please ask them if they perfected their Klingon-type cloaking device to cloak these 100-and-some-foot tall towers. Chairman Leahy. You see them when you drive by on the road. Sergeant Ensminger. Yes, sir, and they are painted red and white checkered. I mean, what are they---- Chairman Leahy. It is not a new form of camouflage. Sergeant Ensminger. No, sir. And the water supply wells, many of them are out--not even within the gates of the base. They are along public highways, and the only physical security they have around them is a chain-link fence and a locked door to the pumphouse. Now, any terrorist that wanted access to those without physical security, they do not need to protect the information, the infrastructure information. They need more physical security, if they really, truly want to protect their people. Chairman Leahy. Well, when I am here in Washington, because of the house I have got in this area, I drive by a place with a big sign, ``CIA.'' Well, that is fine. Everybody knows where it is. But it is protected. Professor Bunting, you have experienced the FOIA process from the perspective of an academic, but also as a journalist. Do you have an idea how we could protect on the one hand the public's right to know while also protecting the Nation's cybersecurity? Mr. Rosenzweig talked about that before. Go ahead, sir. Mr. Bunting. Mr. Chairman, first of all, Professor Rosenzweig is the only cybersecurity expert at this panel. I do not pretend to be one. But with regard to FOIA, I think the worst thing would be a sweeping definition that was too broad, too loosely defined, where the words could be made to be whatever they wanted it to be, that gave too much unchecked power to the Government. The reason we also ask that there be a review process, a sunset review process, in any new exemptions is exactly what Master Sergeant Ensminger just told you. It was only a couple of months ago that you put language in the NDAA to try and write a narrow definition and also a public interest balancing test. But, you know, is it going to be enforced? Time will tell. Given any leeway, agencies will find a way to make it say what they want it to say, and so the key thing in protecting the public interest to know and not just tossing it out the window as you address these very real issues is to write a definition that is narrow enough, to make sure that the public interest is considered, and that you review it periodically going forward. Chairman Leahy. Thank you. A vote has started. I will yield first to Senator Grassley and then Senator Whitehouse. Senator Grassley. Has it started? The light is not on up there yet. Chairman Leahy. Somebody will check. Senator Grassley. I will hurry along here then so that Senator Whitehouse can ask questions. Chairman Leahy. It started. Senator Grassley. OK. Mr. Rosenzweig, I have a two-part question. First, when a business shares cyber threat information with the Government, what type of information are we talking about, a general description on your part? And, second, describe for us the type of damage that you believe would be done to the business sharing information and to our country if that cyber threat information was made public? Mr. Rosenzweig. Well, thank you for the question. I will be brief in the interest of time, though obviously the answer to your first question is quite complex. But you can, broadly speaking, divide cyber threat information that would be shared into two bundles. One piece would be the actual malicious code and information, the IP protocols and ports that are being used, the websites, something that is quite specific to the threat itself. I can see no reason why we would ever want that information to be subject to FOIA because we would never want to broadcast more widely than is already shared that kind of threat information. The other bundle of information is the data stream in which the threat resides, and that can be anything. It can be an e- mail attachment that is masquerading as an Excel spreadsheet. It can be the header information. It can be virtually any sort of content data. But that content data is really generally independent of the malicious code itself. It helps us identify the target that it is coming in Excel spreadsheets, but the content of that Excel spreadsheet, which could be a human resources spreadsheet or the company's salary data--it could be anything. In other words, malicious code can hide literally anywhere. So those are the two bundles. The damage in the disclosure to the business obviously comes in the content information on the second side, which is, if they think that that content information is going to be subject to onward disclosure through FOIA, they are not going to provide it because that is usually CBI, confidential business information, proprietary information of some form. So what they are looking for is some assurance that the information they provide, which cannot be disassociated from a malicious code, will, in fact, be protected. Senator Grassley. In regard to that first part, you said if you could have a longer explanation. Maybe you could submit something in writing that would be more thorough than what you had time to give. Mr. Rosenzweig. Sure. [The information appears as a submission for the record.] Senator Grassley. My second question, and probably the last one---- Senator Whitehouse. Senator Grassley, would you mind if I climbed onto that request so I get an answer as well? I am very interested in that same response. Senator Grassley. Of course, yes. So that will come from the two of us. Mr. Rosenzweig. My pleasure. Senator Grassley. A two-part question. First, do you believe that the actually cyber threat information shared by a private company with the Federal Government provides no insights into how the Government operates as a Government? And, second, why should an open-government group ever need to have a copy of actual malicious code or virus given to the Federal Government by a private company? Mr. Rosenzweig. As to the first of those, I can see no interest in an insight-into-government operation in having access to the underlying information from the private sector. I can see interest in learning how the Government treats what it does and whether or not we are responding well. But on the information itself, no. And as for the malicious code, I would say assuredly not. There is, in fact, a market--a black market, of course--in the sale of malicious code exploits because they are not generally widely known or used. When one is discovered, it is precious to the bad actor. It would be, to my mind, contrary to all sense of good public policy to make that more generally widely available so that it could be more readily exploited by a larger number of people. Senator Grassley. For you I have got two more questions, but I will yield back my time so Senator Whitehouse can ask questions and still get over to vote. Chairman Leahy. Senator Whitehouse. Senator Whitehouse. Thank you. I just wanted to follow up on Senator Grassley's line of questioning. The sort of information that would be provided from the private company in an information-sharing regime, would that ordinarily--if it had not been provided to the Government, would it ordinarily be amenable to any kind of FOIA access? Mr. Rosenzweig. Not to my knowledge. FOIA does not run to the private sector, so if the wastewater treatment facility in Providence, Rhode Island, is under some sort of threat--unless it is a publicly operated one. I do not actually know about Providence. But if it is a private sector one, it is not generally subject to FOIA, unless there is some State law that might apply that, again, I am not familiar with all 50 State laws, but generally no. Senator Whitehouse. So nothing that would otherwise be available to the public is taken from the public if information sharing is protected from FOIA. Mr. Rosenzweig. That would be my understanding. We use the same model of protecting that type of critical infrastructure information that would not otherwise be available because it is voluntarily shared. In the PCII, the Protected Critical Infrastructure Information, that is shared under the Homeland Security Act, under the Chemical Facilities Antiterrorism Standards, sensitive security information about aviation, we use that model for private sector voluntary information quite frequently, and in general, the rule is it would not otherwise be available so we are not taking away something. Senator Whitehouse. Master Sergeant Ensminger raises the very good point that bureaucracies have not been unknown to use a variety of techniques to try to dodge disclosure-- overclassification or unnecessary classification being one. Do you see a way in which legitimately available information could be shielded from public disclosure by some strategic use of the information-sharing regime? Somebody decides--I mean, I suppose the scenario would be an entity or organization that would otherwise have to make a disclosure of some kind, just sends the stuff in as information sharing even if it is not really legitimate to a cybersecurity complaint, and then says, Aha, you see, now I do not have to disclose it because I submitted it as the information sharing. Because of the nature of the beast, that strikes me as a phenomenon that we could probably guard against pretty successfully because it is not the natural purpose of the information-sharing effort. But what are your thoughts on that point of strategic abuse of the information sharing to quell public disclosure? Mr. Rosenzweig. Your point is well taken, that is, that one could imagine a systematic effort by somebody to hide their own private sector malfeasance. That is going to be very unlikely and rare in the cybersecurity realm. There is not a lot of incentive that I see for trying to maintain vulnerabilities. The natural incentive is going to be for people who are aware of their own vulnerabilities to fix them because they suffer-- the private sector suffers their own consequences for failing to fix that. It strikes me that at this juncture, given the imminence of the cyber threat as we understand it, the value judgment that you need to make is whether or not that small likelihood means that you want to develop an exemption that would otherwise probably retard a lot of the sharing that is the plus value, or if you can come up with--my main answer to you, I think there is probably a mechanism for some sort of substituted transparency, which is not the full transparency of FOIA to the press and the public in this context, but institutions like the President's Civil Liberties and Oversight Board that you have already created or IGs or---- Senator Whitehouse. Certainly you would want some form of ombudsman or IG to report on whether this was being abused in any way, wouldn't you? Mr. Rosenzweig. I would certainly see room for something like that as a constructive proposal. I have not really thought it through that much. Senator Whitehouse. All right. I am about to be late to vote, so I am going to disappear. Thank you, Chairman. Chairman Leahy. Thank you all very much. I will keep the record open for a couple days for follow-up questions. I did not mean to hurry you. You were asking perfect questions, and I apologize. Thank you all very much. Mr. Bunting. Thank you, Mr. Chairman. Mr. Rosenzweig. Thank you, Mr. Chairman. [Whereupon, at 12:19 p.m., the Committee was adjourned.] [Questions and answers and submissions for the record follow.] [GRAPHIC] [TIFF OMITTED] T6357.001 [GRAPHIC] [TIFF OMITTED] T6357.002 [GRAPHIC] [TIFF OMITTED] T6357.003 [GRAPHIC] [TIFF OMITTED] T6357.004 [GRAPHIC] [TIFF OMITTED] T6357.005 [GRAPHIC] [TIFF OMITTED] T6357.006 [GRAPHIC] [TIFF OMITTED] T6357.007 [GRAPHIC] [TIFF OMITTED] T6357.008 [GRAPHIC] [TIFF OMITTED] T6357.009 [GRAPHIC] [TIFF OMITTED] T6357.010 [GRAPHIC] [TIFF OMITTED] T6357.011 [GRAPHIC] [TIFF OMITTED] T6357.012 [GRAPHIC] [TIFF OMITTED] T6357.013 [GRAPHIC] [TIFF OMITTED] T6357.014 [GRAPHIC] [TIFF OMITTED] T6357.015 [GRAPHIC] [TIFF OMITTED] T6357.016 [GRAPHIC] [TIFF OMITTED] T6357.017 [GRAPHIC] [TIFF OMITTED] T6357.018 [GRAPHIC] [TIFF OMITTED] T6357.019 [GRAPHIC] [TIFF OMITTED] T6357.020 [GRAPHIC] [TIFF OMITTED] T6357.021 [GRAPHIC] [TIFF OMITTED] T6357.022 [GRAPHIC] [TIFF OMITTED] T6357.023 [GRAPHIC] [TIFF OMITTED] T6357.024 [GRAPHIC] [TIFF OMITTED] T6357.025 [GRAPHIC] [TIFF OMITTED] T6357.026 [GRAPHIC] [TIFF OMITTED] T6357.027 [GRAPHIC] [TIFF OMITTED] T6357.028 [GRAPHIC] [TIFF OMITTED] T6357.029 [GRAPHIC] [TIFF OMITTED] T6357.030 [GRAPHIC] [TIFF OMITTED] T6357.031 [GRAPHIC] [TIFF OMITTED] T6357.032 [GRAPHIC] [TIFF OMITTED] T6357.033 [GRAPHIC] [TIFF OMITTED] T6357.034 [GRAPHIC] [TIFF OMITTED] T6357.035 [GRAPHIC] [TIFF OMITTED] T6357.036 [GRAPHIC] [TIFF OMITTED] T6357.037 [GRAPHIC] [TIFF OMITTED] T6357.038 [GRAPHIC] [TIFF OMITTED] T6357.039 [GRAPHIC] [TIFF OMITTED] T6357.040 [GRAPHIC] [TIFF OMITTED] T6357.041 [GRAPHIC] [TIFF OMITTED] T6357.042 [GRAPHIC] [TIFF OMITTED] T6357.043 [GRAPHIC] [TIFF OMITTED] T6357.044 [GRAPHIC] [TIFF OMITTED] T6357.045 [GRAPHIC] [TIFF OMITTED] T6357.046 [GRAPHIC] [TIFF OMITTED] T6357.047 [GRAPHIC] [TIFF OMITTED] T6357.048 [GRAPHIC] [TIFF OMITTED] T6357.049 [GRAPHIC] [TIFF OMITTED] T6357.050 [GRAPHIC] [TIFF OMITTED] T6357.051 [GRAPHIC] [TIFF OMITTED] T6357.052 [GRAPHIC] [TIFF OMITTED] T6357.053 [GRAPHIC] [TIFF OMITTED] T6357.054 [GRAPHIC] [TIFF OMITTED] T6357.055 [GRAPHIC] [TIFF OMITTED] T6357.056 [GRAPHIC] [TIFF OMITTED] T6357.057 [GRAPHIC] [TIFF OMITTED] T6357.058 [GRAPHIC] [TIFF OMITTED] T6357.059 [GRAPHIC] [TIFF OMITTED] T6357.060 [GRAPHIC] [TIFF OMITTED] T6357.061 [GRAPHIC] [TIFF OMITTED] T6357.062 [GRAPHIC] [TIFF OMITTED] T6357.063 [GRAPHIC] [TIFF OMITTED] T6357.064 [GRAPHIC] [TIFF OMITTED] T6357.065 [GRAPHIC] [TIFF OMITTED] T6357.066 [GRAPHIC] [TIFF OMITTED] T6357.067 [GRAPHIC] [TIFF OMITTED] T6357.068 [GRAPHIC] [TIFF OMITTED] T6357.069 [GRAPHIC] [TIFF OMITTED] T6357.070 [GRAPHIC] [TIFF OMITTED] T6357.071 [GRAPHIC] [TIFF OMITTED] T6357.072 [GRAPHIC] [TIFF OMITTED] T6357.073 [GRAPHIC] [TIFF OMITTED] T6357.074 [GRAPHIC] [TIFF OMITTED] T6357.075 [GRAPHIC] [TIFF OMITTED] T6357.076 [GRAPHIC] [TIFF OMITTED] T6357.077 [GRAPHIC] [TIFF OMITTED] T6357.078 [GRAPHIC] [TIFF OMITTED] T6357.079 [GRAPHIC] [TIFF OMITTED] T6357.080 [GRAPHIC] [TIFF OMITTED] T6357.081 [GRAPHIC] [TIFF OMITTED] T6357.082 [GRAPHIC] [TIFF OMITTED] T6357.083 [GRAPHIC] [TIFF OMITTED] T6357.084 [GRAPHIC] [TIFF OMITTED] T6357.085 [GRAPHIC] [TIFF OMITTED] T6357.086 [GRAPHIC] [TIFF OMITTED] T6357.087 [GRAPHIC] [TIFF OMITTED] T6357.088 [GRAPHIC] [TIFF OMITTED] T6357.089 [GRAPHIC] [TIFF OMITTED] T6357.090 [GRAPHIC] [TIFF OMITTED] T6357.091 [GRAPHIC] [TIFF OMITTED] T6357.092 [GRAPHIC] [TIFF OMITTED] T6357.093 [GRAPHIC] [TIFF OMITTED] T6357.094 [GRAPHIC] [TIFF OMITTED] T6357.095 [GRAPHIC] [TIFF OMITTED] T6357.096 [GRAPHIC] [TIFF OMITTED] T6357.097 [GRAPHIC] [TIFF OMITTED] T6357.098 [GRAPHIC] [TIFF OMITTED] T6357.099 [GRAPHIC] [TIFF OMITTED] T6357.100 [GRAPHIC] [TIFF OMITTED] T6357.101 [GRAPHIC] [TIFF OMITTED] T6357.102 [GRAPHIC] [TIFF OMITTED] T6357.103 [GRAPHIC] [TIFF OMITTED] T6357.104 [GRAPHIC] [TIFF OMITTED] T6357.105 [GRAPHIC] [TIFF OMITTED] T6357.106 [GRAPHIC] [TIFF OMITTED] T6357.107 [GRAPHIC] [TIFF OMITTED] T6357.108 [GRAPHIC] [TIFF OMITTED] T6357.109 [GRAPHIC] [TIFF OMITTED] T6357.110 [GRAPHIC] [TIFF OMITTED] T6357.111 [GRAPHIC] [TIFF OMITTED] T6357.112 [GRAPHIC] [TIFF OMITTED] T6357.113 [GRAPHIC] [TIFF OMITTED] T6357.114 [GRAPHIC] [TIFF OMITTED] T6357.115 [GRAPHIC] [TIFF OMITTED] T6357.116 [GRAPHIC] [TIFF OMITTED] T6357.117 [GRAPHIC] [TIFF OMITTED] T6357.118 [GRAPHIC] [TIFF OMITTED] T6357.119 [GRAPHIC] [TIFF OMITTED] T6357.120 [GRAPHIC] [TIFF OMITTED] T6357.121 [GRAPHIC] [TIFF OMITTED] T6357.122 [GRAPHIC] [TIFF OMITTED] T6357.123 [GRAPHIC] [TIFF OMITTED] T6357.124 [GRAPHIC] [TIFF OMITTED] T6357.125