
tv   U.S. Senate  CSPAN  March 7, 2012 5:00pm-8:00pm EST

5:00 pm
quorum call:
5:01 pm
5:02 pm
5:03 pm
the presiding officer: the majority leader is recognized.
5:04 pm
without objection, so ordered. under the previous order, the senate stands in recess until 6:30 p.m. vie guest: my pleasure. host: is that time of year again
5:05 pm
wiers we announce our stum it is that time of year to announce the contest of the studentcam winner 75 videos have been chosen and here is the opening clip. >> the more relocation authority b.a.t head to take men women and children from their homes. the military determined to do the job as democracy should come up with real consideration for the people involved. >> a did not call us citizens. it is a legal without due process. >> they did imprison u.s.
5:06 pm
citizens without due process. over bonn hundred 10,000 who happen to be of japanese ancestry. they were uprooted from their home comment taken away from their businesses, and sent to places like this. one was my great uncle. he was a dental student california at the beginningent of roomin for two. >> of the c-span educational the specialist called the vendor on monday and here is him receiving the induce. >> we are very impressed with yourdocr erred document terry -- documentary andlp ierviewerview had and thtion and afraid you related to your topic of your exc.family members was compelling so, for all of these reasons you has been -- have been selected to be one of our winners. would you like to know where you place? >> sure. >> you have be selecte part of the overall quality
5:07 pm
was excellent >> wow. thank you very much. >> you are welcome. can you share with us one thing you learn while you went through this process? >> i really learned a lot about the process that the japanese americans went through and the struggle for social equality and justice. >> what was your favorite part of making the documentary? >> my favorite part was going to the place myself and seeing the conditions they live in, as well as the editing and putting the whole movie to the. >> would you like to know what you have won? >> sure. >> you have won $5,000. >> thank you very much. >> you are welcome. and your teacher has earned your school $1,000 to use toward video equipment. >> cool. >> pam mcgorry is joining us to tell a little bit more about this year's studentcam
5:08 pm
competition and won a spirited -- competition. what was the theme? >> it was the constitution and you. we asked students to select any provision of the constitution and creates a video illustrating why it was important to them. we received a record number of entries this year, over 1200, from 43 states, washington, d.c., and puerto rico. they were judged in middle school and high-school categories. we awarded 75 student prizes and 11 teacher prizes, totaling $50,000. matthew, our grand prize winner, will receive $5,000 for his entry. host: let's talk about the first prize winners in high school and middle school. guest: first prize high-school winner was cole lazzeroni -- carl colglazier a whole school student, and he talked about intellectual property.
5:09 pm
he talks about patent and copyright and whether or not our current system supports innovation. carl this topic. he did an excellent job of explaining a timely and complex topic. in our middle school division, our first prize winner is leo pfeifer. he is an eighth grade student at salmon bay middle school in seattle, washington. in his documentary, "who owns free-speech?" he discusses the first amendment and focuses on the freedom
5:10 pm
host: pam mcgorry, where can people watch these documentaries and learn more about studentcam if they want to get about next year? guest: you can go to studentcam.org where you can find all this information, but we posted our 75 videos so they are there for you to you. in addition, each morning from april 1 through april 27, at 6:50 a.m. eastern time, we will be airing one of the top 27 winning documentaries. al
5:11 pm
fifth according to our recent report to cybersecurity threats have increased 650% in the last five years. we pick up the beginning of the hearing with the question and answer portion. this is 90 minutes. >> i will lead off with the question. and if you agree to the track lourdes networks i assume you do that? how to read facilitate network sharing from providers while protecting
5:12 pm
privacy and sensitive data? >> the debate is security and if there is a hacker that says there is a signature i shall look at then i run back and put it in place. if the government individual does that i cannot put that in the network because then i operate as a branch of the government. that seems silly and should be addressed. >> that is the specific issue. can you give us more specific? where does that show up? >> united states intelligence agencies, law-enforcement agencies regularly see signatures that we do not look for.
5:13 pm
we provide a service to customers. we don't chase that down. all need to the point where we can stop it. for them to share that, i know there is more lawyers involved in the discussion then people in the room. almost like disincentive to bother. it is not between different groups because frankly, we do. the internet does not work if we do not share constantly. >> any prohibitions if you go to the conference, is that something mr. olson or others should look for as well? >> i am sure they do. >> can you share that information or are there
5:14 pm
impediments? >> we have services from the same companies that do that. three or four companies have the intelligence is pretty good and make sure it is useful because i pay them. [laughter] >> so do the customers. >> there is not a problem sharing information back and forth? >> sometimes. >> we are looking for barriers. >> at&t had an exclusive on the iphone. so i had people in new york city, ph.d.s, and said find ways to filter attacks aimed at the iphone. they were tarred and we came up then when other carriers had access to do you think taiwan's to give them the
5:15 pm
fruits of our work? their incentive is to do it and compete. then customers say we will invest and do the protection. our competitors says the same thing. the market will force the competitors to catch up or to somebody else. that is the right balance. but between government and industry and i think information sharing should be more free. >> mr. olson? >> at metropcs communications between the systems we also have cybersecurity partners. firms to monitor our network and systems 24 hours a day. they do share information but if i understand your
5:16 pm
question, not a central clearing house of the information for those outside of the security companies to share information. if mr. edward amoroso could not notify a other people of the threat to respond to it. >> i hear a disincentive if you have research, identified the threats, . >> not a disincentive. when we advertise the broadcast, you tell the bad guys. it is a little weird to be to open up your concern. i like the existing model. we evaluate those companies and with the intelligence is good we buy it. >> my time is expired.
5:17 pm
>> thank you to the witnesses. excellent testimony. jason livingood it is good you are the ideas p in north america for the isps and how we encourage them to follow your the? quickly? i have a series of questions >> with the adoption by other providers, keep in mind not about network operators baking websites come that people have to make it work in the ecosystem. but network operators, there is that going on already. the way it is successful is multi stakeholder organizations groups are
5:18 pm
involved in. one is a group i am on coming out with the recommendation soon. >> when is that? >> today. >> you never know with government. with the extensive network to ensure the security of mobile devices that they run on, i experienced firsthand last year when i travelled abroad with the congressional delegation and my device was infected during the trip. it never left me. i practically slept with it never left in my purse or hotel. but the good news because of
5:19 pm
the proactive measures it was detected before being reactivated in the house network. what steps to your customers adhere to the same proactive security measures? mr. edward amoroso i'd love your name. [laughter] mr. os -- john olsten? >> we provide a comprehensive cliffs of configuration of guidelines so we have the information to access and our goal is to make sure your by the organization if it is a blackberry device has full control at all times. comprehensive policy more
5:20 pm
than the administrator can could draw auspex including information or allowing software installed on the device. there is a lot of education and four people understand it is difficult we tried to offer transparency and help through standards and best practices through items like this. >> as i understand it one potential is to isolate and block the ip addresses that pose a threat. do you have the technology to do this today and how has it been affected? >> we have the technology to block but it does not work.
5:21 pm
>> there you go. >> we try hard. it is your pc being infected. we turned every person in this room into an administrator. that model is wrong. you do not do a very good job. even be say we don't do what will be there. >> that causes the complexity? >> billions of people around planet earth improperly protected. it is the piece of cake to build a day bot. 50,000, one digit thousand we do not even bother naming. you cannot block ip address you would not like that.
5:22 pm
you cannot get on the internet today. we would shut the whole internet down. >> i talked about the supply chain and the security to be brought to that. do you share these concerns of the supply chain? what is the appropriate role for us to play for us to address it? >> it is a serious issue. we came to more fully appreciate after we were attacked were the systems to rely on. i don't know what we would
5:23 pm
have done it. but the use keep coming out to the supply chain. i want some any comments. >> answering from a device manufacturer standpoint, for rim, we have to understand where we get the components from, manufactured devices, it was easy in the beginning it was under our control in our factory as a global entity you outsource and distribute that capability around the world. are you manufacturing the product that you think that you are is it all and intact? >> of understanding what we can do during the manufacturing process for some strategic vendors, we are embedding being cryptic
5:24 pm
elements in the silicon before it gets to us. mfg. process has verification of every two will comment checking with the rim head office to say if you perform the operation. horse caris software certificates in the silicon to make sure it is not tampered is used to get by various services. we know it is manufactured and intact when you turn it on. that protect our network, and your network, hardware software network all looking dazed working together to provide the integrity of a blackberry services. >> we now turn to the vice chair. >> with my five minutes and five people asking the same question, you are the interface.
5:25 pm
if i wanted internet experience, i have to hire one of you. what are you doing to protect me from a virus, and an attack to my computer? >> we all have similar capabilities. a multilayer approach. not one thing to solve it. like in any and, a lot of players. intrusion protection, things that provide service attack mitigation, bot net intelligence systems that i mentioned in my opening
5:26 pm
statement. notifying customers. a number of things that we do to educate customers so they understand what they need to manage their networks and get them the software to protect their computers. a multilayer approach. >> exactly what we do. there's a lot of different product names. what we don't do, we did not sell you the computer or the operating system or select what type of software and increasingly we are drug into that. people say isps something is wrong. you are sitting in a cloud and figure out how to fix it. we all struggle with that.
5:27 pm
>> [inaudible] [laughter] we do thain is to protect our customers anti-virus, parental control, educational awareness on the website to go to. bot net notification and program. if your computer does we have a vested to notify you to clean up your home device >> there is a lot of commonality in the approaches. fine distinction regarding cybersecurity partners is important. of these people are focused on full-time cybersecurity.
5:28 pm
looking for threats having hundreds if not thousands of customers feeding them real-time threats. it could hit one company they are aware before we would see that. that information sharing is critical. it is something that the values. >> you may have already answered this question. >> the embedded security elements are part of that also the security for customers to dictate what level into the platform. also consumers and enterprises have remote backup, remote restore, the ability to wipe a device so as the mobile device that could be lost or stolen or left in a taxicab, we give you the ability to deal with that eventuality. >> the last 47 seconds go to
5:29 pm
edward amoroso. should the isp providers have a system to detect viruses before they go into your network? >> if we could do that reliably i would try to sell that. it is very difficult to detect viruses and malware. i call between 100 and 1,000 people every week. if i knew exactly how to fix the pc i would call everybody why not just those affected? but not one person in this room can tell you how to clean the malware off. other than we and rich.
5:30 pm
that is the best. >> can't you just stop it? >> here is the reason. the concept of the encrypted tunnel, if you visit the web site, there is cryptography between you and the website. but the reality is every hacker knows they push the malware through that tunnel because we cannot see it. [laughter] >> mr. doyle, you're up next. >> if i could follow up
5:31 pm
dr. sunshine. [laughter] i want to ask you about federal workers. as you might know, the white house is currently working on a national mobility strategy to determine how the employees of the federal government are using their mobile devices, and they are going to decide for example but they're all agency employees can bring their own devices to work much like many private sector employees do. of course advocating to prescribe one particular type of phone for everyone to use in the federal government, but what security issues do you foresee that might come out as a result of this if we allow all federal agencies workers to use their own mobile devices and how do you think device manufacturers can make sure that the data that is on the phone of federal workers especially in sensitive agencies remain secure? >> if you move to a more heterogeneous environment where we bring personal reliable individual reliable device is
5:32 pm
one of the challenges you face is the security of the platforms is going to vary based on the vendor and the features that they built into that, so getting a consistent view of security and how you are protecting your information is probably one of the issues. there are kind of liability discovery issues and more of a corporate context, who owns the information and who owns the intellectual property if you have to go through a litigation, maybe not such a case through the federal government employee and then how you protect the information on the device which i think is probably one of the more important ones. there isn't level of encryption built into the bloc to encrypt the data for government data, and that's one of those that can be enforced remotely but when we look at how we go into a bring your own device scenario, you know, the biggest concern that i have is this lack of a standard of our for protecting information coming and what i would be most concerned about is sort of a race to the lowest common denominator, so we have
5:33 pm
three or four competing platforms, so in order to allow everything, we are going to reduce our security requirements to the bare minimum, which i think is the wrong thing especially at the government level. >> thank you. mr. livingood, given the concerns outlined by dr. sunshine about implementing the dns sec can you outline why comcast made the decision to begin using the dns sec and whether you think it's had the intended benefits that you hope you would have? >> the intended benefit is it is a long-term gain. i think one of the challenges with dns sec adoption is a need critical mass for people to start signing names and build software to do that coming and we felt like we could play a role in leading the industry in creating that critical mass, so that's part of the reason that we did it, i think the reason at root why we did that is when the vulnerability came out in 2008, it fundamentally scared the heck out of us.
5:34 pm
if our customers couldn't be sure that when they went to bankofamerica.com, it was that website, that scared us because they are less likely to use the internet, they are not going to care so much about the high services and so on and that is incredibly important to us. so we all certainly have had a short-term fix to that come have a long-term fix to that we felt was incredibly important in dns sec appears to be that one and we are pleased to help lead the way and create that critical mass to help adoption. >> in closing, dr. amoroso i've enjoyed your testimony and it makes us realize how much work we have to do together to face this problem that certainly there is no easy answer to but i want to thank all the panelists for your testimony today. it's been very enlightening. >> i yield back mr. chairman. >> we will go now to mr. shimkus. >> i want to build a little bit on what my friend mentioned, but i want a different perspective.
5:35 pm
because it is kind of talk in my mind when you talk about federal workers, what are you finding in your cyber warriors today in other words where are they coming out of? are they coming from private universities, coming out of the military? briefly, the cutting edge new people who are helping you do this stuff, who are they coming from? going down real quick, i don't have much time. >> it's a variety of places, and there is a need for more educational focus not just in cybersecurity but iacp generally. but we find people in a variety of ways so more military service members and former law enforcement. others are just administrators the current kristen security and others are former childhood hackers or something like this and they are interested in it is it's a variety of things. >> is there a college path, i mean, can you get i.t. training
5:36 pm
in the business schools or science class? >> i've been teaching at stevens for 22 years. i teach this semester. if you look at my class in 1990, you would see something that would look like typical college pretty mixed of kids. the class today is about 98% for international, and i've got about 65 classrooms, and almost all of them have the intention of leaving the country when they complete their master's or ph.d. because they see bigger opportunities elsewhere. >> that kind of segues and if you want to jump in, i can real quick but i don't want to forget the aspect of compensation for people entering the private sector versus the government sector. there's a debate on salary compensation. i don't know where it is.
5:37 pm
we have the same issues of bringing in the best and the brightest but if we are not compensating them for the private market bears the there is a notice. anyone want to jump in? >> there is the education system in the military and intelligence resigned people moving into private industry. the most talented is a high school dropout and so i think using the education system as a bar doesn't really help identify one of the top recognize hackers of research in the world, so it varies, and i don't think you can actually teach somebody to be a hacker. if you want to be a researcher in that area there is an increase in the mentality you're either born with or not so it's not like i'm teaching somebody treat like program and in getting to a level of sophisticated developing software. being an attacker is a much more different mind set. >> i don't know if i will get to both of them but the debate on the senate side on just this is how you provide is what happens
5:38 pm
if the federal government requires you to follow a new government security standard what happens to you? that's the debate on the senate side legislatively, one has a government imposed standard, one is really letting you fight yourself so anyone want to jump in? >> i will offer a brief point. my guess is anything you can write down that you can think of as kind of the best practice is already being done and we are back at the shop about our things on your list. as an example we talked about about that. remember y2k, building of y2k white house communications center and we were going to get for one day there would be really bad if you miss the millennium change you can't really move that date, it?
5:39 pm
so we were completely freaked out. we've spelled ways to steer traffic around and now we have a service and it's where we've moved on to the next thing. >> let me put a final challenge out because i do agree how do we incent innovation in this area which is a part of the opening statement? and incentivizing means government money here or government tax credits. that's kind of persona non-grata in this new world in which we live, so i would ask you to help us wrap around this. maybe there's things we can do that's not a dollar and cents component, but tax credits, things like that. it's a very difficult to do in today's environment. thank you, mr. chairman. >> thank you, gentlemen. with the committee's indulgence, doctor, could you just explain d
5:40 pm
dos? >> that stands for distributed denial of service. when my voice talks to all of your ears it is one thing to many ears and works great if they are all quiet and you listen and your ears work but if you could bounce my voice off of your ears to him it would sound like you were all shouting. my voice to all of your ears and then you reflected back that is a denial of service attack. we hit all of your pc's and then tell them to shout this way. it all comes and sounds like this big attack and clogs the pipes and locks them out and that's how it works. >> thank you, doctor. now we go to ms. matsui. >> thank you, mr. chairman. this is all challenging and frightening at the same time here. and i do appreciate all of your testimony. i want to go into another area. as we look into develop an
5:41 pm
industry best practice standard for the isp, should the allin service is included as well as others providers or do you think because that technology is new it could be better for the providers to consider forming their own best practices and secure the the in the cloud, and like mr. mann and dr. amoroso answer that, please. and we don't have much time. >> first of all, we are already talking to the cloud providers and some of us are in fact cloud providers. so the conversation is well under way. we are very familiar with official pledges, and if you think about it, the term of cloud is a rather generic term that is probably misunderstood. it can mean a number of different things for a different type of customer and so therefore i would say we continue to include them in the conversation as we have everyone else so to speak at the table as partners, and the solutions you are looking for are going to have to be integrated across the
5:42 pm
white platform so therefore i would say that you would want to keep them in the conversation. >> thank you. >> so, my mother has a pc at home that i am sure is attacking china or something because it's not administered properly and she's got big tower with the verizon, the holding. she doesn't need that. she would be better served to have a cloud provider just take care of all that for her and she would just be using some appliance. the reason she doesn't is there's software on the pc that she wants to be able to use. so in general, that concept is a more secure concept than my mom trying to do administration. i think the cloud in general is a more secure model than the one we have now. >> that's good to know.
5:43 pm
dr. amoroso, given your expertise in this area, what are the differences between securing wired and wireless communications networks and how can the differences be accounted for any type of cybersecurity initiative? >> they are pretty big. the differences are significant. if we had three hours i could take you through the whole thing but i will give you one example. remember when, i am guessing those of you remember when security was don't put an infected floppy in your computer, remember that? don't put software in your machine and you don't know where it came from. it seemed like a perfectly good common sense. what do we do every single day on the app stores? we are downloading stuff. i didn't write that, i don't know where it came from but it looks pretty cool. that's something we are going to have to address in the security perspective. that is a big difference than
5:44 pm
wireless and wired. >> i'm also thinking that so much of what we do is wireless, so much we do within our own home, and yet it's so easy to do most people don't think about it at all. i am concerned that we are not thinking as broadly as we should be thinking as far as some of the personal use and i think it came about here that mr. doyle, too and the government area, too. but it's so easy to be carrying tablets and different cell phones around, and for me it's the part that is to me quite frightening is that nobody knows what they don't know, and we're looking at you when you are saying that there's a lot of things you don't know, too, and we look upon you as experts, and i am hoping that we can build some incentives here with a sort of sharing of information that
5:45 pm
goes beyond some of your commercial type of concerns, because i'm looking ahead if this is getting more and more complicated as we develop more tablets and smart phones and whatever that we are losing control of the cybersecurity aspect of its come at the software aspect of it you brought up, dr. amoroso, is very important in the education fact of that and whether or not we are actually kind of building our own principles and standards and to that. so, that is just a comment, and i really do appreciate you being here and i think i'm learning more and more every time one of you opened your mouth so thank you very much for being here. >> thank you. we will now go to ms. blackburn for five minutes. >> thank you all so much. and i tell you what i think i'm going to do is just ask my
5:46 pm
questions, then if you'll want to respond or respond in writing that would be wonderful. first of all, going back to something mr. shimkus said, i would like to hear from each of you and you can say it now or send it to me what you are seeing as a disturbing trend, and what is kind of the next thing out there? i would like to know that. i would like to get an idea of how much of doing your cost of business is beginning to center around the cybersecurity issue. in your testimony, several of you have mentioned in one way or another either in response to the questions or testimony feel that the federal government and up being more of an impediment than a facilitator in bolstering some of the cybersecurity efforts. i would like for you to speak to
5:47 pm
what you are concerned that we might do, and then what we are not doing that we should be doing and hear from you in that vein. would your consumers appreciate knowing what you're doing to educate them? i think that one of the things that helps us as we work through the process is being certain that consumers are educated so i could get that bit of information and then when we look at the attacks that are all there, some of the anonymous attacks, there's one in the news today i think there are five people that are bringing forward on charges, what kind of firm government imposed performance requirement would help keep pace with some of the technological revolution that you are seeing in these cyberattacks, and
5:48 pm
if we were to do it government top-down sort of structure to try to deal with cyber enemies would that be getting a signal for them to be able to work around? so if that, those are the questions that i will love to hear from you on the trends of the cost what we are doing and we are not doing, dealing with consumers here you are educating them and then looking at the attacks, the cautions he would give to us and with that anyone that wants to respond. >> sure, i can go first and i will try to be quick so others can answer. in terms of the positive things the government can do making information sharing easier there's a number of things out there to help. the government has a role to play in education, whether that is the tsa or other kinds of education for end users for citizens. i think there's also an opportunity to help incent or
5:49 pm
fund additional r&d. i know that other groups try to do research and security and other internet futures. i think there's more that can be done that's important, and in terms of things to be careful of or to be aware of i think it is the mandates we don't want to be focused on the compliance we want to focus on the innovation and threats of tomorrow and not of today. >> thank you. anyone else? >> i will make two comments. you mentioned incentives. i can tell you as a professional we are heavily incentivized to make sure we are protecting our internal resources and all of our partners that are interconnected with our systems. i think one of the things that is a little scary so far is we monitor all of our customer service channels and we are not seeing a lot of requests from
5:50 pm
the customers concerning the devices, so i think education is certainly going to be important. i think there's just not a general awareness in the consumer population how big of an issue this is. stickney be a comment more around why it's so difficult to regulate this arena. i think we've been speaking rather generically about the mobile devices and cybersecurity threats. it's a much broader problem depending on what category you're looking at and because there's multiple categories of threat actors, trying to find a solution that risk of us the ways they are difficult. if you think about who is coming at you and why they are coming at you you could have venations discovering that you for all sorts of reasons. it could be coming at the federal government or for military reasons the same nation state could be coming after a corporation with intellectual property understanding the
5:51 pm
intellectual property is not just in the 50,000 corporate environment it could be in the 50 per cent will firms doing their activity. so you have the broad landscape if you are looking at the nation states. if you are looking at criminal activities, sure, you have what is to be descriptive at doing something the was relatively harmless as the network administrator if they grew up. but on the other hand, you have organized crime looking at more broadly the world and how to make money with the recent fbi investigation that infected hundreds of thousands of computers. then you can take a look at the anonymous activists to make a point and then you come down to your inside threat and the companies are doing at. if you think about the landscape in different reasons when you try to put a regulatory overlay on that it's very difficult to
5:52 pm
put us in the position to respond to those kind of categories and the same time we have our checklist compliance. thank you. >> thank you. amit yellmac pure islamic the gentlelady is yielding dhaka and recognize the gentleman from the virgin islands. >> thank you mr. chairman, good morning everyone, thank you for being here. i have a couple of questions. let me begin with mr. amoroso. use a justin aretas the money that congress defined the roles of the various executive agencies and cybersecurity where do you see as an independent agency playing a role clacks >> i don't think there's an agency right now that's a good position to come in and solve a problem that we can't solve ourselves. is it really was a case you could write out these five things we should all be doing and for whatever reason negligence, ignorance, what
5:53 pm
ever, we are not doing it, then we do need somebody in government to shake us into action. the problem is we don't know what it is you should be telling us we should be giving. that's why we are pointing to innovation as the key, so it is almost kind of a moot question whether it should be dhs or whomever because we are not really sure what they should be telling us. that's the problem, and there are some things part of the team to make the recommendations so i don't want you to believe that we are just kind of punting at a hard problem and we reduce the risk from the agency perspective if there was an obvious set of things that should be done right now, kind of thinking the groups that are here would be doing it coming and we are incentive to do that. that's the problem. i hope that addresses the question. saxby for. thank you for that answer.
5:54 pm
ms. livingood, you mentioned that comcast is an active participant in the communications security and reliability and interoperability council. so could you just describe for us how you envision the council's contributing to the cybersecurity especially to the types of attacks the council is addressing by the internet hijacking the main etc? >> sure. there are a number of working groups to decline on one. one of the folks that works with me is the chair of one of them and they focus on things like the security of the routing infrastructure and a whole range of other things, and i confess that is a process that works pretty well. people voluntarily get involved and what they think the current best practices are and that is a process that repeats regularly every year so that it's not static and it's not just 2008 we came up with this practice is and that is what we're focused
5:55 pm
on. it's something that gets renewed and refreshed all the time and every new threat as it comes out and that is one of many places that we all work together. there are lots of others. the north american networks operators could come messaging group, a whole range of others i could go on for minutes about but i think the groups like that are good because they are voluntary and focus on best practices and really current issues. islamic weigel your customers may be using the service for in home computers they also use the wi-fi network's texas contest e-mail and other video products, so how do you continue to ensure that they are developed for the core services? >> and member of our security protections are things a customer can download and install on the device like their home computer but we have a bunch of things in a network like the constant guard system which is about intelligence and
5:56 pm
other security for systems and that's there for customers that might be bringing the device and the network and maybe it is a friend visiting their house and we will see those kind of things and we can alert customers, is whether the installed software to be provided on their device or not, we still have the tools in the toolbox to identify that and held them tell them about it and help solve it. >> you talk about it here the government and private industry as well as the private companies. what protections do you think are necessary to protect civil liberties and consumer privacy and what do you believe could be the boundary to the liability protection of the antitrust? >> the issues that you raised the reasons we have those impediments not because i am american, i want civil liberties, i want all those things. the current state, we have swung the pendulum in the direction of
5:57 pm
making absolutely certain that we are protecting civil liberties. that is a good thing. the question is how we somehow preserve those liberties and also allow all of us to know if there is now we're saying - we've really got to figure that one out. i'm not sure i can give you a good answer on how we do it but i think it's got to be pretty high priority because the motivation everybody says that now where it's not a simple liberty issue. comcast should know the problem and they conclude that into their system so somehow we just have to maybe get the lawyers out of the room and come up with some kind of a common sense approach the that's the reason. all the things you listed, that's why we can't take those signatures today. >> thank you mr. sherman. >> thank you, dr. christensen. dr. amoroso you should have seen the people shake behind you when you sit get the lawyers out of the room. let's go to mr. bass from new
5:58 pm
hampshire. >> i have a couple of questions for mr. livingood but before i ask that, can i ask a mobile or smart phone question for dummies why is there a difference in the cybersecurity issues between an ipad or smart device like this and a laptop or desktop computer? make it quick because i have other questions. anybody answer that question, for me? >> there's probably a firewall in the wider demand so we can do more filtering and policy control. with wireless it goes direct to us and we have an incentive and lead particularly in washington to push the packets, don't look at them, don't do anything, god forbid you impose any kind of policy for filtering. we do nothing secure connection is strictly to the internet
5:59 pm
whereas your wired connection probably has some group at work. some car you exposed to -- is there a cybersecurity issue associated with my ipad? >> i don't know you're connected to. >> let's say comcast. >> there are those issues and i think those are a new class of device, and a lot of the criminals are very focused on the return on investment, focused where the biggest platforms are and so the more the devices get out there, the bigger target that makes so they will say okay i can spend a couple of days developing this and i have a few million devices, so you will start to see more and more of those things and depending on the tablet that you have some are more vulnerable at the moment than others, but that's something a lot of americans are buying so that will be the next threat to this too is apple responsible for this or are you?
6:00 pm
if apple please enroll with the android devices and then also software vendors that make the applications play of old there's also the company's customer education, and i am sure over time just in the same way that we have software that runs on the pc to provide security, that will start to develop and evolve and provide that extra level of security as well which i think is the early stage of that adoption. >> and the same is true for blackberry, right? of the tablets are going to have different risks and when we look at it in terms of how we protect our platform the themes i keep hearing over and over and it's one that this committee has highlighted is the need for education, and when you talk about computer security one of the inevitable comparisons is driving a car and we don't let people drive a car without a license, but we let them down on the computer, connect to the internet, download software with
6:01 pm
with those risks are, and that piece of education i'm not suggesting we like these people to use a computer but we do need a level of sophistication and education and how we inform people of risks they have. >> i just want to ask a couple questions about constant guard protection. i know in your testimony on page six it says at comcast we understand securing cyber is a complex task, so education, prevention, detection, mediation, recovery are the core objectives of the anti-malware efforts. does comcast require its customers to download the protection suite, and if not, how is the customer going to know that expense and how are you going to notify them that they have a problem? >> it is not required a customer download that to use our service. they just have to have normal internet connectivity to do that. but we do a lot to make the
6:02 pm
customer is aware of that and to incent them to download it both before they have an issue and after so before they have an issue, you know, when they are installed, they are given a lot of information about the things available to them and they are given links to that and so on. when they get a welcome e-mail when they sign up for service we are reiterating that for them and we do a lot of things on the web site and other places to promote the fact these are available. after they have an issue, and we noticed we drive them to the mediation portal and that's one of the first things we recommend they download is this suite and take a number of other steps, so a lot of education up front and when they come on recall that on board as a customer, and we do things while they are customers reiterating that and then afterwards. >> it is limited to windows operations. how long has it been around? >> that protection suite is pretty recent and that is a little bit more than a year. that's a supplement to a larger anti-virus security suite that
6:03 pm
we have had for many years that is -- >> real quick to cause i've run out of time. what business incentives if any did you get or did you have to developing and offering this service? >> we view it in two ways. number one, there's a competitive incentive if we can be seen as having a more security features or more secure than the next guy someone chooses us as their isp rather than someone else the next thing is customers when they come on board as a customer used to tell us the two reasons we are price and speed and today its price, speed and security, so customers are aware increasingly so not as aware as the need to be billed very aware about security. the ask about those things on the call to order service, and so we view it as a competitive feature that we need to add and that is why all the things we are doing more important to us to miss the next before mr. chairman. >> now we go to chairman
6:04 pm
dingell. >> mr. chairman, thank you. gentlemen, we have much to do and little time so i'm going to try to ask questions if you will answer yes or no to. starting with mr. livingston to read a sober security regulations on industry would stifle innovation and harm the industry devotee to protect consumers from cyber threats is that correct, yes or no, starting with you? >> yes i am concerned about that. >> mr. amoroso? >> es? >> yes. >> now, gentlemen, let us assume for a moment that the congress will pursue no regulation passed in this matter is to facilitate greater information sharing about cyber threats between the industry and the government. with of your collective preference, yes or no? >> yes. >> search? >> yes.
6:05 pm
>> gentlemen, thank you. in that case, what the congress need to consider granting exemptions to the antitrust locker and the federal trade commission act in order to allow the companies to share cybersecurity information among themselves, and this or no? >> yes picks demint yes paris demint yes. islamic i unfortunately can't comment on that. >> now gentlemen, similarly come to you believe that a safe harbor vision should be created in statute to permit companies to share cyber threat information with government agencies without fear of class-action or other lawsuits being brought against them, yes or no? >> yes. >> yes.
6:06 pm
>> thank you. >> server? >> yes. >> i'm afraid i can't comment on that. >> gentlemen, my last several questions have been prefaced on a note regulations scenario. in the congress adopts legislation to promote information sharing between industry and government. would you please submit for the record what enforcement tools you believe the federal government would have in this scenario to ensure the industry is adequately guarding and being guarded against cyber threats. i'm asking you to make a submission there for the record because of the shortness in time. now, gentlemen, let us assume that the government would have some role in promoting cybersecurity in the private sector.
6:07 pm
if the federal government were to require the promulgation of pop cybersecurity standards should such standards preempt state looks? starting with you, yes or no previous panicky yes. easier to have one standard. >> i don't know. i'm not sure i haven't thought that one through. >> sir? >> i will have to agree with dr. amoroso. i hadn't really considered that. >> gentlemen, i have read with some interest in mr. olson's testimony that, and i quote, the ongoing evaluation for the metro security program is based on a periodic internal and fourth party assessments and auditing. what your respective companies object if such audits of the government were mandated, yes or
6:08 pm
no? >> no, we already provide all those things. waiting we would object, yes. >> you would object? >> we would come back and ask you to explain that. >> we would probably object. those that vindicate would you please explain briefly? >> when you write a law do paperwork, so i take people away from giving their day-to-day work one of our favorite things to show people in the lab is a long one of the walls we got about a miles worth of ring binders and we say there's the government paperwork followed by the chuckling laughter but it's true we do have a great deal of
6:09 pm
paperwork that we fill out when we are dealing with a different federal groups were sarbanes oxley, whatever. there's a lot of paperwork, so i'm just suggesting that if we are already doing it and the government comes in and says i need you to start this compliance checklist, you are taking people away from the work. that's why we would object. >> very quickly if i can just make a note to very quickly i think this is dangerous we might have objections we would object to the same concerns. >> thanks for your questions. the heart of the matter quickly. now turn to the german house intelligence mehdi committee. the spread in the witnesses as well. i think one of the best problems that we've run into in this is that we haven't really sounded the alarm bells. i think in all of the circles people that look at this every day, although the security shops, the itc to the shops across america, they know what
6:10 pm
problem is. average users don't see that, and that's why there is no pride get it about how we get this fixed but i appreciate your comments. you talk about, each of you, the importance of information sharing and keeping it as clean and simple as you can. talk about how that would work. we bring the folks together. we are sharing a government secret sauce with all of you and you are sharing back malicious where that the government is maybe not aware of. talk about how fast this is our talk about celebrities and i think that people have this visual people are reading e-mails, some guy named bob in cleveland is read and everybody's e-mail to find this malicious software, not how it works. as a matter of fact it is a miserable failure. can you talk just a little bit about how you envision that the woodwork with of the sharing arrangement, real-time, no regulatory, kit you talk about
6:11 pm
that quickly? >> first one to compliment you on the legislation. there is nice work in the work that you've done. first of all, real time, absolutely. independently audited i think is important, so that somebody can come in and look at the way that this is done, but it also has to be controlled, like lasting it out over the internet would be really bad idea, but i think that you need to balance, real time and the ability to come back and look at the process to make sure it is transparent without exposing it to our adversaries. that's the right way to do it. there's also different levels of sharing by industry. i think you have to look at how you do your risk assessments in each category described what's working well and that is the defense industrial base pilot that's going on. that particularly is supporting the defense contractors in dod but you could expand that to the financial-services industry and other industries
6:12 pm
>> just for clarification, when we talk about real time i have seen numbers as high as 100 million a second, that information flying around. so if this is going to work, the malicious source code has to be compared at an incredibly fast rate. can you talk about that in an engineering perspective? come anyone? >> one of the challenges is doing any kind of pattern matching tv to matching. for a number of years but is called polymorphic where it changes every individual that is different from the next so a lot of stuff changes and it's not like it is with anti-spam, where you can match a few key words that's it, that's the target, and fly get that way so you need to come up with ways and a number of us have systems like this and there's others that are in development that can do this
6:13 pm
in a wider basis, so that is the very to launch your getting at which is doing that in real time just incredibly difficult and you are at the edge of computer science at that point. >> which is why i think many of you have told us before the legislation was written, be careful about the regulatory scheme. if we slow you down and give you another row of books down the hallway there, it doesn't work. we already have outdated what you are trying to accomplish in the room and this is a value added not only for you but for the government, is it not? the government also gets benefit from the protection from all of your great work in the private sector, correct? >> that's correct and there's two things that i think interesting. one is by the time a very restrictive law would be written by the time that the industrywide threats would have moved on and so you've got to be able to be flexible. the other is we need to have with our software developers and secure specialists the need to be hard at work in the room, not with half of the roomful of lawyers with them slowing them
6:14 pm
down and asking questions about why are you doing this and that, the need to be at work every day trying to solve the problem. estimate for the record this may be my favorite panels all time. never so often has a group of engineers belittled lawyers at the table. you have warmed my heart that we have faith that we are moving forward. i wish we had time to talk about all the issues and i'm very curious about how you would fix the programming issue come huge problem for us as we move forward. we didn't talk of the exfiltration which is difficult for any of you to catch, which i would argue right now is the single greatest threat to our economy moving forward the side of the things we know today. >> can you outline exfiltration? >> sure. we know that the nation states today are engaged in getting onto your network looking, they
6:15 pm
will be there for very long time. you don't know it on your system administrators don't know it, these folks can't catch it, a lot of times the government can't catch it either, and then they will latch on to the intellectual property that is on everybody's computer, all those designs, everything that is of value to that company, and at the right time, at the right speed, they latch on to it and run like through the network and to get back, and we know a country like china who is investing in this as a national strategy to exfiltrate intellectual property and then directly use the intellectual property to compete against the united states business, and unfortunately it is happening at a breathtaking pace, breathtaking pace. what is concerning these folks are looking for malicious software that's disruptive or theft oriented. this is very sophisticated as any that you will see, incredibly hard to detect and they really don't want to break
6:16 pm
anything or get in and stealing it without you knowing it and that is what is so troubling. hundreds and hundreds of jobs lost every year for the theft of the intellectual property that's being reprogrammed commercially against u.s. companies. it is as big a problem as i have ever seen and it's one of the things of the many that keeps me up at night. mr. chairman, thanks for letting me explain it and it's something we didn't really get into today because that is a focus on what they can even watch. that's why the information sharing i think is so important. it would help american businesses the federal government having information being able to identify the code share it with the right partners, amazing what we would be able to stop. >> with the indulgence of the committee members, perhaps the importance of that topic you could each of you have anything you to add on that area, and sure that we will go to mr. stevens and mr. gingrey.
6:17 pm
does anybody want to comment? >> it's the advanced persistent threat, he's got it right. somebody targetting any of you. if we know the folks you run around with, we can crash defeat e-mail that looks pretty realistic, point you to one of these web sites that establishes a tunnel, it drops a remote access tool and now you log in with remote access from work or from home or whatever you're doing this is a hacker doing remote access to you now the server and once they are on the control the pc, the network and so on and the intellectual property theft is becoming a significant. it is probably the number-one thing i did all of us when we go back we talked about the botnet and the ns but that isn't what we deal with, we are dealing with a kind of our point, right, we are ahead of the discussions here, things we have been dealing with in the
6:18 pm
past and the things we deal with now are probably things we would be testifying about five years from now so that is an issue. >> the advanced threat these are remarkably sophisticated, they are slocum the your patient, they will work on your network for years and i'm from the canadian headquarters, we had a large company going to business as a part of the attribution of that, the loss of the intellectual property to the foreign state let for series right off the network so when you look at that this is a serious concern. five years from now you will probably be looking at that. it's great that you're looking at it now, congressman because the threat is real and persistent today and as you stated it is a threat to jobs and an economic threat to the united states and elsewhere. >> for the record i want to ears for your 40 years of fbi service. the to for all the time that you
6:19 pm
have put in. thank you. estimate let's go to mr. stern's to the estimates before mr. chairman. let me take my question a little bit along the lines that my colleague from michigan talked about when he talked about the advanced threat. dr. amoroso, when you did your opening statement, you were speaking quite eloquently in talking about malicious software and que painted this picture that you were impressed how well it was developed, the put together and you sort of alluded to the fact that it was almost not an impenetrable, but it was to the point you were respectful of it and were not sure that we were keeping it up. is that my interpretation? >> that is right we are not keeping up. we are trying. think of the pace of innovation
6:20 pm
you see in silicon valley. new things every day. the hacking and malicious adversary community are moving at the same pace, so the job we have is we have to keep up, and you would say you'd better be ahead of them, like not even enough to just kind of keep up, you better be ahead, so we are always going to be sort of bias. we have to innovate, we have to go faster. estimate deutsch you are always catching up? applied to me by saying the respectability you have is this true for adware, spyware some of these others? is also applicable to that, too? >> apt is the best, it's this exfiltration point that the congressman spoke about. that is the elite kind of attack in 2012, spyware maybe not so much. >> now who are these people that
6:21 pm
are doing this specifically, can you name them? >> i'm not in law enforcement. >> is their anybody on the panel that can talk about this now sort of respectfully and how eloquently is put together anybody can tell me who we are talking about? >> i think if you take a look at the most recent investigation conducted by the fbi and the ds malware you will see it was a group of individuals operating out of estonia that basically said the malware to the individuals and various forms and e-mails and you click on them and infected your computer in a way that directed you when you went out to do a search you were looking for amazon dhaka, or some other company. you went to their servers and directly embedded in the various locations in the united states, so these are organized groups that have figured out how to capitalize on the money that he can make.
6:22 pm
>> are these people in estonia, are they part of a mafia underground, an organization? is larger than just an hazony without you revealing -- >> those are no longer individual hackers. they are out there but now they've actually formed themselves into types of federations to work together. >> across the world? >> you can do it across the world. there are certain groups that you can join in and would be a member from different countries petraeus too so it's like a fraternity. i am a member of the -- >> it needs to be a hotbed right now because the economy is run over. islamic anyone else? >> if i could add to that it's pretty interesting to read this is a very large and very well organized underground economy. there specialist so you have some people that right tools, other people that read access so you can rent them by the hour and tell them where you want them to be and what kind of
6:23 pm
computers. the payment network mechanisms between the parties, it's a very sophisticated, and if you think about it from a criminal standpoint it is a lot easier to do and get a return investment this type of thing than it is to go out and do the physical oriented crimes and the scale is so much larger these are folks that operate across internationally and there is an enormous amount of economic incentive for them to do it and it's primarily unlike apt it is an economic crime focused on the economics but the intellectual property this is all about the money. >> is there a possibility that we have terrorists involved with this that are part of this, the terrorists could go to this group or federation and are using them? is that? >> they use the schemes for funding. number one for their operations. and number two, they use it just
6:24 pm
as a communications system. they know they are being looked at. so the ways they need to communicate our surreptitiously in a way they can't be intercepted so they use these types of technologies to communicate with one another but they have to fund their operations. islamic the question comes down to the premise of what this hearing is all about. what could we as legislators on the subcommittee and the full committee and members of congress, what can we do to make it easier for you to operate and at the same time give you the wherewithal to compete, and what should we not do? what should we do and should we not do? as a closing statement if we can just go down the panel and each gets what we should and should not do, that would be helpful as one legislator. >> - what you should do is help make information sharing easier, remove those impediments. i think also there is a role for
6:25 pm
the government a plea education nutter that is of the things to raise awareness about the security issues, and i think that there are r&d types of things through the agencies you can help fund to focus on this. i think what you should not do is focus on the mandates and compliance. that enables us to focus instead on innovation. >> that sounded good. i had one additional and that is that you have influence around the federal procurement process, so a lot of times we see procurement cannot and scratch our heads and say don't you think they're ought to be more business, there isn't. i recommend that process ought to be the most secure process in the entire world. >> i would add the importance of
6:26 pm
information sharing. we have limited resources we conduct risk assessments. risk assessments when we are trying to decide on the impacts and probability based upon the information that we have the time the government agency or another carrier has additional information we don't factor that into our analysis and we are missile lanning how we develop our countermeasures. >> i think there's a lot of commonality among the panel on what we would like to see. i would just add a little bit to the information sharing area. the federal government has access to information through various agencies that are watching the country's cyber borders and our own company we've seen a vast majority of reconnaissance scans and attempts to gain access coming from china and eastern europe and i think the federal government would be in a good position to monitor and provide more information on that.
6:27 pm
>> i agree with everybody else on the panel on the government industry and the intelligence agencies for what you see it's much different than what we see so my team works with dr. amoroso on areas of commonality between at&t where we think we of issues that need to be addressed and and that the security of our customers but we don't necessarily get the feedback from the government about what you see that we need to be aware of, and if there is anything i could ask for it would be more transparent, more real time information sharing mechanism to let the industry know what the government needs to know so we can act to protect our networks and by extension protect your information. >> thank you. mr. gingrey, thanks for your patience. >> mr. chairman, took the words right out of my mouth. you are exacting patients out of the last member to ask a
6:28 pm
question, but i moved down here early in the hearing as all of you know. i couldn't hear very well even though the chairman said speak into your microphone, so i'm glad i did move down close because i knew it was going to be interesting and i knew that you all all five of you experts were going to have a lot of useful information to present to us and quite honestly, after the two hours of this i'm trying to figure not a way to beat these guys and the only thing i can think of is there is an opportunity to invest in these operations i don't guess that would be legal, but if it were that would be one of the best ways for us to win. thank you all very much. let me ask a specific question and maybe this cuts to the chase of one of the main reasons why is holding this hearing.
6:29 pm
each of you, please, starting with mr. livingood answer this for me. do you believe the sec has enough cybersecurity expertise to allay the concerns that some industry stakeholders have with the commission? if they deutsch to impose tighter security regulations on you guys on the network providers? you have enough confidence in the expertise to do that, mr. livingood? >> i don't know the answer to that. we were a lot of folks in the sec and enjoy doing that and have a lot of expertise. that is a tough question i don't know the answer. >> i don't know if there is any agency that has the right expertise to do that. to know the answer was we would be doing that so i don't think it is a knock on any one particular agency. i don't think there is any agency that has that kind of capability right now. >> mr. mahon? >> i would add the answer is nobody not think anyone does.
6:30 pm
that is the importance of collaborative relationships. you do need to bring people in from all sorts of the federal arena as well as the private industry every network together to the evolving nature of the threats in this arena. ..
6:31 pm
what terracing as far as threats, and the mets in the low while ago about the threats from outside the u.s. think that is a critical component. the went -- the other is for companies to share impression on present they are seeing, and that clearinghouse would have to be sponsored by somebody that the federal government is to the right place to do that. >> and i think you addressed also in your testimony, the hold harmless provision that is necessary to share that information so that you would not be subject to lawsuits. >> have a little time left. one more question. the internet is currently transitioning from this and said provider before. does that process create any new cyber security issues, and will
6:32 pm
transitioning alone solve any cyber security issues that currently exist? the process of transitioning present opportunities to resolve existing cyber security issues? >> well, i think, you know, we have been a leader of. i think that all of those issues that exist in the current ipv4 simply carry over. it is just a new form of addressing. you know, that being said, because it is a new form and in the technology, you are introducing new things into the ecosystem. to the point earlier, complex system when you change something, unintended consequences. so it's something you have to keep an eye on and make sure you're not introducing any new vulnerabilities. i think if there were any it is simply because some security to their work straight might not have the same features. >> every device on the planet
6:33 pm
would be addressable, routable. for all this we have to figure how to architect security protections. i do have some concerns about the transition. >> the architect and is nearing -- and engineering teams are still boarded through the estimates but you have legacy systems being married up with the technology, and whenever you do that you're going to have things evolve as you begin to deploy. >> i think from a protection standpoint it is a step ahead but the bad guys out there working just as hard as we are to find another way around it. as soon as we make an investment and technology they're right up there keeping pace with it. >> expanding the attack surface. by doing so increasing the risks. the unknown risks. >> thank you for this generosity of those 45 extra seconds, and i
6:34 pm
yield back. >> actually, clear to 49. thank you. i want to thank all the eyewitnesses and all the folks behind him who, i'm sure, play some role. really appreciate your insights. very helpful. our effort to mommy's there were trying to do the right thing. you're out there trying to fight the battle every day. we may be back to you with the working groups deal little deeper and some of these issues, giving a specific as possible. we hope to look out to some of the other types of networks and small providers. you obviously represent major providers or representation of them. also wondering about the weakest link which might be small isp. how did they do with this? they have the same sorts of capabilities to fight back. so i deeply appreciate your willingness to be here today and share your knowledge with us. we are better for it. so with that the subcommittee
6:35 pm
and communications technology stands adjourned. [background noises] >> coming back in after recessing. a cyber security briefing with homeland security secretary janet napolitano. of the floor, said this continue to negotiate amendments to the highway bill. debating the transportation measure for a few weeks.
6:36 pm
6:37 pm
6:38 pm
6:39 pm
6:40 pm
and now
6:41 pm
6:42 pm
6:43 pm
6:44 pm
6:45 pm
6:46 pm
6:47 pm
6:48 pm
6:49 pm
6:50 pm
6:51 pm
quorum call:
6:52 pm
6:53 pm
6:54 pm
6:55 pm
6:56 pm
6:57 pm
6:58 pm
6:59 pm
7:00 pm
quorum call:
7:01 pm
7:02 pm
7:03 pm
7:04 pm
7:05 pm
7:06 pm
7:07 pm
7:08 pm
7:09 pm
7:10 pm
7:11 pm
7:12 pm
7:13 pm
7:14 pm
7:15 pm
quorum call:
7:16 pm
7:17 pm
7:18 pm
7:19 pm
7:20 pm
7:21 pm
7:22 pm
7:23 pm
7:24 pm
7:25 pm
7:26 pm
7:27 pm
7:28 pm
7:29 pm
7:30 pm
quorum call:
7:31 pm
7:32 pm
7:33 pm
7:34 pm
7:35 pm
7:36 pm
a senator: i know it's probably clear to all of us that the american people have a very high level of frustration with the lack of productivity of this congress. the fact is, when we go home to our respective states, i'm sure we're all hearing what i heard last week as i traveled across pennsylvania, people asking, why can't you guys work together, why can't you get something done, why does it seem that there's so much partisan bickering that you can't come together on even simple things that could help grow this economy, help make progress in these very difficult times? well, on this front, i think we've got some good news and i'm delighted and i am -- i want to talk about this tonight and hope
7:37 pm
that this early sign of good news reaches fruition and we actually have a meaningful accomplishment soon in this body as well as the other body. and specifically i'm referring to the work that has been coming together of late on a series of capital formation bills that will help small and growing companies raise the capital that they need to expand, to hire new workers, to help improve our economy and give us a healthier economy with the job growth that we badly need. in particular, i want to thank house majority leader eric cantor. congressman cantor took the step of pulling together a series of bills, series of separate bills, putting them together in a package, a capital formation package, and i -- there is very, very broad support for this package in the house. i think under his leadership, it's very likely to pass the house soon and present a tremendous opportunity for us
7:38 pm
here because there's broad bipartisan support for these commonsense reforms that will help companies raise capital and grow. mr. toomey: the bipartisan support includes the president of the united states. much to his credit, the president, just yesterday, i believe, issued a formal statement of administrative policy indicating his full support for the passage of the measure that congressman cantor, leader cantor, is proposing in the house. these proposals, many of them come from the work that the president initiated. some of them are included in the start-up america jobs plan that the president proposed. some of them were recommended by commissions that the president has assembled. the president himself spoke about the need for enhancing small- and medium-sized companies' access to capital in the state of the union address. so the president has been really i think very, very clear and very strong in his support, as
7:39 pm
the house republican leadership has been. here in this body, i think the -- the leadership on both sides of the aisle have indicated support. the majority leader, the minority leader have both indicated their support for moving in this direction. the chairman and the ranking member of the banking committee have both expressed the desire to move forward with the capital formation package. and there's wide support among outside groups. in fact, it's very broad support and very little opposition. the support includes support of entrepreneurs, whether they be from convenience stores, financial services firms, high-tech firms. in pennsylvania, the life science companies feel very strongly about this because for them, access to capital is a huge challenge. it's -- it's the absolutely essential precondition for their growth. and they're not alone. manufacturers generally, the supermarkets, all kinds of trade
7:40 pm
associations, the support for these capital formation bills is very, very broad. i want to touch specifically on three of the bills that i've been working on for quite some time now and i'm -- i'm very hopeful and optimistic about because i think the -- well, first of all, these three bills are among the six bills -- they are three of the six bills, i should say, the house companion version of these bills are in the package that leader cantor has proposed and there's broad support i believe in this body for these bills as well. the first i want to refer to is -- is a bill that i've introduced with senator tester. it's senate bill 1544, and it's called "the small company capital formation act." it's more commonly known as the reg-a bill, because what it does is it lifts the current ceiling on the amount of money that a business can raise under the regulation a provision of the securities law. that's a provision that allows a
7:41 pm
small company to issue a modest amount of debt or equity without being subject to the full range of very costly regulations. the limit's been at $5 million for many years, and the bill that senator tester and i have proposed would raise that limit to $50 million. it hasn't been updated in almost two decades, and there's no question that raising the ceiling would allow a lot of companies that need to raise substantially more than $5 million to do so and thereby to grow. this is something the president has supported as well and it passed the house by a pretty stunning margin of 421-1. not very controversial. and i don't think it's controversial here. so i'm glad this bill is included in this package in the house. the second bill that i would mention is senate bill 1824, the toomey-carper bill. has to do with the limit on the
7:42 pm
number of shareholders a closely held company can have without triggering the full s.e.c. compliance. currently that limit is at 500 shareholders. and if you go 500 or above, then you're treated as a company like exxonmobil for reporting purposes. well, that might have been appropriate many years ago, but in the modern era where access to information is so much greater and so much faster, the necessary information for shareholders can be distributed more broadly, more quickly, more easily. and it's high time we raised that limit from 500 to 2,000, as this bill would do. i appreciate senator carper's support for this legislation. this is a bill that has a companion measure in the house that was raised at the house financial services committee. they voted on it. they voted by voice vote and approved it. and by voice vote, that means
7:43 pm
generally speaking there's no opposition and nobody cared to bother with a roll call because everybody supported it. that's a big, broad committee that represents, really, virtually every constituency in the house of representatives. passed it by voice vote. this has very, very strong and broad support. the third bill i want to mention is senate bill 1933, the schumer-toomey bill. this -- the technical name sheer "reopening american capital markets to emerging growth companies act." we call this more colloquially the onramp bill. and the reason we call it that is we think of it as an on-ramp to becoming a publicly traded company, a path to launching an i.p.o. that will facilitate this. you know, there's been a big reduction in the number of i.p.o.'s that have occurred in the united states. an i.p.o., the initial public offering, is the process by which a private company becomes a public company. and what's so important about that is it can be a very substantial opportunity to raise
7:44 pm
capital. and as i mentioned earlier, when companies raise capital, they put that money to work by expanding and hiring new workers. an i.p.o. is a hugely important step in a company's progress and almost invariably follows a substantial increase in hiring. that's why this is so important. one of the reasons that companies are slower to go public now than they were in the past is because we've -- we measure that congress have created a much more expensive set of regulations when a company does go public. part of that is the sarbanes-oxley bill, and certain features within sarbanes-oxley are enormously complex and expensive to comply with. so what our bill does, it says if you're a small company -- relatively small company, specifically, less than $5 billion in revenue and less than $7 billion in public float -- the amount of stock that's trading -- then you can do an i.p.o. without having to comply with all of the
7:45 pm
sarbanes-oxley regulations immediately. over time, you'll have to. if you either exceed those -- those caps, those thresholds that i mentioned, or within five years, in any case, you have to comply like everybody else does. but at least you have that opportunity to grow into the ability to afford the expense that is associated with it. now, a companion measure to that bill, identical version in the house, was considered by the house financial services committee and that passed actually just a week ago, passed the financial services committee by a vote of 54-1. 54-1. this is not very controversial. this is very broad, bipartisan support and this is the kind of legislation that's going to help businesses to grow. i -- i really can't stress enough the link between raising capital and growing one's company and
7:46 pm
hiring new workers. capital and jobs are completely linked. what these bills will do together with the other bills that make the broader package, what they will do is they will encourage a healthier economy, stronger job growth, more people working. let me stress one other thing about this that i think is important to know, and this came out at a hearing that we had actually just earlier this week on this very topic, and that is that for many small companies, young companies, growing companies, there are a whole number of steps along the way to becoming a larger and more successful company, employing more people. a number of steps along the way in raising capital that can start with an angel investor followed by venture capital followed by private equity followed by maybe a securities issuance followed by an i.p.o. this sequence of capital raising is very, very important, and if
7:47 pm
you facilitate any one step along the way, as these bills would, the experts who came and testified before our committee confirmed that by facilitating one step along the way, you facilitate the capital raising at the earlier steps. because what happens, mr. president, is the investors are more confident that they will have the opportunity to liquidate their investment at a later stage if they see that the regulations have been made more amenable to that liquidation further down the road. so even a company that is not yet necessarily poised, for instance, to do the i.p.o., the fact that the i.p.o. is easier to achieve when that company gets there, it increases their chances of raising money now through other vehicles, through other sources, and therefore increases their ability to grow. so i really -- i am very, very enthusiastic, as you can tell, about this legislation. certainly the three bills that i have been working on. the other bills as well which
7:48 pm
are a perfect complement to this and really constitute a portfolio of bills that will facilitate capital raising across the board. i want to thank my democratic cosponsors of these particular bills, senators tester, carper and schumer for working with me on this. i also want to commend leader mcconnell for his leadership and senator reid for his as well as ranking member shelby and chairman johnson. you know, i think what our constituents have been telling us for a long time is they want to see us working together and doing what's right for our country, for our economy, for job growth. this is a wonderful opportunity to do that. i think it's quite likely that a package of these bills is going to pass the house very soon. i hope that some comparable measure will pass in the senate. the president has already indicated he supports it and wants to sign it. i don't think we should waste any time at all in passing the legislation that will be good
7:49 pm
for small and medium-sized businesses and good for their ability to grow and hire more workers. with that, mr. chairman, i will yield the floor and suggest the absence of a quorum. the presiding officer: the clerk will call the roll. quorum call:
7:50 pm
7:51 pm
7:52 pm
7:53 pm
7:54 pm
7:55 pm
7:56 pm
7:57 pm
7:58 pm
7:59 pm

Uploaded by TV Archive on