you fell over. you had a heart attack. i picked that up. that's easy. it's picking up the stuff that isn't easy, and that's why it's difficult for us to build reliable services because it is

hidden. any hacker would do it that way. >> thanks. [laughter] mr. doyle, you're up next. >> i think we should just call him doctor sunshine. [laughter] mr. totzke, i want to ask you about federal workers. as you might know, the white house is really working on a national mobility strategy to determine how the employees in the federal government are using their mobile devices. and they're going to decide, for example, all agency employs can bring their own devices to work much like many private sector employees do. we don't of course advocate to subscribe one particular type of phone for everyone to use in the federal government, but what security issues do you foresee that might come up as a result of this if we allow all federal agencies, workers use their own global devices and how do you

think device manufacturers can make you that the data is on the phone of federal workers, especially in sensitive agencies remain secure. >> you move to a more heterogeneous environment where you bring your own device. one of the challenges you face is that the security of platforms is going to vary. so getting a consistent view of security in how you're protecting your information is probably one of the issues. there are kind discovered issues in more of a corporate context, who owns the information, who owns the intellectual property if you have to go through any kind of litigation. and in how to protect information on the device which i think is probably one of the more important ones, it is a level of encryption built into blackberry to encrypt all of that data, personal data or government data. that's one of those can be enforced remotely. but as we look at how we go into

a bring your own device scenario, the biggest concern that i have is this lack of a standard bar for protecting information. and what i would be most concerned about is sort of a race to the lowest common denominator. we have three or four competing platforms, so in order to allow everything we will reduce our security requirements to the bare minimum which i think it's the wrong thing especially at the government level. >> mr. levy good, given the concerns outlined by dr. sunshine about implementing the dnssec, can you outline what comcast made a decision to begin using dnssec and what do you think it has had the intended benefits that you hoped it would have? >> intended benefits, it's a long-term gain. one of the challenges with dnssec adoption asian need some critical mass for people to start signing their names, for people to build software to do that. you like what applicable in in

leading the industry in creating that critical mass. that's part of the reason we did not. i think the reason, at root what he did that is when the vulnerability came out in 2008 it fundamentally scared the heck out of us. if our customers couldn't be sure that when they went to bank of america.com it was that website, that scared us because then they are less likely to use the internet, they will not care as much about higher speed services and so when. that's incredibly important to us. to have a way, we also have a short-term fix to that, to have a long-term fix to that we thought was incredibly important. and the dnssec appears to be that when. we are pleased that liebowitz and create a critical mass to help adoption. >> mr. amoroso i've enjoyed your testimony and makes us all realize how much work we all have to do together faced this problem that is certainly there's an easy answer to come but i want to thank all the

panelists for your testimony today. it's been very enlightening. i yield back, mr. chairman. >> will go now to mr. shimkus for five minutes. >> i kind of want to build a little bit on what my friend mike doyle mentioned, but i want a different perspective. because it is kind of tied, popped in my mind when you talk about federal workers. where are you finding your cyber warriors today from? in other words, where are they coming out of? are they coming from private universities? on the coming out of the military? briefly, cutting edge new people who help you do this stuff, where are they coming from? >> i think it's a private of places, and i would say there's a need for more educational focus not just in cybersecurity but i.t. generally. we find people and writing of which some are former military servicemen, former law enforcement. others are just lay next system

administrators that are interested in security. others are former childhood hackers or something like this. it's a friday of things. >> is there a college path? can you get i.t. training in the business schools or computer science class? >> i have been teaching a stevens for 22 years to i teach this semester. if you look at my class in 1990, you would see something that would look like typical college class. i went to dickinson in pennsylvania, so pretty mix of kids. my class today at stevens is about 98% foreign nationals. and i've got about 65 in the classroom. almost all of them have the intention of leaving the country when they complete their masters or ph.d because they see bigger opportunities elsewhere.

>> that kind of segues, if y'all want to jump in, you can will quit but i don't want to forget the aspect of conversation for people entering the private sector versus the the government sector. there's this debate on salary compensation. we have the same issues about bringing in the best and the brightest, but if we're not compensating them for what the private market bears, and there's another thing. anyone want to jump in? >> just on where we source, so there is certainly out of the education system, we find people and a moving into private industry. the most talented guy, the high school dropout, so i think using some of the education system as a bar doesn't help identify the best talent. he would be one of the top recognize, hackers, researchers in the world. so it varies. and i don't think you can actually teach somebody to be a hacker. they're sort of if you want to be a researcher in the area there's agreeing mentality come you're either born with or not. it's not like i'm teaching

someone a trade, programming and getting to level of sophistication and developing software. being a hacker isn't much different mindset. >> thanks. i don't know if i will get to both, the debate on the senate side, this is how you provide is what happens if we, federal government, requires you to follow a new government security standard? what happens to you? that's the debate on the senate side legislatively. one has a government opposed standard, one is really letting, i think letting you guys fight the battle yourself. anyone want to jump in? >> i will offer a brief point. my guess is anything you can write down that you can think of is kind of a best practice, already is being done here. the thing, we're back at the shop worrying about now are things that are not on your list. like as an example we talked about botnet. do you know when i first saw botnet?

remember y2k? we were building the y2k white house infusion center and we were worried that we're going to get d. doctor one day. of the really bad if you're not that one day and missed the millennium change. you can't really move that day, right? will completely freaked out by botnet that we built, a lot of people in this room can we build ways to get traffic around to fix the and now have a service we've moved onto the next thing. spent let me put a final challenge of because i do agree, how do we incented innovation in this area which is part of the opening statements, incentivizing means government money here or government tax credits. you know, that's all kind of purse on product right now in this new world in which we live in. so i would ask you to help us wrap around about this dignity is easing, maybe there's things that is not a dollar and since

component. but tax credit, things like that. it's very difficult to do in today's ann arbor. i just throw that out. thank you, mr. chairman, i yield back. >> with the committee indulgent, doctor, could you explain ddo as? >> i'm sorry, that's tasha here's how it works. when my voice talks to all of your heirs it is one thing to many beers, and it works great. if you're all quiet and you listen, your heirs were. but if you could bounce my voice off your ears to him for it would sound like you are all shouting at him. my voice to all that is in danger reflected back. that is a denial-of-service attack. we get all of your pcs and tell all your pcs to shout this way and boom, it all comes and it sounds like this big attack and clog the pipes and knocks them out. that's how it works. >> into doctor. never go to ms. matsui.

>> thank you, mr. chairman, and this is all challenging and frightening at the same time here. and i do appreciate all of your testimony. as we look into develop an industry best practice standards for isp, should isps own cloud services be included as was other cloud providers, or do you think because that technology is newer it could be better for cloud providers to consider forming their own best practices to secure data in the cloud? and like mr. men and dr. amoroso, answer that, please. and we don't have much time. >> first welcome we're already talking to the cloud providers and some of us in fact our cloud providers. so i do think that the conversation is well under way. we are very familiar with the challenges and if you think about it, the term cloud is a rather generic term that is probably misunderstood. it to mean a number of different

things for a different type of customer. and so, therefore, i would say we continue to include them in the conversation as we have everyone else, so to speak, at the table as partners. and the solutions that you're looking for really going to have to be integrated across the very wide platform. so, therefore, i would say you would want to keep them in the conversation. >> thank you. >> so, my mother has a pc at home that at this instant i'm sure it's like attacking china or something, because it is not administered properly, and she's got a big tower with verizon files, the whole thing. she doesn't need that the she would be much better served to have a cloud provider, just take care of all that for her. she should just be using some of clients. she doesn't is because their software on the pc that she wants to be able to use it. so in general that concept is a

more secure concept that my mom trying to do administration. so i think cloud and gym is a more secure model than the one we have. >> okay, that's good to know. dr. amoroso, given your expertise in this area, what are the differences between securing wired and wireless communication networks? and how can these differences be accounted for, any type of cybersecurity initiatives? >> they are pretty big. the differences are significant. if we had three hours i could take you through the whole thing, but i will give you one example. remember when, i'm guessing most of you remember when computer security was just don't put an infected floppy into your computer, remember that? it's like don't put software in your machine will you don't know where it came from. it seem like perfectly good common sense, right? what do we do every single day

on apple stores? we are downloading stuff, i don't know what came from, boy, a short pretty cool i think i will download it to my device. that's something we're going to have to address from a security perspective. that's a big difference between wired and wireless. >> okay. i'm also thinking of, also, too, that so much of what we do is wireless. so much we do within our own home our wireless. and yet, it's just so easy to do it that most people don't think about it at all. and i'm concerned that we are not thinking as broadly as we should be thinking, as for some of the personal use. and i think it came about here with mr. doyle, too, in a government area, too. but it's so easy to be carrying tablets and different cell phones around. and for me it's, the part that is really to me quite frightening is that nobody knows what they don't know, and we are

looking at you and your thing, too, that there's a lot of things you don't know, too. and we look upon you as experts. and i'm hoping that we can build in some incented here with sort of a sharing of information that goes beyond some of your commercial type of concerns. because i'm looking ahead, this is getting more and more complicated, as we develop more tablets and smartphones and whatever, but we are losing control of cybersecurity aspect of it. and the software aspect i think you brought up, dr. amoroso, is really very important in education of that, and whether or not we are actually kind of building our own principle standards into that, too. so that's just a comment, and i really do appreciate your being here and i think i'm learning

more and more every time one of you opened your mouth. so thank you very much for being here. >> thank you for your comments. we'll go now to ms. blackburn for five minutes. >> thank you all so much. and i'll tell you what i think going to do is just ask my questions, then if you all want to respond or respond in writing, that would be wonderful. first of all, going back to something that mr. shimkus said, i would like to hear from each of you, and you can say now or send it to me, when you are seeing the disturbing trends, and what is kind of the next thing out there. i'd like to know that. i'd like to get an idea of how much of your cost of doing business is beginning to center around the cybersecurity issues. in your testimony, several of you mentioned in one way or another, either in response to

the questions or testimony, fear that the federal government can end up being more of an impediment than a facilitator in bolstering some of the cybersecurity efforts. i would like for you to speak to what you are concerned that we might do, and then what we are not doing that we should be doing. and hear from you in that vein, which are consumers, appreciate to know what you're doing to educate them. i think one of the things that helps us as we work through the process is eating certain that consumers are educated, so if i could get that bit of information. and then when we look at the hacker attacks that are out there, some of the anonymous attacks, there's one in the news today, or i think there are five people that they have, are bringing forward on charges.

what kind of government imposed performance requirements would help keep pace with some of the technological evolution that you're seeing in these cyberattacks? and if we were to do a government top down sort of structure to try to deal with cyber enemies, would that be giving us signal to that cyber enemies? is that too much information for them to be able to work around? so with that, those are the questions that i would love to from you on, the trends, the cost, what we are doing, what we're not doing, dealing with consumers, how you are educating them, and then looking at the attacks, the caution should give to us there. and with that, anyone who wants to respond. >> i can go first and i will try to be quick so that others can answer. in terms of the positive things that government can do, i think

making information sharing feature. there's a number of things they are duo. i think the government has a role to play in education, whether that's psas are the kinds of education. for end-users for citizens. i think is also an opportunity to help innocent or fund additional are indeed. i know that nasd and other groups try to do research and security and other internet futures. i think that there's more that can be done. that is important. and in terms of things to be careful of or be aware of, i think it's to be aware of mandates, be careful of mandates but i think we don't want to be focused on checklist and compliance. want to focus on the innovation and the threats of tomorrow, not the threat of today. >> thank you. anyone else? >> i could just make two comments. several of the questions and comments been mentioned, and sinister identity as an i.t. professional we're heavily incentive spiced to make sure protecting not only our internal resources but all of our partners that are interconnected

with our systems. i think one of the things that is a little scary so far is monitor all of our customer service channels, our call centers stores, website. and witnessing a lot of requests on our customers concerned their own security of their handsets and devices. so i think education is certainly going to be important i think there's just not a general awareness in the consumer population, how big an issue this year's. >> may be a comment more around why so difficult to regulate this arena. i think we've been speaking here rather generically about mobile devices and cybersecurity threats. it's a much broader problem, depending on what category you're looking at, and because there's multiple categories of threat actors, trying to find a solution, and prescriptive ways, they're very difficult to if you think about who is coming at you and why they're coming after you could have a nationstate

cutting-edge for all sorts of reasons. they could be coming at the federal government for military reasons, but that same nationstate to be coming after a corporation, intellectual property. everything from understanding that that intellectual property is not just a 50,000 corporate environment. it could be in 50 person law firms that are doing your activity for you. so you have the broad landscape if you're looking at nationstate. if you're looking at criminal activity, sure, you have what used to be the script kiddie doing something that was relatively harmless and maybe at best identity as your network administrator if they grew up. but on the other hand, you organize crime looking at more broadly the world and how to make money, look at the recent fbi investigation under dns malware. that infected hundreds of thousands of computers. then you can take a look at your anonymous and others that are

trying to make a point. then you can come down to your insider threat and to companies that are doing it. if you think about that landscape, the did their act, that after for sometimes for different reasons, when you try to put a regulatory overlay on that, it's very difficult to bless in a position to his bond to those kind of core broad categories. and at the same time make sure we have our checklist compliant programs going. >> thank you. yield back. >> the gentlelady is yielding back. now recognize the gentleman from the virgin islands, dr. christiansen. >> thank you, mr. chairman. good morning, everyone. thank you for being here. i have a couple of questions but let me begin with dr. amoroso. you suggested in your testimony that congress defined the roles of the various executive branch agencies in cybersecurity. where do you see the sec -- fcc playing an individual?

>> i don't think there's an agency right now that is in a good position to come in and solve a problem that we can't solve ourselves. if it really was a case where you could write out these five things that we should all be doing, and for whatever reason negligence, ignorance, whatever, we're not doing it, then you really do need somebody in government to shake us, you know, into action. the problem is that we don't know what it is that you should be telling us we should be doing. that's why we are going to innovation as the key. so it's almost kind of a moot question whether it should be whomever, because i'm not really sure what they should be telling us. that's the problem. there are some things, like i'm part of the team trying to make recommendations. i don't want to lead you to believe that we're just kind of hunting, it's such a hard problem we're not trying to reduce the risk. but i would say from an agency perspective if it was an obvious

set of things that should be done right now, kind of think in the groups that are here would be doing it. we are incentivized to do that. that's the problem. i hope that addresses the question. >> okay. yes, thank you for the answer. and mr. livingood, you mentioned that comcast is an active participant on the fcc communicate and reliability and interoperability council. so could you just describe for us high you envision the council conjugating to the imprint of cybersecurity, especially with the passionate addressing botnets, hijacking domain name, fraud, et cetera? >> sure pick your number of working groups. i'm on one. one of the folks that works for me is a chair of one of them. and they focus on things like the security of the routing infrastructure, dnssec, and a whole range of other things. i think that's a process that

works pretty well. people voluntarily get involved and to work together and what they think the current best practices are, and that's a process that repeats regularly every year so that it's not static and in 2008, we came up with some best practices and that's we're still focused on. it's something they gets renewed and refreshed all the time. so look at every new threat as it comes out. that's one of many places that we all work together. there are lots of others. the north american network operators group, messaging working group, a whole range of others, other acronyms that i could go on. but i think groups like that are good because they are voluntary, they are focused on best practices and really current issues. >> while your customers may be using your services, four in home computers, they will use the wi-fi networks, access comcast, e-mail and other comcast video products, so how do you continue to ensure that the cybersecurity protection to

develop extends to these as will? >> a number of our security protections are things that a customer can download and install on a device like a home computer. we had a bunch of things that are on a network like our constant guard system which is a bot intelligence and other security threats system, and that's there because you that might just be bring a device into the network or maybe it is a friend visiting in the house and having to talk to a botnet, we will see those kinds of things and so we can alert customers to get. to whether they've installed software that we provide on your device or not we have tools in the toolbox identified that and help them, tell them about it and help them solve the. >> dr. amoroso, you've expressed the need to foster innovation sharing. we talked about that between government and private industry as well as among private companies. what protections do you think are necessary to protect civil liberties and consumer privacy, and what do you believe would be the reasonable boundaries to

liability protections and antitrust? >> of those issues you raise are the reasons we have those impediments now. i'm an american, i want civil liberties, i want all those things. it's the current state that we have swung the pendulum in a direction of making absolutely certain that we are protecting civil liberties. that's a good thing. so the question is how do we somehow preserve its liberties, and also allow all of us, you know, to know if there is an malware thing. i think we have to figure that one out. i'm not sure i can get a real good answer on how we do it. i think it's got to be a pretty high priority. the motivation, everyone's head is shaking, it's a malware, that's not really a civil liberties issue. comcast should know blah, blah, blah, is the problem and they can go the into the system. somehow we just have to maybe get the lawyers out of the room and come up with some kind of commonsense approach. but that's, all the things you listed, that's why we can't take

those signatures today. >> thank you, mr. chairman. >> thank you, doctor christianson. dr. amoroso, you should've seen the people shake behind you when you said get the lawyers out of the room. [laughter] let's go to mr. bass. >> thank you, mr. chairman. i have a couple questions for mr. livingood, but before ask those questions, can i ask a mobile or smartphone question for a dummy? is there a difference in cybersecurity issues between and ipad or a smart device like this, and a laptop or desktop computer? make a quick because i want to ask other question. can anyone ask under an answer that question for? >> there's probably a biological and -- you're on a wired lan so we can do more filtering and policy control. with your wireless, it goes direct to us, the isp, and we've

been incented and lead, you know particularly in washington, push the package, don't look at them, don't do anything, god forbid you impose any kind of policy for filtering or throttling, so we do nothing so your connection from wireless directly to the internet were as your wired connection probably has some i.t. group at work. >> is this unit here exposed the bots? is their cybersecurity issues associated with my ipad? >> in other words, you're connected to, you. speak let's say i'm connected to comcast. >> there are other issues the those are new, a new class of device, and a lot of the hackers and other criminals, they are very focused on return on investment to they are focused where the biggest platforms are and so the more those devices get out there, the bigger target that makes and so they will say okay i can spend a couple days developing this and i've a few million devices, so you will start to see more and more of

those things. debating him on the tablet yet, some are more vulnerable at the moment than others. but that's something a lot of americans are buying in so that will be the next it. >> who is responsible? is apple responsible for this? or are you? >> i think the variety. with that device its apple plays a role. with the android devices, and all the software vendors that make the app to play on that, there's also a commode of customer education. i'm sure over time, you know, in the same way that we have software that runs on pcs, to provide security, that's going to start to develop for tablets and provide an extra level of security as well. we are at the early stages of the. >> and the same is true for blackberry, right? >> all of the tablets are going of different risks and different threats. we look at in terms of how we protect our platform, but the theme i keep hearing over and over and i think it is when this committee has highlighted is a

need for education. when you talk about security, it is the same as driving a car. we don't let people drive a car without a license that would let them get on the computer, connect to the internet, download software without really understand what those risks are. that piece of education and i'm not suggesting we license people to use a computer, but we do need a level of some sort of sophistication and education as to how we inform people of risks that they have when they connected device. >> fair enough. i want to ask a couple questions about the constant guard protection suite. i note your testimony, mr. livingood, on page six this is the comcast we understand it's a good cyber, sofa, education, prevention, detection, recovery are the core objective of our anti-malware efforts. does comcast require its customers to download constant guard protection suite? and if not, and how is the

customer going to know that it exists and how are you going to notify them that they have a problem? >> so it is not required that a customer download that the user service. they just have to have normal internet connectivity to do that. but we do a lot to make customers aware of that into instant them to download a. but before they have issued an after. so before they have an issue, when they are installed, given a lot of information about the things that are they before them, and they're giving links to the and so on. when they get a welcome india force when they signed up for service we are reiterating that for them if we do a lot of things unabridged and other places to promote the fact that these are available. after they have an issue and we notice it we drive into our remediation portal and that's one of the first thing we recommend that the download is that sweet, take a number of other. we do a lot of education up from. we do a lot when they come on. and we do things while they're a customer, reiterating that and then afterwards. >> real quick.

it's limited to windows, correct? how long has it been around? >> that protection suite is pretty recent but i think that's a little bit more that you. that's a supplement to a larger antivirus and security suite that we've had for many, many years that is cobranded -- >> i have run out of time. real quick. what business incentives, if any, did you get or did you have in developing and offering this service? >> we do it in two ways. number one, there's a competitive incentive. if we can be seen as having a more security features, more secure than the next guy, someone chooses us as their isp is someone else, but the other thing is customers when they come on board as a customer, used to toast for two reasons were price and speed. and today it's price, speed and security. the customers are very aware, increasingly so, not as aware as they need to be, but very aware about security. they ask us about those things

when the order service. and so we view it as a competitive feature that we need to add, and that's what all of the things we're doing are important to us. >> thank you, mr. chairman. >> thank you. now we go to chairman dingell. spirit mr. chairman, thank you. gentlemen, we have much to do and little time so i will try to ask questions, if you'll answer yes or no to. starting out with mr. livingood, gentlemen, you all seem to be in agreement that imposing new federal cybersecurity regulations on industry would stifle innovation and harm industries ability to protect consumers from cyber threats, is that correct, yes or no, starting with you? >> yes, i am concerned about that? >> yes. >> yes. >> yes. >> now gentlemen, let us assume for a minute that the congress will pursue the no begin nation path in this matter.

and instead facilitate greater information sharing about cyber threats between industry and the government. would that be your collective preference, yes or no? >> yes. >> yes. >> yes. >> agreed. >> gentlemen, thank you. in that case with the congress need to consider granting exemptions to the antitrust laws and the federal trade commission act in order to allow the companies to share cybersecurity information amongst themselves, yes or no? >> yes. >> yes. >> yes. >> yes. i am forced to comment on that. >> now gentlemen, simile t. believe that a safe harbor provision should be created in statute to permit companies to share serious cyberthreat information with the government

agencies without fear of class-action or other lawsuits in brought against them, yes or no? >> yes. >> yes. >> the reporter doesn't have a non-button, sir, so you have to say yes. >> it is yes. >> thank you. >> third? >> yes. >> i'm afraid i can't comment on that. yes, yes. >> okay. now gentlemen, my last several questions have been premised on a number of elections scenario. wherein the congress adopts legislation to promote information sharing between industry and government. would you please submit for the record what enforcement tools you believe the federal government would have in this scenario to ensure that industry is adequately guarding and being guarded against cyber threats. i've asked you to make a

submission there for the record because of the shortness of time. now gentlemen, let us assume that the government would have some role in promoting cybersecurity in the private sector. if the federal government were to require the promulgation of cybersecurity standards, should such standards preempt state laws? starting with you, mr. living for, yes or no? >> yes. easier to have one standard. >> yeah, i don't know, i'm not sure i haven't thought that went through. >> and you, sir? >> yes spent i will have to agree with dr. amoroso, i haven't really considered that. i can't comment on that. >> now gentlemen, i've read with some interest in mr. olsen's testimony that, and i quote, the ongoing evaluation or metropcs

security program is based on periodic internal and third party assessments and auditing. would your respective companies object if such audits were government mandated, yes or no? >> no, we already provide all those things. we already do that. >> i think we would object. >> we would object. >> we would object. >> let me come back and ask you to explain that. next witness, if you would, please. >> so again we were probably object to it but we do that anyway. >> now, those have indicated no, would you please explain briefly? >> i can't explain. when you write a law, we do paperwork. so i take people away from doing their day-to-day work to sit and do work. we have an office lab and one of

our favorite things to show people in the ops lab is a long one of the walls we have about a mile's worth of ring binders. and they always say there's the government paperwork followed by a lot of sort of chuckling laughter. but it is too. we do have a great deal of paperwork that we fill out. we were dealing with different federal groups, sarbanes-oxley or would've. there's a lot of paperwork. so i'm just suggesting that if we're already doing it and government considers his i need you to thought this compliance checklist, you are taking people away from the work to do paperwork, that's why we would object. >> very quickly if i could just make a know very quickly, i think this is dangerous. but i am told that we might have objections. we would have the same concerns. >> gentlemen, thank you. chairman, thank you for your courtesy. >> thank you for your questions. i think you got to the heart of the matter quickly. now i turn to the chairman and a very important member of the subcommittee, mr. rogers.

>> things are having a hint of things for the witness as well. i think one of the big problems that we run into in this is that we haven't really sounded the alarm bell. i think in all of the circles of people who look at this everyday, all the security shops, the i.t. security shops across america, they know what the problem is. average users don't see it. that's why there's just, there is no human cry yet about how we get this fixed but i appreciate all your comments today. you talked about, each of you, about the importance of information sharing. keeping this is clean and simple as you can, talk about how that would work. we bring folks together, we are sharing the government secret sauce with you all and you are sharing back malicious ware that maybe the government is not aware of. talk about how fast this is. this talk about civil liberties but i think people have this visual the people are reading e-mails, some guy named bob in cleveland is reading everybody's e-mail to find this malicious software. not how it works.

if that happens, it's a miserable failure. can you talk just a little bit of how you envisioned that that would work with this sharing arrangement, real-time, no register, all voluntary? >> i would be happy your first of all i want to comment passion government you on your legislation. there's nice element in work you've done. real-time absolutely. independently auditable i think is important so that somebody can come in and look at the way this is done. but it also has to be controlled, like blasting it out over the internet would be a real bad idea. but i think you need to balance, right, this real-time would also the ability to come back and look at the process, make sure it is transparent without, like i said, exposing to our adversaries. that's the right way to do it. >> there's also a different level of sharing by industry. you have to look at how you do you risk assessments on each category that i previously

described, but there's also right now a very good example out there, what's working well. and that's defense and dutch-based pilot that is going on. that take a supporting defense contractors in dvd, but you can expand it to the financial services industry and other industries. >> just for clarification, when we talked about real-time, i have seen numbers as high as 100 million a second, that packet of information flying around. so if this is going to work, the malicious source code has to be compared at adequately fastly. and you talk about that from an engineering perspective? >> i think one of the challenges is trying to do any kind of pattern matching but a lot of them out where that we seek and have seen for a number of years is what's called polymorphic, where it changes every individual instance of it is different from the next. a lot of stuff changes. it's not like it is with

anti-spam where you can match on a few key words or one file attachment. that's the target, and flag it that would. so you need to come up with ways and a number of us have systems like this, and there's others that are in development that can do this on a wider basis, but that is the very challenger getting at which is doing that in real time. just incredibly difficult, and you're at the edge of computer science at that point. >> which is why the many of you have told us before legislation was written, be careful about the regulatory scheme. if we slow you down, if we give you another row of books on your mile long hallway there, it doesn't work. we already have outdated what you're trying to accomplish in the room, and this is a value added not only for you but for the government, is it not? the government also gets an event from the protection of all of your great work in the private sector, correct? >> that's correct. there are two things that are interesting. one is by the time that a very

prescriptive law would be written, by the time that ink was dry the threat would've moved on. you've got to be able to be flexible. the other is we all need have come with software developers and saturday specialist, they need to be hard at work in the room, not with half a room full of lawyers with them slowing them down and asking questions about why are you doing this? they need to be at work every day trying to solve this problem. >> i have to say for the record this may be my favorite panel of all times since i've been in congress. never so often have a group of engineers belittled lawyers at the table. [laughter] you have warmed my heart today that we have faith that we're moving forward. i wish we had time to talk about all the issues. i'm very curious about how you would fix the program issue, huge problem for us as we move forward. we didn't talk about exultation which is a difficult for any of you to catch, which right i would argue right now is the single greatest threat to our economy moving for. a side of things that we know

today. all of those -- >> could you outline ex-filtration? >> sure. it is time we know that nationstates today are engaged in getting onto your network, working. they'll be there for a very long time. you don't know the your system, administers don't know. these folks can't catch it. sometimes become, a lot of government can't catch it either. and then they will latch onto the intellectual property that is on everybody's computer today. all those designs but everything that is of value to the company. and at the right time, at the right speed, they latch onto it and run like heck through your network and take it back. we know it country like china who is investing in this as a national strategy to exit trade intellectual property and directly use that intellectual property to compete against the united states business. unfortunately, it is happening at a breathtaking pace. breathtaking pace.

and what's concerning is these folks are looking for malicious software that is disruptive or theft oriented this is very sophisticated. this is as sophisticated as any as you will see. and incredibly hard to detect. and a really don't want to break anything. they want to get in and steve -- steal it without you knowing it. that's what is so troubling about. hundreds and hundreds of thousands of jobs lost every year for the theft has been reprogrammed commercially against u.s. companies. this is a big is probably as i've ever seen and it is one of things, of the many that keeps me up at night. >> thanks or let me explain it. it's something we didn't get into today, because that's really not the focus of what they can even watch. so that's why this information sharing i think is so important. it would help american businesses by the federal government having information of being able to identify that code, share it with the right

partners, an amazing what we be able to stop. .. >> it drops a remote access tool on your pc. you know how you dog in to -- log in, when you remote access to work from home or wherever you're doing it? you're now the server, and once they're on, they can troll around your pc, your network and so on, and the intellectual property theft has become significant. it is probably the number one thing i'll bet all of us when we

go back -- we talk about bot nets and dns, but that's not what we deal with when we go back to the office, we're dealing with apt. which is kind of our point. we're ahead of the discussions here, things we've been dealing with in the past are probably things we'll be here testifying about five years from now, so that is an issue. >> yeah. just to echo, the advanced, persistent threat, these are slow, they are patient, they will lurk on your network for years and, you know, i'm from our canadian headquarters. we had a large company go out of business be, nortel, and part of the attribution of that is loss of their intellectual property to a foreign state-level adversary. so when you look at that, this is a serious concern. as ed mentioned, five years from now you'll probably be looking at it, that's how advanced they are. it's great you're looking at us,

congressman, because it's persistent today, and as you say, it is a threat to jobs, and it's an economic threat to the united states and elsewhere. >> thank you. >> thank you. and just for the record i thank mr. mann for his 30 years of fbi service. thank you for all the time you've put on the target, sir. >> yeah. you'd think rogers is a former fbi agent himself. let's go to mr. sterns now. >> thank you, mr. chairman. let me take my questions a little l l bit along the lines of my colleague from michigan. d. amoroso, when you did your opening statement, you were speaking quite eloquently and talking about malicious software, malware you talked about. and you painted this picture that the malware itself you were impressed how well it was developed, put together, and you sort of alluded to the fact that it was almost not unpenetrable

but it was to the point you were respectful of it and were not sure we were keeping up. is that my interpretation of what you said? >> that's exactly right. we're definitely not keeping up. we're trying. and think of the dizzying pace of innovation that you see out in silicon valley, right? i mean, new things every day. the hacking and the malicious adversary community, they're moving at the same pace. so the job we have is we've got to keep up. and you would say, hey, guys, you better be ahead of them. like not even enough to just kind of keep up, you better be ahead. so we're always going to be sort of biased. >> so you're saying you're always catching up. >> we've got to innovate, we've got to go faster. >> is that true, you think you're always catching up? that's what you implied to me by the respect you had for the this malware. >> yes. >> is that true for spyware, all these others? >> yeah. apts are the best, right? i mean, apts, this

exfiltration point that the congressman spoke about, that is the, that is the elite kind of attack vector in 2012. >> okay. >> spyware maybe not so much. >> and with the malware who are these people that are doing this specifically? can you name them? >> i can't. i'm not in law enforcement -- >> is there anybody on the panel -- >> yeah. >> when dr. amoroso talked about this malware so respect my and how howell dependently it's -- howell gantly it's put together -- >> i think if you take a look at the most recent investigation conducted by the fbi on the d, this f malware, you'll see that was a group of individuals operating out of estonia that, basically, sent malware to individuals in various forms and e-mails, and you clicked on it, and it infected your computer in a way that directed you when you went out to do a dns type search, you were looking for

amazon or some other type company, you went to their servers, and they were embedded in various locations in the united states. so these are organized groups. they've figured out how to capitalize on the money you can make with the malware. >> are these people, for example, in estonia, are they part of a mafia, underground, a organization that's larger than just in estonia without you revealing any -- >> these are no longer just individual hackers. individual hackers are out there, but now they've actually formed themselves into types of federations to work together -- >> i cross the world? >> you can do it across the world. there are certain hacking groups you can join and be a member from different countries -- >> so it's like a fraternity. you say i'm a member of the estonia hacking -- >> estonia just seems to be a hotbed right now i think because how the economy is run over there. >> uh-huh. anyone else? >> if i could add to that, it's actually pretty interesting. this is a very large and very

well organized underground economy. they are specialized. you have some people that write tools, you can rent bot nets by the hour, you can tell them where you want the bots to be, what kind of computers. you know, all of -- payment network mechanisms between these parties, so it's very sophisticated. and, you know, if you think about it from a criminal standpoint, a lot easier to get a rush on invest -- return on invest. , and the stale is so much larger. -- and the scale is so much larger. there's just an enormous amount of economic sniff for them -- incentive for them to do it and this is primarily an economic crime. this is all about the money. >> well, i guess, mr. mahon, is there a possibility that we have terrorists involved that are part of this estonia -- that

terrorists could go to this group or this federation across and are using them? >> absolutely. terrorists use these types of schemes for funding, number one. >> right. >> they need funding for their operations. and, number two, they use it just as a communications system. so the ways they need to communicate are surreptitiously in a manner they can't be intercepted, so they use these types of technologies to communicate with one another, but they have to fund their operations. >> i guess the base question comes down, what could we as legislators on this subcommittee or the full committee or members of congress, what can we do to make it easier for you to operate and at the same time give you the wherewithal to compete? and what should we not do? what should we do and what should we not do? and i just as a closing statement, mr. livingood, if we

could go down the panel, that'd be helpful. >> of course. i think what you should do is help make information sharing easier, remove those impediments. i think, also, there's a role for government to play in education to raise awareness about security issues, and i think that there are r&d types of things through agencies that you can help fund to focus on this. i think what you should not do is focus on mandates and compliance. that enables us to focus instead on innovation. >> wow, that sounded good. i would exactly repeat those comments. i had one additional, and that's that you do have some influence around the federal procurement process, right? so a lot of times we see procurements come out, we scratch our heads and say, boy, don't you think there ought to be, you know, through gsa there's this mtips program.

there ought to be more business. there isn't. so i'd recommend that that procurement process ought to be the most secure process in the entire world. >> you know, i would echo what both of them said and add the importance of information sharing. we have limited resources, we conduct risk assessments when we're trying to decide on impacts and probability of events based upon the information we have at the time. if a government or another carrier has additional information and we don't factor that into our analysis, we're really misaligning our resources in how we develop our counterhad beens. >> i think there's a lot of commonality among the panel here on what we'd like to see. i think just to add a little bit to the information sharing area. i think the federal goth has access to -- government has access to information to various agencies that are watching the country's cyber borders. and we've seen in our own company the vast majority of

reconnaissance scans and attempts to gain access are coming from china and eastern europe. and i think the federal government would be in a good position to monitor and provide more information on that. >> yeah. and the point lastly -- [inaudible] going last i get to say i agree with everybody else on the panel here, especially i want to hammer that information sharing from government to industry. the purview that intelligence agencies have and that you have at a state level in terms of what you see is much different than what we see. so my team works with dr. amoroso's team on areas of commonality between rim m&a, the and, the, but we don't necessarily get that feedback from the government about what do you see that we need to be aware of. and if there's anything i could asking for, it's a more transparent, more realtime information-sharing mechanism to let industry know what government knows so we can act to protect our networks and, by

extension, protect your information. >> thank you. mr. gingrey, thanks for your patience. as we've gone through the hearing, you're the last -- >> mr. chairman, you took the words right out of my mouth. i think you are exacting the last member of patience out of the last member to ask a question. i moved down here early in the hearing as all after you know because i couldn't hear very well. but i'm glad i did move down close, because i knew it was going to be interesting, i knew that all five of you experts were going to have a lot of useful information to present to us and, quite honestly, after two hours of this i'm trying to figure out a way to beat these guys, and the only thing i can think of is just the opportunity to invest in these hacking operations. i don't guess that would be legal, but if it were, i think that would probably be one of the best ways for us to win.

but thank you all very much. let me ask a couple of specific questions, and maybe this cuts a little bit to the chase of one of the main reasons why the chairman is holding this hearing. do, and each one of you, please, starting with mr. living good answer this for me, do you believe the fcc has enough cybersecurity expertise to allay the concerns that some industry stakeholders have with the commission? if they do choose to impose cybersecurity regulations on you guys, on the network providers, do you think do you have enough confidence in their expertise to do that, mr. livingood? >> so i don't know the answer to that. we work with a lot of folks at the fcc, and they have a lot of expertise. whether they have enough here, that's a tough question. i don't have the answer. >> i've said earlier, i don't think there's any agency that has the right expertise to do

that. if we knew what the answer was, we would be doing it. so i don't think it's a knock on any one particular agency, i just don't think there's any agent is i that has that capability right now. >> mr. mahon? >> i would agree, i think the answer is no. i don't think anyone does. you do need to bring people in from all sorts of people in the federal and private arenas due to just the evolving nature of the threats. >> mr. olsen. >> yeah, it's an important question, but i'd have to agree, i don't know whether they do or not. >> yeah, i don't actually know either. i think what you're hearing here, and it's common amongst the panel, is the defender job, the job we're trying to do to protect your information is exceptionally hard, and it's actually much more difficult than being on the other side. >> boy, yeah. speaking of hedge funds -- [laughter] let me, let me go back to mr. olsen and in your formal

testimony that you gave you talked about the clearinghouse. i would like to know a little bit more about that specifically, and do you think that would be helpful, and maybe you could elaborate a little more on that. >> yeah. i think there's really two aspects to that. one is where the federal government is sharing with private sector, with industry what they're seeing as far as threats, and i mentioned a little while ago about the threats from outside the u.s., so i think that's a critical component. the other is where companies could share, private companies could share information on threats that they're seeing and that clearinghouse would have to be sponsored by somebody, and i think the federal government is really the right place to do that. >> and you, i think you addressed, also, in your testimony the whole harmless provision -- >> absolutely. >> -- that would be necessary to share that information. so that we wouldn't be subject to lawsuits. >> yes, sir. >> yeah. i've got, yeah, i've got a little time left. let me one more question then. the internet is currently transitioning from this internet

provider v4 to v6 addressing. does that process create any new cybersecurity issues, and will transitioning alone solve any cybersecurity issues that currently exist? does the process of transitioning present opportunities to resolve existing cybersecurity issues? we'll start with mr. liven food and just go right -- >> we've been a leader on ipv6. i think that all of those issues that exist in the current internet and ipv4 simply carry over to ip have 6, it's just a new form of addressing. that being said, because it's a new form of addressing and new technology, you're introducing new things into the ecosystem to dr. amoroso's point earlier, when you change something, it can have unintended consequences. so it's something you have to keep an eye on and make sure

you're not introducing any new vulnerabilities. but i think if there were any, it's simply because some security tool that worked great in 4 might not have all the same features. >> dr. amoroso? is. >> every device on the planet running v6 would be route bl, and that's a pretty dangerous situation. so for all of us we've got to figure out how to architect security protections around that. so i do, i do have some concerns about the v6 transition. >> mr. mahon? >> yeah. the architect and engineering teams are still working through those, but as they've said, you have legacy systems being married up with new, evolving technology, and whenever you do that, you're going to have things evolve as you begin to deploy it. >> mr. olsen. >> i think from a protection standpoint i think it's a step ahead, but the bad guys are out there working just as hard as we are to find a way around it, so as soon as we make an advancement this technology, they're right out there keeping pace with us.

>> and finally -- >> and just as that expands the attack surface and by doing so increases the risk, so we have new and unknown risks we're going to have to figure out how to mitigate. >> mr. chairman, thank you for the generosity of those 45 extra seconds, and i'll yield back. >> actually, you got clear to 49 -- [laughter] glad to help. thank you, mr. gingrey, for staying and participating. i want to thank all our witnesses and those behind them who, i'm sure, played some role. obviously, we're trying to do the right thing. you're out this fighting the battle every day, and we don't want to get in your way. so we may be back to you with or working group digging a little deeper on some of these issues and getting as specific as possible. we hope to look out, too, at some of the other types of networks and small providers. you, obviously, represent the major providers or a representation of them. we're also wondering ant the -- about the weakest link which

might be small isps and how do they deal with this, and do they have the same sorts of capabilities to fight back. anyway, i deeply appreciate your willingness to be here today and share your knowledge with us. we're better for it. so with that, the subcommittee on communications technology stands adjourned. [inaudible conversations] [inaudible conversations]

>> up next on c-span2, the head of the federal emergency management agency testifies about the agency's budget request for 2013. and the senate will continue work on the transportation bill. an agreement was reached last night on a number of amendments to come to the floor. of majority leader reid hopes to have the bill finished today. >> several live events to tell you about today on our companion network, c-span3. attorney general eric holder will testify about the 2013 justice department budget request. he'll be before a senate appropriations subcommittee at 10 a.m. eastern. and at 2:15 p.m. eastern, the senate indian affairs committee will hold a hearing on the president's budget request for native american programs.

>> now, the head of the federal emergency management agency, craig fugate, testifies about the president's 2013 budget request. fema is requesting $10 billion in discretionary spending, a 6% reduction over 2012. this house appropriations subcommittee hearing is chaired by congress an attar holt of alabama. [inaudible conversations] >> the hearing is called to order. good morning. today we welcome the administrator of fema, craig fugate, to discuss his agency's budget request for fy-13. after the conclusion of discussion with administrator few gate, we'll convene an additional panel of stakeholder organizations. i'm going to make a brief opening statement in order to

allow her time for members to ask -- more time for members to ask questions. administrator fugate, first of all, thank you for the work that you do and hundreds of fema personnel who were deployed in my home state of alabama last april and beyond and after the devastating tornadoes that impacted us. they are still there helping our communities pick up the pieces today, and we very much appreciate all the work that fema and your agency has done. as recently as this past weekend, we again saw devastation that was wrought by severe weather. and once again thank you that dedicated folks are on the ground and for all their hard work. before we begin, i will touch briefly on several issues which we'll discuss at length later in the hearing. with respect to disaster funding, we want to know will the disaster relief fund be solvent through the remainder of this year and the next, and will

fema complete all recovery projects for disasters that happened last year before the end of fy-13? grant reform. we want to know how will grant reform work and how will fema allocate funding under the new framework? will you provide funding to high-risk urban areas, port authorities and transit agencies as you have in the past, or will it be provided solely to states for distribution? furthermore, if allocations are dependent upon a state's threat and risk assessment, will you provide guidance on the process that you announced over a year ago? these questions and others must be answered as your proposal is considered. and as you continue to engage congress on this matter, i strongly encourage you to reach out to the states and the local stakeholders that will be impacted by these proposed changes. mr. fugate, these are some issues which you're very familiar. you have seen these issues from the local, state and now federal level. i look forward to your thoughts

and your -- on these issues and problems and what progress you have made in the last year as well as the challenges that remain. as your written testimony will be placed in the record, i would ask to take five minutes or so, summarize it for the committee. but before i begin that, i would like to call upon the ranking member, mr. price, for his opening comments. >> thank you, mr. chairman. administrator fugate, i'm glad to welcome you back to our subcommittee today. the work that the federal emergency management agency does is critical to helping our country prepare for, mitigate against and recover from disasters. in 2011 alone we had 99 major disasters, so that's a hefty job and one you've performed admirably. when you arrived at fema, the agency was in a rebuilding mode trying to recover not just lost capacity, but the lost confidence of the american people. your leadership in this critical government function has brought us full circle. the contrasts between the nearly universal acclaim that fema has received in the wake of

hurricane irene and the heartbreaking images of americans left stranded in the wake of hurricane katrina could not be more striking. this confirms that much of the lost capacity we witnessed following hurricane katrina has been rebuilt, and i commend you for these efforts. at the same time, fema was spread thinly responding to a record number of spring disasters, and your agency was and is facing significant financial challenges. your chief financial officer should be complemented for his efforts to recover money from closed-out disasters and to better track expenditures to keep the disaster relief fund in the black throughout the end of fiscal 2011. as we both know, this was touch and go right up until the end. hopefully, with the new disaster funding mechanism congress passed as part of the budget control act, we will now have more long-term stability to fund critical disaster relief needs. principally, we're here today to discuss your 2013 budget.

the request for fema is $10.2 billion of which 6.1 billion is for the disaster relief fund. that request is 5% less than 2012, largely reflecting a $1 billion reduction in the disaster relief fund based on your reduced estimate of catastrophic and noncatastrophic needs for 13. 13 -- 2013. i'm pleased to note a release for grants. this funding is tied to a significant reorganization of the state and local grant program. your new national preparedness grant proposal has raised many questions as to how it will work, how you will award funds to maintain core capabilities nationwide while also bolstering security investments to buy down risk and who may be left out. today i hope you'll be able to provide more clarity on how you envision this block grant to work if approved. it also worries me that your request substantially reduces

funding for the emergency food and shelter program when states and localities remain on shaky financial footing. it continues to lowball funding, in my view, for the flood hazard mapping and risk analysis program which if adopted, would cut funding for this program by 60% in two years when we all know that flooding is the most frequent and costly natural hazard in the united states. and it eliminates funding for predisaster mitigation efforts even when this program continues to receive far more requests for funding -- and meritorious requests -- than has been appropriated. so, mr. chairman, i hope we can work together to address these problems as we develop our 2013 funding recommendations, and administrator fugate, i want to thank you for your service to our country. i look forward to a productive discussion today and to continuing to work together to build a more resilient nation. thank you. in thank you, mr. price.

mr. fugate, i look forward to your comments and, again, thank you for being here. >> well, thank you, mr. chairman, and ranking member be price, members. first, i, you know, this year i think this is the fourth time now i've presented a budget for fema, and based upon the work that was done in the budget stabilization act, we are requesting the funding for the drf based on what we estimate our total costs will be including previous catastrophic disasters as well as the activity we would expect in fy-13. the overall budget request is a reduction. part of that is reflected in what we have looked at as the reduced cost of the fy-13 response. that is that we see many of the costs expended in the last year for tornadoes and large-scale disasters are those expenses we expect will be paid out in this year and, therefore, there'll be further reductions based upon the long-term rebuilding. so we're prorating this out

based upon what we expect permanent work to continue in these open, catastrophic disasters as well as factoring in the costs for the responses that we would expect. again, the caveat is that in future catastrophic disasters there may be requirements for additional funds, but this is based upon the known universe of open disasters as well as the expected reoccurring workload that we would see in a typical year. so those are rather significant milestones in that area. the other part of our budget does show reductions, including reductions in our, our base budget which is actually reflected more in the efficiencies that we've been striving to achieve. we've had to make decisions about programs to reduce or eliminate. we took an approach that said rather than taking percentage cuts across all programs, we look at those programs that would either be eliminated in its entirety or significantly

reduced while keeping our programs funded to accomplish their mission. and this will result in some people saying that their programs got cut. but in predisaster mitigation which we have recommended not to fund, we currently have a backlog of $174 million in open projects that are still yet to be completed. that does not count the dollars that are out there in mitigation on disasters in section 404 which is also rather significant investment in mitigation. so it was not an easy choice to make, but in looking at those areas that we felt that we had the need to make reductions given that much of the activities are still moving forward on that backlog as well as -- [inaudible] we made that recommendation. as far as the consolidation of grants and, mr. chairman, i'm not going to spend a lot of time there because i know we want to do this as q&a, we are recommending an increase from last year, but we are looking at consolidating those grants and

be looking at more flexibility. i think we are trying to move a program that oftentimes was put into various identified areas of funding that didn't always necessarily coordinate well or look at what was the needs as a nation. and the president's issuing some presidential decision directive a national preparedness and establishing a goal. we're looking at how do you fund not just jurisdiction by jurisdiction and the threats they face, but how do we building capability to serve the nation? how do we build capability that is a shared responsibility at all levels of government to respond to catastrophic incidents? we've seen examples in the recent tornadoes this year and last year that much of that response was contributed to by previous investments in homeland security that meant that teams were available closer to their neighbors, that could respond in mutual aid. urban search and rescue teams, communication vehicles that previously had to come from the

federal government or further away, both speeding up the response, but also leaving resources available for the next catastrophic disaster. so our strategy here is to change the dialogue from funding each jurisdiction based upon threats, urban security areas based upon threats. we recognize that. but how does that contribute to national capability? because we can look at various scenarios that would overwhelm even the best-prepared state or city. where's that help coming from? and are we making investment strategies targeted towards national preparedness goals in those areas that are capabilities that we see as necessary to be the, in the position to prevent or in the event something happens rapidly stabilize that a bit. and so by combining the grants and putting more emphasis on the outcomes and using threat-based and hazard-based recommendations to look at what capabilities we have and where gaps occur and

the best strategy to fund that, it doesn't lend itself to each jurisdiction to try and determine itself. we need to look at this more collectively and go how do we build that capability among our shared resources and utilize the tools that state governments already have and many be local jurisdictions participate in which is the emergency management assistance as well as in-state mutual aid. so this change is really, i think, starting that dialogue of how we build against a national picture versus jurisdiction by jurisdiction. and in the doing that, by consolidating the grants, putting more emphasis on the outcomes and measures to support those investment strategies that would be more directed by a national preparedness goal. with that, mr. chairman, i'll stop because i know we have a lot of questions, and i want to make sure we have the time as you requested n. -- requested. >> thank you. i'll start out talking a little

bit about the disaster relief fund. your fy-13 budget includes, as has already been mentioned, 6.1 billion for disasters including over 3 billion for the cost of the disasters that have already occurred such as the tornadoes that struck my home state of alabama just this past april. i was thinking back just a few minutes ago, little did we know a year ago when you were before this subcommittee and giving your presentation that we would be in store for such a difficult year especially for many members on this subcommittee, but members overall and the devastation that would occur. so i didn't know i'd see you quite as much after that hearing, but we actually saw each other a good bit after that hearing and talked on the phone many times. but before we turn to the fy-13, are you sufficiently funded for fy-12 to complete the year without implementing funding restrictions that limit funding to immediate needs? >> mr. chairman, based on what we know now and, again, the

caveat will always be future disasters, based upon our planned recoveries of about 1.2 billion and what we estimate will be expended in the previous disasters, we are still projecting to end the fiscal year on suspect 30th at -- september 30th at approximately $200 million. now, this again means that we have to still continue to be aggressive in our recoveries and close out older disasters which when i got here in 2009 was something that had been pressed upon me, that we had a lot of open disasters, and we weren't closing them out. since i've been here, we did about $4.7 billion in recoveries from open disasters, we are projecting our budget 1.2 billion this year from open disasters. obviously, if we can find more, we will do that. the other thing we're doing is driving down the cost of response. in many cases we are finding that by using such techniques as not establishing physical presence but using virtual

presence and working closer with the states, we are driving down the cost of the administration of the disaster. and all of these are pressures on the grant itself. so we look at and are holding ourselves accountable not only in the recoveries, but also reducing the cost of administering the disasters and finding ways that we can perform the same level of performance with our state and local partners without the overhead that we may have incurred previously. >> also included in the budget justification for fy-13 is an estimate for anticipated costs in the outyears for catastrophic events which allows you to anticipate no additional costs for any of the fy-11 disasters beyond the end of fy-13. is that correct? >> yes, sir. >> will fema have fully funded the stafford act required recovery efforts in alabama and missouri due to the tornadoes and also in the midwest due to flooding and the northeast due to hurricane irene by the end of fy-13? >> i would say, sir, we'll work

towards that. there are some -- based upon my experience in writing project work sheets, as soon as we have the projects and are obligated, that's the real milestone. we have obligated the funds, we have the project defined. where we may not make that mark is if we have issues about insurance and having to reconcile that. when we get into certain environmental historical reviews which may take time to get those projects moving, so we look at the obligations occurring when we sign off in the state, obligated funds that may not mean the work's been done, but it means the -- [inaudible] we may not be completely written because we're still working and, again, we have the appeals process when we disagree, so not know what may be appealed our goal is to get these projects written as quickly as we can to begin the work. so i would say that we would have the bulk of them done, but experience tells me there may be projects either because of the

technicality of it or because we are in disagreement, maybe appeals may not be getting written, but our goal would be to get those funds obligated. >> as you know, i really put an emphasis on speed because i really feel the quicker we get construction back, the better communities are. it actually reduces our overall cost and recovery, the faster we get communities back on their feet. there are sometimes those outliers which will take longer to get done. >> moving on to debris removal cost. as you know, part of the cost of responding to disasters is a cost of cleaning up the debris. fema provides two methods of cleanup, as you're well aware. communities can select the corps of engineer process, of selecting a local authority can bid out the process to local and regional contractors. recently, been concerns regarding the cost of using the corps when compared to other private options. we included in the fy-12

conference directions that a report be submitted that requires fema in conjunction with the corps of engineers to explain the disparity in the cost factors between the corps and the private option communities have for debris removal. just wanted to check the status of that report. >> it's in process, sir. we're working on that. i'll tell you my personal observations. when we have jurisdictions that have the capability to do the debris, they have their contracts and particularly if they follow the steps required, it is generally faster and lower cost. where the corps provides a significant advantage, though, is in those communities that don't have that capability, haven't had those contracts or the event is bigger than their capabilities, is to provide the management and bring in resources across the nation. so as this report comes up, i think you're going to see that in many cases we would support local jurisdictions that have that capability in managing debris because it's more cost effective. we actually get local hires, and we put money back in the economy. it's faster. but we also recognize there are

going to be those events where the corps still provides a service when it exceeds that capability or that was not in place prior to the disaster. >> okay. my time has expired. mr. price? >> thank you, mr. chairman. administrator, i want to focus on the grants proposal. let me lay out just a few questions that i hope in the course of walking us through this you can address. a 2350eture of -- feature of your budget is the streamlining of these 16 different grant programs into this single, newly- titled national preparedness program. this excludes the firefighter grants but not much else. i mean, you have 16 programs consolidated here. you also lay down a couple of criteria which will govern your grant making, one is the utilization of a competitive risk-based model for making

funding decisions, but also requiring grantees to develop and sustain core capabilities. and those criteria just on the face of it raise certain issues, i think. because you're consolidating programs here that have had somewhat different rationales and, certainly, different criteria for funding decisions. the two largest are the state homeland security grant program and the urban area security can initiative. these are two very different programs. one is intended to build core capacity across the country, the other is intended to protect the most at-risk areas of the country. so i wonder if you could indicate how much would go towards those two basic programs and then how are some of the current guidelines likely to apply when you're providing -- your going to still provide as the then act requires, you're -- 9/11 act requires, you're going to provide a minimal level of

funding to each state. are you going to follow the current guidelines? how is that going to work? and after you've allocated funds, what's your next priority? how do these two object i haves -- objectives coexist? and then finally, when we're looking at some of the other programs, how are you going to graft onto in the use of a competitive risk-based model that has applied to programs like the transit and port grants? for example, how would fema compare a port project to a transit project in a major urban area? what criteria would we use to evaluate across these areas which previously would have been considered separately with a very targeted purpose? be -- >> well, and probably the shortest answer is to caveat

that we'll respond in writing because there's a lot of questions there in the dethat i could probably handle -- >> that's right. but at the same time we have a process underway this year you can perhaps answer on the basis of the extent to which that pattern would continue. >> yes, sir. let's talk with the urban security area and the state homeland security grants. other than how they're being identified and designated, the activities aren't different as to what's eligible. and, again, what we found was in looking at requests in the consolidating debt, we're not looking to say we're not going to fund urban security areas, but in funding urban security areas and state homeland security, are we getting the synergy of are the investments matching up to what the overall needs are? and also recognizing that in these 16 areas of these different funds which we are funding into one grant, the question that we're trying to get to is when we look at jurisdiction by jurisdiction, program by program, what are the

overlaps? and if you actually start breaking down and you go what are the things you're actually doing, people like to start with the money. i say what are you actually doing with it? are we building urban search and rescue teams, are we enhancing bomb squads, are we building fusion centers and maintaining those? you find this money is actually coming back into a lot of these areas from different pots of money to achieve that. so we asked, well, would it make more sense to fund those grants together with those criteria and then administer that as a single grant versus what we find a lot of times is local and states are taking different pots of money to build capability because they can take money from here and here. so as we started that process, it came back to we were looking jurisdiction by jurisdiction. literally, a transit grant, a port grant, an urban security area, a state. a metropolitan medical response team, a citizen core grant. and we said if we're looking at national preparedness and we identify gaps, how do we get

those funds to address those if we're so bifurcated in how we're identifying how the money's being spent and different programs which, again, oftentimes local jurisdictions, state jurisdictions are, hopefully, working together already to address these issues. so as we look at fy-12, we are still funding the state homeland security grants, the urban security grants, and we are doing exittive grants -- competitive grants with our partner bees at tsa. and as we look to combine those grants, we would see the process within an overall structure but would identify in that grant application process the priorities for the urban areas, the priorities for those things as a national priority but not necessarily put them into separate pots of money and give more flexibility to the states and their partners to address how they would fund that within those jurisdictions. >> thank you. i'll pick this up on the next

round. >> like to now recognize the chairman of the full committee, mr. rogers. >> i got this one on. >> can you hear me okay? >> yes, sir. >> mr. chairman, thank you for giving me this time. i apologize for being late, but i had another testimony to give in another committee. but i wanted to be here to plead for a firm commitment from the administerrer to help my district -- administerrer to help my district and my state given our most recent and terrifying few days last weekend. as you well know, kentucky was devastated by very crippling storms last weekend. hurricane-force winds, flooding,

multiple tornadoes including one which left a 90-mile trail of destruction in kentucky and into west virginia. really rare for the hills and mountains to have a tornado at all, but certainly at this time of year. it's left many commitments in my region -- communities in my region completely avenuaged. the towns of west liberty and burnstead have been destroyed, every building destroyed. martin county, laurel county, lawrence county, morgan county, other counties still counting damages all over my district, but there's other counties around the state outside my district hit also. massive loss of life -- [inaudible] some families have lost everything; cars, homes, possessions, fixtures, family bibles, you name it gone. and then on top of that, a 2-inch snow on what remained.

my people are really hurting. and as you can see from the photographs that i think you've provided, homes have been demolished, businesses torn apart, families displaced across the countryside, no communications, no electricity. the governor said it looked like a bomb went off, and i agree. while the response of kentucky emergency management and the kentucky national guard, red cross, firefighters, police groups, church groups, countless l volunteers from all over the country have been both time hi and valuable -- time hi and valuable, the damage brought by these storms far exceeds the capacity of our local governments and state emergency response teams to address, in fact, in west liberty the courthouse, the seat of government was, frankly, destroyed. we are trying. i've heard countless reports of volunteers from all over coordinated and on their own

driving hours to help cut trees, remove debris, deliver water, take in a homeless family or the like. work is now being done -- [inaudible] i want to thank you at the outset by saying the fema personnel were there immediately, and they've been helping coordinate efforts all along even before a request from the governor or a declaration. the numbers are staggering, 23 people lost their lives including 18 in just my district. and it's not over yet probably. 222 are in the hospital with injuries, 48 counties were affected by the storms, 29 have been declared disaster areas by the governor. 1500 or so are still without power, 260 without any water service. almost 400 guardsmen have been deployed to secure the areas hardest hit and clear the routes for emergency responders.

as i said in west liberty, nearly every building in this county seat has been destroyed or damaged including the courthouse and city hall. there is no police department or city hall. it will be a set of trailers for the foreseeable future. and while my people are resilient -- and they are -- they're clearly in need and are overwhelmed. on monday, as you know, i requested the president to approve a request by our governor for a federal emergency declaration. it seems that fema is working diligently to evaluate the info at its disposal, and the president made a disaster declaration last night, thank goodness. to provide individual assistance to seven counties in the region. and i want to thank him for that. however, there are a number of counties, notably --

[inaudible] and martin which remain in dire need of both individual assistance and public assistance because the devastation has torn up the roads, schools, courthouses beyond recognition. can you, mr. director, give us any indication on when a decision might be made about the remaining counties designated by the governor in his letter to the president? >> yes, sir, chairman rogers. as soon as the president declared, we -- and i've done this in several states, and it bears explaining -- rather than waiting until we have all the information, as soon as we saw that we had sufficient damages that would recommend in the counties we were in, we were able to get that to the president. the federal courting officer that was appointed by the president will be able to add on counties were individual assistance without that going back to the president. so as soon as we can say there's damages warranting it, the federal coordinating officer working with the state

coordinating officer will be able to start adding those counties on, and we expect that to be a rapid process of literally within a day or so as we get the information supported. but we also made a conscious decision that our priority would be to get individual assistance turned on first, and then we'll do public assistance because many of those individuals are still responding, as you pointed out. so trying to go back and finding out about insurance and get the cost really for that, we are working with the state on getting back in there to do public assistance, and as soon as we have those numbers we'll process that request as well. but we put the premium on the individuals because we know right now it's going to be an issue about housing and their immediate needs. since we are working closely with the state -- and this is the good news story as you pointed out. i think this goes back to the some of the investment strategies in homeland security dollars. there's a lot more capabilities than we've had before. i was sitting friday afternoon, literally, in fema's watch as the tornadoes were hitting and we knew what was going on as far as the initial impacts, and we

were in contact with states and going we're standing by. if you need it, ask for it. and, again, it pointed out the resiliency that states do have these days that they did not, and they made it very clear, you know, we got what we need, we're going to need you for recovery, but we don't have direct federal assistance for the response, and that was a testament to the local officials, to the volunteers, to the national guard. so we focused on the individual assistance, the federal coordinating officer now will add on those counties where we have damages based upon the request of the state, and as we get the public assistance done, we'll process that. we'll work to get that quickly so we can identify. and, mr. chairman, that may also be where we'll turn on some counties, we may have some counties we're still counting in, but we already see the state's threshold, but we'll turn on what we have, and we'll keep counting until we get all the damages identified. >> good. good. well, i can't say anything but praise so far on the effort that fema has done.

it's an extremely difficult situation because there's no communications. the storms took out the towers for communications. telephones and internet. and so it's difficult to even contact the county or the county executive or the mayors. and besides that, the roads are so clobbered with trees and limbs and damage, it's been, it's been a remarkable thing that we've come this far this quick. but it's a devastating time, and i really appreciate your commitment and your rapid decision making because that's all important given the time of year it is down in the area, winter time. with devastation as widespread as it is, and the human factor is altogether important here. these people are hurting severely, and i appreciate the rapid response that fema has

devoted to this, and i look forward to working with you further as we go on down the pike. >> yes, sir. >> thank you, mr. chair. >> thank you. ms. lowy. >> thank you. and i, too, want to join my colleagues, administrator fugate, thanking you for your service and your important contributions. before i get on to another topic, i just tell you, you are talking about the block grant with a continuing focus on -- [inaudible] doesn't make any sense to me at all, and i am very concerned that efforts such as including use could result in a decrease in funds while the risk of terrorist events still remains high, and i don't understand -- and maybe we can have a continuing discussion at another time -- how -- [inaudible] can be protected. there's other funds for other areas, everybody needs it, but

putting it all in a block grant sends a message to me cut and decrease the emphasis. so let me turn to indian point. i'm also troubled by reports that the environmental protection agency, the nuclear regulatory commission and the federal emergency management agency have engaged in ongoing discussions to determine which agency and with what funds would be responsible for a large-scale event at a nuclear power plant. i have to tell you, that sounds like a cartoon which is just that serious to be real. while things are going on and everything exploding, all these agencies are still deciding about who's in charge. as you may know, the indian point energy center is a nearly 40-year-old nuclear reactor locateed within 30 miles of times square, evacuating 70 million people within 50 miles is impossible. the government responds to a

possible event at indian point should be planned, practiced and ready for implementation. so who'd be responsible for a large-scale evacuation? i hope, god forbid it ever happens, you're still not debating it. and are discussions over the best practices for a federal response to a nuclear cleanup being discussed between fema and other government agencies? >> yes, ma'am. the evacuation would be state and local supported by the federal government, that's the direction of the nuke regs that the local and state officials have the authority to order their evacuations, and we would support that. >> so wait a minute, the reports that the epa, nuclear regulatory commission and the federal emergency management agency are incorrect? that they are talking about who'd be responsible? >> have not seen those reports. >> okay. >> the discussions that i have been involved in, and we've done this as some exercises with the national security staff looking at some of the issues in a post-event of what would happen

to materials to be cleaned up, and the fact that there are different standards out there for what would determine what was permanently cleaned up. you have regulations from epa for super fund sites, you have protective criteria that was issued for evacuation decisions, and we were working on what would be the level of cleanup required before people could resume normal and permanent activities. we're also looking at what levels would be set for those that may have to go back in working critical facilities if a cleanup had not been completed. we had in the exercise determined that because different programs had different standards for cleanup that we wanted to have a consistent approach in a post event in what would be determined as cleaned up versus what the evacuation criteria was. there is also an undergoing review by the nuclear regulatory commission based upon the reviewses of what happened in japan, but also facilities here to look at what additional

actions and protective measures may be required. but not having seen the reports, i do know -- those were discussions we've engaged in, was to make sure that criteria such as superfund were also applied in nuclear power plant access this a clean-up phase and how we would apply that uniformly so we would not have different standards, one for evacuation and one for cleanup which we may be confusing or lead to issues in trying to make decisions about reentry. >> well, i thank you for that thoughtful response. i hope we don't have to face that decision. but how long is this evaluation and decision making process going on? >> well, we've been working on -- this was, actually, an event prior to what happened in japan in picking the criteria that we were going to use uniformly across the agencies, and that actually, i think, is pretty close to going through the concurrence process where all the agencies are signing off on that. i would have to defer to the nrc

where they're at in the review process. that's an ongoing process that they've instituted after the events there and also looking at other threats that we face with nuclear power plants. our role as fema as part of that is the area outside of the power plant, working with state and local governments on protective measures, evacuations, exercise programs based upon the criteria that's developed by the nuclear regulatory commission. >> well, let me just follow up with, um, two other quick -- oh, is my time up? sorry. [laughter] >> [inaudible] >> okay. >> mr. latham. >> thank you very much, mr. chairman, and welcome, mr. administrator. thank you for what you do for a lot of people that have experienced real disasters out there, one of which was last summer as you're keenly aware in the missouri river in iowa. for months and months, people were subjected to that.

usually think of a flood as a one-time event, but this went on and on for months as we all know. and it's, folks there are very concerned about your submission to eliminate the predisaster mitigation program. and your statement notes that the most costly and frequent natural disaster is flooding and that you are going to maximize the use of your flood grant portfolio to assist in managing risk. could you clarify and translate this into a statement in a way that tells my residents of the flood-stricken state and its responders and local officials, you know, what does this actually mean, the risk-managing initiative? how is this going to unfold, what does it mean to them? >> well, we still have in the flood insurance program such as the buyout programs for lost

properties which is one of the things that is often times used to address residential issues after repeated flooding. it is often better to buy out rather than repair, and so we also have in that program the ability to fund for elevation as well as continuing with the mapping and updates there. so those specific pieces to that are actually targeted towards homeowners in either mitigating the risk by buying out or in the case of floods, elevating. in addition, those that were impacted by the floods, the state has under the stafford act additional funds, not just the funds they're using for repair, but under section 404, they get additional dollars to look at these types of risks in the state as well. the decision to cut predisaster mitigation was not an easy decision, but it was reflected across all of our programs and looking where we had other programs that are addressing similar issues, the fact that we still have about $174 million in backlog projects to be spent.

and, again, everybody wants to protect their part of the budget. my responsibility was to provide recommendations on what we could do with our budget to achieve the goals we had. and we looked at predisaster mitigation and going it's a good program, but at the cost can we continue to afford that and looking at providing funding for other programs? >> it seems to me that, you know, predisaster mitigation is cheaper than paying the damages afterwards, and there's a school of thought and there's a lot of very knowledgeable disaster management officials that believe that predisaster mitigation program is on the chopping block because it's been ineffectively administered and that there's a lot of money left lying around, the funds are not expended because of a lack of good projects rather than,

basically, a process that was very cumbersome, often times misguided and limited the projects that were available. i don't know what you would say to those people, but it's more of a management problem than it is a program problem, and it's very difficult to qualify. >> again, no cut is easy -- >> have you ever heard those complaints before? >> i've heard a lot of concerns about predisaster mitigation, how the funds are allocated. the difficulties often times in administering the program. and if that was the only reasons, then i would not have supported that. we looked across the programs and said we're going to have to make cuts. do we cut everything a percentage, or do we take whole programs and cut them and keep other things funded at the revel they need to operate -- level they need to operate? we looked at other programs with flood and the flood insurance program, we looked at the remaining balances in the predisaster mitigation program, we also looked at the amount of money out there in section 404

instead of all the areas. not saying that mitigation isn't important nor that the investment strategy of predisaster mitigation is not also important. it was an area that we had orr programs doing -- other programs doing similar work, so we made the decision that this would be a program versus cutting a lot of different things we would zero out. of it's not a popular decision, it's not one that i necessarily would like to say was something i want to do. it is something that based upon being pragmatic about my budget and making investment decisions do we cut everything a certain percentage, or do we make decisions about programs to eliminate where other programs provide some, if not all the capabilities that we're looking at and support the overall programs. >> is there any way to determine what you save avoiding a future disaster as any kind of cost benefit analysis or anything? >> i've heard people use 4-7

dollars for every dollar invested. the problem is there's not enough money and would never be enough money in predisaster mitigation to significantly reduce the nation's risk. you've got a better chance of getting states to adopt building codes and enforce them that would really save money versus a project-by-project strategy that for that project does good, but nationally you're not moving the needle. you cannot mitigate building by building. you have to look more systemically. this program, i think, did a lot to get people interested in mitigation. it got a lot of people to lock at things -- to look at things they could do this their communities before disasters. but when you look at funding, very good intentions. what's the bottom line? unless that structure's hit, you're not going see the savings. we're not spending and doing enough projects for all those projects to add up. you may get one or two here. you want to make big changes, we need the look at how to we reduce the risk not through paying for it, but building better and appropriately so that we reduce those costs on the

front end. >> thank you. >> mr. o'malley. >> thank you, mr. chairman. >> mr.-- first of all, let me begin by complimenting you on your leadership in establishing a new partnership with the hispanic association of colleges and universities to develop course work for latino students to promote educational opportunities with fema in the field of emergency management. i think you're setting a very, very positive example. recognizing the budget constraints and everything that you have said in response to some of the other questions, i want to raise my concern about the national security grant program marley as it per -- particularly as it pertains to the courts. ports. already ports security funding is down by 57% in this current

fiscal year, and without a dedicated stream as has been stated, they would have to compete for funding with transit systems for these states, and there's a possibility that they would not get the attention that they need. and study after study has shown that any kind of a terror attack on the ports would be disastrous not only to los angeles, but to the entire country. for example, a study called risk analysis that was done in 2007 says that even if harbor -- referring to l.a./long beach -- were closed for only 15 days, the authors concluded that kohs to the port -- costs to the port would spiral to $115 million while the wider economic consequences would be in the billions.

so this is something, an area that we may not want to leave to chance and to state and local governments. having served in local government, there's this belief -- and it could be argued that maritime security is really a federal issue, not a local or state issue, and the focus has always been of from the perspective of state government is to deal with local, state and local jurisdictions. so there's also the concern that state governments lack the personnel and the expertise to evaluate maritime risk or determine how ports should be prioritized against other homeland security priorities. so in the event given a worst case scenario that it plays out and that ports do not receive

the attention that they need true these grants -- through these grants, do not get that money given the importance of securing the port what would be the back-up plan to make sure that they are protected against a terrorist attack? >> well, i'll make myself real popular with a lot of folks when i say this, you know, i keep hearing this, that we can't trust state and local governments and ports and transit to work as a team, yet in a disaster that's exactly what's going to have to happen. we can't trust them to work as a team to come up with funding strategies. i can assure you, secretary napolitano is going to make ports a key part of this funding. and coming from the state of florida, we looked at the ports as one of our most key transportation assets. the question is, if we allocate the money based upon each one of these groups, are we building

national preparedness, or are we doing things in a singular fashion that don't add up to national preparedness? and, again, i've seen a lot of arguments back and forth. i've seen a lot of money spent. i'm not sure the investment strategies always led to national preparedness. and i'm not so sure that is always going towards those things that we're saying it's going to. i'm not going to single out and say this is any one particular area, but quite honestly, you saw the articles, and i have to deal with it. we're buying ice machines, all right? in these programs. is that a national investment strategy? so my question is, if we don't trust states and local governments and ports and transits and citizen corps and everybody else to work together yet in a disaster that failure will be exploited by terrorists, if giving the funding out individually is what has to happen because we can't work together, then i'm kind of concerned that by, you know, the question if we do work in a more leveraged, central fashion by

bringing people together to work these together, are we really building national preparedness, or have we merely funded grant program specific to that concern? but again, it's troubling to me, and i understand the pressures from everybody looking at they don't trust each other. you just said it, they don't trust local officials, they don't trust the state the make it a priority. yet in a disaster as a nation in a catastrophic event if we're all getting our grants separately, we're all planning separately, we're all writing our programs separately, yet we're all dependent upon each other to be successful, can we drive that through a grant process to make people work as a team? and make those prioritizations? but i've been on the other side, and i know the powerful arguments, and i know people are looking to protect their interests, and i'm not saying that there may not be a better way. but i'm very concerned when the first thing that comes out with with -- out is we may not be a

priority with the state, we may not get the attention we need, we may not be able to do what we were doing if funding goes together because we may not be able to articulate, compete or get the issue across. yet if that disaster occurs and that port is damaged, who's going to respond? all the folks that got the separate pots of money that were planning separately trying to build a national capability. so i understand the concerns, and ranking member price, i know that, you know, this is not something that goes over well. but i -- you guys pay me, the public pays me to tell you what i think, not what people want to hear. and i have looked at this and looked at this and been on the bottom of the beginning of this process, and i keep coming back to we don't trust each other, so we gotta have our own separate pots of money. we cannot depend upon us to prioritize in a way that says these are the investment strategies of the nation. and we have to have the separate money. yet in a disaster we expect all

of this will come together magically, and we'll work well as a nation. mr. chairman? >> mr. carter. >> thank you, mr. chairman. mr. administrator, welcome. a lot of things you have to say about hard decisions are things that i agree with. i have a question that i'm trying to figure out the answer. dhs budget seeks to fundamentally reform fema grant structure. i strongly support competition in procurement process and the direction you take in the training grant programs concerned me because, in that it negates the significant investment congress has already made through the national domestic preparedness consortium. it seems to me this new direction would create duplicative programs rather than bolstering the existing programs. i've been told that the current backlog in first responder training through the existing program is over 20,000. how does this newly-proposed structure portrayiar