[Senate Hearing 112-586]
[From the U.S. Government Publishing Office]
S. Hrg. 112-586
THE FREEDOM OF INFORMATION ACT: SAFEGUARDING CRITICAL INFRASTRUCTURE
INFORMATION AND THE PUBLIC'S RIGHT TO KNOW
=======================================================================
HEARING
before the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED TWELFTH CONGRESS
SECOND SESSION
__________
MARCH 13, 2012
__________
Serial No. J-112-63
__________
Printed for the use of the Committee on the Judiciary
U.S. GOVERNMENT PRINTING OFFICE
76-357 WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202�09512�091800, or 866�09512�091800 (toll-free). E-mail, [email protected].
COMMITTEE ON THE JUDICIARY
PATRICK J. LEAHY, Vermont, Chairman
HERB KOHL, Wisconsin CHUCK GRASSLEY, Iowa
DIANNE FEINSTEIN, California ORRIN G. HATCH, Utah
CHUCK SCHUMER, New York JON KYL, Arizona
DICK DURBIN, Illinois JEFF SESSIONS, Alabama
SHELDON WHITEHOUSE, Rhode Island LINDSEY GRAHAM, South Carolina
AMY KLOBUCHAR, Minnesota JOHN CORNYN, Texas
AL FRANKEN, Minnesota MICHAEL S. LEE, Utah
CHRISTOPHER A. COONS, Delaware TOM COBURN, Oklahoma
RICHARD BLUMENTHAL, Connecticut
Bruce A. Cohen, Chief Counsel and Staff Director
Kolan Davis, Republican Chief Counsel and Staff Director
C O N T E N T S
----------
STATEMENTS OF COMMITTEE MEMBERS
Page
Grassley, Hon. Chuck, a U.S. Senator from the State of Iowa...... 2
prepared statement........................................... 98
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont. 1
prepared statement........................................... 102
WITNESSES
Bunting, Kenneth F., Executive Director, National Freedom of
Information Coalition, Columbia, Missouri...................... 17
Ensminger, J.M. (Jerry), Retired marine Master Sergeant, Camp
Lejeune Marine Base, Elizabethtown, North Carolina............. 15
Nisbet, Miriam, Director, Office of Government Information
Services, National Archives and Records Administration,
Washington, DC................................................. 5
Pustay, Melanie Ann, Director, Office of Information Policy, U.S.
Department of Justice, Washington, DC.......................... 7
Rosenzweig, Paul, Red Branch Consulting, PLLC, Professorial
Lecturer in Law, George Washington University, and Visiting
Fellow, The Heritage Foundation, Washington, DC................ 19
QUESTIONS AND ANSWERS
Responses of Miriam Nisbet to questions submitted by Senators
Grassley and Klobuchar......................................... 26
Responses of Paul Roaenzweig to questions submitted by Senators
Grassley, Sheldon, Whitehouse and Klobuchar.................... 29
Responses of Melanie Pustay to questions submitted by Senators
Leahy, Cornyn, Grassley and Klobuchar.......................... 33
SUBMISSIONS FOR THE RECORD
Bunting, Kenneth F., Executive Director, National Freedom of
Information Coalition, Columbia, Missouri, statement........... 60
Epic.org, Electronic Privacy Information Center, Washington, DC,
statement...................................................... 66
Ensminger, J.M. (Jerry), Retired Marine Master Sergeant, Camp
Lejeune Marine Base, Elizabethtown, North Carolina, statement.. 77
New York Times, March 10, 2012, article.......................... 104
Nisbet, Miriam, Director, Office of Government Information
Services, National Archives and Records Administration,
Washington, DC:
statement.................................................... 107
April 13, 2012, letter....................................... 112
April 24, 2012, letter and attachment........................ 114
Pustay, Melanie Ann, Director, Office of Information Policy, U.S.
Department of Justice, Washington, DC, statement............... 119
Rosenzweig, Paul, Red Branch Consulting, PLLC, Professorial
Lecturer in Law, George Washington University, and Visiting
Fellow, The Heritage Foundation, Washington, DC, statement..... 134
Sunshine in Government Initiative, Rick Blum Coordinator;
National Freedom of Information Coalition, Kenneth Bunting,
Executive Director; Project on Government Oversight (POGO),
Angela Canterbury, Director of Public Policy; American Society
of News Editors, Kevin Goldberg, Counsel;
OpenTheGovernment.org, Patrice McDermott, Executive Director;
and Citizens for Responsibility and Ethics in Washington, Anne
Weismann, Chief Counsel, February 16, 2012, letter............. 146
THE FREEDOM OF INFORMATION ACT: SAFEGUARDING CRITICAL INFRASTRUCTURE
INFORMATION AND THE PUBLIC'S RIGHT TO KNOW
----------
TUESDAY, MARCH 13, 2012
U.S. Senate,
Committee on the Judiciary,
Washington, D.C.
The Committee met, pursuant to notice, at 10:55 a.m., in
room SD-226, Dirksen Senate Office Building, Hon. Patrick J.
Leahy, Chairman of the Committee, presiding.
Present: Senators Leahy, Whitehouse, Grassley, and Cornyn.
OPENING STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM
THE STATE OF VERMONT
Chairman Leahy. I apologize for the late start. We had the
beginning of debate on judicial nominations on the floor, the
Majority and Minority Leaders and myself. I may be No. 2 in
seniority for the Senate, but when I have the Majority and
Minority Leaders who are there engaging in the colloquy, you
tend to stay around and finish it. So I do apologize.
We are holding an important hearing on one of our most
cherished open-government laws, the Freedom of Information Act.
Incidentally, I spoke to the Judicial Conference this
morning at the Supreme Court and made a pitch again to open up
our courts to cameras and full, instantaneous coverage. When I
finished saying that, we had the chief judges of all the
circuit courts there and the Chief Justice, and I said I was
going to pause for the thundering applause. But, instead, I
paused for the thundering silence.
In the decade since September 11th, we have had to wrestle
with how best to maintain the careful balance between what is
legitimate Government secrecy and the public's right to know
even as new national security threats emerge. Does government
secrecy have its place? Of course. We were not about to
announce, for example, to the press a week before the raid on
Osama bin Laden. But I worry that since September 11th there
has been overuse of the secrecy stamp. It is too easy to say,
well, this is secret. And it may be secret because, boy, did we
screw up. And when that happens, excessive government secrecy
can come at an unacceptable price: harm to the American
public's interests in safety, healthy living, a clean
environment, and so on.
Sunshine Week is a timely reminder that as the Congress
considers how best to safeguard critical infrastructure
information in cyberspace, we have to safeguard the American
public's right to know about threats to their health and
safety. Last year, the Supreme Court held in Milner v. Navy
that the Government could not rely upon Exemption 2 under FOIA
to withhold explosives maps from the public. That was an
important victory. But now in its wake, Congress is considering
several new legislative exemptions to FOIA. We should do that
pretty carefully.
In January, President Obama signed into law a carefully
balanced, narrow exemption to FOIA for Department of Defense
critical infrastructure information, and I helped craft that.
It requires Government officials to affirmatively determine
that withholding critical infrastructure information from the
public outweighs other interests, such as ensuring that we have
information that may concern our health and safety. Truly
sensitive things can be withheld, but not as a knee-jerk
reaction. So I intend to continue to work with other members on
both sides of the aisle as we try to fulfill this goal.
I am going to put my full statement in the record, but I
commend the Obama administration for taking a number of
important steps to improve transparency, such as the
`ethics.gov' portal.
Senator Cornyn and I, and before him, other Republican
Senators, have done a lot of the legislation on FOIA. It should
not be a partisan issue because I do not care whether you have
a Democratic or Republican administration, there is always
going to be some who are going to want to say, ``Why do we have
to release this information? '' Well, my response would be,
``Because you represent all Americans, and we have a right to
it.''
[The prepared statement of Chairman Leahy appears as a
submission for the record.]
Chairman Leahy. Senator Grassley.
STATEMENT OF HON. CHUCK GRASSLEY, A U.S. SENATOR FROM THE STATE
OF IOWA
Senator Grassley. Mr. President--or, Mr. Chairman, before--
--
[Laughter.]
Senator Grassley. That was a slip. I was not trying to be--
--
Chairman Leahy. I must admit that I am one of the very few
Senators who has never had the desire to be President. Go
ahead.
Senator Grassley. Before I read, I agree with what you have
said except one little part, and I think I will preface my
remarks with this: You know, I do not care whether we have a
Republican or Democrat President, it is very, very difficult
not only under FOIA but under our constitutional responsibility
of oversight to get information. It is just a culture in the
executive branch that is difficult to overcome. And the only
reason I would separate out President Obama a little bit
different from others is, as you said, he has put in place some
statements and policies that are for more transparency and more
openness. But I find it difficult, if I measure what he said he
wanted to do, with what has actually materialized as either he
did not mean it or--and I think he did mean it--and, No. 2, the
people below him are not carrying out his policies.
So I thank you for holding this hearing. Open government
and transparency are essential for our democratic form of
government. And I think James Madison had something very good
to say about this: ``a people who mean to be their own
Governors must arm themselves with the power which knowledge
gives.'' And, of course, that knowledge comes from knowing what
is going on in our Government, among other things.
The Freedom of Information Act codifies this fundamental
principle which our Founders found so valuable. So it is
important to talk about the Act and the need for American
citizens to be able to obtain information about how their
Government is operating.
Although it is Sunshine Week, I am sorry to report that,
contrary to the President's proclamations when he took office,
after 3 years I do not believe the sun is shining commensurate
with his statements that he wanted to be the most transparent
of any administration in history.
Based upon my experience in trying to pry information from
the executive branch, I am disappointed to report that agencies
under the control of President Obama's political appointees
have been more aggressive than ever in withholding information
from the public and Congress.
There is a complete disconnect between the President's
grand pronouncements about transparency and the actions of his
political appointees.
On his first full day in office, the President issued a
memorandum on FOIA. In it, he wrote that Executive agencies
should ``adopt a presumption in favor of disclosure, in order
to renew their commitment to the principles embodied in FOIA,
and to usher in a new era of open government.'' All you can say
to that is, ``Amen.''
But, unfortunately, it appears that in the eyes of the
President's political appointees--and maybe for this the
President has a big, big job, maybe he cannot keep track of
what everybody does or the trends in his administration--but
his proclamations about open government and transparency are
being ignored.
Indeed, FOIA requesters appear to have reached the same
conclusion. I will give you an example. When recently asked
about President Obama and FOIA, Katherine Meyer, an attorney
who has been filing FOIA cases since 1978, said, that the Obama
administration ``is the worst on FOIA issues. The worst. There
is just no question about it. This administration is raising
one barrier after another. It has gotten to the point where I
am stunned. I am really stunned.''
The problem is more than just a matter of backlogs with
answering FOIA requests. Based on investigative reports, we
have learned of inappropriate actions by the President's
political appointees.
In March of last year, 2 weeks after this Committee held a
hearing on FOIA, the House Committee on Oversight and
Government Reform released a 153-page report on its
investigation of the political vetting of FOIA requests by the
Department of Homeland Security. The Committee reviewed
thousands of pages of internal e-mails and memoranda and
conducted six transcribed interviews.
The Committee, under Chairman Issa, learned that political
staff under the Secretary of Homeland Security corrupted the
agency's FOIA compliance procedures, exerted pressure on FOIA
compliance officers, and undermined the Federal Government's
accountability to the American people. The report's findings
are disturbing, and I will just summarize four of them.
First, the report finds that by the end of September 2009,
copies of all significant FOIA requests had to be forwarded to
Secretary Napolitano's political staff for review. The career
staff in the FOIA office were not permitted to release
responses to these requests without approval from political
staff.
Second, career FOIA professionals were burdened by the
intrusive political staff and blamed for delays, mistakes, and
inefficiencies for which the Secretary's political staff was
responsible. The Chief Privacy Officer, herself a political
appointee, did not adequately support and defend career staff.
To the contrary, in one of her e-mails, she referred to her
career staff as ``idiots.''
Third, political appointees displayed hostility toward
career staff. In one e-mail, political staff referred to a
senior career FOIA employee as a ``lunatic'' and wrote of
attending a FOIA training session organized by the career
staffer for the ``comic relief.'' Moreover, three of the four
career staff interviewed by the Committee have been
transferred, demoted, or relieved of certain responsibilities.
Last, the report finds that the Secretary's office and the
General Counsel's office can still withhold and delay
significant responses. Although the FOIA office no longer needs
an affirmative statement of approval, the Secretary's political
staff retains the ability to halt the release of FOIA
responses.
The conduct of the political appointees at Homeland
Security involved the politically motivated withholding of
information about the very conduct of our Government from our
citizens. In particular, it was the withholding of information
about the administration's controversial policies and about its
mistakes. That was a direct violation of the President's
orders.
I am disappointed that there was not more coverage of
Chairman Issa's report and the inappropriate conduct by
political appointees at Homeland Security. I am also
disappointed that the Justice Department has not conducted an
investigation of this scandal.
I have to say that I am a bit surprised that some open-
government and privacy groups appear to be accepting the
dramatic regulatory power that Homeland Security and Secretary
Napolitano will have under the Lieberman-Collins cybersecurity
bill and under President Obama's proposal. Given the FOIA
scandal at Homeland Security, I would have thought that they
would have more reservations.
I am also sorry to say that the Department of Homeland
Security is not alone when it comes to questionable actions.
Recently, the National Security Archive gave its annual
Rosemary Award to the Department of Justice for the worst open-
government performance in 2011.
The charges the Archive makes against the Justice
Department include:
One, proposing regulations that would allow the Government
to lie about the existence of records sought by FOIA
requesters, and that would further limit requesters' ability to
obtain information;
Two, using recycled legal arguments for greater secrecy,
including questionable arguments before the Supreme Court in
2011 in direct contradiction to President Obama's presumption
of openness;
And, three, backsliding on the key indicator of the most
discretionary FOIA exemption, Exemption 5 for deliberative
process. In 2011, the Justice Department cited Exemption 5 to
withhold information 1,500 times, and that is up from 1,231
times in 2010.
According to the Archive, the Justice Department edged out
a crowded field of contending agencies that seem to be in
``practical rebellion'' against President Obama's open-
government orders.
So there is a disturbing contradiction between President
Obama's grand pronouncements and the actions of his political
appointees. The Obama administration does not understand that
open government and transparency must be about more than just
pleasant sounding words in memos. Ultimately, the President is
responsible for the conduct of his political appointees,
especially after 3 years in office. And both he and Attorney
General Holder certainly know what is going on.
Throughout my career I have been actively conducting
oversight of the executive branch regardless of who controls
the Congress or the White House. Open government is not a
Republican or a Democrat issue. It has to be a bipartisan
issue. It is about basic good government and accountability--
not party politics or ideology.
I started out my remarks by quoting James Madison. Madison
understood the danger posed by the type of conduct we see in a
lot of administrations, but this one has not lived up to what
they said that they intended to do. He explained that ``[a]
popular government without popular information or the means of
acquiring it, is but a prologue to a farce, or a tragedy, or
perhaps both.''
So I am looking forward to hearing the testimony. I want to
thank all the witnesses for coming in today, and taking time.
I also want to thank Sergeant Ensminger for his service to
our country. I am very sorry about the loss of his daughter. I
am also cosponsoring the Caring for Camp Lejeune Veterans Act,
and this was brought to my attention about 4 years ago. People
in my constituency that I did not even know existed came to my
town meetings and came to Iowa. They were very much injured by
what happened at Camp Lejeune, and I thank them for bringing
that to my attention. And they were not leading a very high
quality of life.
Thank you, Mr. Chairman.
Chairman Leahy. Thank you.
Our first witness is Melanie Pustay, who is the Director of
the Office of Information Policy at the Department of Justice.
I am sorry. Actually, our first witness is Miriam Nisbet,
the Director of the Office of Government Information Services
at the National Archives. She served as the Director of the
Information Society Division for UNESCO in Paris. She earned
her bachelor's degree and law degree from the University of
North Carolina.
I appreciate having you here. I apologize for my voice. It
worked fine in Vermont yesterday. I got off the airplane
yesterday and found that we have a few more pollens in the air
than snow-covered Vermont. Go ahead, Dr. Nisbet.
STATEMENT OF MIRIAM NISBET, DIRECTOR, OFFICE OF GOVERNMENT
INFORMATION SERVICES, NATIONAL ARCHIVES AND RECORDS
ADMINISTRATION, WASHINGTON, DC
Ms. Nisbet. Thank you, Mr. Chairman, Senator Grassley.
Thank you for having me this morning. And, yes, I can feel that
pollen a little bit, too, so bear with me, please.
As both of you have mentioned this morning, the Freedom of
Information Act is a cornerstone of our democracy, and we at
the National Archives are proud to display the original Freedom
of Information Act in the Rotunda of the Archives this week
during Sunshine Week. For the first time, it is being
displayed, and we would like to invite you to come and visit
us.
An important part of the Freedom of Information Act is
protecting sensitive information even as the Government strives
to give the public the greatest access to records under the
law.
I am here to provide you with a sense of what we are
hearing from requesters and agencies about safeguarding
critical infrastructure information and other records
previously protected under Exemption 2 of the FOIA. In our work
at the Office of Government Information Services, or OGIS, as
the FOIA ombudsman, we talk every day with agency FOIA
professionals and FOIA requesters. In fact, we have worked with
requesters and agencies on more than 1,500 specific matters
since we opened in September 2009. When Congress created OGIS
as part of FOIA, the statutory mandate for our office included
working to improve the FOIA process. We do that as we fulfill
our two-pronged mission: reviewing agency FOIA policies,
procedures, and compliance, which allows us to see how agencies
carry out the law; and working to resolve FOIA disputes between
agencies and requesters, which shows us where there are trouble
spots. We regularly meet with and hear from requesters and
agency professionals to discuss trends, problems, complaints,
and improvements to FOIA's implementation.
Chairman Leahy. Dr. Nisbet, we have all this and your whole
statement is part of the record, but if you could direct us to
which agencies are actually complying with FOIA as they should,
which ones are not, and why.
Ms. Nisbet. I would be happy to do that, and if I could,
let me supplement the record with information about that. In
fact, we are releasing a report on our activities for fiscal
year 2011 this week, Mr. Chairman, and there will be a great
deal of information about precisely what we have seen.
Chairman Leahy. Which agency does the best job and which
does the worst?
Ms. Nisbet. I do feel like I am in the hot seat. I would
say that there are a number of agencies that we have seen that
are working very hard. We see that every day. The Department of
the Interior, for example, is one that we have worked with. Not
only has it been working on improving its FOIA process overall,
but it has begun working with us to train its FOIA
professionals in dispute resolution skills in order to help
them do their job better and to carry out the FOIA in a very
collaborative way that would avoid litigation. So I think that
is really a good example.
Chairman Leahy. Which ones are the worst? You are the
expert.
Ms. Nisbet. I think there are a number of agencies that are
still working very hard with overcoming their backlog problems,
and that is in some part due to resources. That is a perennial
problem, as you know. And I really would prefer not to get too
much into detail about the ones that are not doing a good job.
Senator Grassley. Just remember, you are not elected. We
are elected. We can get in trouble for answering that question.
You cannot get in trouble.
[Laughter.]
Ms. Nisbet. I do not know about that, Senator Grassley.
Chairman Leahy. Thank you.
[The prepared statement of Ms. Nisbet appears as a
submission for the record.]
Chairman Leahy. Ms. Pustay is Director of the Office of
Information Policy, OIP, at the Department of Justice. Before
becoming the office's Director, she served for 8 years as
Deputy Director. She earned her law degree from American
University's Washington College of Law where she served on law
review, and disregard her B.A. from George Mason.
Again, I apologize for the voice. Please go ahead.
STATEMENT OF MELANIE ANN PUSTAY, DIRECTOR, OFFICE OF
INFORMATION POLICY, U.S. DEPARTMENT OF JUSTICE, WASHINGTON, DC
Ms. Pustay. No problem. Thank you. Good afternoon, Chairman
Leahy and Ranking Member Grassley and members of the Committee.
I am pleased to be here during Sunshine Week to address the
effect of the Supreme Court's decision in Milner v. Department
of the Navy and also to discuss the Department of Justice's
continuing efforts to ensure that President Obama's Memorandum
on the FOIA, as well as Attorney General Holder's FOIA
Guidelines, are fully implemented.
As you know, the Attorney General issued his new FOIA
Guidelines during Sunshine Week 3 years ago, and based on our
review of the Chief FOIA Officer reports and agency annual FOIA
reports, it is clear to us that agencies are continuing to make
significant, tangible progress in implementing the guidelines.
In fiscal year 2011, despite being faced with a noticeable
increase in the number of incoming requests, agencies overall
were able to process over 30,000 more requests than last fiscal
year. And, most significantly, when agencies processed those
requests, they increased the amount of material they provided.
The Government released records in response to 93 percent of
requests where records were located and processed for
disclosure. This marks the third straight year we have had such
a significantly high release rate.
Agencies are also continuing to meet the demand for
information by proactively posting information of interest to
the public on their websites. Many agencies have taken steps to
make the information on their websites more useful to the
public by redesigning the websites, adding enhanced search
capabilities, utilizing online portals and dashboards.
I am also pleased to report in particular on the successes
achieved by the Department of Justice. This past fiscal year,
the Department increased the number of responses to requests
where records were released, and for the second straight year,
we maintained a record high release rate of 94 percent for all
requests involving responsive records that were processed for
disclosure.
And perhaps even more significantly, of those requests we
released records in full 79 percent, which means that the
requester got everything they asked for with no excisions.
Despite 3 straight years of receiving over 60,000 requests,
the Department reduced its backlog of pending requests by 26
percent. We also improved the average processing time for
simple and complex requests.
Now, my office also carries out the Department's statutory
responsibility to encourage compliance with the FOIA. And, of
course, this guidance was particularly needed in the wake of
the dramatic narrowing of Exemption 2 that occurred when the
Supreme Court issued its opinion in Milner.
As you know, in Milner, the Supreme Court overturned 30
years of established FOIA precedent by restricting the scope of
Exemption 2 to matters that relate solely to personnel rules
and practices. Prior to Milner, agencies had long followed the
interpretation of Exemption 2 provided by the D.C. Circuit,
which applied a two-part test that was announced in the Crooker
case. Under Crooker, information first had to qualify as
``predominantly internal'' and, second, it had to be either of
no public interest, which was referred to as ``Low 2,'' or be
more substantial in nature where disclosure would risk
circumvention of the law, and that was referred to as ``High
2.'' We had a substantial body of case law developed over the
years concerning High 2, with courts upholding protection for
many different types of sensitive information when disclosure
would risk circumvention of the law. But as a result of the
Supreme Court's rejection of High 2 as inconsistent with the
plain language of the exemption, there is a wide range of
sensitive material whose disclosure could cause harm and which
had previously been protected and which is now at risk.
The Supreme Court was sympathetic in its decision to the
policy concerns raised by the Government regarding the need to
protect information when its disclosure risked harm. And the
Court even acknowledged that it might be necessary for the
Government to seek relief from Congress.
Now, in the months since the Milner decision, some agencies
have sought statutory relief under the FOIA for discrete
categories of information. However, this piecemeal approach
does not sufficiently ensure protection for all agencies and
for all categories of information that were long protected
under High 2. And we believe that the preferred course of
action would be to amend Exemption 2 so that its plain language
addresses the need to protect against disclosure where that
disclosure would risk circumvention of the law.
Open-government groups, reporters, and other interested
members of the FOIA requester community are understandably
interested in this issue as well, and the precise contours of a
legislative amendment to Exemption 2 will need to take into
account both the interests of the agencies in making sure that
there is no circumvention of the law and the interests of the
requesters and open-government groups in ensuring that
exemptions are precisely crafted so as not to unnecessarily
sweep too broadly.
In closing, the Department of Justice looks forward to
working together with the Committee on all matters pertaining
to the governmentwide administration of the FOIA, including
efforts to address the effect of the Milner decision.
[The prepared statement of Ms. Pustay appears as a
submission for the record.]
Chairman Leahy. Well, thank you. You have mentioned the
Milner case; what guidance is DOJ giving to agencies about how
they should respond, and how they should treat FOIA requests
seeking critical infrastructure information?
Ms. Pustay. In the wake of the Supreme Court's decision, we
issued extensive guidance to agencies to help walk them through
the changed landscape that occurred as a result of the Supreme
Court's decision. First of all, of course, we had to explain
what Exemption 2--what was left of the exemption--covered and
what would fit within it. But pragmatically, because High 2 is
now no longer a part of the protection afforded by Exemption 2,
agencies really have two alternatives: to try to see if other
exemptions will safeguard the information, and that is
certainly an option that was discussed and contemplated in the
Milner case itself, the information that----
Chairman Leahy. Of course, in the National Defense Act, we
tried to put in a very, very narrow exemption.
Ms. Pustay. Exactly. And the other alternative, if existing
exemptions do not cover the information--let me actually first
say, as part of our guidance, we instructed agencies to first
consider whether or not the information needed to be protected.
We made a point of highlighting the Attorney General's FOIA
guidelines and the presumption of openness, and we always make
sure that we use that as our starting point before we even get
to the point of protecting. But assuming there is risk of
circumvention, if existing FOIA exemptions----
Chairman Leahy. It was too easily used before.
Ms. Pustay. Right now the alternatives would be using other
FOIA exemptions or seeking relief through specific statutory
provisions that are covered under Exemption 3.
Chairman Leahy. Dr. Nisbet, how do you see agencies
handling these requests for critical infrastructure
information? Are they following the Milner decision?
Ms. Nisbet. Well, of course, they are following the Milner
decision, and they are using language that the Supreme Court
used to suggest to them that they do look for other exemptions.
And in some cases, that certainly does work. But it does not
work in all cases.
For example, Exemption 7, which applies to records or
information compiled for law enforcement information, certainly
could apply to certain sensitive information, particularly as
it relates to security measures or preventing crime. But
Exemption 7 is not available to all agencies.
Similarly, Exemption 1 would not be a good choice.
Certainly, some agencies do not have classification authority
nor, as this Committee has recognized, is expanding the
universe of classified information something that we want to
see.
Chairman Leahy. Also, back in 2007, Senator Cornyn and I
authored the Open Government Act to strengthen FOIA, and in it
we have the Office of Government Information Services regularly
reporting to Congress on recommendations to improve FOIA
compliance within the Government. We have not seen those
reports. What is the current status of the reports that the law
requires?
Ms. Nisbet. Let me distinguish between reporting on our
activity, which we have done and we have made public----
Chairman Leahy. I am talking about the report that is
required to be made to Congress on recommendations to improve
FOIA compliance within the Government.
Ms. Nisbet. Yes, Mr. Chairman, as to recommendations which
we have put through the process for review with OMB, we have--
--
Chairman Leahy. When did you put it through the process to
be reviewed?
Ms. Nisbet. Well, the first set of recommendations were
given just a little over a year ago. Those did get held up. I
am not sure that I can explain why. But I can tell you that we
are working with OMB now to get that process going on.
Chairman Leahy. Recommendations were made over a year ago,
and we have not received them yet. The law requires us to
receive them. When will we receive them?
Ms. Nisbet. I hope you will receive something very shortly.
However, I will tell you that we are working with OMB actively
to see whether or not some of the suggestions that we had might
be able to be addressed administratively without asking
Congress to make any legislative changes.
Chairman Leahy. Well----
Senator Grassley. Mr. Chairman, what I would like to know
is: Is it her fault or OMB's fault that they are not----
Chairman Leahy. The law is pretty clear about us getting
the reports. We have not gotten the reports. Who is at fault?
Senator Grassley. We run into this. Just recently, with an
agricultural rule, they studied it for 2 years, and it was
sitting in OMB. Finally, after we wrote a letter, OMB released
it.
Chairman Leahy. So my question is: Who is not following the
law?
Ms. Nisbet. Well, one question I might ask you, Mr.
Chairman, is the law does not state how often these
recommendations need to be made.
Chairman Leahy. I think if the recommendations were made a
year ago, even if mail has been kind of slow--I mean, I am
happy to drive down there and pick it up if that would speed
things up.
[Laughter.]
Chairman Leahy. You know, I would be happy to, if they
would let me in the building.
Ms. Nisbet. Thank you, Mr. Chairman.
Chairman Leahy. When will we get it?
Ms. Nisbet. I will have something to you--how about within
a month we will have something? I will work actively with OMB
to make that happen.
Chairman Leahy. Tell them at OMB that this is not a
partisan thing. Both Senator Grassley and I would kind of like
to hear from them. I know they are very busy, but----
Senator Grassley. Would it help you if we would write a
letter to OMB and tell them to get off the pot?
Ms. Nisbet. I think your statements here today will really
say what you mean.
Chairman Leahy. You know, I just would like to have people
be happy to respond to us rather than having to subpoena
things.
Ms. Nisbet. Thank you.
Chairman Leahy. We do have that alternative.
OK. Earlier this year, the National Archives and Records
Administration, the Environmental Protection Agency, and the
Department of Commerce announced the creation of a multi-agency
FOIA portal that automates FOIA processing, stores FOIA
requests, and responds in electronic format. If it works as it
should, it would make it easier for FOIA requesters. Does the
Department of Justice support this kind of a FOIA portal
concept?
Ms. Pustay. Yes, we absolutely do. The EPA is launching a
pilot to build on those capabilities. What I think is important
and what you will be happy to hear is that we have over 100
different offices across the Government that already have
online request capability. We do think it is an important
improvement to FOIA. And just this week, my office--actually,
the Attorney General announced this yesterday at our Sunshine
Week event--that we have an online portal for the senior
management offices of the Justice Department. So requesters can
go online at the website in my office, set up a personal
account, make their request online, be able to track the status
of their request online any time day or night, and to get their
responsive documents back through the portal.
Chairman Leahy. Of course, that is an easier way. I have a
6-year-old grandson who showed me how he goes online, although
I am telling him not to go on Google because they now have a
new plan to spy on Americans. That is just a personal concept.
Senator Grassley.
Senator Grassley. Thank you, Mr. Chairman. And if I can
help you in any way, make sure that you call on me on that
request.
Ms. Pustay. We still accept requests the old-fashioned way
as well, Senator Leahy.
Senator Grassley. My first question is going to be asked
for Senator Cornyn because he was here for a while but had to
go to a meeting at 11. It is to Ms. Pustay. A March 9th article
in Atlanticwire.com raises questions about the way the Justice
Department is actually calculating reporting ``backlogs'' and
``pending requests.'' How do you explain the almost 50-percent
discrepancy between claimed backlogs, 3,816, and the pending
requests, 6,897? Now, Senator Cornyn says, ``I can understand
not counting a few pending requests at the end of the year as
backlog, especially if the statutory deadlines have not run.
But I cannot imagine that you received 3,000 new requests at
the end of fiscal year 2011 that fit that criteria. Could you
explain the standards and definitions that are applied? And
then, more importantly, isn't it appropriate to treat all
requests alike for backlog purposes once the agency's response
is overdue? ''
Ms. Pustay. I am happy to address that question. There is a
difference between pending and backlogged. Pending just means a
request is open at the moment that the fiscal year closes on
September 30th. Backlogged means it has been pending beyond the
statutory time period.
The FOIA itself actually requires agencies to report the
number of requests that are pending. The Department of Justice
added the requirement that agencies report the number of
requests that are backlogged because we think it is a more
accurate measurement to know not just how many requests came in
literally on September 30th, but how many of those requests
were backlogged. So that is why we track both statistics,
backlog and pending.
But we get at the Department of Justice 5,000 requests
every single month, so having numbers of 3,000 and 5,000 as our
pending and backlog is totally logical. We get 5,000 requests
every single month.
Senator Grassley. I would ask you for myself, Ms. Pustay,
the National Security Archives recently gave the Rosemary Award
to Justice for the worst open-government performance last year.
As part of the award, the Archive stated that you presided over
the development of a series of proposed regulations that would
have changed the FOIA process in more than a dozen regressive
ways. A two-part question, and I will ask both of them.
First, what is your response to the Archive's citing of the
Justice Department as having this performance record?
And, second, what is your response to the Archive's
statement about the proposed FOIA regressive regulations?
Ms. Pustay. I will take it in reverse order. The regulation
comment is very straightforward. Our regulations were--the
changes that we made were simply designed to streamline,
simplify, and update the regulations. The comments that we
received showed that people misinterpreted what we were trying
to do, misconstrued some of the provisions, and also did not
necessarily understand the fee guidelines that govern the fee
categories that are put out by--that are governed by OMB's fee
guidelines. So all of those issues regarding the regulations,
we are happy to have the comments because we can now explain,
walk requesters through, walk the public through, what we were
intending to do with our regulations. So the comment period
itself I think will clear that up very easily.
As to my overall reaction, of course, I am happy to be able
to stand by our record at the Department of Justice. I am very
proud of our record. We passed out before the hearing a list of
our accomplishments to all the members, and I think it is a
really stellar example of the work that has been done by the
Justice Department. We have reduced our backlogs. We released--
79 percent of requests got a full release of information. Our
release rate for 2 years in a row is 94.5 percent, which means
that requesters who come to the Department of Justice and ask
for information are getting information 94.5 percent of the
time. We have also done a lot of work with proactive
disclosures, making more information available on our website.
We have worked with agencies to try to help spread the word of
transparency, to help further implement the Attorney General's
guidelines. We have built FOIA.gov, a brand-new website that
breathes life into all the dry FOIA statistics and lets them be
interactable and much more accessible to the public.
So I can go on and on. I feel like we have a really strong
record, and I stand by it.
Senator Grassley. After Senator Whitehouse gets done, I
would like to ask for another 5 minutes, if I could.
Chairman Leahy. Yes, but the vote is coming up. We are
going to have to keep it short because otherwise, we are not
going to get the other panel in.
Dr. Nisbet, I should note that my concern--and I hope you
realize both my concern and Senator Grassley's are directed at
OMB, not at you. We are trying to give you a little [clicking
sound, swings hand].
[Laughter.]
Chairman Leahy. It is going to be great to see how that is
reported in the record.
[Laughter.]
Chairman Leahy. Senator Whitehouse.
Senator Whitehouse. T-L-O-C-K, perhaps? Who knows?
I am interested in the manner in which the FOIA requests
can be aggregated across the system and the FOIA data can be
centralized across the system. For a long time, FOIA requests
have been agency by agency, and for a long time, FOIA answers
are sent out and then they kind of disappear, and if somebody
asks the same question later, particularly if it is to another
agency, it goes back and it gets re-created.
I think it is important that there be a central FOIA
request, you know, portal that people can go to. I think it is
important that there be a central FOIA data base so that once
something has been disclosed under FOIA, you can go and find it
again and it is searchable and it is a resource. You have got
the FOIA module coming along. It is kind of a pilot in that
direction. Could you let me know a little bit the status of
that and what you expect--give me a couple of benchmarks that
you are looking for in the near future to show the success of
that and the commitment to that.
Ms. Pustay. What I can tell you first on FOIA.gov--and then
you could talk about the portal.
Ms. Nisbet. Yes.
Ms. Pustay. FOIA.gov, which is our governmentwide website,
which is designed to be a one-stop shop for FOIA, we added
several things just this past year to help meet the concerns or
the interests that you are expressing. For one thing, we have a
find function, a search function that we put on FOIA.gov, the
website, which allows an interested member of the public to
enter a search term. If they are interested in Al Capone or the
BP oil spill, they can put that search term into FOIA.gov. It
launches a search across all agency websites. So everything
that an agency has posted to date, not just their responses to
FOIA requests but everything they have posted, would be
captured by this search. That is particularly important because
we are encouraging agencies to make proactive disclosures of
information, to put things on their website separate and apart
from FOIA requests. And we want the public to have access to
all that information. So the find button is what is designed to
help you locate information and maybe not even have to make a
FOIA request.
In terms of the online capability to make requests, as I
said, we have got over 100 offices that have that capability so
far. Many others are working on developing them. What we did,
again on FOIA.gov to facilitate access to those portals was we
now have hyperlinks to all those portals so that when you are
on FOIA.gov and you decide you want to make a request to the
National--well, let us pick an agency that has it, our office,
or Treasury has an online request portal, or NASA, you can go
right from FOIA.gov and get right in, onto their online request
form.
So we have taken steps right now to make that happen, and
then we are going to continue to add those functionalities to
FOIA.gov as we go forward.
Senator Whitehouse. And how is the module coming, Dr.
Nisbet?
Ms. Nisbet. The FOIA module is a project that is being run
jointly by--under the lead of the Environmental Protection
Agency, but with the Department of Commerce and with the
National Archives as partners. It is being built right now with
input from FOIA professionals throughout the Government and
from requesters and is due to launch October 1st. And it will
be indeed a one-stop shop. In the beginning, of course, we do
not have all agencies participating, but it is going to be
something Version 1 can easily be moved into Version 2 as other
agencies want to join, and it would be both a place where a
requester can come to one place, make a request to one agency
or many agencies or all agencies, and that will at the end also
provide access to any records that have been disclosed under
FOIA. So we think it has a lot of promise and cost savings for
the Government as well as a collaborative effort and good for
requesters as well.
Senator Whitehouse. Good. Well, we look forward to October
1st, and I thank the Chairman and the Ranking Member who have
both over many years shown intense interest in making sure that
the American people have access to these public records, and
today's hearing is another example of their commitment.
Chairman Leahy. Thank you very much.
Senator Grassley. One question?
Chairman Leahy. You have one question? Go ahead.
Senator Grassley. Ms. Pustay, I want to refer to the Milner
case. It was released more than a year ago. Some believe that
the impact of the decision will be to endanger public safety.
The Justice Department has not approached me or my staff about
legislation to address the impact of the decision, so maybe you
could tell me why the Justice Department has not submitted a
legislative proposal. If, in fact, there is a threat to public
safety, as people indicate, isn't it irresponsible to ignore
the problem?
Ms. Pustay. We are actively working and look forward to
continuing to work to with this Committee on the issue. As I
said, the impact of Milner is quite significant. The Supreme
Court really dramatically limited the scope of protection that
had previously been afforded. And since the time of the
decision, we have certainly had legislative assistance from you
all in terms of protecting discrete categories of information.
As I said in my testimony, though, I think the next step is
to go beyond a piecemeal approach and to work on a more
comprehensive approach to the problem.
Senator Grassley. I will have written questions for the
record.
Chairman Leahy. Thank you. We will have further questions.
I thank you both for being here.
[The questions appears under questions and answers.]
Chairman Leahy. Good morning. The first witness will be
Jerry Ensminger. He is the public face of what may be one of
the worst drinking water contamination cases in U.S. history.
This retired Marine gunnery sergeant lost his 9-year-old
daughter, Janey, to leukemia in 1985, taken by what Gunnery
Sergeant Ensminger and many others believe was tainted water at
Camp Lejeune, the base where she was conceived.
I might say parenthetically, my son, Lance Corporal Mark
Patrick Leahy, also went through Camp Lejeune, and it raises
even more the personal stakes. Then I read the terrible things
that you went through. Mr. Ensminger retired from the military
13 years ago. He has traveled the country raising public
awareness about this issue. I say retired Marine. There are no
ex-Marines, as you know. Gunnery Sergeant, I am glad you are
here, so please go ahead, sir.
STATEMENT OF J.M. (JERRY) ENSMINGER, RETIRED MARINE MASTER
SERGEANT, CAMP LEJEUNE MARINE BASE, ELIZABETHTOWN, NC
Sergeant Ensminger. Thank you, Mr. Chairman.
Just to set the record straight, somebody demoted me. I am
a retired master sergeant.
[Laughter.]
Chairman Leahy. I apologize for that. Please do not tell
that former lance corporal, or I would be in really deep
trouble. I had heard it both ways, and I do apologize. Either
way, I am darn glad you are here.
Sergeant Ensminger. Yes, sir, thank you.
Good morning. I would like to take the opportunity to thank
the Chairman and Ranking Member for offering me this
opportunity to appear here today. I am here to testify on why
access to information through the Freedom of Information Act
matters to me and others from Camp Lejeune and about the
extreme secrecy we have encountered in trying to expose the
truth.
My name is Jerry Ensminger, and I served my country
faithfully for 24 years in the United States Marine Corps. My
daughter Janey, the only one of my four children to either be
conceived, carried or born while living aboard Camp Lejeune,
was diagnosed with leukemia in 1983 at the age of 6. Janey went
through hell, and all of us who loved her went through hell
with her. I watched my daughter die a little bit at a time for
nearly 2\1/2\ years before she finally lost her fight. The
leukemia won. Janey died on 24 September 1985.
Shortly after Janey's diagnosis, I began to wonder why. Why
was she stricken with this disease? I researched mine and her
mother's family histories, and I could find no other child that
had been diagnosed with leukemia or any other type of cancer.
It was not until August 1997, 3 years after I had retired from
the Marine Corps, that I heard of a report indicating that the
drinking water at Camp Lejeune had been contaminated during the
time that we had lived there with chemicals suspected of
causing childhood cancers and birth defects. That was the
beginning of my journey on a search for answers and the truth.
Little did I realize how difficult it would be getting the
truth out of an organization which supposedly prides itself on
honor and integrity.
None of what I am about to say is speculation. It is all
facts which are borne out by the Department of the Navy and
United States Marine Corps' own documents. Throughout the
history of this situation and to this very day, representatives
of the Department of the Navy and Marine Corps have knowingly
provided investigating or studying agencies with incorrect
data, they have omitted data, they have obfuscated facts and
told many half-truths and total lies.
The Department of the Navy and the Marine Corps' last
attempt to block the truth and foil justice is being done by
redefining key information being utilized by the Agency for
Toxic Substances and Disease Registry in their study reports
concerning the base's contaminated tap water as critical
infrastructure information, or CII. They just recently slapped
a label of ``For Official Use Only,'' or FOUO, on all documents
relating to the contamination. Most of these documents and
information they are labeling CII have been in the public
domain for more than a decade and some for nearly 50 years. Mr.
Chairman, the ATSDR estimates that as many as 1 million people
were exposed to horrendous levels of carcinogenic chemicals
through their drinking water at Camp Lejeune. These people need
the uncensored truth concerning their exposures so they can be
more vigilant about their and their family's health.
The most recent attempt by the Department of the Navy and
Marine Corps to suppress the public's knowledge regarding
ATSDR's Camp Lejeune studies came on 5 January of this year in
the form of a letter from the Marine Corps to ATSDR. Without
any public interest balancing test having been executed, key
information was redacted from a critical report which experts
are now saying will greatly diminish its scientific value or
credibility. This was labeled CII by the Department of the Navy
and Marine Corps, but the legal justifications that they cited
for requesting these redactions were dubious at best. They
notably did not mention the new law now governing what
ultimately can be withheld from the public under the Freedom of
Information Act by DOD to protect CII.
It has also been reported that the ATSDR, at the behest of
the Marine Corps, is currently scrubbing their Camp Lejeune
website of key data and information published in previously
released reports. This is all being done without any
consideration of the public's need, interest, or right to know.
For many of the exposed Camp Lejeune population, this
information could literally mean life or death.
Mr. Chairman, the last thing we need is more secrecy
disguised as a concern for security of critical infrastructure.
Any exemption must be very narrowly defined as it is in the new
CII FOIA exemption for DOD. There must be an enforced public
interest balancing test to ensure that any security interests
outweigh other public interests, like health and safety--and
there must be adequate reporting and oversight on how the
exemption is used.
I want to thank Chairman Leahy and Representative Maloney
for narrowing the blanket exemption to FOIA for critical
infrastructure information that DOD was seeking in the NDAA for
fiscal year 2012. Now all we need is oversight to ensure the
law is implemented and followed. The hearing today is a good
start.
Thank you.
[The prepared statement of Sergeant Ensminger appears as a
submission for the record.]
Chairman Leahy. Well, thank you, Sergeant. And let me tell
you, I will carry my interest in this matter beyond this
hearing. We Vermonters are sometimes known as being pretty
tenacious, and I will be. And I will not demote you next time,
I apologize.
[Laughter.]
Sergeant Ensminger. That is all right, sir.
Chairman Leahy. Thank you very much.
Our next witness is Kenneth Bunting, the first full-time
executive director of the National Freedom of Information
Coalition created in 2010. Before joining that, he spent parts
of four decades as a journalist and newspaper industry leader,
and ranking editor of the Seattle Post Intelligencer, which
during that time won more national and regional awards for
journalistic excellence than at any other time in its 146-year
history, including the Pulitzer in 1999 and 2003.
Congratulations. He has his B.S. from Texas Christian
University.
Mr. Bunting, we are delighted to have you here, and I am
stepping out for a moment while you testify, and that is not
from a lack of interest, I can assure you. Senator Grassley
will be here. I have read your testimony, and I will be back.
STATEMENT OF KENNETH F. BUNTING, EXECUTIVE DIRECTOR, NATIONAL
FREEDOM OF INFORMATION COALITION, COLUMBIA, MISSOURI
Mr. Bunting. I am Ken Bunting, executive director of the
National Freedom of Information Coalition. We are a nonpartisan
network of State and regional groups that work to promote open
government and accountability. I am here today, early in the
annual recognition of Sunshine Week, to ask that the principles
of transparent, accountable government not become collateral
damage as you wrestle with policy issues about critical
infrastructure information and matters related to
cybersecurity.
We recognize that there are circumstances under which
information and details about the Nation's critical
infrastructure need to be shielded from public dissemination.
We also recognize that one of the legitimate goals of the
various cybersecurity bills before you is creating a private
industry comfort level with important information sharing.
But wherever exceptions to public access related to these
matters reside in statute, we feel that they should include
narrow definitions, a balancing test of the public interest in
disclosure, and a sunset review process. I commend the Chairman
for inserting narrowing language into the National Defense
Authorization Act last December. Unfortunately, none of the
cybersecurity measures before us now have similar provisions.
Nine years ago, a retired electrician named Glen Milner
tried to find out something about the potential dangers he and
his neighbors faced living near naval installations in the
Puget Sound region of Washington State. Mr. Milner wanted to
know which parts of the coastal peninsulas and islands might
see the greatest devastation in the event of an accidental
explosion at the Navy's Indian Island facility. As you know,
the Navy refused to provide that information, but the Supreme
Court, in a ruling handed down last March, discredited the
Navy's expansive interpretation of FOIA's Exemption 2. That
case has now been remanded, and Mr. Milner and his lawyers are
still doing battle in the legal arena for records he first
requested in 2003 and over which he filed suit in 2006.
Now, I saw inescapable parallels as I watched the excellent
MSNBC documentary about Master Sergeant Ensminger and the
effects of three decades of toxic contamination at the Camp
Lejeune Marine base in North Carolina. As the documentary crew
portrayed it, Master Sergeant Ensminger and those who worked
with him eventually came to recognize the shameful coverup,
although they had begun with the expectation that the Marine
Corps would do the right thing of its own volition.
The moral of this powerful story and so many others is that
informed citizens with information to hold Government
accountable provide the best incentive for things being done
right.
We certainly do not belittle the concerns the legislative
proposals before you seek to address. But please be leery of a
broad, ill-defined sweep in closing off information. We believe
any new cybersecurity or critical infrastructure exemptions
should contain, at a minimum, a tight definition of the
information to be exempted; a sunset for the law and for the
protection attached to the information; and a public interest
balancing test that allows legitimately protected information
to remain protected, but not information being withheld
primarily to protect the Government from embarrassment.
Under several proposals that have been put forth in the
past 8 months, a 1995 ``Dateline NBC'' report that showed
thousands of the Nation's dams close to collapse might not have
been possible. Nor likely would a local TV report by University
of Missouri students that showed only 33 of that State's 1,200
dams had the Emergency Action Plans required by law. And after-
the-fact reporting by my old newspaper and others in Washington
State--following a massive pipeline explosion that killed three
innocent youths--would have been severely limited, reporting,
by the way, that culminated, perhaps with a causal connection,
in new pipeline safety legislation and a seven-count criminal
indictment against two pipeline companies.
Without balancing tests and sunset provisions, health and
safety information imprudently hidden from public view might
remain shrouded in secrecy forever.
Just last week, nearing the 1-year anniversary of the
Fukushima nuclear accident in Japan, the NRC released a heavily
redacted report that used the ridiculously non-descriptive term
``Generic Issue'' to describe seismic and flooding hazards
surrounding 35 domestic nuclear facilities. Given new criteria
for withholding, their refusal to provide intelligible
information will only get worse.
Please do not accept that cybersecurity and appropriate
protections for critical infrastructure information pose a
Hobson's choice with the people's right to know.
Senators, thank you for your invitation and for your
attention. I look forward to your questions.
[The prepared statement of Mr. Bunting appears as a
submission for the record.]
Senator Grassley. [Presiding.] Thank you, Mr. Bunting.
For the Chairman, I will introduce Paul Rosenzweig, a
visiting fellow at the Heritage Foundation's Center for Legal
and Judicial Studies and Douglas and Sarah Allison Center for
Foreign Policy Studies. Mr. Rosenzweig is also former Deputy
Assistant Secretary for Policy at the Department of Homeland
Security and Acting Assistant Secretary for International
Affairs. He is a senior editor of the ``Journal of National
Security Law & Policy'' and adjunct professor, Homeland
Security at the National Defense University. He is a cum laude
graduate of the University of Chicago Law School. He also has a
M.S. in chemical oceanography from Scripps Institution of
Oceanography, University of California at San Diego, and his
B.A. is from Haverford College.
Thank you, Paul, for coming. Proceed.
STATEMENT OF PAUL ROSENZWEIG, RED BRANCH CONSULTING, PLLC,
PROFESSORIAL LECTURER IN LAW, GEORGE WASHINGTON UNIVERSITY, AND
VISITING FELLOW, THE HERITAGE FOUNDATION, WASHINGTON, DC
Mr. Rosenzweig. Thank you very much, Senator Grassley. I
was checking my records, and this is the sixth time in the last
10 years that I have been in front of this Committee. It is
always a pleasure to return to testify here.
Perhaps equally germane to my testimony today, I both teach
cybersecurity law and policy at George Washington University
and as a private consultant often speak of these issues with
private sector clients who are vitally interested in pending
cyber legislation.
My testimony today is restricted to the cybersecurity
issues in front of us. I have no general issue at all with the
premise that FOIA is an important aspect of transparency and
should be broadly construed to promote the transparency of
Government activity. I think, however, that the cyber threat is
demonstrably different and that the pending proposals to
provide for FOIA exemptions in the context of enhanced
information sharing are right on point and, in my judgment,
actually essential.
The cyber threat is real and likely quite enduring, and
virtually everyone who has examined the issue in the private
sector has concluded that the cheapest, most cost-effective way
to get a running start at addressing that threat is through
enhanced information sharing of cyber threat and vulnerability
information, both between and amongst the private sector
themselves and from the private sector to the Government, with
the Government then being enabled to further share that
information with others, both in Government and beyond.
Information sharing about cyber threat and vulnerability
information is a bit like vaccination in the public health
context. When one community knows of a virus threat and learns
of how to cure it, it is essential for that information to be
widely communicated throughout our community and throughout the
world. Cyber threat information is fundamentally a public good.
In this context, it seems to me that the application of
FOIA to cyber threat and vulnerability information voluntarily
shared by the private sector with the Government turns FOIA on
its head. The purpose behind FOIA, as demonstrated quite
clearly both in the Milner case and in Sergeant Ensminger's
case, is the transparency of Government functions. Thus, the
main ground of a FOIA request is to seek information from the
Government about Government and its operations.
Here, in the cyber context, the FOIA exemption contemplated
is in relation to a private sector information sharing that
would not otherwise--sharing of information that would not
otherwise come into the Government's possession in the first
instance. If we are serious about the cyber threat and if we
seek the voluntary sharing of information in order to foster
the creation of a clear and manifest public good, then the
voluntary agreement of private sector actors to provide that
information will, in the first instance, be contingent upon the
Government's agreement not to subject them to adverse
consequences.
Private sector actors, rightly, would see the absence of a
FOIA exemption as a form of Government hypocrisy. We need the
information, you will say, badly enough that we are asking you
to provide it for the common good, but not so badly that we are
willing to prevent that information from being shared with
other private sector actors who, as your competitors or
opponents in litigation, might wish you ill.
In my judgment, in the absence of a FOIA exemption, you
will not get the private sector information sharing that is
deemed essential, and it is not really just my judgment. The
information-sharing provisions with accompanying FOIA
exemptions are part of the Lieberman-Collins bill that has been
introduced in this body, the McCain bill that has been
introduced in this body, the bipartisan Rogers-Ruppersberger
bill on the other side of the Hill, the bipartisan Lungren bill
on the other side of the Hill, and I think most significantly
is an integral part of the Obama administration's own
legislative submission that they made to you in May of this
past year.
Finally, I would close by saying that there is a real
danger in subjecting cybersecurity threat and vulnerability
information to the FOIA. Allowing public disclosure of such
information would be identifying publicly which cyber threats
are known risks, in effect drawing a road map of what threats
are not known. That would have the substantive effect of
drawing a target around the higher vulnerabilities, something
that I think nobody would want to foster. Complete
transparency, in my judgment in this instance, would defeat the
very purpose of the disclosures that we are seeking voluntarily
from the private sector and might even make us less secure.
Thank you very much.
[The prepared statement of Mr. Rosenzweig appears as a
submission for the record.]
Chairman Leahy. [Presiding.] Thank you very much.
Let me start with Sergeant Ensminger. First off, I, like
all of us, thank you for your service to the country, but also
as a parent and as a grandparent, I offer you my sympathy for
what you went through with Janey. I think what you tell us is
that the transparency that we are supposed to have in FOIA is a
promise to everybody in this country because it impacts the
lives of Americans all across the Nation.
The public interest balancing test that Congress recently
enacted in the National Defense Authorization Act, will that
help you and others learn more about the well water
contamination at Camp Lejeune?
Sergeant Ensminger. Yes, sir, but only if it is applied. In
this instance, the National Defense Authorization Act was
signed by the President at the end of December, and the United
States Marine Corps sent a letter off on the 5th of January to
another Government agency, which is part of the CDC, and that
other Government agency did not question it. They just, for
lack of a better term, rolled over into a fetal position and
said, ``Kick me again,'' and redacted--did everything in their
bidding.
Chairman Leahy. It is important that you make that point
because, as I said, I intend to continue to follow up on this.
Whether it is Senator Grassley or myself, Senator Cornyn or
anybody else, we can pass all the legislation in the world with
the right intentions. If it is not followed, then you are hurt,
but so is everybody else. Is that correct?
Sergeant Ensminger. Yes, sir. And the information that they
are trying to hold back from is the location of water supply
wells, water towers, the water treatment plants aboard the
base. I mean, for lack--I asked one of the Senate Committees--
not a Committee but staffs the other day, they held a meeting
with the Office of the Secretary of Defense and some of the
representatives from the Marine Corps and the Department of the
Navy concerning these redactions, and I jokingly asked them,
before they went into the meeting, to please ask them if they
perfected their Klingon-type cloaking device to cloak these
100-and-some-foot tall towers.
Chairman Leahy. You see them when you drive by on the road.
Sergeant Ensminger. Yes, sir, and they are painted red and
white checkered. I mean, what are they----
Chairman Leahy. It is not a new form of camouflage.
Sergeant Ensminger. No, sir. And the water supply wells,
many of them are out--not even within the gates of the base.
They are along public highways, and the only physical security
they have around them is a chain-link fence and a locked door
to the pumphouse. Now, any terrorist that wanted access to
those without physical security, they do not need to protect
the information, the infrastructure information. They need more
physical security, if they really, truly want to protect their
people.
Chairman Leahy. Well, when I am here in Washington, because
of the house I have got in this area, I drive by a place with a
big sign, ``CIA.'' Well, that is fine. Everybody knows where it
is. But it is protected.
Professor Bunting, you have experienced the FOIA process
from the perspective of an academic, but also as a journalist.
Do you have an idea how we could protect on the one hand the
public's right to know while also protecting the Nation's
cybersecurity? Mr. Rosenzweig talked about that before. Go
ahead, sir.
Mr. Bunting. Mr. Chairman, first of all, Professor
Rosenzweig is the only cybersecurity expert at this panel. I do
not pretend to be one. But with regard to FOIA, I think the
worst thing would be a sweeping definition that was too broad,
too loosely defined, where the words could be made to be
whatever they wanted it to be, that gave too much unchecked
power to the Government.
The reason we also ask that there be a review process, a
sunset review process, in any new exemptions is exactly what
Master Sergeant Ensminger just told you. It was only a couple
of months ago that you put language in the NDAA to try and
write a narrow definition and also a public interest balancing
test. But, you know, is it going to be enforced? Time will
tell.
Given any leeway, agencies will find a way to make it say
what they want it to say, and so the key thing in protecting
the public interest to know and not just tossing it out the
window as you address these very real issues is to write a
definition that is narrow enough, to make sure that the public
interest is considered, and that you review it periodically
going forward.
Chairman Leahy. Thank you.
A vote has started. I will yield first to Senator Grassley
and then Senator Whitehouse.
Senator Grassley. Has it started? The light is not on up
there yet.
Chairman Leahy. Somebody will check.
Senator Grassley. I will hurry along here then so that
Senator Whitehouse can ask questions.
Chairman Leahy. It started.
Senator Grassley. OK.
Mr. Rosenzweig, I have a two-part question. First, when a
business shares cyber threat information with the Government,
what type of information are we talking about, a general
description on your part? And, second, describe for us the type
of damage that you believe would be done to the business
sharing information and to our country if that cyber threat
information was made public?
Mr. Rosenzweig. Well, thank you for the question. I will be
brief in the interest of time, though obviously the answer to
your first question is quite complex. But you can, broadly
speaking, divide cyber threat information that would be shared
into two bundles. One piece would be the actual malicious code
and information, the IP protocols and ports that are being
used, the websites, something that is quite specific to the
threat itself. I can see no reason why we would ever want that
information to be subject to FOIA because we would never want
to broadcast more widely than is already shared that kind of
threat information.
The other bundle of information is the data stream in which
the threat resides, and that can be anything. It can be an e-
mail attachment that is masquerading as an Excel spreadsheet.
It can be the header information. It can be virtually any sort
of content data. But that content data is really generally
independent of the malicious code itself. It helps us identify
the target that it is coming in Excel spreadsheets, but the
content of that Excel spreadsheet, which could be a human
resources spreadsheet or the company's salary data--it could be
anything. In other words, malicious code can hide literally
anywhere. So those are the two bundles.
The damage in the disclosure to the business obviously
comes in the content information on the second side, which is,
if they think that that content information is going to be
subject to onward disclosure through FOIA, they are not going
to provide it because that is usually CBI, confidential
business information, proprietary information of some form. So
what they are looking for is some assurance that the
information they provide, which cannot be disassociated from a
malicious code, will, in fact, be protected.
Senator Grassley. In regard to that first part, you said if
you could have a longer explanation. Maybe you could submit
something in writing that would be more thorough than what you
had time to give.
Mr. Rosenzweig. Sure.
[The information appears as a submission for the record.]
Senator Grassley. My second question, and probably the last
one----
Senator Whitehouse. Senator Grassley, would you mind if I
climbed onto that request so I get an answer as well? I am very
interested in that same response.
Senator Grassley. Of course, yes. So that will come from
the two of us.
Mr. Rosenzweig. My pleasure.
Senator Grassley. A two-part question. First, do you
believe that the actually cyber threat information shared by a
private company with the Federal Government provides no
insights into how the Government operates as a Government? And,
second, why should an open-government group ever need to have a
copy of actual malicious code or virus given to the Federal
Government by a private company?
Mr. Rosenzweig. As to the first of those, I can see no
interest in an insight-into-government operation in having
access to the underlying information from the private sector. I
can see interest in learning how the Government treats what it
does and whether or not we are responding well. But on the
information itself, no. And as for the malicious code, I would
say assuredly not. There is, in fact, a market--a black market,
of course--in the sale of malicious code exploits because they
are not generally widely known or used. When one is discovered,
it is precious to the bad actor. It would be, to my mind,
contrary to all sense of good public policy to make that more
generally widely available so that it could be more readily
exploited by a larger number of people.
Senator Grassley. For you I have got two more questions,
but I will yield back my time so Senator Whitehouse can ask
questions and still get over to vote.
Chairman Leahy. Senator Whitehouse.
Senator Whitehouse. Thank you. I just wanted to follow up
on Senator Grassley's line of questioning. The sort of
information that would be provided from the private company in
an information-sharing regime, would that ordinarily--if it had
not been provided to the Government, would it ordinarily be
amenable to any kind of FOIA access?
Mr. Rosenzweig. Not to my knowledge. FOIA does not run to
the private sector, so if the wastewater treatment facility in
Providence, Rhode Island, is under some sort of threat--unless
it is a publicly operated one. I do not actually know about
Providence. But if it is a private sector one, it is not
generally subject to FOIA, unless there is some State law that
might apply that, again, I am not familiar with all 50 State
laws, but generally no.
Senator Whitehouse. So nothing that would otherwise be
available to the public is taken from the public if information
sharing is protected from FOIA.
Mr. Rosenzweig. That would be my understanding. We use the
same model of protecting that type of critical infrastructure
information that would not otherwise be available because it is
voluntarily shared. In the PCII, the Protected Critical
Infrastructure Information, that is shared under the Homeland
Security Act, under the Chemical Facilities Antiterrorism
Standards, sensitive security information about aviation, we
use that model for private sector voluntary information quite
frequently, and in general, the rule is it would not otherwise
be available so we are not taking away something.
Senator Whitehouse. Master Sergeant Ensminger raises the
very good point that bureaucracies have not been unknown to use
a variety of techniques to try to dodge disclosure--
overclassification or unnecessary classification being one. Do
you see a way in which legitimately available information could
be shielded from public disclosure by some strategic use of the
information-sharing regime? Somebody decides--I mean, I suppose
the scenario would be an entity or organization that would
otherwise have to make a disclosure of some kind, just sends
the stuff in as information sharing even if it is not really
legitimate to a cybersecurity complaint, and then says, Aha,
you see, now I do not have to disclose it because I submitted
it as the information sharing. Because of the nature of the
beast, that strikes me as a phenomenon that we could probably
guard against pretty successfully because it is not the natural
purpose of the information-sharing effort. But what are your
thoughts on that point of strategic abuse of the information
sharing to quell public disclosure?
Mr. Rosenzweig. Your point is well taken, that is, that one
could imagine a systematic effort by somebody to hide their own
private sector malfeasance. That is going to be very unlikely
and rare in the cybersecurity realm. There is not a lot of
incentive that I see for trying to maintain vulnerabilities.
The natural incentive is going to be for people who are aware
of their own vulnerabilities to fix them because they suffer--
the private sector suffers their own consequences for failing
to fix that.
It strikes me that at this juncture, given the imminence of
the cyber threat as we understand it, the value judgment that
you need to make is whether or not that small likelihood means
that you want to develop an exemption that would otherwise
probably retard a lot of the sharing that is the plus value, or
if you can come up with--my main answer to you, I think there
is probably a mechanism for some sort of substituted
transparency, which is not the full transparency of FOIA to the
press and the public in this context, but institutions like the
President's Civil Liberties and Oversight Board that you have
already created or IGs or----
Senator Whitehouse. Certainly you would want some form of
ombudsman or IG to report on whether this was being abused in
any way, wouldn't you?
Mr. Rosenzweig. I would certainly see room for something
like that as a constructive proposal. I have not really thought
it through that much.
Senator Whitehouse. All right. I am about to be late to
vote, so I am going to disappear.
Thank you, Chairman.
Chairman Leahy. Thank you all very much. I will keep the
record open for a couple days for follow-up questions. I did
not mean to hurry you. You were asking perfect questions, and I
apologize.
Thank you all very much.
Mr. Bunting. Thank you, Mr. Chairman.
Mr. Rosenzweig. Thank you, Mr. Chairman.
[Whereupon, at 12:19 p.m., the Committee was adjourned.]
[Questions and answers and submissions for the record
follow.]
[GRAPHIC] [TIFF OMITTED] T6357.001
[GRAPHIC] [TIFF OMITTED] T6357.002
[GRAPHIC] [TIFF OMITTED] T6357.003
[GRAPHIC] [TIFF OMITTED] T6357.004
[GRAPHIC] [TIFF OMITTED] T6357.005
[GRAPHIC] [TIFF OMITTED] T6357.006
[GRAPHIC] [TIFF OMITTED] T6357.007
[GRAPHIC] [TIFF OMITTED] T6357.008
[GRAPHIC] [TIFF OMITTED] T6357.009
[GRAPHIC] [TIFF OMITTED] T6357.010
[GRAPHIC] [TIFF OMITTED] T6357.011
[GRAPHIC] [TIFF OMITTED] T6357.012
[GRAPHIC] [TIFF OMITTED] T6357.013
[GRAPHIC] [TIFF OMITTED] T6357.014
[GRAPHIC] [TIFF OMITTED] T6357.015
[GRAPHIC] [TIFF OMITTED] T6357.016
[GRAPHIC] [TIFF OMITTED] T6357.017
[GRAPHIC] [TIFF OMITTED] T6357.018
[GRAPHIC] [TIFF OMITTED] T6357.019
[GRAPHIC] [TIFF OMITTED] T6357.020
[GRAPHIC] [TIFF OMITTED] T6357.021
[GRAPHIC] [TIFF OMITTED] T6357.022
[GRAPHIC] [TIFF OMITTED] T6357.023
[GRAPHIC] [TIFF OMITTED] T6357.024
[GRAPHIC] [TIFF OMITTED] T6357.025
[GRAPHIC] [TIFF OMITTED] T6357.026
[GRAPHIC] [TIFF OMITTED] T6357.027
[GRAPHIC] [TIFF OMITTED] T6357.028
[GRAPHIC] [TIFF OMITTED] T6357.029
[GRAPHIC] [TIFF OMITTED] T6357.030
[GRAPHIC] [TIFF OMITTED] T6357.031
[GRAPHIC] [TIFF OMITTED] T6357.032
[GRAPHIC] [TIFF OMITTED] T6357.033
[GRAPHIC] [TIFF OMITTED] T6357.034
[GRAPHIC] [TIFF OMITTED] T6357.035
[GRAPHIC] [TIFF OMITTED] T6357.036
[GRAPHIC] [TIFF OMITTED] T6357.037
[GRAPHIC] [TIFF OMITTED] T6357.038
[GRAPHIC] [TIFF OMITTED] T6357.039
[GRAPHIC] [TIFF OMITTED] T6357.040
[GRAPHIC] [TIFF OMITTED] T6357.041
[GRAPHIC] [TIFF OMITTED] T6357.042
[GRAPHIC] [TIFF OMITTED] T6357.043
[GRAPHIC] [TIFF OMITTED] T6357.044
[GRAPHIC] [TIFF OMITTED] T6357.045
[GRAPHIC] [TIFF OMITTED] T6357.046
[GRAPHIC] [TIFF OMITTED] T6357.047
[GRAPHIC] [TIFF OMITTED] T6357.048
[GRAPHIC] [TIFF OMITTED] T6357.049
[GRAPHIC] [TIFF OMITTED] T6357.050
[GRAPHIC] [TIFF OMITTED] T6357.051
[GRAPHIC] [TIFF OMITTED] T6357.052
[GRAPHIC] [TIFF OMITTED] T6357.053
[GRAPHIC] [TIFF OMITTED] T6357.054
[GRAPHIC] [TIFF OMITTED] T6357.055
[GRAPHIC] [TIFF OMITTED] T6357.056
[GRAPHIC] [TIFF OMITTED] T6357.057
[GRAPHIC] [TIFF OMITTED] T6357.058
[GRAPHIC] [TIFF OMITTED] T6357.059
[GRAPHIC] [TIFF OMITTED] T6357.060
[GRAPHIC] [TIFF OMITTED] T6357.061
[GRAPHIC] [TIFF OMITTED] T6357.062
[GRAPHIC] [TIFF OMITTED] T6357.063
[GRAPHIC] [TIFF OMITTED] T6357.064
[GRAPHIC] [TIFF OMITTED] T6357.065
[GRAPHIC] [TIFF OMITTED] T6357.066
[GRAPHIC] [TIFF OMITTED] T6357.067
[GRAPHIC] [TIFF OMITTED] T6357.068
[GRAPHIC] [TIFF OMITTED] T6357.069
[GRAPHIC] [TIFF OMITTED] T6357.070
[GRAPHIC] [TIFF OMITTED] T6357.071
[GRAPHIC] [TIFF OMITTED] T6357.072
[GRAPHIC] [TIFF OMITTED] T6357.073
[GRAPHIC] [TIFF OMITTED] T6357.074
[GRAPHIC] [TIFF OMITTED] T6357.075
[GRAPHIC] [TIFF OMITTED] T6357.076
[GRAPHIC] [TIFF OMITTED] T6357.077
[GRAPHIC] [TIFF OMITTED] T6357.078
[GRAPHIC] [TIFF OMITTED] T6357.079
[GRAPHIC] [TIFF OMITTED] T6357.080
[GRAPHIC] [TIFF OMITTED] T6357.081
[GRAPHIC] [TIFF OMITTED] T6357.082
[GRAPHIC] [TIFF OMITTED] T6357.083
[GRAPHIC] [TIFF OMITTED] T6357.084
[GRAPHIC] [TIFF OMITTED] T6357.085
[GRAPHIC] [TIFF OMITTED] T6357.086
[GRAPHIC] [TIFF OMITTED] T6357.087
[GRAPHIC] [TIFF OMITTED] T6357.088
[GRAPHIC] [TIFF OMITTED] T6357.089
[GRAPHIC] [TIFF OMITTED] T6357.090
[GRAPHIC] [TIFF OMITTED] T6357.091
[GRAPHIC] [TIFF OMITTED] T6357.092
[GRAPHIC] [TIFF OMITTED] T6357.093
[GRAPHIC] [TIFF OMITTED] T6357.094
[GRAPHIC] [TIFF OMITTED] T6357.095
[GRAPHIC] [TIFF OMITTED] T6357.096
[GRAPHIC] [TIFF OMITTED] T6357.097
[GRAPHIC] [TIFF OMITTED] T6357.098
[GRAPHIC] [TIFF OMITTED] T6357.099
[GRAPHIC] [TIFF OMITTED] T6357.100
[GRAPHIC] [TIFF OMITTED] T6357.101
[GRAPHIC] [TIFF OMITTED] T6357.102
[GRAPHIC] [TIFF OMITTED] T6357.103
[GRAPHIC] [TIFF OMITTED] T6357.104
[GRAPHIC] [TIFF OMITTED] T6357.105
[GRAPHIC] [TIFF OMITTED] T6357.106
[GRAPHIC] [TIFF OMITTED] T6357.107
[GRAPHIC] [TIFF OMITTED] T6357.108
[GRAPHIC] [TIFF OMITTED] T6357.109
[GRAPHIC] [TIFF OMITTED] T6357.110
[GRAPHIC] [TIFF OMITTED] T6357.111
[GRAPHIC] [TIFF OMITTED] T6357.112
[GRAPHIC] [TIFF OMITTED] T6357.113
[GRAPHIC] [TIFF OMITTED] T6357.114
[GRAPHIC] [TIFF OMITTED] T6357.115
[GRAPHIC] [TIFF OMITTED] T6357.116
[GRAPHIC] [TIFF OMITTED] T6357.117
[GRAPHIC] [TIFF OMITTED] T6357.118
[GRAPHIC] [TIFF OMITTED] T6357.119
[GRAPHIC] [TIFF OMITTED] T6357.120
[GRAPHIC] [TIFF OMITTED] T6357.121
[GRAPHIC] [TIFF OMITTED] T6357.122
[GRAPHIC] [TIFF OMITTED] T6357.123
[GRAPHIC] [TIFF OMITTED] T6357.124
[GRAPHIC] [TIFF OMITTED] T6357.125
�