tv Capital News Today CSPAN May 31, 2011 11:00pm-2:00am EDT
11:00 pm
the speaker pro tempore: without objection, so ordered. mr. camp: mr. speaker, last february when the president submitted his budget for 2012 he did not provide any plan for reining in deficits and debt. and the administration called for a clean increase in the debt limit or an increase in the debt limit that had -- that was unconditional, that had no spending reductions or structural reforms to try to address the problems we face. and to increase the debt limit of about $2.4 trillion. 104 democrats have asked for an unconditional vote on the debt limit. and i would say that my colleagues on the other side have been very reminiscent about the bush years and i would just say that in four years the debt under the obama administration will exceed the bush administration in eight years. another way of putting it, the
11:01 pm
debt under this president is going up at twice the rate as it did under president bush. i would just say it's important we send a clear signal, that there will not be an unconditional increase in the debt limit and we're serious about addressing our debt limits in the country and we've seen the signals from the financial markets and heard what our constituents have said and it's very important we bring the kind of spending reductions and reforms that we need to this debate. i urge -- >> how did the vote to raise the debt limit turn out? >> it was resoundingly defeated in the house. every republican voted against, as did 82 democrats. there was a high number of democrats who voted in favor of
11:02 pm
the measure, 97, a lot higher than people expected. earlier in the day steny hoyer at a press event had basically urged members to vote present if they had any qualms. it was a way to cast a vote without stating a preference. in the end, only seven did so. -- 97 did so. it never had a chance of succeeding in the house. it was seen as entirely a political gesture by the republican majority. >> why did democrats vote the way that they did? >> 114 had signed a letter by peter welch which called for the clean debt ceiling vote, unencumbered by any spending controls or spending reduction. they had said that debt ceiling is too important, the country's
11:03 pm
full faith and credit is too important to be held hostage to debates about how one fixes the budget. they had signed this letter and perhaps they felt that even though the vote was purely a political one and not one that they had been pushing for, they have to follow through with their intentions. they could not very well vote no having publicly called for a vote. perhaps they felt they were left with no choice. >> you mentioned that the vote was political. why did they go ahead with the vote knowing it would fail? >> there are two theories here. they were giving political cover to some of their members to down the line when the deal is struck with democrats and the obama white house, they are giving cover to guys who will have to vote in favor of whatever that deal is in order to get the compromise effort. the other theory is that they were hoping that they got a
11:04 pm
large number of democratic yeses. they can use that to campaign against them. you consider commercials running now, congressional member x voted to raise the debt ceiling with no spending measures. >> what impact will this have on negotiations between congress and the white house on debt reduction and proposed spending cuts? >> very little. the talks with vice-president biden go on. the next meeting is later this week. this vote for people in washington was widely telegraphed as being a political thing giving cover to republican members. no real impact on the talks that are ongoing. we are far from clear as to what the outcome of those talks are going to be and what the parameters of the ultimate deal reached will be. i do not think that this vote
11:05 pm
will have any impact on those talks. >> corey boles, thank you. >> in a few moments, a hearing on securing the electric grid. in a little less than two and a half hours, a look at the future of nuclear power in the u.s. and europe, including details of germany's plan to phase out its nuclear power plants. after that, we will re-air the house debate on raising the debt ceiling. a couple of live events to tell you about tomorrow. the house homeland security subcommittee on counterterrorism and intelligence held a hearing on how the department of homeland security gathers, analyzes, and disseminates intelligence. that is on c-span3 at 2:00 p.m. eastern. after that, at 2:30 p.m. eastern
11:06 pm
on c-span2, a hearing on the transition in iraq. the house foreign affairs subcommittee will hear from the departments of state and defense. >> today marks the first time when our legislative branch in its entirety will appear on that medium of communication through which most americans get their information about what our government and our country does. several times to date this has been referred to as an historic occasion. whether or not it will be an historic occasion is, i think, a subject for the judgment of history. >> this week marks 25 years of televised coverage of the congress. c-span was carried then in only 6.5 million homes. today it is 89 million homes. watch the senate coverage online at the c-span video library. it is all searchable and free.
11:07 pm
the peabody award-winning c-span video library -- it is washington your way. >> now a hearing on securing the electric grid from cyber attacks and other threats. the house passed a bill last year aiming to secure the airing of transmission lines but was never considered by the full senate. this is a little less than 2.5 hours.
11:08 pm
today's hearing focuses on a critical national security issue, protecting the nation's electrical grid from physical and cybersecurity threats and vulnerabilities. threats have increased in recent years and were the subject of several hearings in the 110th and 111th congresses. there is evidence that bad actors have conducted cyber probes of u.s. grid systems, and that cyber attacks have been conducted against critical electric infrastructure in other countries. this past february, a cyber attack dubbed night dragon which is believed to have emanated from china targeted the critical infrastructure of energy and petrochemical companies in the u.s. the night dragon attack was not overly sophisticated, but was nevertheless successful in breaching the computer systems of key assets.
11:09 pm
this example is one of several, and is the tip of the iceberg, and illustrates that we must be more vigilant in securing the nation's critical energy infrastructure. including the electric grid. beyond potential cyber attacks, the bulk power system remains exposed to physical vulnerabilities and threats, including direct terrorist attack. weapons that can create an electromagnetic pulse, and geomagnetic storms. federal and state agencies and industry stakeholders have sought to address many of these concerns. in particular, through an extensive stakeholder process, the north american electric reliability corp., pursuant to its authority under section 215 of the federal power act, has worked over the last several years to develop and implement reliability standards and to address grid security,
11:10 pm
vulnerabilities, in a timely manner. to address these shortcomings, the committee recently released a discussion draft entitled the grid reliability and infrastructure defense, or the grid act. the bill is identical to bipartisan legislation developed by this committee last congress by chairman upton and mr. markey. the grid act provides the federal energy regulatory commission with emergency authority to respond to imminent physical and cyber threats to the bulk power system and electric infrastructure that serves facilities vital to our national defense. this emergency authority can be triggered only upon a directive from the president. the discussion draft also provides ferc with the
11:11 pm
authority to identify and remedy weaknesses that leave the grid vulnerable to cyber attacks and electromagnetic pulse events. it also directs ferc to develop regulations to facilitate the sharing of information as a pro be between governmental agencies, nerc, and owners and operators of the bulk power system. doing so will improve communication among affected stakeholders which will result in a more secure grid. although the discussion draft is identical to last year's bills, we expect that input and insight provided by today's witnesses will help improve a bill to reflect current conditions and any changed circumstances. i know for example that congressman franks has introduced legislation that is more narrowly focused than this broader approach. we look forward to his testimony to explain his views in this area. he has
11:12 pm
spent a great deal of time on it, as has congressman langevin. we want to thank the witnesses in advance for being with us today. i will introduce them later. at this time i'd like to yield to mr. rush, the ranking member. >> i want to thank you, mr. chairman, and the distinguished guests for being here today. mr. chairman, today we are holding a hearing on the grid reliability and infrastructure defense act, or the grid act for short. this bipartisan piece of legislation is identical to the bill that was favorably reported out of the hearing unanimously last year and went on to pass the house by a voice vote before getting stalled in the senate. mr. chairman, this bill represents the type of legislation that advances the
11:13 pm
security interests of all americans and shows what can be accomplished when we choose to work together in a bipartisan manner. i appreciate you conducting the hearing today, mr. chairman. and i hope and expect that we will move into this bill with the same type of cooperation and collaboration that we experienced last session, as this legislation moves through committee. mr. chairman, the u.s. electric grid consists of interconnected transmission lines and local distribution systems that deliver electricity to our homes, schools, our offices, facilities, and related communications systems. the intricate design of the grid makes all of our components highly independent so
11:14 pm
that problems in one location can lead to a domino effect of reliability concerns in other areas. in today's highly digitized world, the operational controls over the transmission grid are increasingly managed by computer systems. such as the supervisory control and data acquisition, or scada, systems. the increased use of how metering systems, and other smart grid capability, leaves our
11:15 pm
electric grid even more open to attack. this bill will amend the federal power act to add a new system which will give the federal energy regulatory commission, ferc, new authority to prevent cyberattacks including those from geomagnetic storms, solar activities. additionally this bill will provide ferc with the authority to issue emergency orders to protect against a grid security threat, whether malicious, a geomagnetic storm, or by physical attacks. when the president notifies the commission that such a threat
11:16 pm
exists. mr. chairman, we are all aware of the constant threat that our nation faces. like countries such as china and russia, who are already conducting cyber probes of u.s. grid systems, or by terrorist organizations looking for ways to weaken our capabilities. cyberattacks can cause untold and it our nation's grid can be done from far away locations at very low cost and with little ability to trace the source of the threat. and so it is imperative that we provide those agencies that are responsible for protecting us, protecting our nation's grid, protecting all americans, with
11:17 pm
all the tools, all the authority, and all the resources that they need to keep us safe. mr. chairman, i thank you for holding this hearing today. i look forward to hearing from our witnesses on this critical issue. with that, i yield back all the time that i have, which is one second. thank you for being so generous. i recognize mr. waxman for the purposes of an opening statement. >> thank you, mr. chairman. this legislation is as bipartisan as it comes. this legislation was born out of the bipartisan realization that our electric grid is inadequately protected from a range of potential threats. and the current process for addressing vulnerabilities in the electric grid is not
11:18 pm
sufficient in an emergency situation where the grid faces an imminent threat. the federal energy regulatory commission currently lacks authority to require the necessary protective measures. there are also an ever growing number of grid security vulnerabilities. these are weaknesses in the grid that could be exploited by criminals, terrorists, and other countries to damage our electric grid. the same weaknesses make the grid vulnerable to naturally occurring geomagnetic storms. during the last congress, chairman upton, representative upton, joe martin and i developed this on a bi-partisan basis. we had discussions with stakeholders and worked with many members to answer their questions, address their concerns and consider constructive suggestions. this cooperative process led to strong bipartisan legislation. we reported
11:19 pm
the bill and in june the grid act passed the house by voice vote on the suspension calendar, but it did not become law. i thank you for taking it up in this congress. this bipartisan legislation will provide ferc the authority that it needs to protect from imminent threat an emergency orders. it also directs the commission to address longer-term grid vulnerability. in addition, the bill includes provisions that focus specifically on the portions of the grid that serve facilities critical to the defense of the u.s., and the bill is budget neutral. these are important issues, and in the last congress we heard from the defense department and from former defense secretary
11:20 pm
and national-security advisers and cia directors. the changes made by this bill are critical for our national security. i look forward to hearing from today's witnesses. although we are likely to hear some in industry argue against further authority to deal with these threats, we worked with them last time to develop workable legislation. i hope today marks the beginning of a similar process in this congress. the grid act is too important to allow special interests to weaken its effectiveness. the committee needs to act to protect the nation's electric grid from cyber attacks, direct physical attacks, and electromagnetic pulses, and solar storms. thank you, mr. chairman. >> thank you, and would you like to make an opening statement? today we have three panels of witnesses. on the first panel we have two members of congress, the honorable trent franks of arizona and mr. jim langevin of
11:21 pm
rhode island. we appreciate both of you being here very much. mr. franks, i will recognize you for a five minute opening statement. >> thank you, mr. chairman, and good afternoon to you and to ranking members rush and waxman, and the rest of the fellow members on the committee. i believe the subject of today's hearing is one of profound implication and importance to western civilization. i hope that the members will feel inclined to read my written testimony. i thank you for allowing me to testify today. mr. chairman, in our technological investment, we have now captured the electron and transported its utility into nearly every business, home, and industrial endeavor throughout the civilized world. we have advanced our standard of living beyond dreams. we have also grown profoundly dependent upon electricity and its many accoutrements. in keeping one of humanity's most reliable harmonics, we now find among our greatest friends an unsettling vulnerability,
11:22 pm
emp, electromagnetic pulse. the effects of geomagnetic storms on the electric infrastructure are well-documented. every expert recognizing the dramatic disruptions and cataclysmic collapses these pulses can bring to electric grids. in 2008 the emp commission testified before the armed services committee that the u.s. society and economy are so critically dependent on the availability of electricity that a significant collapse of the grid, precipitated by a major natural or man-made emp event, could result in catastrophic civilian casualties. this conclusion is echoed by separate reports recently compiled by the dod, dhs, doe, and the national academy of sciences along with various other government agencies and independent researchers. all of them came to similar conclusions. the sobering reality is that this vulnerability if left unaddressed could have grave, societal-altering consequences.
11:23 pm
like many of you, i believe the federal regulation should be very limited. our first national priority is national security, and to protect our national security, we must protect our major transformers from cascading destruction. to that end, i've introduced the shield act, which differs primarily from your discussion draft in three critical areas. unlike the grid act, which i commend this committee deeply for passing last year, the shield act authorizes ferc to promulgate standards necessary to protect the infrastructure against natural and man-made electromagnetic pulse events if the standards developed by the ero are inadequate to provide national security. the shield act additionally requires automated hardware-based solutions rather than procedural safety measures alone. and the shield act does not contain cyber security provisions,
11:24 pm
leaving the conflicting approaches to that extremely important issue among the senate in particular to be debated in a separate bill. automated hardware is particularly important when one considers the shortcomings of procedural and operational safety measures alone in response to an emp event. according to solar weather experts, there is only 20 to 30 minutes warning from the time we predict a solar storm that may affect us to the time it actually does. this is simply not enough time to implement procedures that will adequately protect the grid. furthermore, these predictions are only accurate one out of three times. this places a crushing dilemma on industry who must decide whether or not to heed the warning with the knowledge that a wrong decision either way could result in a loss of thousands or even millions of lives and massive legal ramifications beyond expression. mr. chairman, we are now 65 years into the nuclear age. the ominous intersection of
11:25 pm
jihadist terrorism and nuclear proliferation has been hurtling toward america and the free world for decades. when you add the dimension of asymmetric electromagnetic pulses to the question, we face a menace that may reflect the gravest short term threat to the peace and security of the human family in the world today. certainly there are those who believe that the likelihood of terrorists to obtain nuclear weapons and using them in an emp attack is remote. it may remain a reasonable conclusion for the moment. but our intelligence apparatus did not foresee the arab spring. it shows that arab regimes can change very quickly. if terrorists or rogue states do acquire nuclear weapons, it would become a national priority. that process will take several years and while regime change only takes a few weeks, a missile launch only takes a few minutes. the fact that we are now 100% vulnerable means that we should
11:26 pm
start securing our electric infrastructure now. indeed by reducing our vulnerability to, we may reduce the likelihood that terrorists or rogue states would attempt such an attack in the first place. thankfully there is a moment in the life of nearly every problem when it is big enough to be seen by responsible, reasonable people and still small enough to be solved. you and i live in a moment when there may be time for the free world to address and mitigate the vulnerabilities of naturally occurring or man-made emps. your actions today to protect america may gain you no fame or fanfare in the annals of history. however, it may happen that in your lifetime a natural or man-made events obey has an effect so small that none but a few will recognize the disaster that was averted. for the sake of our children and future generations, i pray it happens exactly that way. thank you and god bless you all.
11:27 pm
>> thank you, mr. franks. mr. langevin, you're recognized for an opening statement. >> thank you, chairman whitfield and ranking member rush and ranking member waxman, for allowing me to testify on what i believe to be one of the most critical national security issues facing our country today -- securing our electric grid from cyber vulnerabilities. this is an issue i have devoted several years of my time and effort to, and i wanted to be here with my colleague, mr. franks. as a member of the house armed services committee as well as the house permanent subcommittee on intelligence, i sit at an interesting nexus of the national security challenges that face our nation today. i previously testified on this issue in 2009 after a bill that i had drafted with then-homeland security chairman bennie thompson which was adapted into
11:28 pm
then-chairman markey possible for that, and i want to thank the committee for including me in this discussion again today. we know that there are a number of actors that seek to do harm to our networks, from foreign nation states to disgruntled employees. as the threat and capabilities grow, so does the threat to our infrastructure. this threat is not new. in the 110th congress, i conducted a detailed examination of cyber threats to our critical infrastructure. i want to reiterate what i made clear in my previous testimony before the subcommittee. i believe we remain vulnerable to cyberattacks that could cause severe damage to our critical infrastructure, our economy, our security, and even american lives. the vast majority of our critical assets are in private hands. fixing vulnerabilities could be
11:29 pm
costly, security can find itself in conflict with other priorities like profit and accountability to shareholders. the american people are placed at risk when the owners of critical infrastructure fail to prepare for worst-case scenarios. i was pleased by the early attention paid to the issue of cybersecurity by the obama administration. in spite of some delays to the process, i'd like to commend them for taking serious steps in the right direction. on the leader nation of howard schmidt and his staff, it is released standards and best practices for cyber protection across all sectors of our critical infrastructure. this mirrors philosophically the language of legislation i introduced earlier this year. dhs has become more involved in securing our critical infrastructure. the establishment of the industrial control systems computer emergency response team formalized a group of
11:30 pm
experts and fly away teams that could respond to cyber incidents across all sectors of our utilities. but companies still first request help from the government before it can be deployed. and the simple act of having to ask often forces decision makers in industry to steer clear of any government help for these complex problems. i see them increasingly stepping up to the plate but they cannot move fast enough or far enough under the current system. as michael assante, the president of the national board of information security examiners and former security officer at the north american electric reliability corp. testified last year, we're not only susceptible, but we're not very well prepared. i have supported the grid act as it moved through the house last year because it sought to address some of the
11:31 pm
unique regulatory challenges in our power industry today. currently we live under a system that does not prioritize security. it actively penalizes open reporting and cooperation. the legislation that we report today aims to correct this by allowing federal regulations greater authority to protect americans during times of imminent crisis. it also provides for the issuance of orders to identify and mitigate vulnerabilities to protect the bulk power system from cyber attack. while this is a step forward, i would encourage the committee to consider provisions in my legislation and in senate and administration proposals that expands this model to other sectors of critical infrastructure and enhances the ongoing efforts of dhs to quickly respond to a major crisis. i also note my concern that by specifying only the bulk power system, this legislation excludes critical distribution systems that would leave major cities like new york and
11:32 pm
washington unprotected by the broader provisions of this bill. i will conclude by cautioning again that inaction on this issue will make our nation increasingly more vulnerable to cyber attacks from both outside and within. we know the threat exists and we have an opportunity to address it before any further damage is caused. it is the responsibility of congress and the administration to take the proper steps that will protect this nation. once again, i would thank you, chairman whitfield and ranking member rush, as well as the ranking member waxman, for your attention to this very important issue and for the opportunity to testify. i look forward to working with the energy and commerce committee and supporting your efforts to raise awareness about securing our critical infrastructure and protecting our citizens from cyber attack. thank you and i yield back. >> thank you, mr. langevin.
11:33 pm
last year it was unable to get through the senate. we are quite familiar with that. we pass a lot of things here that don't get through the senate, but our objective is to get something through the house and the senate and signed by the president. basically reflects the administration's proposal. is that correct? or not? >> i wouldn't go so far as to say that, but they both move in a similar direction. >> okay. i would like for maybe both of
11:34 pm
you to just give advice to this committee on what you think we need to do to maximize our opportunity to get this passed in the senate. mr. franks? >> mr. chairman, as it happened last year i personally lobbied the senate as hard as i could on the grid act, even though as i've laid out today i think there's critically important things that need to be added to it or changed, met with senator murkowski and others there in the chamber, and the big challenge was that they had differing strategies on what should be done about cyber security. now, let me make it so desperately clear here i believe that cyber security is a critically important issue, and i think i would find myself largely in mr. langevin's camp on that issue. but the problem is the personalities there had a little different strategy on how to address it. i'm trying to maintain protocol here, mr. chairman.
11:35 pm
they couldn't get together on that, and that's why we felt like the issue should be separated, not because that one is more important than the other per se, but because i just think it's going to be especially difficult -- that's complicated this year, you know the white house just a few weeks ago released a legislative proposal for nationwide cross-sector cyber security efforts and the senate is working to produce a goal to meet those needs. and my concern is that, if we tie them together, we may weaken both of them because there's very little disagreement on the emp aspects of it. the senators were very supportive of being able to protect the grid itself, just had some very seriously differing approaches to the cyber security element of it. >> mr. langevin? >> i would just say that last year we were a bit frustrated by the senate still contemplating
11:36 pm
which path forward they were going to take. i was fortunate to get an amendment included in the house armed services defense authorization bill last year that would have established a white house office on cyber security with a director's position that would have been senate confirmed and would have included updates to the fisma law. that did not get through the conference committee last year. the senate was still struggling to determine which direction they were going to take, whether it was rockefeller/o rockefeller/or --/lieberman. i believe the senate is moving in the direction of resolving those issues and i'm hopeful that now that the white house has come out with its guidance on their views on cyber security going forward that that will clear some of the hurdles in the senate and they'll be able to come together and reach broader
11:37 pm
agreement, which hopefully will allow the grid act, which is obviously an aspect, important aspect, of securing our bulk power system, will allow these issues to clear the hurdles that remain ahead. so i would say perseverance. we're going to have to keep the pressure on the senate, but hopefully -- and i would say that i'm in close contact with senator sheldon whitehouse, who's also from rhode island and who's also one of the leaders in the senate on cyber security, he believes that we will see bipartisan progress on the issue of cyber security in the senate. i'm hopeful we'll see a lot of these issues addressed and we'll be able to get them through conference. >> thank you all very much. we do look forward to continue working with you because both of you have been leaders in this area. we hope to be able to continue to call on you for your input. at this time, we'll recognize
11:38 pm
the gentleman from illinois. >> thank you, mr. chairman. i'm going to be brief. mr. langevin, you have expressed a level of restraint regarding this bill, in that if you think we strengthen in certain areas and i'm curious to say i know that we want to send the best bill that we can to the senate, and then again we can persevere as you have indicated. how do you think we can strengthen this bill? >> well, a couple of things, congressman rush. i'd like to see the approach that we're taking here addressing the challenges to the bulk power system broadened to include other areas of critical
11:39 pm
infrastructure. because some of them would be in this jurisdiction of the full energy and commerce committee. others may be in the area of the financial services area committee. but i think the approach that you're taking here is a positive one, with respect to the electric grid. in addition to that, i would like to see this bill address distribution systems, not just transmission but distribution systems. as i said, it's my understanding that because distribution is not dealt with in the bill, that areas like washington, d.c., and new york would be left out of the intent and hopefully the coverage that this legislation would provide. protection it would provide to our electric grid. so i'd encourage the committee to look further at that issue. >> congressman franks, do you have any suggestions along the same lines? >> well, i think that
11:40 pm
congressman langevin has it absolutely right. i know we have pictures of new york and washington but we want to keep them around for a while. i think that's wise to extend that to the transmission lines. again, my focus is to try to focus as narrowly as i can on maintaining the base electric grid. because if that goes down, our cyber security issues are no longer an issue because we don't have computer systems, we don't have the electric to run them. and it might behoove the committee to consider a possibility of sending the grid act over as it is and, in a separate version, just addressing the emp issue in case there is the issue where the senate can't come together on exactly how they want to do the cyber security. but i emphasize one last time that the cyber security issue is absolutely critical. i visited the palo verde nuclear
11:41 pm
power plant just outside my district in arizona, the largest one in the nation and we had a hacker two strokes away from being able to go in and monkey with the reactor itself. >> mr. chairman, my state -- my general assembly and my state legislature, they just yesterday passed a bill out and sent it to the governor addressing these same matters. i'm interested in new york, and i'm interested in the other cities that you name. but i'm also interested in the third city, the city by the lake, chicago, and what the threats are to chicago also. with that, mr. chairman, i yield back the balance of my time. >> thank you, mr. rush. generally speaking, when we have members of the house or senate testifying, chairman and ranking member are the only ones that ask questions. however, i would ask our friends
11:42 pm
on this side of the aisle if they have any questions? >> i don't, but i've worked with trent on his bill and i just wanted to thank both of you for your good work. this is an extremely important issue, and, as the ranking member and chairman both said, we need to get this to the point where the senate can pass it and we get it to the president's desk. thank you for your efforts. yield back. >> thank you, mr. terry. once again, thank you all so much for your concern and leadership on this issue, and we will continue to work with you as we move forward. unless you all want to stay and hear the other panel, we'll let you go on to your other activities. so thank you. >> thank you. >> thank you, mr. chairman. >> at this time, i'd like to call up our second panel, which includes the honorable patricia hoffman, who is the assistant
11:43 pm
secretary office of electricity delivery and energy reliability at the department of energy, and we have the honorable paul stockton, assistant secretary of defense for homeland defense and america's security affairs at the u.s. department of defense, and we have mr. joseph mcclelland who is the director of office of electric reliability at ferc. so welcome to the hearing, and thank you all for taking time to be with us and to give us your expertise and thoughts on this issue. so, at this time, ms. hoffman, i will recognize you for a five-minute opening statement. and i would just point out that there's little devices on the top of the table that has a red, green and yellow light.
11:44 pm
when it turns red, we'd like for you to maybe think about coming to an end. but we won't hold you strictly to that. ms. hoffman, you're recognized for five minutes. >> good afternoon, mr. chairman, members of the committee. i would like to extend my thanks to the chairman and esteemed members of the committee for inviting me here today to discuss cyber security issues facing the electric industry as well as potential legislation intended to strengthen protection of the bulk power system and the electric infrastructure. ensuring a resilient electric grid is particularly important since it is arguably the most complex and critical infrastructure that others depend upon to deliver essential services. the department of energy's office of electricity delivery and energy reliability supports the administration's strategic comprehensive approach to cyber security and specific with respect to the electric grid, we recognize that our focus should
11:45 pm
be on seven key areas. one is facilitating public/private partnerships to accelerate grid cyber security efforts. two, funding research and development of advanced technology to create secure and resilient electricity infrastructure. three, developing cyber security standards that provide a baseline to protect against vulnerabilities. four, timely sharing of information. five, the development of management frameworks. six, facilitation of incident management and response capabilities. but also address the unique issues to the electric control systems such as scada systems and other control devices.
11:46 pm
the cyberspace policy review underscores the need to strengthen private/public partnerships to improve resilience of the critical government and industry systems networks. as directed by hspd-7, a public/private partnership must be established to effectively address national security concerns for critical infrastructure. however, private industry alone cannot be responsible for preventing, deterring, mitigating the effects of deliberate efforts to destroy or exploit critical infrastructure systems. our office has long recognized that neither the government nor the private sector nor individual citizens can meet cyber security challenges alone. we must work together. nearly all of the cyber security activities involve public and private partnerships. through partnerships and
11:47 pm
competitive solicitations with the doe, oe has sponsored research and development of several advanced cyber security technologies that are commercially available and a couple of examples include a secure serial communications for control system has been commercialized by schweitzer engineering laboratories. a software tool kit that provides auditing of scada security settings. this was commercialized by digital bond, a small business. vulnerability assessments of 38 different scada systems and a common vulnerabilities report. supporting the development of cyber security standards, our office is collaborating with agencies and organizations to develop a framework and road map for interoperability standards that include cyber security as a critical element.
11:48 pm
the group released the cyber security guidelines for the smart grid. oe also partnered with utilities to develop cyber security profiles to provide vendor-neutral development. including implementing safeguards when integrated into the grid. oe supports developing work force. working with state and local governments and agencies to put together technical briefs, education forums, workshops and exercises just to name a few. the department fully supports the administration's proposed comprehensive cyber security legislation focused on cyber security for the american people our nation's critical infrastructure and the federal
11:49 pm
government's own networks and security. specifically the administration proposes the following legislative changes to enhance protection. voluntary government assistance to industry, voluntary sharing with industry and states, and critical infrastructure security risks mitigation. in conclusion, i'd like to thank the committee for its leadership in supporting the protection of the bulk power system and critical infrastructure against cyber threats. doe looks forward to future dialogue. i would be pleased to answer any questions you have. >> mr. stockton, you're recognized for five minutes. >> thank you, mr. chairman, mr. ranking member and the distinguished members of the committee. i have a detailed statement which i'll submit for the record. but i want to focus on a few key points that i hope will be helpful to you as you exercise the leadership that we need coming from the house of representatives and the congress
11:50 pm
as a whole. first of all, the department of defense is not in the lead for energy security in the united states. for the federal government, that's my colleagues at the department of energy, department of homeland security, department of defense is in support of them, but let me emphasize the department of defense cannot execute its core missions in service of this nation unless we have a secure flow of commercial electric power. that's for a simple reason. the department of defense depends for its energy 99% on the commercial sector. we have no regulatory authority over it, but we are utterly dependent on the flow of that commercial power. let me talk about why that is the case. in the modern way of warfare
11:51 pm
since 9/11, our forces deployed abroad operating elsewhere depend to an increasing extent on military facilities back here in the united states to conduct and support those operations, to generate, deploy and operate forces abroad. we depend on military facilities in the states represented here today. if there is an interruption in the flow of commercial power to those facilities for a short period, they have backup power generation, but for a longer disruption of the grid, we'd be facing a situation of potentially devastating effects on our conduct of defense operations abroad. we could face serious challenges at home. i'll talk about those consequences in a moment, but first, i want to talk a little bit about the nature of the threat. first of all, the cyber threat is something we take very, very
11:52 pm
seriously. that's why i'm so strongly in support of the administration's cyber security legislative proposal. but i want to emphasize that cyber is only one of the threat vectors that the nation faces. simple kinetic attacks could have significant disruption on the flow of power to the department of defense in the united states. we heard about the risk of solar flares. again, something we take very, very seriously. mr. chairman, looking at you and the ranking member as well as the states you're from, i'd like to turn to the new madrid fault and threat that earthquakes pose as sort of a representative way of looking at the nature of natural hazards. a national level exercise we
11:53 pm
just conducted two weeks ago that posited a 7.7 earthquake on the new madrid fault. our friends at nerc estimated there would be a multistate, long-term power outage, long term, weeks, potentially months, rolling blackouts in chicago, and in the east coast. what i'd like for you to think about is the down stream effects of such an event, both on critical department of defense operations in ft. campbell, for example, every place else, all the facilities represented here today. but also in the immediate area. two things to think about. first of all, the way that the loss of electric power would magnitude the scale of the catastrophe to which we would all be responding. municipal water systems in memphis and elsewhere, they depend on the flow of commercial power. when that power stops, drinking
11:54 pm
water gradually gets turned off. in a situation like new madrid fault, gas lines are going to be broken. where is the water pressure to fight those fires? where is the gas to fuel the trucks that we go to fight the fires or collect water elsewhere? as you all know, gas pumps and diesel pumps run on electric power. we would quickly be in a situation where we need to get emergency power flowing to power plants, state operation centers, everything else required to deal with the disaster, and there would be in a situation where roads and bridges are down, and there is so much demand for backup diesel power compared to the amount of diesel fuel prepositioned at these facilities. these examples of the kinds of ways in which disaster would be
11:55 pm
magnified, but i'm looking at it from additional perspective. the department of defense would be supporting the governors of your states through fema, of course, and there would be big demand pull on the department of defense to provide additional support. at the same time our response operations would be severely disrupted. with the loss of electric power, how are we going to receive the masses forces coming in? how are we going to stage them? move them forward? these are challenges we need to take on very, very seriously. the department of defense is doing so. what i want to do briefly is talk about some of the remediation efforts we are taking. first of all, we are working closely with the department of energy to partner together in the federal government so we can reach out to industry, and find out how we can work together with the industry to provide industry with what we call a better design basis to ensure
11:56 pm
the resilience of the electric power grid against all of these hazards. i believe today's power grid has very strong resilience. but it's not designed for the kinds of threats that we're talking about today. above all cyber or carefully-designed kinetic attacks. we need to find a way to enable them to build more resilience in their grid and inside the department of defense family, we need to do a better job securing the flow of electric power to our critical defense facilities in all of the states represented here today, to make sure that single points of failure on the flow of electric power coming in, we take care of those problems and remedy those in partnership with utilities in the same neighborhoods as our military facilities. mr. chairman, i look forward to
11:57 pm
answering your questions. >> you're recognized for five minutes. >> thank you for the privilege to appear before you today to discuss the security of the power grid. i'm joe mcclelland director of the office at the federal energy regulatory commission. my remarks do not necessarily represent the views of the commission or any individual commissioner. in the energy policy act of 2005, congress entrusted the commission with a major new responsibility to oversee mandatory enforceable reliability and cyber security standards for the nation's system. it is important to note ferc's authority is limited to the bulk power system, which excludes alaska and hawaii, transmission facilities in certain large cities such as new york, as well as local distribution systems. under section 215, ferc cannot
11:58 pm
author or modify reliability or cyber security standards, but must depend upon an electric reliability organization or ero to perform this task. the commission selected the north american electric reliability corporation or nerc as the ero. they develop standards or modifications of the commission's review, which it can then either approve or remand. if the commission approves the proposed cyber security standard, it becomes mandatory in the united states, applying to the users, owners and operators of the bulk power system. if it remands the proposed standard, it is sent back to ero for further consideration. pursuant to its responsibility to oversee the reliability and cyber security of the power grid, in january 2008, ferc approved eight cyber security standards known as the critical infrastructure protection or cip
11:59 pm
standards. compliance with these eight cip standards first became mandatory july 1, 2010. nerc filed modification, the modifications to the cip standards have not been addressed by nerc. it's not clear how long it will take for the cip standards to be modified to protect the significant gaps in them. the smart grid technologies added to the bulk power system. greater cyber security protection will be required, given that this technology provides more access points, thereby increasing the grid's vulnerabilities. the cyber security standards will apply to some, but not most smart grid applications. moreover, there are noncyber threats that also pose national security concerns. naturally-occurring events or physical attacks against the power grid can cause equal or greater destruction than cyber attacks and the federal
12:00 am
government should have no less ability to protect against them. one is electromagnetic pulse or emp. emp event could shut down a large part of the power grid. emp events are naturally generated, caused by solar flares disrupting the earth's magnetic field. such events are inevitable, can be powerful and can cause significant and long disruptions to the grid. ferc, dhs and doe recently completed a joint study. man-made and naturally-occurring events and their effects on the power system and measures that could be installed. included among its findings was without effective mitigation, if the solar storm of 1921, which has been termed the 1-100 year event were to occur today, over 300 extra high voltage
12:01 am
transformers could be damaged or destroyed, interrupting power to 130 million people for a period of years. although section 215 of the federal power act can't provide an adequate statutory foundation for the development of routine reliability standards to the bulk power system, the threat of cyber attacks or other intentional malicious acts against the grid are different. these dangers may be posed by criminal organizations, terrorist groups, foreign nations or others intent on attacking the united states through its electrical grid. widespread disruption of electrical service can undermine our government, our military, our economy, as well as endanger the health and safety of millions of our citizens. given the national security dimension to this threat, there may be a need to act quickly. to act in a manner where action is mandatory rather than voluntary, and to protect certain information from public disclosure. faced with a cyber or other national security threat, there
12:02 am
may be a need to react decisively in hours or days rather than weeks, months or year. the legal authority is inadequate for such action. new legislation should address several concerns. ferc should be permitted to take action before a cyber or physical national security incident has occurred. second, ferc should be allowed to maintain appropriate confidentiality of security-sensitive information. third, the limitations of the term, quote, bulk power system, end quote, should be understood. our current jurisdiction does not apply to alaska and hawaii as well as some transmission facilities and all local distribution facilities. fourth, entities should be able to recover costs they incur to mitigate vulnerabilities and threats. finally, any legislation on national security threats should recover not only cyber security threats but also natural events and intentional physical malicious acts including threats from an emp. the grid act draft addresses
12:03 am
many of these issues. thank you for your attention today. i look forward to any questions that you may have. >> thank you all for your testimony. many of you heard congressman franks, and mr. langevin, also talk about the need to expand. i notice the white house and their cyber security proposal is exactly that. it's focused only on cyber security. that was a suggestion that mr. franks made, let's do cyber security in one bill, let's address the other issues in a separate bill. do you all have any thoughts as far as strategy, if that is something the committee should attempt to do or not? >> as was mentioned earlier, is that cyber security is a difficult and complex issue. emp and other issues are
12:04 am
different in nature. although the impact to the country can be devastating, either one. so in order to tackle things one at a time, the administration is looking just comprehensively at the cyber legislation individually. >> okay. do you have a comment? >> yes, sir. i think that the cyber legislation proposed by the administration is a critical step towards protection of infrastructure as a whole, greatly benefitting the energy sector, as well. clearly, there are threats we've been discussing that would be encompassed by this legislation. it's a critical building block on which we need to make progress. >> i don't see where the administration's bill would conflict with the grid act. the administration's bill provides a broad umbrella to partner with the industry to bring the practices to a higher level. the commission's authority under 215 doesn't have to conflict.
12:05 am
with that concept, and in fact any further enhancement of the commission's authority or regulatory authority may actually complement that concept. >> mr. langevin pointed out the need to expand from bulk systems to expand your section 215 authority. do all of you agree that should be done? i'm assuming you do, mr. mcclelland. >> as i pointed out in my testimony, my position is that the distribution systems aren't covered. we wish to point out if the term bulk power system is followed, there would be significant pieces of the power grid that would not be protective if the grid act passes, either from a cyber security or physical perspective. >> mr. stockton, do you or ms. hoffman have any comments? >> i think it's important to take a holistic look at cyber
12:06 am
security. as you look at the administration's proposal, it wants to take a comprehensive approach so that would include entities that would be defined as critical whether they are in the bulk power system or the distribution. the important thing to notice we need everybody to understand how to advance cyber security procedures and postures. i would say that includes state governments as well as any federal action. >> how would you all describe the coordination between doe, dod and ferc today on these types of issues? >> the coordination between dod and d.o.e. primarily looks at the facilities and interface with the energy sector. we provide support work on studies and looking at the interdependency between the energy sector and defense. we are looking at micro grids, advanced technologies in support of the defense facilities.
12:07 am
our coordination with ferc provides tools and technologies to look at improved reliability for the electric sector. we do coordinate it with information sharing to the extent possible, looking at technologies that will actually improve the posture of the system. so the coordination with ferc is they're a regulatory entity. the department of energy funds private partnerships. in a sense, we are incentivizing changes with an industry and ferc looks at regulating aspects of it. >> anybody else have any comment? >> i'd say there are formalized mechanisms such as the department of energy sits as the energy sector lead, ferc participates in these initiatives with the other agencies we have excellent working relationships on an informal or impromptu basis with the department of energy, department of defense, department of homeland security,
12:08 am
cia, nsa and nrc. we reach out as necessary to borrow expertise to power grids and individual needs on the grid. >> when we talk about cyber security attacks in the u.s., i am not aware of any major attack. and internationally what comes to my mind is the stuxnet in iran that shut down nuclear power systems. are you aware of any other major cyber security attacks that had significant impact? >> and stuxnet was an attack
12:09 am
over the nuclear issue. the focus we have is there are incidents that may occur and we need to be able to be prepared to respond to those incidents quickly and promptly. how do we have an incident management plan or incident response plan to be able to address the event quickly. so looking at information exchange, diagnostics and the ability to deter and prevent any further damage. >> thank you, mr. chairman. first of all, i want to thank the witnesses. in the last congress, when we worked on this issue in a bipartisan manner, the administration provided the members of this committee with classified briefing that helped us understand the vulnerability
12:10 am
to our electric grid and the need to protect that same grid. i just have to ask each of you, in light of the fact we have some new members, a lot of new members on this subcommittee, would each of you agree at a time determined by the chairman, to return and brief the members of this committee again on the vulnerability of our cyber security area? would each of you do that? >> yes, sir. >> yes. >> let me just ask ms. hoffman. you seem to feel as though -- the impression i get, is that you seem to feel as though, okay, this is a step in the right direction, but it's narrow.
12:11 am
what the administration is looking at is much broader view. taking a more universal, broader view of this particular issue. if you were to overlay the administration's efforts, this bill, this proposal, and the grid act, what would we see and what would you see as being some of the most significant differences? >> the administration's proposed discussion draft focuses on several things. it looks at criminal aspects with respect to criminal charges and an enforcement. it looks at voluntary information sharing. it looks at voluntary assistance. it's building a public/private partnership to actually build capabilities and support to the
12:12 am
industry sector, which is critically needed at this point in time. it also looks at the ability to develop plans, risk-based plans. most of the critical infrastructure definition and the development of risk-based plans will, of course, be done through a rule-making process through dhs. the administration has taken a holistic approach trying to get all the sectors up to a cyber security baseline performance. in deference the grid act is focusing on transformers, emp, focusing on emergency and standard development, which is a slightly different approach from what the administration's position is, but both those could be worked for complementary efforts. any other witness have any comments on this? let me ask you this.
12:13 am
it seems as though my state, as i indicated earlier, yesterday members of the general assembly passed the smart grid regulation. it seems as though some of the states are starting to move on their own, but the administration has a discussion draft or bill, opinion bill, and i'm not sure whether or not these states are starting to take actions basing their efforts on what the administration is ultimately looking at. how much cooperation, how much sharing of information, how much enlightenment is the administration providing to these states so they won't have to come back and redo whatever legislation they might pass prior to the administration getting its bill passed? and what is the status of the
12:14 am
administration's proposal right now? >> the status is the discussion draft and the administration is looking forward to work with members of congress to continue that discussion, to advance the components of that discussion draft. with respect to smart grid, there are security profiles and standards that are currently under development to provide security within the devices as they are being built. we are working cyber security standards with development of the device as we deploy and implement smart grid technologies. we are trying to provide system performance which can aid and provide benefit for restoration time, outage management, so more preventive versus looking at the consequences if an event occurs.
12:15 am
>> my time is out. >> recognize the gentleman from virginia mr. mckinley for five minutes. >> thank you, mr. chairman. ms. hoffman, i've got some -- i wasn't here when this bill passed last year. i'm curious if you could walk me through it or someone else on the panel perhaps. the way i'm reading this, the grid act, is we start with subsection a and definitions, then we move into b which is emergency response measures. that refers very specifically to security threat. under that subsection b, it has a subsection 6, which has cost recovery. so there is a vehicle, a mechanism to recover costs for
12:16 am
threat. then if we can skip c just for the moment that has to do with vulnerability and then you go to d, which is called critical defense facilities. under critical defense facilities, there is a subsection on page 15 about cost recovery. i'm just curious back on the one i skipped over, b -- i'm sorry, yes, b, or c, that's the section that refers to grid security vulnerabilities. under vulnerabilities, there is no cost recovery by this particular piece of legislation. was that intentional? was vulnerabilities would not be able to recover the cost, the utility companies and anyone else would not be able to recover their costs?
12:17 am
i'm sorry. i singled you out, but i don't care who it is that answers that question. >> i can take a shot at that. i believe you're correct. i believe threats are singled out for cost recovery. i believe under the 100 most critical facilities for the dod, the user is required to pay for upgrades or enhanced measures. i didn't see cost recovered for vulnerabilities either. >> does that make sense that there is someone that could have the expense, if you read down through all the issues, that you have if nothing else large transformer vulnerability, there would be no way to have that cost added onboard? >> we consistently said there must be three aspects present, if you would like to have someone move on one of these issues. one, identify it as a priority. second, identify mitigation, and third, you have to provide cost recovery. >> are you in agreement we should have cost recovery under vulnerability? >> personally, i say yes. >> do the rest of you have any
12:18 am
problem on cost recovery on vulnerability? >> we don't have any problem on cost recovery. no matter what the actions are it's going to be recovered somewhere from the rate payers, from the entities that's being protected. eventually. >> the others are very clear. i'm not an attorney, i'm an engineer. it tells me when you leave something else, it looks like we left it out deliberately. there was another line that i caught under, i think must have been page eight. page eight on line 22. it talks about there under cost recovery, only those that were substantial costs. could we get that clarified somehow? can you all help us with some language that might be more appropriate to define what substantial costs would be? >> sorry. were you looking for a comment there?
12:19 am
>> given the time, no. hopefully we can get back to that. much of our defense is actually overseas. we are going to be very reliant on their other countries' responses to threats and vulnerability. you said we would respond quickly. you said you didn't know any necessary attack. do we have any evidence of probing, inquiries, photography, suspicious work? is there something going on? one thing to have an attack, the other is to have someone in preparation for it. >> i don't have any information on that. with respect to overseas, i look at that, my focus is on the domestic u.s. infrastructure.
12:20 am
>> what should we do if overseas we know that is certainly a possibility with the terrorism going on. do we just simply rely on them and react -- rely on the other countries to provide the same type of responses to threats or vulnerabilities? what role do you see us playing trying to promulgate something now. >> europe has mechanisms for any emergency that happens on their system. i have to admit i don't have a great insight or detail how to respond to overseas. >> is there any way we can maybe work something like that into here, something you could provide to us later? how we might be able to integrate both the european and american grid together? at least in terms of cyber
12:21 am
security? >> thank you very much. >> yes, i'm willing to have further dialogue. thanks. >> i recognize the gentleman from massachusetts for five minutes. >> thank you, mr. chairman, very much. thank you for having this very important hearing. thanks to mr. franks and everyone else here for this issue. chairman upton has continued his efforts on the bipartisan grid act, which i introduced with him in the last congress. that legislation passed the house one year ago today. we worked together to pass a bill a year ago. this is a perfect example of bipartisanship. remarkably, 99% of the electric energy used to power our military facilities, including critical strategic command assets comes from the commercially operated grid.
12:22 am
over the last several years, the grid's vulnerability has come into focus. hackers could use communications networks to physically destroy electric generators, transformers and other critical assets. over a week ago, lockheed martin suffered what it called a significant and tenacious cyber attack on its system. in today's "wall street journal," a description of the defense department's cyber security plan has a military official quoted as saying that if a terrorist or other adversary shuts down our power grid, maybe we will put a missile down one of your smoke stacks. unlike the frequent outages experienced by pepco's customers every time the washington, d.c., area experiences a serious storm, a coordinated attack on the grid could literally shut down the u.s. economy.
12:23 am
putting lives at risk. damages could take months or years to recover from. recovery may not just be a matter of rebuilding. three nuclear reactors in japan suffered near complete core meltdowns after the earthquake caused a loss of electricity needed to cool them down. the meltdown likely began a few short hours after the earthquake, tsunami and blackout. the hot, radioactive fuel is believed to have burned holes as much as ten centimeters wide through the pressure vessels. it is expected to take months to stabilize the reactors and decades to clean up the damage that the meltdown caused. mr. stockton mentioned that the power outage risk associated with earthquakes near the new madrid fault line is notable
12:24 am
because there are extra nuclear reactors located near it. those several reactors could be vulnerable. let me ask you this. there have been 69 reports of emergency diesel generators failing at 48 nuclear reactors. 19 of these failures lase than six weeks and more required months. there aren't any requirements for backup power at all when there is no fuel in the reactor core. clearly, a blackout could cause a meltdown in this country, too. do you believe that the portions of the grid that supply electricity to our nuclear reactors are more secure than the rest of the grid? >> the commission has been
12:25 am
working with the nuclear regulatory commission on this issue. there is the offsite power you asked about. >> they are more secure? >> are you saying they are more secure? >> there are agreements in place between the nuclear regulatory commission -- >> today, are they more secure than the rest of the system or not? today. >> in many cases, no. >> the answer is no. thank you. since the legislative hearing this committee held in october 2009, have sufficient measures been put in place to secure the american electrical grid from cyber and physical attack? >> there has been some progress on the nerc standards. >> have sufficient measures been put in place? >> we are -- >> sufficient is the keyword. >> we have issued inquiries to the nerc. >> are you saying there are sufficient -- >> there have been filings made and we are checking the status of the filings to see whether or not they do indeed represent progress. >> given that the number of cyber access points to the grid
12:26 am
is increasing rapidly with the growth of smart grid applications, do you believe the threat facing the grid is greater or less than it was a year ago when the house overwhelmingly passed grid security legislation, given the fact a smart grid actually winds up with more vulnerabilities, ironically? >> yes. >> you think there could be greater vulnerability? >> undoubtedly, yes. >> do you believe the way the grids are set to lead to standards sufficient to responding to the threat that our grid faces? >> the commissioner said when it comes to national security, the process is too slow. it's too open and too unpredictable. >> do you agree with that? >> he is better positioned to
12:27 am
assess. >> yes or no? >> there is room for improvement. >> thank you, mr. chairman. >> you're recognized for five minutes. >> thank you. mr. mcclelland, i appreciate it. in the shield act versus the grid act on ferc authority, do you feel you need additional level of authority to respond to a national security threat? can you be more specific in that? on the flip side of that additional authority is how we balance that with state regulatory entities? >> the shield act provides the commission with a proviso if it finds the nerc standard insufficient, it can offer a measure to put into place to address a security vulnerability. the commission currently under the 215 process cannot author or
12:28 am
modify reliability standards. we can provide input, but we cannot author or modify. i feel it's important that the commission be given that direct authority to be able to order measures to be put into place to write those measures, and to direct they be put into place to address vulnerabilities to the power system or threats. >> do you see working with the state regulatory issues? >> i think it's very important the commission cooperate with the electric reliability organization and entities the commission communicates with. yes, it's very important. >> ms. hoffman, do you have any thoughts in regard to the jurisdictional request? >> i think it's absolutely important for the federal ferc to coordinate with the state
12:29 am
entities in looking at cyber security vulnerabilities, mitigation measures, solutions. as we move forward, the more consistent across the board, the more we'll benefit, not only the electric sector but other sectors that may have the involvement with states or other entities. >> thank you. the other question i have, what type of solutions exist out there that you have under the shield or grid act the appropriate ability authority to, for want of a better word, mandate the technology and is there any conclusion on what the costs would be nationally to adopt the hardware solutions?
12:30 am
mr. mcclelland. >> there are several aspects electromagnetic pulse. e-1 is a high energy radio frequency burst. e-3 is ground-induced currents. the ground-induced current attack will find their way on to the bulk power transformers and destroy those transformers quickly. one tried and true method is series compensation. putting capacitors to the line. back to e-1, it's more difficult. it's more challenging. i did receive some information from, recently from an israeli scientist that shows promising technology for erecting a
12:31 am
faraday cage that is a simple spray-on coating that looks very promising. there are others in the world that have deployed effective mitigations against electromagnetic cost. we have not done so. >> at what cost? >> i can get back to you with those numbers. i have those numbers, but not at my fingertips. e-1 is most challenging. >> ms. hoffman? >> i would just add to that, joe adequately talked about some of the hardening type activities that could be done. the other thing to keep in mind is current state of health from the transformers. you can do hardening, but if the current health of the transformer is not where it should be, there won't be vulnerabilities. assessing the current health will impact to what level of deterrent or capability they
12:32 am
will have to withstand any geomagnetic solar flare. how much do we want to harden against? are we talking about 200 amp type thing or what is currently tested up to an 80 amp? the other thing is, do we have enough manufacturing capability of transformers in the united states? as we look at it, hardening is only one solution. there are several sets of solutions we must keep in mind. >> let me follow up. building resilience into the system to provide for rapid return of functionality is another alternative to hardening. we need to be able to be sure we can, from a department of defense mechanism, to get back to conducting our core missions no matter what. sometimes hardening will be the best, most cost-effective approach. other times quick restoration of enough power to do the bare minimum to operate those core functions. that makes better sense from a
12:33 am
cost perspective. thanks, mr. chairman and thanks to all the witnesses being here today. i appreciate your testimony. we certainly heard about the vulnerabilities and it suggests there does need to be better coordination between the private sector and the government. commissioner mcclelland and the rest of the panel, what are the standard operating procedures when a credible threat is received? how does ferc communicate? does it direct nerc? how are those standards communicated to users of the system and what is the protocol for nerc? >> it's mr. mcclelland. i'm not a commissioner. >> oh, yes. that's right. >> thank you. i'll answer your question saying it depends on the issue.
12:34 am
if it's an urgent matter, it may be very appropriate. the commission has done this to bring in members of the affected utility who have security clearances, to brief them in detail on the perceived vulnerability or threat and work out a table top solution as to how they might increase their preparedness for some interim period of time. it wouldn't be appropriate, necessarily appropriate, to try to develop a standard around the very sophisticated targeted threat that exploits a vulnerability with a handful of entities. if it's a larger issue, the commission engages in rule-making procedure. so the commission would order nerc upon filing or upon its own motion, to address a specific issue, security issue. nerc would then receive the order, engage industry through industry volunteers and
12:35 am
standards development process. that process routinely takes years. at the end of that time period, nerc would submit a standard and the commission would be in a position to approve the standard at which time it would become mandatory enforceable or remand the standard for further work which time nerc would take it back, consider the commission's comments and pick up that issue and work on the standard. >> if i may add to that? >> please. >> with respect to a cyber event, generally we follow the national cyber security response framework. cyber events will generally be coordinated through u.s. cert. they'll go through some analysis and forensic coordinator and do risk and consequence analysis to determine how is that going to impact the sector, share it with the industry, the information that is available, then be able
12:36 am
to actually move forward with the industry's help on mitigation measures. so it's really key to having that information sharing and that quick response capability. that's very important. >> may i add one thing to that? >> please. >> the only action that is mandatory is a standard. until such time as the e.r. or nerc develops a standard and submits it to the commission and it's approved, there is nothing mandatory. they do show levels of increasing urgency. nerc can convey the information to the industry and ask for a follow-up response. and then communicate to the industry the importance of those levels. outside of a standard, nothing is mandatory. >> do you believe that the current system is effective? and how could it be enhanced? >> i think that the current system can be effective for routine reliability matters.
12:37 am
when it comes to national security issues, these are fast-moving, very sophisticated, sometimes highly targeted situations. we've come to the conclusion, no the standards development process is not adequate to address these types of issues. although it can raise the bar to narrow the universe of attackers. it is not adequate in the case where national security is jeopardized. >> if i may add, there is room for improvement. from the perspective we need to do a better job with respect to information sharing, and that goes back to what is in the administration's comprehensive bill as well as looking at protection of information, that information sharing is a key critical component to getting to an effective response in mitigation measures whether, done by the industry, by themselves or it's actually looked at from a different action point of view. >> thank you, everyone.
12:38 am
>> thank you. you're recognized for five minutes. >> thank you, mr. chair. i would like to welcome the witnesses and thank you all for coming and giving us your expertise and your time. i've got a couple questions for you, mr. mcclelland and you, miss hoffman. specifically, if the ferc and d.o.e. had to order a generated unit to operate for reliability purposes or emergency situation, and doing so resulted in that unit receiving an environmental permit, would they indemnify the operator from any private citizen action? >> it is my understanding we do not have jurisdiction over another agency's fines, penalties, regulations. >> the commission has acted in
12:39 am
conjunction with d.o.e. on one other occasion, to my memory. it was the first time section 207 had been invoked. dod invoked section 202. in that particular case there were generating units serving the washington, d.c., region, and transmission upgrades that needed to be performed. in that case, however, both d.o.e. and ferc did not need to conflict or clash with the environmental regulations. i know of no case where that's already occurred. we can certainly, i can certainly posit that back to our general counsel and get that information to you. >> what could happen? what is the possibility of a company that obeys orders from you, but in doing so exceeds some environmental limitations from some other agency? this is a serious problem. if they ask, if you tell them to do this because of those
12:40 am
liability issues and emergency situations, by gosh, they are going to do that and that's the right thing to do. we certainly don't want to have exposure to do what one arm of the government says to do and the other arm says you exceeded permitting process and we will punish you for doing that. i would greatly appreciate answers to your question. i had operators back home in texas ask me these questions. we have many disasters, hurricanes, tornados, freezes, all the above, that's impacted the reliability of our grid. we do have people out there who are very concerned about this. i would appreciate an answer to those questions. that's all i have. yield back my time. thank you. >> play, mr. olson. thank you all very much for taking time to come and testify. we appreciate your input. >> mr. chairman, if i may, this is something that kind of gnawing at me.
12:41 am
i heard and i tried to get to this issue in my line of questioning. is there administration bill and has that bill been filed and here in the senate? is it in the senate? i know it's not in the house. >> maybe they'll be able to answer you. it is my understanding. i may be wrong that mr. rockefeller introduced a bill similar to the administration's request. maybe they can answer it. >> is that the bill, ms. hoffman? >> i don't have explicit knowledge. all i have right now is the discussion draft. i'm not aware. >> do you know, mr. stockton? >> the same. discussion. >> do you know, mr. mcclelland? >> sorry, it's the same. >> the white house doesn't talk to you all any more than it talks to us, right? we'll find out.
12:42 am
>> may i have additional time to ask another question? >> without objection, i'll give 2000 additional minutes. >> thank you very much. this is a serious threat to our country. we know al qaeda and other countries are targeting us. there are many ph.d.s targeting us. we know there were those nine in my district plotting to hijack those two planes. they were well-educated people. very smart. they tried to find the aperture and they found it in the aviation system. they are very technically sophisticated people. that's the one thing we did learn about al qaeda. that's why i have such a passion for this issue. back in 2006, the north american electric reliability corporation proposed some grid security standards that seemed to be fairly limited. one of them even allows
12:43 am
utilities to decide for themselves which of their assets are critical, and thus, subject to the standards in the first place. only 29% of the power-generating owners self-reported that they owned a single critical asset. isn't that right, mr. mcclelland? >> yes. >> none of them, 70% of the electric facility industries felt they had no critical assets. >> i was going to say critical cyber assets. >> yeah. and i just think that's a mentality that we have to be realistic about. we move to a new era. we are potentially under assault in this sector in the same way you mentioned, mr. chairman. the attack on the iranian nuclear facility. that was just a very smart way of very smart people figuring out how to disable a nuclear power plant in iran from a
12:44 am
distance. thank goodness however those people are were able to disable it and not cause a nuclear disruption. there may be others that are not so benign in their, in what their objectives are and the harm they can do. i just think this isn't something where you self-identify yourself as potentially being a problem. i think we have to decide is there a problem and al qaeda is out there. do you agree with that, mr. mcclelland? >> yes. i would add one distinction. nerc has submitted a standard where critical assets, now there are several designations for critical assets. assets that serve nuclear facilities are now deemed critical assets. the commissioner has requested additional information. critical assets are not the assets covered by the standard. there are critical cyber assets. the commissioner asked one of the lines of questions is tell us how that translates to critical cyber assets.
12:45 am
those are self-determinations. >> right. is nerc's guidance advisory or mandatory? >> the standard that nerc proposed to the commission would be mandatory. that would be the designation, bright line designation to critical assets, which can help guide an entity to self-determine critical cyber assets. >> thank you, mr. chairman. >> thank you, all. thank you once again for testifying. we look forward to working with you. at this time, i would like to call up the third panel of witnesses. that would be mr. jerry colling, president and ceo of north american electric reliability corporation. mr. franklin cramer, former assistant secretary of defense for international security affairs at the u.s. department of defense. and mr. barry lawson, associate director power delivery and reliability at the national electric cooperative
12:46 am
association. welcome to the hearing. we look forward to your testimony. i will recognize you five minutes for the purpose of your opening statement. >> thank you. good afternoon, chairman. >> is your microphone on? >> thank you. good afternoon, chairman whitfield. a ceo charged with reliability of securing the north american grid, i wake up every day concerned about emerging risks caused by intentional actions of our adversaries. the security of the bulk system is not the main priority for nerc. it is a set of nine standards we actively monitor and enforce. we made significant strides as improving our cyber standards. when i came onboard in nerc in 2010, i recognized the
12:47 am
importance of establishing bright line criteria as we heard from the previous testimony, to identify critical assets to be protected. a new standard was developed in six months and filed with the commission february this year and is pending their approval. our standard process works for what it was intended to do. to establish sustained baseline requirements for the reliability and resilience of the bulk power system. however, there is no single approach, not even compliance with mandatory standards, that will protect the grid against all potential threats from physical and cyber attacks. a threat environment is constantly changing and our defenses must keep pace. achieving a high degree of resilience requiring continuously adaptive measures beyond those outlined in our standards, measures we are actively pursuing today. the most important of these activities is the operation of our electricity sector information sharing and analysis center. in this role, nerc works closely with federal partners to promptly disseminate threat
12:48 am
indications to participants. nerc staff has the necessary clearances to work with the department of homeland security, d.o.e., federal intelligence agencies to generate unclassified recommendations and actions for industry. using this process, nerc issued 14 security-related alerts since january 2010, covering aurora, stuxnet, night dragon and others. the nerc alert system is working well. coupled with our cip standards and using a new expedited and confidential process for developing standards, nerc has a strong foundation of tools we need to protect the cyber security of the bulk power system. as outlined in my written testimony, nerc is leading a number of other initiatives including joint efforts with dod, dhs and department of energy. we are preparing an industry-wide grid exercise in november 2011. jointly with d.o.e. labs we are initiating a program to monitor
12:49 am
grid cyber security of the grid networks and another program to improve the training qualification of industry cyber experts. with regard to the proposed draft legislation, first and foremost, nerc has consistently supported legislation to address cyber emergencies and to improve information sharing between government and the private sector. nerc has consistently supported comprehensive legislation authorizing a government entity to address cyber emergencies. which agency is a policy decision for congress. nerc stands ready to assist responding to designated grid security threats. measures to improve information sharing between the government and private sector of critical infrastructure are needed. nerc commends the provisions directing the commission to facilitate sharing of protected information. while the focus on providing adequate security clearances is key, this alone is not enough. it is most important to develop methods for declassifying sensitive information to make it
12:50 am
available to industry decision-makers. new authority to address grid security vulnerabilities, however, is unnecessary. nerc already has the authority under section 215 d-5 to direct nerc to prepare a standard. if congress decides to allow to be addressed at a minimum the ero should be given the opportunity to address the identified vulnerability. backstop authority if the ero fails to address the vulnerability within a prescribed period. while we appreciate the current draft which urges to consider our recommendations, if time allows, we believe more is needed. other provisions of the discussion draft are not needed. nerc has issued information to ensure industry understands and mitigating the vulnerability. the provisions on geomagnetic storms also are not needed as nerc already has the authority to address these topics today.
12:51 am
nerc is actively working on the issue and an alert providing industry with operational and planning actions to prepare for the effects of a severe geomagnetic disturbance. in addition, a nerc task force has focused on mitigating risks associated with long lead time, transformers, and developing a secure data base for securing information on spare equipment. finally the ero should be given authority under oversight to address grid security vulnerabilities by enforcement means other than standards. congress has provided us with many tools to address security. as noted previously, we have three levels of alerts. we have strong industry participation and response to these alerts. including a provision to authorize nerc subject to oversight. it would enhance the security of the power grid. i believe legislation addressing the security of the infrastructure could be beneficial, but the framework should focus on enabling
12:52 am
information sharing between government and industry and problem-solving between the private and government sectors. thank you for the opportunity to speak today and i look forward to your questions. >> thank you. mr. cramer, you're recognized for five minutes for an opening statement. >> thank you, mr. chairman, and mr. ranking member. appreciate the opportunity to testify. i think the proposed legislation the grid act you have in the discussion draft is excellent. but i'd like to suggest five things that would actually make it better, at least from my perspective. now, the first is, i think, that we need mandatory federal standards. we need to turn the system around and have the federal agency be add at ferc or have the authority to issue standards. secondly, i think we need to focus on resilience. how will we deal with the problem of how the grid will operate in the face of attack? third, i think that the elements
12:53 am
of the federal government and including especially the dod have to be given clear authority to help protect and/or respond to an attack on the grid. because it's only the dod that has the capabilities that are necessary. fourth, i think we have to think about the issue of scale and resources and particularly issue of cost. and make sure that the industry can recover its cost. and lastly, i think there needs to be a much more expensive research and development program to deal with the advanced threats, we need advance capabilities. now, the reason i say that, mr. chairman, all these points is what you've already said. the threats increasing. we've seen, for example, last year an attack on google. we've seen more recently a attack on a company called rsa. and as you mentioned we've seen the attack. those control systems that were attacked in the control systems that control the electric grid. the vulnerability is very substantial and has been pointed out by others already in this
12:54 am
hearing right now with the smart grid increasingly coming into play, the distribution system as well as the generation system, a transmission system are sources of vulnerability. i think we really need to focus on the entirety of the problem and recognize how much the threat has been increasing over time. the reason i say that we need mandatory standards is that frankly the current system's just too slow. it doesn't work quickly. it hasn't satisfied the problem. in fact, if you look at nerc's own study last year, said very clearly that the grid is at risk against an adversary. if we think about other areas, clean air, water, safety standards, the federal government issues the standards. i think that's the way we ought to do it.
12:55 am
in addition, i think that the current act that the discussion draft has what's called authority for the ferc of a so-called imminent threat. but i think imminent is too late often. what we really need is if we see a significant threat where one needs to be able to take prompt action before we get to that micro second before the attack occurs, the federal government ought to have that authority. so the issue interim standards, but earlier than the imminent threat standard. on the resilience point, i think we all know, and if you look at the google attack, is that cyber offense beats cyber defense. in fact, the deputy secretary of defense has said publicly that plenty of others have. in the dod area, the dod doesn't just rely on passive defense. it also does what's called active defense. and if dod needs to do active defense to protect its networks, critical infrastructure. and again, we've said myself the
12:56 am
dod relies 99.9% on commercial electricity. well, that means that that commercial electricity ought to have the same kind of protection that active defense. i don't think that the industry should do it. i think the dod under the right kind of standards, right kind of legislative standards, regulation, guidance from the president ought to work with the sector-specific agency and also with the industry to be able to provide that. we also need to have capabilities that we haven't heard talked about today. we need what i call gold standard integrity. integrity of data, integrity of software, integrity of hardware. we need capabilities like segmentation and isolation so that the key elements of the grid can be protected by being separated from other elements of the grid. we want to look also finally at the issue of scale and resources. it's a very large enterprise. we're going to have to work to get the private sector to get it
12:57 am
out there. it seems to me if the industry's going to incur cost, and this is a highly-regulated industry and it ought to be able to recover those costs. that could be in the rate base, but it should be allowed in some way, shape, or form. and finally, as i said, i think we need to have a comprehensive r & d program so that when you have advance threats, we can have advance capabilities. and with that, mr. chairman, i appreciate the opportunity to testify. and i look forward to your question. >> thank you. mr. lawson, you're recognized for five minutes. >> chairman whitfield, rush, and members of the subcommittee, thank you for the opportunity to testify today on cyber security and the grid act. i'm the associate director of power delivery and reliability at the national rural electric cooperative association, which represents over 900 member-owned not for profit cooperatives providing electricity to 40
12:58 am
million consumers and 47 states. over the last decade, i've been involved in a variety of protection and cyber security initiatives with industry, nerc, dhs, and d.o.e. based on these experiences, i know the electric power industry takes these issues seriously. in addition to my knowledge, there's not been a documented case of a successful attempt to protect through cyber means. while my testimony is offered on behalf of electric cooperative, i want to recognize a long standing partnership among all sectors of the electric power industry when it comes to reliability and cyber security. nreca is part of a coalition that includes major trade associations that represents the full scope as well as state regulators, large industrial consumers and canadian utilities. it's rare that we all agree on public policy issues, but we unanimously support the nerc process and narrow new authority for the federal government and
12:59 am
the event of severe imminent cyber threats. under section 215 of the federal power act, nerc works closely with industry experts and others to draft mandatory and enforceable reliability and cyber security standards that apply across the north american grid. the standards process can be lengthy when addressing highly technical issues. but it can also be shortened when needed using nerc expedited standards procedures as approved by ferc. also developing standards in a confidential manner when national security requires it. nerc rules a procedure also give authority to distribute alerts on topics that are important for industry to address. there are three levels of alerts and the two top have mandatory reporting requirements that typically require recipients to inform nerc what they did in response to the alert.
1:00 am
quickly provided industry critical information on many issues including night dragon and geomagnetic disturbances. nerc is required to provide reports to ferc explaining the level of action industry has taken. to date these reports show that industry takes these very seriously. the industry realizes that threats are possible. in some cases, even procedures and standards cannot assure that industry gets timely, actionable information to mitigate a threat against the bulk power system. when the federal government at the highest level determines that emergency action is necessary, it should be able to issue orders to our industry that directly address the severe and imminent cyber threat and set out mitigation actions needed to protect the bulk power system. those orders should sunset when the threat has subsided or is
1:01 am
mitigated. for example, by development of a related nerc standard. our primary concern is that the act creates new authority for ferc that largely duplicates authority and ongoing nerc activities under section 215 and could substantially undermine the existing standards regime. it should be understood that vulnerabilities alone do not adversely impact the reliability of the grid. that being said, our industry has every incentive ranging from financial considerations to the fundamental obligations that serve our customers with reliability and affordable power to protect the grid when vulnerabilities emerge. the draft grid act -- if there's is vulnerabilities, that existing standards do not exist require to protect against the
1:02 am
vulnerability. the new authority the draft seeks to give ferc is very concerning to our industry. first, we question whether ferc has the intelligence handling expertise to exercise such broad new authority. second, this new authority regarding vulnerabilities would fundamentally alter 215 by addressing vulnerabilities that nerc and industry are managing very well through standards and alerts. to help industry protect the grid from vulnerabilities and threats, we need timely intelligence. need higher levels of security clearances so we can plan effective responses to threats and vulnerabilities. the draft seeks to make improvements in these areas and we appreciate the subcommittee's support. in conclusion, we urge a subcommittee to focus on the immediate, narrow issues at hand. the need for very quick emergency orders if the faces an imminent attack and the need to
1:03 am
receive timely, actionable information. thank you for the opportunity to testify today. and i look forward to your questions. >> thanks, mr. lawson. mr. kramer, you would agree, then, that the national defense and the interest in national defense for the additional federal authority is necessary? >> yes, sir, i think it's absolutely required. >> okay. and mr. colly, you mentioned in your testimony that you didn't think it was necessary for nerc to develop standards to ensure the availability of large transformers. and i'm certainly not an expert in that area, but it's my understanding that the availability of large transformers is one of the key issues out there. and i was just curious if you would elaborate on your decision on that. >> thank you, mr. chairman. i do take the issue of spare
1:04 am
equipment and transformers very seriously, physical attack, cyber -- it is a major issue. i think we don't have enough information yet to know what the standard should be in terms of how much equipment and where it would be located and how we would transport it. so if i said something opposing, i may have misspoken. i'll have to look at my written testimony. but it is a key issue. and we're dealing with it today with some industry experts and a task force. they're looking at likely scenarios. what would the need be? how would we move the equipment? we're trying to find a technical solution to the problem before we tackle the issue of whether there should be a standard or not. >> are these manufactured in the u.s. today? >> the vast majority of them have been manufactured overseas and continue to be. there's some recent activity to bring some onshore, but the vast majority are manufactured
1:05 am
overseas. >> now mr. lawson, i'm sure you heard the testimony today that in addition to the electric system that distribution should be included in this. the first rule involved in distribution. so would you disagree with that? >> well, we believe that the legislation should focus on the bulk power system. distribution is handled at the local level, whether that be state or local municipality level or what the local board of cooperatives. and we don't think it needs to be extended to the federal level. >> but how do we address the potential problem in some of these large metropolitan areas that was mentioned? >> with regard to the distribution facilities in the large metropolitan area? >> yeah. >> i think there's one
1:06 am
definition in the glossary that is being worked on today. and that's the definition of electrical systems. that definition is looking at how and what should be included under bulk electric system. and one of the issues that the commission has directed the industry through nerc to review is how those facilities in large metropolitan areas are covered. and i think the direction that that drafting team is going in that i'm a member of is covering more facilities than those metropolitan areas than are currently covered under the existing nerc. so i think things are changing. and a draft of that definition was recently for public comment. and it's now moving on to the second draft stage. so i think there will be changes in that area.
1:07 am
>> so do you have any comment on that particular issue? >> just a couple, mr. chairman. the industry has a very long history of the issue of local service and distribution being dealt with with the rate payers and the local jurisdiction and obviously the states and other local jurisdictions. so i think any effort to encroach on that through federal legislation i think should be taken carefully with consultation with the states. on the issue of the military bases which is part of the earlier testimony, i think there is an opportunity to have enhanced discussions between the utility company and the military bases to say, do they have what they need? do they need more backup generators? do they need more lines coming into the base? so i think there's opportunity for those discussions to take place. i'll end there. >> mr. kramer? >> i would disagree with both of
1:08 am
these gentlemen. first of all, i think we have the smart grid becoming increasingly greater part of the electric power system. means from the consumer side from the distribution side, you're going to have increasing vectors that allows for cyber security attacks. so i think those could be national security facts. so i think that we need to have an overall federal standard that protects against that. i don't actually think they've done enough, but at least they've done something. but i think we need to put that into play. so i would very strongly encourage the committee to expand its jurisdiction. with respect to the military bases and the like, i think he was very clear. they don't have enough. and it's not just the bases themselves. if you think about the military, for example, the entire critical infrastructure transportation infrastructure, the telecommunications infrastructure. all of these depend upon
1:09 am
electricity. so even if the bases themselves had electricity, the dod simply couldn't operate without transportation of telecommunications and the like. and i think we really need to have something done about that. >> mr. lawson? >> just to add to that. on the military bases, the best way to affect change and improvements is at the local level between the military installation commander and the leadership of the utility supplying that military installation. those relationships exist today. they're typically very good relationships. and if there are additional levels of reliability, securities that are needed, it's very important for the military installation leadership to let the utility know and they can work jointly toward providing that. regard to the smart grid, the industry is not implementing smart grid facilities
1:10 am
carelessly. doing it carefully and keeping security very much in mind in many different ways. we're also working very closely and as much as we can with the vendor community to try to explain to them what levels of security we need and what levels of security already exists in their equipment today. so it's something that we're very focused on and not doing carelessly. >> thank you, all. my time has expired. you're recognized for five minutes. >> thank you, mr. chairman. it's been quite interesting. and i'd like to ask you about imminent threats to the grid and also long-term vulnerabilities, as well. in the -- let's say our intelligence agency learned of an imminent threat of the grid from terrorists, what would you -- how would you characterize
1:11 am
nerc's authority to step in on a realtime basis? >> well the ability to acquire that information through working with various intelligence agencies, which we do continuously to get the information digested into what it means, in terms of impact from the industry and issue various levels of alerts. we issued one back just in april, which we turned around within a day. so depending on the urgency, we can turn them out in hours or in days. i think as i pointed out in my testimony, we have different levels. some are just informational, some are recommendations. and there are essential actions, which we've been able to put out. the essential actions are mandatory under our rules, but they're not enforceable from a legal sense in terms of any sort
1:12 am
of penalties and sanctions. and that's why i was suggesting in my testimony that would be one opportunity to improve the tool kit we have -- >> and would this apply -- there was imminent and severe threat also? >> this would apply to any known threat or vulnerability where there was a high degree of urgency. like we needed to get information out either within hours, days, or weeks. and i think that's a much preferred approach. our standards were not meant to solve a problem in three days or three weeks. they were meant to be long enduring around for years and years. the alert system is meant to solve these urgent actions that you're describing here. >> does nerc have sufficient authority at this point? >> i'm sorry? >> does it have sufficient authority? >> i believe in the area of vulnerabilities in terms of, for
1:13 am
example, whether it's -- i believe under section 215 that congress intentionally provided ferc authority to produce a standard that would solve a problem. under my reading of the plain language of section 215, the ferc has the ability to direct us -- >> mr. kramer, do you agree with that? >> i totally disagree. and i'll give you an example. this committee's heard about it. it is not a classified problem. a very detailed set of reports were issued on that. it's a threat. it's a very, very severe threat we have to think about. and the vulnerability throughout the electric grid system because it's the same kind of control mechanisms that are the type that are involved in the electric grid. and it's sitting out there, so
1:14 am
to speak, as a blueprint for anyone to use. now, i couldn't use it, but any capable cyber adversary. so i think that would be an example what i would call severe threat, it's not imminent. but i think that something needs to be done about that right now. and i think it needs to be done promptly. and from my perspective -- and as i said as we do in other kinds of legislation, i would rather have the opportunity for industry to comment, but for the federal government be it the ferc or the dhs, but some federal agency to determine what standards are necessary, what actions need to be taken promptly, and to cause those to be taken under a mandatory system. >> will you -- your opinion on this? >> well, first of all, as i said in my statement, the industry strongly supports the alert process. i am not aware of another tool
1:15 am
out there today that can get information out to approximately 2,000 utilities within hours or a day or two with specific information about how and a threat or a vulnerability or anything specifically relates to the electric utility industry. so i think the alert process is a very critical one and one that we need to keep utilizing. also, under the alert process there are three levels. the base level is advisory, the middle level is recommended action, and the most serious level is essential action. and i can tell you that the industry reacts very strongly to these alerts because we know that they are -- they are communicating very important information to the industry, and that under the top two levels of alerts, you will be required to
1:16 am
provide nerc with an update on what you've done with regard to that update. and those reporting requirements are mandatory and they are summarized and provided to ferc. so the industry takes these very seriously and the top level alert essential action has not yet been utilized. so only the advisory and the recommended action have been utilized. and both of those levels have been taken very seriously by the industry. and i'm sure essential action would be taken exactly the same. >> mr. chairman, i just want to ask one other question. let me just ask you this -- anyone can respond. what i'm hearing here is in the event of an imminent, severe, catastrophic cyber attack on the electrical grid system here in this country where there can be
1:17 am
vast harm done to the american people. are you saying -- am i correct in understanding that you're saying that the federal government -- let me ask it this way. who are the american people going to hold responsible? for their protection to solve the problem and to protect them? are they going to hold the federal agencies or the industry responsible? in your opinion? >> congressman rush, first of all to distinguish some time horizons. first of all, if there's an imminent emergency like planes flying on 9/11 that are going to cause disaster, nerc and i think the industry supports some government agency having strong immediate authority. under those kinds of circumstances. nation is in trouble, somebody has to be in charge, i think we support that.
1:18 am
i think the other issues where we get a little bit of difference of opinion, but it's not as bad as it sounds, actually, is on dealing with the things we have a longer time to think about and respond to. and all we're saying is we think the ferc has for longer term issues, like spare equipment. we're not going to solve spare transformers tomorrow. it's going to take probably years to resolve that. is that we have the authorities we have now. and i think we could strengthen the gap in the middle between dire emergency right now and things that might take months to solve. in the interim, we have our alert system, and all we need is a little bit more authority to make those mandatory in some cases. when i testify here today, i'm not here testifying against authority for ferc. we work with ferc today as a partner in developing our standards and review them going forward, we continue to work with ferc, anything we can do to help the industry know what they
1:19 am
have to do, we would do that in partnership with ferc. >> mr. terry, you're recognized. >> thank you. the follow-up on that, have you read the grid act or the proposal of the draft? >> so as it's written now, my assumption is you don't support it. is that accurate you wouldn't support it as written? >> i applaud the committee for taking initiative. >> i've got a short time. yes or no? >> i support parts of it, not the entire -- >> the jurisdictional part you have a problem with? >> with the vulnerabilities being unnecessary, that's correct. >> mr. lawson, same question. >> we support narrow authority with the federal government with regard to imminent cyber threats. that's where we are. >> so that's a no? okay. i appreciate that.
1:20 am
i just think we have more work to do than i anticipated before this hearing. mr. kramer, i want to spend the rest of the time with you. do you keep track, was there reporting of hacking attempts to your -- to your office or any office that you know of? >> just so we're clear, i'm a former assistant secretary, and i'm testifying in capacity here. >> all right. >> so i read there are plenty of reports on hacking that are in the open press. there are plenty of reports maintained by a lot of entities. >> electrical generation. >> including electrical. and the point was made to this committee as an example. >> yep. and i participated in a
1:21 am
demonstration at our local generator that showed was able to track hacking attempts within the last 24 hours. and i think there was six or seven. mostly been able to track back to a certain university in china. but we won't go into that for this hearing. now, they are mostly -- how do i say this? but for fun. it was their practice of seeing how they can enter into the system. and not for nefarious purpose, although we don't know that when they're trying to do it, when they're trying to hack the system. and that's what concerns me and this committee. is what we can do to strengthen our system against those hacks.
1:22 am
and by the way, just two questions to you, mr. kramer, my two minutes left. generally what should electrical generation companies be doing to best ensure that their systems can't be hacked into? and then on the electrical generation itself, there's been some side discussions on electrical generation, more critical defense bases or buildings should go off grid totally reliant. and with the small module nuclear reactors may allow them to do that. you have a minute and a half to comment on both of those questions. >> i'll make three points, sir. first of all, with respect to the issue of serious attack. one of the things that a serious attack would have to do is
1:23 am
reconnaissance. won't just attack without substantial reconnaissance. so the reconnaissance or the activities you're talking about are quite consequential. and it would be part of any serious attack. and so dealing with those early on is just as important as dealing with the set of issues, you know, when the attack occurs. secondly, with respect to what the industry ought to do, there are a number of -- standards set forth both nerc itself, ferc, d.o.e. and others have written out. one is called 20 critical activities that was put out by one of the cyber security groups. those were what you might call very good hygiene. and one of the critical things i think needs to be done is that there has to be a greater amount of protection provided to the control system portion of the grid than to corporate portion of the grid.
1:24 am
and i also think there need to be what i call advance capabilities developed so that you can isolate the control portion of the grid from the corporate capabilities and from vendors and others who have to send things in. there will need to be integrity communications at the demonstration level, but are not out there throughout the grid. and i think that the critical parts of the industry -- mr. mark, you mentioned that only -- i don't have the exact figures, but roughly 29% if i remember right of the grid was considered critical. by the industry, i think it's a much larger amount than that. i think you have to have a more significant -- with respect to the bases again, even if the bases themselves have electricity and there are actions going on, i can't tell you what it's called, but it's called spiders a demonstration
1:25 am
program. and this is non-classified. you can look it up in the -- on google. and the d.o.e. has a so-called spiders program at three or four different bases. but even if the base themselves had electricity, the d.o.e. relies on telecommunications capabilities of the country, relies on the transportation capabilities of the country relies on water, relies on gas pumps and the like. and all of those rely on electricity. so there's no possibility whatsoever that you can have an effective defense unless you have electricity beyond the bases. and in addition, i have this to be true overseas, which is a different topic that the chairman raised. but it goes beyond the question. >> mr. rush, do you have anything else you want to touch on? >> well, that concludes today's hearing. we appreciate your being here.
1:26 am
and i'm sure we're going to continue to be in touch with you as we move forward on this legislation. and we'll keep the record open for ten days for additional materials. and thank you all very much. and that concludes today's hearing. >> mr. chairman. [captioning performed by national captioning institute] [captions copyright national cable satellite corp. 2011]
1:28 am
>> in a few moments, a look at the future of nuclear power. in a little bit over 1.5 upwards, raising the debt ceiling. after that, an iraq war veteran and representative allen west. later, we will re-air the hearing on the electric grid. a couple of things to tell about tomorrow. a subcommittee on counter- terrorism and intelligence, plus a hearing on how the department of homeland security gathers, analyzes, and disseminates intelligence. that is on c-span3 at 2:00 p.m. eastern, and just after that, at 2:30 p.m. eastern, on c-span2, iraq. a subcommittee will hear from a
1:29 am
representative of the state and defense. >> sunday on "in depth," the difficulties of a climate change treaty and the limits of law. your questions for a law professor, eric posner. his books include "the perils." this is on booktv. >> now, a discussion on the future of nuclear energy in the u.s. in europe. in about one half hour, you will hear a panel that includes the german ambassador to the u.s. on his country's plan to abandon nuclear energy. before that, a look at the role nuclear power plays in the u.s. this part of the event is from the john hopkins school of studies, a little more than 1.5 hours.
1:30 am
>> after fukushima, there were difficulties. so much was being done in europe to we develop nuclear energy input, while so little seems to be happening here in the united states, that, as i said, the fukushima's situation has thrown all of that into question and has opened up, i think, a lot of interesting policy issues. we have a group to explore this drug the day, and you will hear from all of them. before we do that, let me introduce them. i am a former diplomat and
1:31 am
ambassador to nato, but now a senior fellow here at the johns hopkins center for transatlantic relations at the school of international studies and also a managing director of an international group, and i am joined here from the atlantic council, the vice chairman, who is co hosting the event today. and i want to say thank you to a few people right up front. i want to say thank you first and foremost to david year at the center of transatlantic relations to put in all of the conceptual work to make this event come about, and i think he has just done an outstanding job and has brought together and a list of people to talk about very timely issues. i also want to thank a professor, and from the atlantic council, a number of people were also important contributors at. so thank you.
1:32 am
i would like to turn it over to our cohosts, the general, and then we will come back to introduce the speakers. thank you very much. general? >> thanks very much. my name is dick lawson. i am the vice chairman of the atlantic council, and my focus at the council is energy and environment. this year has been a pretty aggressive program for the council as we endeavor to examine with china, with india, with europe, with eastern europe and the various policy issues associated with energy and environment, and in an attempt to protest put new light on the particularly difficult decisions, and it was with a great amount of interest that we
1:33 am
joined with sais on this particular event, and i must say that cooperation between the two organizations has been just absolutely fantastic. i would share with you just a moment. i am point about to leave at 3:00 this evening. the eighth air force, which i commanded a while back, if having a needed. there are about 800 world war two veteran that are gathered here in washington. i happen to be one of the speakers for tomorrow's session, but around 11:30 last evening, for this evening's session, who was making the keynote speech at the banquet dinner in the
1:34 am
excitement of the reunion passed into the blue, so i have the privilege of replacing him this evening. i know the speech by heart. it is the transition that i suspect might be a little bit difficult, but i do want to apologize for not being with you at the end of the evenings. until then, let me just say again how much we appreciate all of the support that you folks gave us in helping to put together this event. >> ok. thank you very much. when you're going to have a series of keynote remarks, and we will need some time for question and answer at that time, as well, and i am just going to introduce everyone up
1:35 am
front. first, we have the deputy secretary of energy, better known perhaps as a musician vote for the willing. he is taking time out from his entertainment life for public service in the department of energy. we are grateful that you are here and are looking forward to your remarks. we're also joined by the ambassador of france, the ambassador of germany, and another ambassador, so thank all of you for coming, he and just looking across and seeing the panel, itself is an illustration of just the kinds of issues and different policy approaches that nations are taking, so i hope both in their remarks and the q&a we can explore that a bit. return it to the secretary -- we turn it over to the secretary for your keynote remarks.
1:36 am
>> thank you, ambassador. look for everyone this morning that i am speaking and not singing. i am delighted to join general loss and boat and my distinguished ambassadorial colleagues. all good friends, and i think it is a testimony to the importance of the subject that yet attracted such a stellar growth as well. i just want to say a quick word about this. two extraordinary organizations, the atlantic council, you can go back. i know they have nice new spaces, but i liked the old spaces where they had the place at 17th street, the old photographs, and they were the foundation of the alliance, and what a robust and successful alliance that has been. people in and out of government
1:37 am
have been able to find safe haven for discussion on important topics as exists at the national, and as the ambassador did, i am sure, and other extraordinary americans, successful on wall street, famous for his walk in the woods, the authorship of one of the charter documents of the containment strategy, it but i will always remember one thing that is about as telling as any. i was an undergraduate, and i had a job of taking notes at seminars when important people would come through town, and paul was such a personage. this was probably in the mid to late 1970's, in the full flower of what would be accepted doctrine of discussion, and this was a seminar with the seminar
1:38 am
wrote -- center for international affairs, and there is a combination of professors and students like me, and there were always a few kind of people wandering in from the street, and there was an elderly lady who was such a person, and she asked him the question. he was giving some very erudite presentation about throw weights and strategic vainest hi, and she basically said it why do the soviet union and the united states need tens of thousands of weapons just to balance this? this is crazy. and there were snickers all around, because she obviously had not read the book, and the one person who was totally responsible -- responsible was paul. it was a very good question. i think that spirit of inquiry and being very open to any
1:39 am
question. there is no such thing as a dumb question. he was respectful and appropriate in that respect. i do want to turn to the partnership, which i talked about a moment ago with respect to the atlantic council, and it is timely that we do this, because as you heard from the president of to route his european tour last week, the deep and enduring relationship between the united states and europe remains strong. we are committed to working with our allies across the atlantic to confront the challenges of the 21st century and to work with energy across a broad range of issues. this includes, among many topics, promoting sustainable growth, supporting democratic reforms around the world. fostering education, assuring nuclear safety, and assuring the nonproliferation regime. appropriately, the goal to expand on this effort, we are
1:40 am
undertaking that domestically. specifically, the development of the clean energy economy has been a top priority of president obama and his administration from the outset. why is that? first, it is because the president recognizes that advancing clean energy, innovation, and diversifying our energy portfolio is essential for our economic, environmental, and national security. second, as the global market for low carbon energy technology grows domestically, next generation technologies will be critical to maintain and expand u.s. leadership in the global economy. and third, clean energy offers tremendous opportunities to create new industries and new jobs here in america and in europe and beyond, but to strengthen our economic prosperity for generations to come. building on the administration's initial investment, laying a groundwork
1:41 am
for a clean energy economy, in his state of the union address earlier this year, president obama set out a bold but achievable objective of doubling the amount of u.s. electricity obtained from clean energy sources from 40% to 80% by 2035. clearly, that goal can only be met if we use all of the carbon and tools at our disposal, and the president has made it consistently clear that he considers to see nuclear energy as an important part of the clean, a diversified energy portfolio of america. just as clearly, however, the president has consistently made it clear that we put safety first when it comes to nuclear and, indeed, all sources of energy. we did not need the devastating earthquake in japan and the resulting disaster at the fukushima reactor to remind us of this point, but fukushima
1:42 am
does serve to bring safety back to the forefront in the discussion of nuclear energy, and that is a good thing. we have known from years. we have known from the beginning a nuclear accident anywhere is a nuclear accident everywhere, so it is really not surprising that the international community rallied as one at the time of the fukushima accident. i remember very clearly in the first few days, including many colleagues from the nations represented, phone calls among the people in the nuclear sphere, always wondering what can i do to help? what is going on? everyone was acting as one, and it was an encouraging thing to observe. as we examine the path forward for nuclear energy following the accident, it is essential that we reflect upon our commitment to safety to individuals, as governments and as an international community.
1:43 am
at the same time, we must renew our dedication to ensuring and nuclear energy facilities be operated safely and securely. here in the united states, safety has always been and will continue to be how we operate and build nuclear reactors. that is why over the past decade, we have continued to improve the safety of each of our facilities. in addition, president obama asked the nuclear regulatory commission to do is study of the existing 104 operating reactors in light of the fukushima reactor. as an independent reactor, the nuclear regulatory commission is tasked with overseeing these and to establish and enforce whatever roles, and i am quoting the statute, whatever is necessary to protect health and safety in minimize danger to health and property. as we move forward, developing next-generation nuclear
1:44 am
reactors. we will continue to incorporate the lessons learned from fukushima into our approach for nuclear safety. now, regardless of what the united states does, the world is increasingly turning boat to nuclear energy as a low carbon source. in fact, there are already 60 reactors being built in countries around the world, including in european countries like finland, france, and romania, slovakia, and ukraine. as countries around the world look to expand, we must do so in a way that minimizes the risks of nuclear weapons proliferation. the stakes could not be higher. indeed, in his nuclear of view, president obama made it clear that he used nuclear proliferation and nuclear terrorism as the pre-eminent threat that we face. a nuclear safety accident
1:45 am
somewhere is an accident everywhere, so, too, a proliferation somewhere would be a proliferation everywhere. the global event would brought effect, far beyond whatever community is unfortunate enough to experience a direct attack. already, we have taken a number of steps to reduce the threat of nuclear weapons proliferation, and i invite your attention to the president's seminal speech of>> a vision oft nuclear-weapons understanding realistically it may not be attained in our lifetime. making sure that in the meantime we maintain a safe, secure, and -- until the day as possible. he spoke about the need for a new treaty and went to work their concluding the treaty and gaining bipartisan support for ratification.
1:46 am
he laid out a vision for a new international framework for peaceful nuclear cooperation that could insure all nations that live up to international norms that they can rely on the commercial marketplace to provide them with the services they need to operate their nuclear path. let me quote the president "we should build a new framework including an international fuel bank so that countries can access power without increasing the risks of proliferation. that must be the right of every nation that renounces nuclear weapons. no approach will succeed if it is based on the denial of rights. and to announce peaceful opportunities for all people."
1:47 am
if we do this right, this new international framework can provide a mechanism to strengthen our national security, reduce proliferation of terrorism threats and enhance our economic growth. discussions are already under way about what the elements of such a regime might look like. the organization known as the international framework for nuclear cooperation, ifnec, includes looking at options will could be made available to make sure they will have access to reliable services through the commercial marketplace reducing the demand for the facilities. under this type of arrangement, we would be able to harness our security objectives to the driver of a commercial marketplace. instead of every operator of a nuclear and -- investing and
1:48 am
reprocessing facilities, a reliable fuel service would allow countries looking to expand their production from nuclear energy to fuel leasing services for both the front and back end of their fuel cycle needs. companies operating regulation could lease nuclear fuel to customers just as companies lease cars and many other things. as we move forward to develop the elements of such a framework, it is important that our efforts be guided by a number of principles. as discussed earlier, safety is essential. we must work to make sure that any commercial transaction reflect international free and fair trade practice including equal access to markets. companies working within the
1:49 am
global community must have access to effective and uniform liability protections which is why we continue to urge governments across the world is to ratify known as the scs. the scs would establish a legal regime for the compensation of victims in the unlikely event of a nuclear accident. as custodians for the safety, it is our responsibility to bring it into force. in conclusion, nuclear energy has an important role in the global energy portfolio as a low carbon source of electricity and a way for countries to diversify their energy sources. nuclear power can only succeed if it can be utilized safely while minimizing the risk of nuclear proliferation or terrorism.
1:50 am
i look forward to working with my colleagues in the months and years ahead as we continue to lay the groundwork for expanding nuclear industry worldwide that will reduce air pollution, create new jobs, and protect our national security. pratt said. i would be happy to take any questions. [applause] >> let's take a few questions for him now. then we'll come back. >> don't be too shy. yes, sir. >> good morning. i am with the nuclear energy institute. i love your comments. i listened to them a few weeks back. the idea of a fuel lease is
1:51 am
something we have been looking at. when we discussed it, most believe you will need a national repository somewhere to be successful before you could take on a regional concept. you have to put the building blocks together. do you see a path forward here or elsewhere to accomplish that? >> the question we have always asked is, what is the minimum set of requirements you have to have in place? clearly the missing link is a solution on the back end. what that will look like, we do not know. the criteria has to be safe. what would provide sufficient confidence to an operator to purchase a lease in the knowledge that the used fuel,
1:52 am
once it is gone, it will be gone from his books. whether that requires a specific facility to be licensed, i do not know. it requires that somebody has to take responsibility for the material. presumably that would make sense for the government for radiological. governments will have a regulatory role over used fuel just as in this country. the government took the responsibility for that. i would think that would be the kind of thing that would have to be in place. it is still under discussion. it would be a clear and easy case if there were an existing repository that people had
1:53 am
already made available. in the absence of having such a facility running in the open, i think we are looking around for a number of options. in the back. >> i represent georgian television station. there were some old power stations in the former soviet region. one of them is in armenia. how dangerous are these for these regional security? we have been concerned. >> i would apply the same tests i would apply anywhere. we have to make sure that each nation that has nuclear power plants has the appropriate regulatory rules and regulations and bodies to enforce them. it should be the responsibility of each of them to analyze the particular plants.
1:54 am
i do think that one of the lessons of fukushima is that in addition to continuing to put responsibility locally, we should do cross checking with what -- we have a meeting in a few weeks in vienna at the atomic agency. as i said, an accident anywhere is an accident everywhere. we all have a vested interest in making sure it is cross checked against best practices and other kinds of analytical and peer review processes to make sure that everything measures up. in terms of specific reactors, you have to have people on the ground experienced to make those kinds of evaluations. there was one in front of you.
1:55 am
>> i am from the japanese newspaper. there have been reports out this weekend that germany has decided to phase out its nuclear program. i'm sure the ambassador will make remarks later, but if you could make a comment on that. or perhaps a general comment on the countries that are deciding to phase it out. >> the ambassador and i talked about this very subject not so many weeks ago. i was not surprised by the newspaper. i looked into this a little bit. my answer on this will not change from today's newspaper nor will it change. governments are going to make their own choices.
1:56 am
that is the sovereign right of each government. as a global community, we must have a vested interest in making sure whatever choices get made are made with due concern for the safety of all of us. as long as governments are making decisions informed by that larger responsibility for safety and security, i do not think it is for one country to second-guess the decision of another. i will say from a u.s. perspective that when we look at where we want to go in terms of greenhouse gas emissions, cutting air pollution, we do view nuclear energy as a continuing part of the mix. we are mindful as we have always been from the earliest days of the program in the 1950's of the
1:57 am
safety issues. we will continue to be assiduous in assuring the safety of our reactors. i leave it to the ambassador to discuss the determined decision. -- german decision. >> thank you very much, secretary. [applause] >> i would like to turn now immediately from the american deputy secretary to the ambassador of the european union. the floor is yours. >> thank you very much th and many others that will come throughout the day.
1:58 am
i am extremely happy that europe is well represented at this seminar. it is part of the spirit of cooperation. i would like to echo what deputy secretary poneman just said. this is a crucial area of cooperation across the atlantic. we'll set up a number of mechanisms of the dialogue. i am very happy with all my colleagues to realize this cooperation is moving forward in a positive way. we did around the fukushima accident is an illustration of the potential of trans-atlantic cooperation. i would leave it to my colleagues from the different states to illustrate the way each country in europe approaches nuclear energy.
1:59 am
my useful role is to try to give you an overall picture of the situation and the european union -- in the european union. i would like to congratulate the council for the timeliness of this debate. you could not have chosen a better day to do this not only because of discussions in germany but also because we are on the eve of the launching of a major operation safety review in europe of all of our nuclear installations. i will say a few a were -- a few words about that. the timing is great and i'm glad to be here this morning. what about nuclear in the european union?