tv U.S. Senate CSPAN June 1, 2012 9:00am-12:00pm EDT
9:00 am
that states created -- >> maryland has one of the biggest ones in that category, about 20,000 people in the state are in a high-risk pool. my first response to that question is i've gotten some e-mails from people in the federally-financed pool which is i've got a surgery scheduled for july, should i move it up? um, i get those e-mails. and, i mean, i've called everybody who's e-mailed me, and i've talked to them about it. and i tell them i'm not sure what's going to happen right now. and, you know, if you think this is an abstract question, you know, we heard some -- there's the abstraction of the individual mandate, all the legal arguments that are out there. i'm not a lawyer. you know, my question is, my question would be, you know, were those sorts of things an issue when the heritage foundation proposed it? you know? but setting that aside, i care about the e-mails i get from people who are worried about their potentially life-saving surgeries this summer and what happens to them, and this could
9:01 am
be extremely challenging and directly impacting 50,000 people nationally who cannot buy insurance in the private market, who are getting coverage through these high-risk pools because they cannot get it who suddenly might get cut off, and there is an awful lot of damage that could be done to people, i think, if there's an adverse decision. as a doctor, that's what i really focus on.
9:02 am
how risk gets mitigated which is really critical to the question of premium costs. >> virginia? >> the same, there are a limited number of tools available and as they come into the exchange and there is guaranteed issue we have to do sort of the adjustment, risk adjustments at the level above the individual carriers and i think that is how that will be handled. >> the industry, i mean this is a very expensive population. >> right so how do you want them handled? >> the federal rules leave that up to the states. it goes back to the states know their local markets the best. they're in the best position to decide how to coordinate with the high-risk pools in their states. states will handle this
9:03 am
differently based on how many they have in the population and what the risks look like. in terms of transition it is important to go back to the affordability point. if you have a very high-risk population jumping into the exchange, particularly in the individual market that could certainly drive up premiums. the risk mitigation mechanisms can help in terms of reinsurance that josh mentioned, risk adjustment and risk corridors as well but could be significant in certain states. we think it is important states do their homework here. they are. they're working with actuaries and consultants to look how to transition this important population. >> the pools that states had created with their own funds and in 1995 until now. what happens? what are you hearing about those? are they going to be moved into the exchange? segmented kept a few years in the state pools? some of the state pools are taking some people, some are
9:04 am
not. so you can't totally generalize. what happens to those really preexisting population of people with preexisting illness? >> good question. i will defer to bill here and josh in terms of what their states are doing but this has to be an important decision that the states look at individually in terms of their own markets and what the impact will be in terms of affordable premiums in the exchange. >> our experience, for sake of time and give you more questions, we're not exactly the same. we had 10,000, 9,000 plus in the high-risk pool prior to the ppca. >> the state? >> the state -- the preexisting pool at the state level and that was maintained. then we decided to defer into the federal pool because frankly when we added up the funding that would come with it we didn't think we wanted to put virginia taxpayers on the hook knowing we would run out of money before the time period was up. so that right now is still a
9:05 am
question for us. >> one quick perspective, these pools obviously are essential given our current system, otherwise folks will have no other recourse. this is not a way for us to be providing health coverage for people and when you have pools you wind up having key rules just for those folks. so, do you have to be uninsured for six months or nine months prior to applying? how significant should your disability or health problem be? obviously it will be a whole lot better if we integrate them into the general pool. it causes issues because it makes the pool somewhat sicker and older and we do have to have balance and there are things that we're going to have to do to make sure there is balance but i hope we won't need risk pools in the future because it's, we should not be segregating that group and creating rules which
9:06 am
inevitably happens because this group is very expensive and any state or the feds that are implementing a pool is going to be really guarded about the risk and therefore the rules will be created. >> could i add to that? the issue sort of in our mind the ideal thing that would happen an individual who comes into insurance would create a relationship with their payer that would last their lifetime. right now what happens an individual comes into insurance and they're employed and changes on average 11 months, or something, you're bumping in and out of insurance companies. if you're sick or disabled or get 65 then you become the government's responsibility. and so where is the emphasis and the interest in the markets to insure health as opposed to focusing on the health care side of things? because you always have that downstream risk that you can put into another pool which is the taxpayers and so, if we were really trying to rationalize this
9:07 am
we would find a way to have it so individuals, and this is the challenge in the exchanges, how do we maintain coverage and physician care as people go in and out of exchanges? that is fundamental relationship change with your insurance we do not foresee in the ppca which i happen to think needs to happen. >> we're going to start banning them, you can do that. we have five minutes. time for one more question. >> we're down to two minutes. june 29th we've had a ruling let's assume it is not all struck. let's assume either all or part or a big chunk of this law is still on the books. we have until a year and a half to resolve it. do the states get to work the next day or does it become, i'll think about it after november? what are you hearing? what is the industry hearing? >> well, i'm not going to speculate on when the supreme court will rule. >> please. >> obviously we're planning for the various scenarios
9:08 am
the states are planning everyone is planning. we'll certainly have more to say the day the supreme court rules. >> you see that as resolving it or do we go to another waiting game, let's see what happens after the election? >> it really depends on the ruling. there is a whole range of possibilities. >> it will be different from one state to the other. so bobby jindal is thinking about 2016 and is he going to change after the, supreme court rules? probably not. will other states probably change if the scenario you described occurs? i think so. there are so many governors who said we're not going to move forward even though actually some of them are moving forward behind the scenes until we know whether this law is constitutional. by the way nobody has argued that the law is unconstitutional. it is only individual responsibility provision and medicaid expansion that is at issue. but i think you are going to see an acceleration occur if the supreme court says that
9:09 am
we can move forward with most of the statute but it doesn't mean every single state, those governors who want to make political statements because their future in the republican party and their aspirations they may not move. >> what about the practicality aspect though? it will be repealed or gutted? if i'm a governor do i want to tear my hair out? >> we already have a process in place and frankly we are developing the level of implementation grant request funding. now the decision will be made above my level whether it goes out but i think our general assembly is expecting we will stay prepared and at some point we're going to have to have a, the general assembly weigh in to greet this and that is really the challenge for us. if you ask me today would the house of delegates in virginia approve an exchange, i would say that is a real iffy proposition. so we have the challenge of
9:10 am
proceeding and what will, i'm not sure it makes, it makes a lot of difference for us around certainty in terms of what may be in the exchange and what may not be and will help us with their planning and when we will be moving forward but ultimately the general assembly will have their say. and i think what happens with congress and the elections and special sessions and all, everyone's wildly optimistic that things will be better for their side but what congress does is a huge issue here that we can't control. >> we're in this for health and the economy. maryland will be moving forward. i promised my mom and her three closest friends that follow me on twitter that i will update them in the event of supreme court ruling at dr. josh asks. shameless plug. our intent is to figure out a way to make this work if we possibly can. >> with that, we're out of time. thank you so much to bill hazel and josh sharfstein
9:11 am
9:13 am
of "book tv"'s programming normally seen weekends here on c-span2. former senator bill bradley shares his thoughts on political cynicism. dr. ben carson gives his views what is good about america and where it has gone astray. and former obama advisor van jones on restoring hope and the american dream. "book tv" prime time tonight at 8:00. at the same time on c-span is debate between wisconsin governor scott walker and his democratic challenger, milwaukee mayor, tom barrett. polls show him leading. you can see the final debate tonight 8:00 eastern on c-span.
9:15 am
transactional process. writing assumes reading. it goes back to that question about, you know, a tree falling in the forest if there is no one there to hear it. you know, if you have written a really wonderful novel one. parts of the process that you want readers to be enlarged and enriched by it and you have to, you have to pull on everything at your disposal to do that. >> well the economy added about 69,000 new jobs and the unemployment rate went up from 8.1 to 8.2% since april according to new numbers put out this morning by the bureau of labor
9:16 am
statistics. house republicans will be holding a news conference on those numbers in just a moment. we'll have it live for you here on c-span2. right now a look at the outcome of the corruption trial of former presidential candidate john edwards from today's "washington journal." >> host: amanda becker is on the line with us covering it for "roll call." amanda becker, what is next with regard to the prosecution? what are the options when the jury was deadlocked on most of the charges in this case? >> guest: hi, good morning. the justice department's option at this point would be to start an entirely new trial for the five counts on which the jury was deadlocked. they acquitted him on one count of campaign finance violations. there are five others. among them are conspiracy, campaign finance violations and making false statements to the government which would have been filing false campaign reports. >> host: so a question that i have about this is really about the justice department and its political
9:17 am
investigation unit. i mean, most famously in recent, their unsuccessful prosecution against ted stevens because it ended up with reprimands for people in the department. where does this leave doj in its pursuit of political corruption? >> guest: not in a good place according to the legal experts i have spoken to. of course the justice department's public integrity division said this is not indicative of their overall success rate. there are many prosecutions not gathering the attention these two have. last week the justice department revealed two of the prosecutors who handled the stevens case will be suspended without pay. this is one of a string of two cases involving u.s. senators. of course by the time edwards, you know, engaged in these campaign finance issues he was running for president but these are two kinds of cases that they pursued on what experts were
9:18 am
thought, kind of shaky legal theories at best. in one there was prosecutorial misconduct. it was completely derailed. in this case there was a mistrial. they would have to pursue the whole thing again. >> host: any sense how much this prosecution effort cost? >> guest: i haven't seen any figures about that actually. i mean this was, you know, several years in the making though. it was a seven-week trial. the jury deliberated for nine days. these cases have a lot of work on the front end in terms of the investigation and gathering all the information, getting the documents, deposing the witnesses and so while i haven't seen any figures these are certainly expensive cases to pursue and that is one of the criticisms i've seen. a few months ago, after he was indicted and i'm speaking about he had -- edwards again, you even saw good government groups kind of slamming the justice department for pursuing this because they felt that it was going to be a hard case to win and kind of resources could be used more
9:19 am
effectively in clear-cut cases. >> host: and any indications from former senator edwards' statement yesterday outside the courthouse what his future might be? >> guest: i wouldn't say he said anything about his future. he maintained all along that he did something wrong but it was not illegal. he praised the justice system for what he said was, you know, the outcome that should have happened and for working and said he knew who was responsible at the end of the day which was him and i think he was going to try to move on with his life. >> host: thanks, very much, amanda becker. her reporting on this is available online at rollcall.com. >> we're live now from the house radio tv gallery where we're awaiting remarks from house speaker john boehner. here he is. >> good morning, everyone. it is pretty clear that the american people are still asking the question, where are the jobs? another month of disappointing job gains.
9:20 am
it is pretty clear that the american people are hurting. small businesses continue to avert hiring any additional people and it's clear that the policies we've seen are not working. and i would just hope that the president, my colleagues in the senate, would look at our plan, create american jobs. passed over 30 bills sitting in the united states senate. we can help the american people at a time of this great need if the senate would just look at the bills that are before us. listen, you watched us for the last year-and-a-half, come up here every day and every week and make clear that our focus is the focus of the american people. we promised that we would listen to the american people and their focus is on this economy and jobs. that's why that's continued to be our focus each and every day over the last year-and-a-half and it will remain that because the american people are in a
9:21 am
desperate spot. millions of americans have lost their jobs. are looking for work and it is time for us to change course and have real policies that will put americans back to work. >> good morning. you know these job numbers are pathetic and the american people really deserve better and i think under the right leadership we can do better and we in the house remain committed to doing all we can to removing the uncertainty that is plaguing not only working families of this country but the small business people of this country. that is why you will see us continue to focus on the fact that we're not going to, if we can, allow taxes to go up on anybody and we'll put a bill on the floor this summer to make sure that signal is sent to working families and small businesses of this country. we also believe strongly that the uncertainty provided by the president's health care bill is weighing
9:22 am
down job creation, is weighing down the innovation and investment in this country and that's why we are going to seek to repeal in total the obamacare bill. we also will look to bring a bill to the floor this summer that will say stop the regulations coming out of washington because they're proving to be an obstacle to job creation. stop everything that is providing disincentives to our job creators so we can get this economy going again. >> i guess the only news this morning is that 3 1/2 years later the president's policies are still failing. 3 1/2 years later millions of americans still remain unemployed. 3 1/2 years later, millions of americans are underemployed. again the president's policies continue to fail. this should not be a surprise. if you threaten the single
9:23 am
largest tax increase in america's history, much of which will fall upon small business people and entrepreneurs, you're not going to get robust economic growth. if you have an avalanche of new regulations, as have ensued under this administration, you're not going to have robust economic growth and job growth. if you go about vilifying success and free enterprise, you're not going to have robust economic growth. if you engage in serial trillion dollar deficits which business people know sooner or later they will have to pay for you're not going to get robust economic growth. unfortunately for our constituents who have seen their gas prices almost double under this administration, who know that their real disposable income is down under this administration, who look around and still see their
9:24 am
friends, their neighbors, unemployed under this administration, again the news today is 3 1/2 years later, the president's policies are still failing the american people. >> as i look at these numbers you can't help but think about the millions of americans that are continuing to look for work and are not able to find jobs and these are really tough numbers. i also think about the fact that when president obama was elected he said that if he hadn't turned the economy around in three years that probably wouldn't be in office in his fourth year. and after he was inaugurated, the cornerstone of his economic plan for america was a stimulus package. it was a $800 billion stimulus package. it was a record amount of spending and he told the congress at that time, that if you pass the stimulus package, unemployment will not go above 8% and by this time, this year, unemployment would actually
9:25 am
be below 6%. well, it is clear that that hasn't happened. but i can't help but think it didn't have to be this way. we could have taken an approach that really focused on unleashing the private sector. and the reason that the house republicans opposed that stimulus package, opposed the big government approach we believed there was a better way, that there was a way that focused more on the private sector. and president obama could have taken a lesson from president reagan back in the early '80s, when reagan inherited a much more difficult economy. inflation was higher. interest rates were, were out of the, were off the charts and reagan, at this time, in his re-election was actually, he had an economy that was booming. we need a course correction. we need an approach, coming out of this administration, that is more focused on the private sector. more focused what it will take to unleash the entrepreneurial spirit in this country again.
9:26 am
>> today the president is going to minnesota and i'm told the white house will highlight the to-do list for congress, specifically the veterans job corps. if you plan to move on anything and what would you say to the president today about that? >> instead of another campaign speech the president might want to engage with democrats and republicans here on capitol hill to handle the big policies that are affecting our economy. whether it's the tax rates that all expire at the end of the year. whether it's the sequester that is due to go into effect in january that will gut our military, or, our $16 trillion national debt, our $1.3 trillion budget deficit. maybe the president ought to get out of the badminton game and get into the rugby
9:27 am
game in front of him. >> [inaudible]. you said the american people don't have to accept the president's new normal of fewer jobs and high prices. you're basically saying vote for us. that's what you're saying. that your policies, congressional republicans -- >> elections have consequences. we believe the policies we have advocated over the last 3 1/2 years would have our economy at a much better place than it is today. >> the group of gop challengers that came this week, many cases demographically and ideologically different than candidates who have won in the past. many of them are etch fromming compromise over confrontation. why are you highlighting such a different group of candidates? do you think this will make it easier to get things done? >> these are the first 12 young gun candidates that are on the list. we didn't choose them for
9:28 am
their demographics or their style. they just happen to be good candidates in districts that are winnable for us. >> mr. speaker, if the president had implemented the policies you advocated including the bills you have in your coat? >> talking about the plan, american job creators. 30 bills sitting in the united states senate? >> why don't they bills and pass them and help the american people instead of playing politics over there? >> my question, if the senate had passed those bills and done other things that you wanted, roll back regulations and do away with the health care program where do you think the jobless rate would be now? do you have any specifics? >> -- i'm not an economist. all i can say is that if they would have taken our advice and worked with us the economy would be better. more americans would have better jobs. more americans would have better incomes.
9:29 am
that's clear to us. >> speaker boehner? >> mr. speaker, the president has his to-do list and you have your list there. don't they overlap in any place at all that maybe something could get done? >> we have worked together to pass the three free-trade agreements. we worked together to pass the veterans jobless bill. i can go down a long list, eric, and the majority, or minority whip worked together on the export-import bank, to get it reauthorized. there are a number of places we have found common ground but it's a constant search. and it is hard to sit down and find common ground when the president's always out campaigning every day. >> speaker boehner? now that -- >> no. let's go to the front. loud mouth, relax. >> the -- lost jobs was construction. 28,000 losses. why won't the congress provide some certainty to the construction industry by
9:30 am
passing a highway bill? wouldn't that, at least improve that? >> is there question, that of getting a highway bill finished is very important. the house has passed a bill. the senate passed a bill. we're in conference. i know the conferees are working diligently to try to come to an agreement because it would put more americans back to work. but included in there is, are energy provisions like the keystone pipeline that would create nearly 20,000 jobs immediately, directly into this job and up to, over $100,000, 100,000 jobs indirectly. this is, this will help put americans back to work. hope we get an agreement. >> mr. speaker? [inaudible] any culpability for the unemployment numbers? any responsibility? >> they have, they went their own way in 2009, 2010. on virtually every bill. and, they have created quite a mess.
9:31 am
listen, our job is to stay focused on what the american people are most concerned about and that is exactly what we've done. >> speaker boehner, now that mitt romney has clinched the nomination do you have any scheduled appearances or fundraisers with mr. romney? >> no. >> can i get your comment on the new york sugary drink ban that mayor bloomberg wants? >> you know i like mayor bloomberg but, are you kidding me? come on. don't we have bigger issues to deal with than the size of some soft drink that somebody buys? >> thank you, sir. >> [inaudible]. >> i will pass it along. >> house republican leaders on the may job numbers. no remarks from the administration as of yet to the labor department numbers. but we have heard from mitt romney. today he made the following statement on the unemployment report. quote, today's weak jobs report is devastating news for american workers and american families.
9:32 am
this week has seen a cascade of one bad piece of economic news after another. slowing gdp growth, plunging consumer confidence, and an increase in unemployment claims. now another dismal jobs report all stand as a harsh indictment of the president's handling of the economy. it is now clear to everyone that president obama's policies failed to achieve their goals and the obama economy is crushing america's middle class. the president's re-election slogan may be forward but seems like we've been moving backward. we can do so much better in america. that's why i'm running for president. that from mitt romney this morning. live now to the house financial services subcommittee on capital markets. this morning they're holding a hearing on cybersecurity threats to the u.s. financial industry. according to a recent pricewaterhousecoopers report, cybercrime is the second most commonly reported crime in the financial industry. it accounts for 38% of economic related crime incidents compared to other incidents with 16% cybercrime.
9:33 am
9:36 am
>> formality. please sit. so, today's hearing, subcommittee on capital markets and gse is called to order. cyberthreats to capital markets and corporate accounts. and i appreciate the entire panel being with us today. look forward to an interesting albeit at times perhaps somewhat technical hearing. so i look forward to the entire testimony of the witnesses and the questions that will follow. at this time we will move to opening statements. and i yield myself three minutes or four minutes. and again what we're talking about today is cyber attacks and the threat of cyber attacks against our economic interest as we learn from this panel and others been
9:37 am
in our office and media and growing concern among many here on the committee. so a better understanding of the potential dangers that cyber criminals pose to both consumers, financial institutions and government agencies will help improve our chances to avoid disruption in the financial markets. there have been a number of high-profile cyber attacks over the past several years. known intrusions into public web sites have occurred at department of defense, international monetary fund, booz allen hamilton. in 2011 the u.s. chamber of commerce their computer networks were compromised and confidential communications and industry positions were accessed. financial services are a big target of course because the old saying willie sutton noted where the money is, financial services businesses have been leaders in an effort to armor their data networks and identify and deal with any actual breaches as quickly and as transparently as possible. so the cost to business and consumers is
9:38 am
difficult to quantify. we must ensure we have the proper safeguards in place to thwart or minimize future attacks while at the same time protecting privacy of citizens. consumer confidence plays a significant role in any transaction made by individual or small business. unfortunately, just as there have been numerous instances of identity theft out there where individuals have credit cards stolen or accounts looted there has been a significant rise in corporate account takeovers as well. so cyberthreats come in many different shapes and sizes. we're familiar with the threat of identity theft, i know about that. according to a recent research study identity theft cost americans $37 billion in 2010 alone. today i can't think of a less appetizing scenario than having someone other than myself accessing my personal banking information for their personal benefit. additionally there has been significant increase of
9:39 am
corporate account takeovers. that is essentially identity theft of a company instead of a business, of an individual. which leaves small businesses seeking solutions to safeguard their information and their finances. our financial markets and clearinghouses have largely been spared the high-profile attacks that have happened to some banks, partially because of, well, their hard work. partially because of the way they are constructed but they are still vulnerable to denial of service attacks or public web sites that serve them. we saw terrible attacks a decade ago in new york city, our markets are resilient and i'm confident they have only become more resilient and more reliable ever since but important to let them tell their story today in their own words. so we are holding these hearings to discuss current and potential threats against our financial service industry and discuss how we together can better be prepared against future such attacks. now, we must remember that we must always remain
9:40 am
vigilant when we are protecting personal and financial information. so much of our economy is reliant on internet today, that we must not be complacent in all this. so our economy then has always been a leading contributor to our national strength. we must ensure that it is protected against tomorrow's threats and so at that point i thank you again for coming and your testimony which will follow. at this point i will yield back and yield to the gentlelady from new york. for -- >> thank you. i'll just be very brief. certainly the security of our financial markets are, our government, it's incredibly important to our national and personal security and today's hearing is part of a continuing oversight and dialogue we are having in congress about the threats to our markets and the impact these attacks could have on our economy, on our individuals and on our government. and with the rapid pace of
9:41 am
technology, and the growing number of threats across a wide range of businesses, both large and small, it is truly a huge, huge challenge and one that needs the absolute total commitment and coordination between the public and private sector to, to protect our markets, to protect individuals, to protect our government. i do want to note this recent report and it was very excellent. the internet security report. and it states half of our businesses, which is truly a wake-up call, both big and small, half of our businesses in america are targeted by cyber attacks, and over 232 million identities were stolen in 2011 including my own. there is a carolyn maloney running around maryland.
9:42 am
almost every american or many of us have had that inconvenient situation happen to us. in their report they say 5.5 billion total attacks are blocked, were blocked in 2011. so not only do we have to look at ways to continue to block this but we need to continue to look at ways to protect our capital markets and our industries, both public and private, the information that we have. i look forward to hearing from the, from the witnesses today and i yield back. thank you. >> thank you. the gentlelady yields back. the gentleman from arizona for two minutes. >> thank you, mr. chairman. i will actually try to be fairly quick. what i'm hoping to actually hear from the panel and should i be worried that there is another one of you running around maryland? >> there is. the fbi is looking for them. >> it is a combination of a handful of things. first off right now the way we allocate liability. are we creating incentives
9:43 am
or disincentives for some folks within, shall we say, the financial food chain to invest and others to not invest. that's sort of a side concern. second of all i would like to hear and understand how throughout the industry you coordinate talent, coordinate technology, coordinate data and information and best practices. and number three, i want you to either dissuade me or agree with me. i'm one of the members of congress who has a great concern about a growing governmental role in the whole issue of cyber attacks and data protection, that the government so often becomes bureaucratic and moves so slowly, will they actually make reaction time worse and therefore raise our exposure?
9:44 am
that is a concern and i'd like some definition back of, in many ways, are we making it more difficult to react in an instant time? mr. chairman, i yield back. >> thank you. mr. dold is recognized for two minutes. >> thank you, mr. chairman. i certainly appreciate you holding the hearing on a very important topic and i want to thank the witnesses for taking time to join us today. i believe our capital markets are critical for our nation's productivity. our technology is the most advanced in the world. today we're facing a constantly increasing threat of cybercrimes and cyber intrusions. sophisticated viruses and malware cost us billions of dollars each and every year while also threatening our power grids and our national security. that is why it is so critical to focus on this issue and to strengthen the safety and integrity of our financial sector against cyberthreats.
9:45 am
every day literally hundreds of thousands of cyberthreats hit our financial institutions. i think that is something not many people really recognize and something we need to be prepared to act against. and in that regard i'm confident that my colleagues and i share several bipartisan goals. first, we must maintain and improve our existing cybersecurity infrastructure and identify all cybersecurity breaches. second, we must share all relevant cyber threat information to facilitate a fast and effective response. and we must do this in a way that does not unduly infringe upon privacy rights, consumer rights or the integrity of contracts. third, the private sector and the public sector must work together in leveraging existing institutions to evolve with the increasing cyberattack complexity. finally, the private sector must be able to work confidently with law enforcement agencies to protect the existing systems while ensuring that sensitive information is
9:46 am
handled securely and is used appropriately. clearly, to maintain the public trust the financial sector and government agencies must remain committed to protecting personal data and intellectual property. i want to thank you again for being here. mr. chairman, i want to thank our witnesses for sharing their time, testimony and experience with us today. thank you so much. i yield back. >> the gentleman yields back. and i echo those remaining comments of the gentleman to the panel as well. seeing no other opening statements i then turn to our panel for your opening statements. and as always, for those of you who have not been here before, you will be recognized for five minutes. your complete testimony will be made part of the record and you can summarize what you have in front of you. so we'll turn first to ms. cantley. you're recognized for. >> good morning, chairman garrett and members of the subcommittee. i'm michelle cantley. i'm the chief financial
9:47 am
officer for regions bank. i'm appearing for the financial services information sharing and analysis center. i want to thank you for the opportunity to address the subcommittee on the important issue of corporate account takeover. i've been head of information security at regions since 2004. regions is the 12th largest bank by deposits and loans and serves customers in. regions is a member of the fs-isac, with the mission of protecting the financial services sector against cyber and physical threats and risk. today the fs-isac has more than 4400 member organizations that represent the majority of the u.s. financial services industry. it is important to note that the industry spent much time and effort and worked closely with its regulators and other interested parties to provide safe systems to its customers. the fs-isac is familiar with information sharing
9:48 am
arrangements through both public and private sector organizations that criminal actors are targeting our sector. corporate account takeover is one method of attack. corporate account takeover is the unauthorized use of online banking credentials typically obtained via malicious software, malware that affects customer computers, workstations and their networks. cyber criminals continue to attack business customers' computers by phishing, which remains the most popular form of attack, through malicious advertisements and by fraudulent messages on social media sites. in each case the cyber criminals attempt to trick their victims into clicking on a bogus link that redirects the unknowing user to a server that downloads malware onto the victim's computer. this software includes a program that captures the user's online banking credentials as he types them and allows the criminal to impersonate -- to create fraudulent financial transactions. over the past two years,
9:49 am
losses experienced by financial institutions and their customers as a result of cyber-related fraud have declined even as the number of attacks has increased. the fs-isac and the members recognize the threat to the affected institutions and to customer confidence posed by these criminal acts. in 2010, as part of our active efforts to counteract the threat of corporate account takeover, the fs-isac formed the account takeover task force. the task force consists of over 120 individuals from financial firms and government agencies. it has recently completed a report that recommends three main areas of focus, prevention, detection and response, in order to ensure an improved and effective defense against account takeover. the fs-isac and its membership have taken tremendous steps to limit cybercrime and corporate account takeover. nonetheless corporate account takeover attempts cannot be stopped solely by the financial institutions.
9:50 am
all participants in the internet ecosystem have roles to play. banks, for instance, have no direct control over the end customer's computers, nor can banks control what e-mails bank customers open or what web sites they visit prior to accessing their online banking systems. still, to increase the security of our customers' accounts, we must educate our customers on the risks, monitor for anomalous transactions and stop fraudulent transactions we detect. customers have a role to play in learning about these threats and practicing safe internet habits. internet service providers and e-mail providers can monitor traffic on their networks for much of this malware and alert their customers to these threats. finally, the fs-isac believes that the private sector and government can continue to work together to improve internet security. one area i would highlight is that law enforcement should continue to move aggressively against cyber
9:51 am
criminals and that more work on international, legal and diplomatic levels is needed so that all countries recognize this type of cybercrime. i look forward to any questions that you might have, and thank you for the opportunity to appear before your subcommittee today. >> and we thank you as well. mr. clancy, you're recognized for five minutes and welcome. for all of you, you want to pull those things closer to you. from the distance here it looks like they don't pick up that way. >> chairman garrett and ranking member waters, my name is mark clancy. i'm the corporate information security officer at the depository trust and clearing corporation. dtcc is a participant owned and governed cooperative that serves as critical infrastructure for the u.s. capital markets and financial markets globally. our operations and processes are essential to mitigating risk and ensuring the safe and efficient operation of financial systems. cybercrime poses a significant threat to capital markets globally.
9:52 am
a study by the u.s. treasury found that cybercrime accounts for more revenue than international drug cartel income, running into the hundreds of billions of dollars annually. there are three main types of cyber attacks aimed at the financial sector. the first involves the theft of confidential data. in its most insidious form cyber criminals take over the accounts of innocent victims globally and either directly steal funds or use the stolen credentials for market manipulation by what are called pump and dump scams. they are moving the market in a stock and bidding against themselves and anyone else they can lure into the scam. in recent years dtcc saw data theft in our industry involving highly sophisticated social engineering techniques that attempt to give a foreign entity a competitive advantage in negotiations, often related to winning bids for natural resources or beating the offering price of an acquisition of another company. the second type of attack involves compromising the
9:53 am
integrity of the national market system, the nms in the united states. the goal of these financial crimes is to grind the financial system to a halt. there have been no public reports of the nms being indirectly attacked today. the attack on the hong kong exchange in 2011 reinforced the dangers of this threat. the third attack involves compromising the integrity of financial data, which exists overwhelmingly in digital form. these attacks have the potential to be the most catastrophic. for example, the european market for carbon credit trading was the victim of such an attack in 2011 when cyber criminals changed the ownership information of individual carbon credits. this resulted in the theft of 30 million euros in the emissions market and closure of the european emission trading system for more than a week. financial systems have robust security programs to protect the systems from cyberthreats, but they're not foolproof. a critical resource the industry relies on to safeguard the system is information sharing between federal agencies and financial institutions, most notably via the financial
9:54 am
services information sharing and analysis center. i want to focus on a successful and now-defunct program which targeted cyber espionage. under the program 16 financial services firms were granted access to threat and attack data and analytical data on financial mitigation techniques, actionable information to search for similar threat activity in their own networks, access to contextual information to better understand the risk implications of various threats, adjustments to cyber espionage using quantifiable information that had previously been unavailable, and a better understanding of the need to develop standards to support the automation of sharing and consumption of threat data. the gisf program drove innovation and new initiatives in the industry and helped reshape the sector's approach to assessing cyber espionage risks. it prompted pilot firms including dtcc to provide best practice.
9:55 am
unfortunately the program was terminated in 2011 for reasons that were unclear. since then more than five financial institutions experienced threat activity from actors first identified through gisf reporting. fs-isac found threats will continue in the future. the information sharing which occurred represents the most critical line of defense in mitigating cyber risk today. dtcc strongly supports restarting the program and expanding its reach within the financial sector. as the sophistication and technological means of cyber criminals increase, the financial sector needs to move from a static one-size-fits-all framework to a risk based one that incorporates the dynamic nature of the cyber security threat landscape. while the public and private sectors have taken important steps in recent years to enhance collaboration, a greater degree of information sharing and trust is needed to ensure all resources are working in concert to protect the financial sector from cyberattack. dtcc stands ready to work in partnership with this
9:56 am
committee, the congress and the administration to harden the sector's defenses against cybercrimes. thank you for your time. >> and i thank you as well. mr. graff is recognized for five minutes. welcome. >> thank you, chairman garrett and ranking member waters and all members of the subcommittee. my name is mark graff. i am the vice president and chief information security officer for nasdaq. i am new to nasdaq omx, having arrived this april, but i am no newcomer to information security with 25 years security experience serving both the industry and government. most recently i was head of cybersecurity at lawrence livermore national laboratory which is not only one of the crown jewels of research in this country but the repository of the nation's most important secrets including nuclear weapons designs. i moved to nasdaq omx to protect another part of america's critical infrastructure, its financial markets.
9:57 am
i changed industry but most of the challenges and many of the adversaries remain just the same. nasdaq omx is committed to a vigorous defense of its critical infrastructure and as an expert in the methods used today to defend this nation's most critical, most highly classified systems from attack, i can tell you that many of these same techniques and technologies are used to defend nasdaq omx. one key method at both institutions is the isolation of critical systems from the internet at large. while many of the services we deliver to customers worldwide are housed on internet-facing web servers, our trading and market systems are safely tucked away behind several layers of carefully-arranged barriers such as firewalls and network isolation zones. this is an important distinction to remember and we should all keep this in mind when we hear about denial of service attacks against one institution or another. any troublemaker can run up to the front door of a house
9:58 am
and ring the doorbell over and over again, and that is what most denial of service attacks amount to. if sometimes, despite our best efforts, our customers are unable to reach one of our outward facing web sites for a few minutes as a result of this kind of vandalism, i ask us all to remember it doesn't mean, in my homely analogy, that someone has broken into the house. the market systems remain secure. but we don't rely on isolation alone. we have a comprehensive information security program using a multilayered approach. for example, in developing software we treat information security as a critical element all the way through the life cycle of the software, from design to implementation and also in everyday use. these controls that i have talked about span our entire enterprise network. our trading systems, though, are further protected by their overall resilient architecture. while each trading platform, as i mentioned, is isolated from the rest of the network and from the internet, the system also restricts the
9:59 am
information that is allowed to be submitted to it through the use of a fixed set of formatted protocols that control inputs to the trading platform. it is also refreshed at the end of the trading day, every trading system, and no data is maintained in the trading platform beyond the trading day. this helps secure the trading markets which are so important to us. for all those steps, we do have serious concerns about the worldwide attacks on critical infrastructure that are being led not just by rogue hackers or organized crime but by national governments today. and it is our position that it is not reasonable to expect individual companies, no matter how sophisticated, to independently stave off cyber attacks coordinated and backed by a foreign government. so it is for this reason that we at nasdaq omx are very pleased that both houses of congress are looking at ways to protect our critical national infrastructure through improved sharing of information about cyberthreats and vulnerabilities. we support the house passage
10:00 am
10:01 am
likewise, the financial services industry recognizes the serious and constantly evolving nature of cyber threats to its customers, its institutions and the broad u.s. economy. individual institutions conduct ongoing risk assessments to identify potential institutional and customer threats and to limit the risks for both their own operations and those of their key service providers. this includes providers of services such as clearing, settlement and accounting within the capital market environment. these assessments help assure that the institutions and financial infrastructure such as capital markets remain secure. in the battle for security, however, no one institution can fight alone. consequently, at the sector level several collaborative efforts exist. through associations, institutions band together to collectively identify cyber risks and, more importantly, develop best practices to improve cybersecurity, reduce fraud and improve resiliency. the largest of these industry collaborations is perhaps the
10:02 am
financial services sector coordinating council, consisting of the major financial trade associations, the largest u.s.-based financial institutions and the key financial infrastructure participants. the council works closely with its public sector partner, the financial and banking information infrastructure committee chaired by the treasury department. this committee includes 16 government agencies with regulatory oversight for the financial sector including capital markets. working together, council and committee members focus on key cybersecurity issues including the ability to recover vital infrastructures impacted by cyber or physical incidents. the two groups sponsor industrywide resiliency exercises, the latest of which had its focus on the resiliency of the equity clearing and trading processes. other associations have also formed collaborative relationships with various law enforcement agencies to coordinate efforts in preventing and prosecuting cybercrime. the industry also conducts outreach efforts to other
10:03 am
sectors. one recent example is participation in the industry group. this multi-industry, multi-stakeholder group is acting collaboratively to mitigate the problem of device takeovers by cyber criminals. these types of efforts are consistent with the financial services industry's recognition that today's cyberworld is highly integrated and relies on multiple organizations to effectively mitigate security risk. the industry also recognizes the importance of cybersecurity to industry. consumers and businesses play key roles in cybersecurity and have the responsibility to protect themselves. the industry and others have recognized they often lack the skills and awareness to do so, and as a result institutions and associations have made significant educational investments. a key collaborative area, particularly with regard to threat information sharing, is that financial institutions currently share threat information through the fs-isac.
10:04 am
broader inter-industry private information sharing opportunities remain. because of the interdependency of the sectors in key infrastructures such as capital markets it is vital to share information across a broad swath of sectors to improve the responsiveness and the defense of all sectors. maintaining the confidentiality, particularly between the private and public sector, however, remains a concern. organizations are concerned about whether those they share with will protect the confidentiality. that is why the financial services industry is supportive of the passage of h.r. 3523, which if enacted offers additional protection to the confidentiality of shared information. we recognize that as h.r. 3523 was considered, legitimate concerns about protecting individuals' information and privacy were raised by several members of the house. as you consider future cybersecurity legislation, however, we do urge you to consider solutions to allow sharing of this type of
10:05 am
information under certain circumstances in a manner that protects individuals' privacy rights but also facilitates their financial protection as well. there are legitimate reasons to share this information to benefit citizens. sharing details about breached customer information, and sharing it quickly, would allow institutions to take actions to prevent fraud against their commercial and retail customers. in closing, again, accept my thanks for the opportunity to testify today. cybersecurity is a vitally important issue for the public and private sectors. protecting companies, customers and infrastructures that support our economy is crucial. we commend the subcommittee for recognizing the importance of the subject and for your attention to strengthening the nation's cybersecurity. thank you. >> mr. weiss, you're recognized for five minutes. >> good morning, chairman garrett, ranking member maloney and subcommittee members. i am the director of citi's cyber intelligence center which is responsible for collecting
10:06 am
and analyzing and exchanging threat intelligence to protect the customers, our brand, global business operations and technology infrastructure against threats worldwide. i'm testifying on behalf of the securities industry and financial markets association. i have to safeguard the capital markets from emerging cyber threats. i will be focusing the testimony this morning on cybersecurity in the financial sector, what we are doing to protect our infrastructure and most importantly our customers from cyberattack. we agree with the efforts of the administration and congress to limit cybersecurity threats against the american people, businesses and government through a more integrated approach. the cyber intrusions and cybercrime of the past decade were cause for great concern. the member firms are on the front line defending against cyber threats to the financial markets and we take this threat seriously. consequently, members currently
10:07 am
comply with a number of stringent laws and regulations on the protection of personal data including the gramm-leach-bliley act, the fair credit reporting act and the right to financial privacy act. these laws and regulations are reinforced by regular pro-active review and audit by highly specialized regulators that are supported by the ffiec, which issues the privacy and cybersecurity guidance and monitoring procedures. in addition, the financial services sector proactively founded the financial services information sharing and analysis center. like my fellow panelists, i currently serve on the board of directors. we recognize that congress shares our concerns regarding the nation's current cybersecurity infrastructure. with respect to our industry we believe it's important to keep the following principles in mind. we recognize the need for expanded information sharing with government agencies including greater private sector access to threat data from federal
10:08 am
intelligence and law enforcement agencies. access to this information must be administered in a manner that can provide broad cybersecurity protection without compromising investigations or the privacy of individual americans. sifma believes government agencies should leverage the existing fs-isac and dhs us-cert to facilitate the cross sector public/private information sharing that will help financial institutions better protect themselves and ultimately protect our customers. sifma believes our current regulators are best suited for designating or regulating critical infrastructure. the treasury department, as our sector specific agency, and the regulatory agencies, through the financial and banking information infrastructure committee, should determine what is considered critical infrastructure. a one-size-fits-all approach is not the right regulatory solution. as the amount and sophistication of cyberattacks increase, the need for new technologies and expertise and talented personnel to combat these threats becomes paramount.
10:09 am
our nation's universities must focus on developing the next crop of talented information security professionals so that the financial services industry and the nation can adequately protect itself from cyberattack. because cybersecurity is a global problem and cybercrime frequently occurs across borders, cooperation with international partners is critical to preventing, investigating and prosecuting cybercrime. the u.s. should seek strong cooperation with foreign governments to improve cybersecurity and punish those responsible for cybercrime. sifma believes a breach notification standard would reduce administrative oversight, establish clearer notification guidelines and, most importantly, reduce customer confusion. we have played a leadership role in developing policies, procedures and technologies to protect customer data and we look forward to maintaining that role as the nation upgrades its cyber defenses. thank you, chairman garrett and
10:10 am
representative maloney, other members of the subcommittee for this opportunity to testify. >> thank you. mr. woodhill, welcome. you're recognized for five minutes. >> thank you. mr. chairman, vice chairman, congresswoman maloney, members of the subcommittee. when i asked how to be a good witness for you, my good friend, former chairman of the energy and commerce committee, told me that i needed to do two things: be brief and then be gone. but before i am gone i should tell you what the problem is and offer at least one decisive solution. thank you for the opportunity to testify before you today on behalf of the victims and potential victims of corporate account takeovers. my name is jim woodhill. i'm a serial entrepreneur in the information security space. i was recruited in december, 2009 to be the advocate for the victims of this new fast-growing cybercrime by gartner's most prominent analyst in this case.
10:11 am
i am here today because your money is not safe in the bank. not if you're an american church, school district, small business or political campaign fund. not if you are using microsoft windows. many of you on this committee have heard from victims in your districts. the shocking thing to victims is that the reason these organizations are vulnerable is an official financial services industry policy known as shared responsibility. personal accounts are safe, protected by federal reserve regulation, but commercial accounts are the subject of a dozen lawsuits over state law. the consensus of the cyber experts is that shared responsibility will not hold up long term. today the victims have had at least $100 million stolen. sometimes there is full restitution. sometimes it reaches a settlement where the loss is
10:12 am
split, but in hundreds of cases shared responsibility means the victim bears the entire loss. more than one bankruptcy has resulted. the latest lawsuit was filed just may 17th by trc. no matter whose pocket this money comes out of, this theft must stop. this crime didn't have to happen. the regulators issued guidance in october of 2005 that would have stopped the crime. even back then the solutions were inexpensive to acquire and operate, quickly implemented and had customer acceptance, but they weren't adopted in great numbers, so the regulators issued much more detailed supplemental guidance last year. if the solutions were available and the regulators told the banks to use them, why did united security bank decide last month to spend more on lawyers to defend a lawsuit than
10:13 am
the $300,000 it would have cost to reimburse trc? the answer is simple. america's small and medium-sized banks still haven't gotten the memo. why not? examples from medicine and public health show that even when life and death are at stake it takes 20 years to get new information through a medical specialty. as for educating the general public about infectious threats well enough to stop them, public health experience shows that it just can't be done. fortunately, account takeover can be stopped by the processors, the 13 big and small organizations that run online banking on behalf of the 5,000 small clients, as well as the 30 largest banks who are their own processors. weighing the alternatives, moving the risk of this crime and responsibility for solving it to the processors is the victims' first choice. the government is not in the
10:14 am
loop, but there are other solutions that would work. if banks are required to disclose the risk of online banking, then those customers could, moving online, either accept the risks, turn off online banking or move their accounts to where they are safe. i think banks would quickly turn to the processors for protection rather than admit the money isn't safe in the bank. another alternative is that if the fiduciaries of public funds, taxpayer money, like city and state treasurers, simply refused to risk taxpayer dollars by putting them in banks with the industry's losses, then those banks would do the same thing. regulation could be extended to all accounts, but i oppose this because disclosure or public fiduciary action would accomplish the same thing but in a more free-market oriented way. whatever the congress does, we urge it to do it soon before
10:15 am
there are more victims and more trust lawyers in the banking system. we must work to make cyberspace a safe neighborhood. thank you for inviting me to testify. >> thank you also for your testimony and being with us today. i thank the entire panel. we will turn to questions and in my five minutes i will start from the left and move down as far as they go. ms. cantley, you note in your testimony one of the recommendations deals with the issue of making changes to the suspicious activity report. can you dig into that a little bit and say what changes need to be done? >> i would add those have already been implemented. when the account takeover -- >> i apologize. >> that's okay. >> it's already implemented the recommendations from the account
10:16 am
takeover task force. when we look at these suspicious activity reports that the financial institutions are required to file, we noted that account takeover was not clearly labeled as a form of suspicious activity and we recommended that that be appropriately labeled, and that has been accomplished as of the end of last year. >> what is being done with that information then? >> now when financial institutions have a situation of account takeover and report it on the suspicious activity report, then we can use that to do the analysis. >> what did they do before they had that checkoff box? >> i beg your pardon? >> what was done before they had a checkoff box? >> before that it was not clear what was the method of attack, mr. garrett. so we felt it was appropriate that the industry, through the reports, would
10:17 am
reflect the volume of account takeover appropriately in the reporting process, and that would be a good method for that. >> mr. clancy might want to chime in on this. so there's talk in the testimony of you and someone else with regard to the sharing of information between the institutions and the government as well. in order to do so you have to have a high level of trust, and usually in life you want to earn trust before you execute on it. do you want to briefly talk about ways to do that, to evidence the trust and enhance ways to share that information between the level? >> check your microphone again. >> thanks. as before, mr. garrett, trust is slow to build and fast to be lost. the way we look at it in the financial sector, we started with anonymous reporting.
10:18 am
we've been essentially removing the details of who was impacted but giving the facts so others can take action based on those facts. with that community, there are some limitations, and what we have seen as we started to do this is we started to get a small volume of activity. but when the core small group of us got together who knew each other socially and professionally, we started saying here's what really happened with that report that we've made, the greater context came out and we built what we called the ring model where we had people in the center most who started out with one-to-one personal relationships and expanded the network. that community shares with full attribution: this is what happened to me, this is what we did, this is what we didn't do. we fill out the details of that and share with the broadest community in our sector and build those rings. now what we've done is build additional rings. as we have started in 2011 an inner circle, if you will, called the clearinghouse and exchange forum, which is a subgroup of people like myself and mr. graff, who are in the capital market sharing
10:19 am
information about attacks on us. as you get to know the people you are sharing with, you bring more people into that and now the network grows. it's like social media. the more friends you have, the more friends you get. >> i have a bunch of questions; i don't think i will get them all in. speaking of social media, mr. graff, i read about in the paper there's a big thing on the facebook ipo. if you want to just briefly, since you are here, tell us the information that you have with regard to that transaction reported, what the problem was, was there any cybersecurity aspect to that whatsoever? what's being done to make sure that doesn't happen again and people involved in taking care of it? >> yes, thank you, congressman. well, as i think you know, my expertise is in cybersecurity and of the trading systems. >> but you're here, so -- >> thank you, sir. what i know is the facebook ipo
10:20 am
showed us a design flaw in the methods that are used to operate the ipo. it's been used successfully for years and now we've engineered a fix for the design. we are also taking a look at the process used to develop the software tests to see if we can improve those. in terms of cybersecurity and any potential involvement with the facebook ipo, based on the information i have, which is substantial, there was no cybersecurity element in that ipo. >> thank you. additional questions, but my time has expired. i will yield to the gentle lady from new york. >> thank you. i would like to ask anybody on the panel, when there is a cyberattack how do you find out about it? do your customers tell you about it, does your internal division tell you, does the government tell
10:21 am
you? how do you find out about it and then what do you do? do you report it to the government so we are coordinating? do you report to other companies? how does it work now? we are hearing that half of the small and large companies are being attacked. how do you find out about it and then what do you do about it? >> the short answer to your question is yes, all of those sources. the reality is the financial institutions are constantly monitoring their environment for indication of attack. so, as darryl would tell you, it is his specialty and he's in the cyber intelligence, so i would defer to him as second, but there are significant investments in monitoring tools to look at the environment to determine if there are attacks under way. >> these tools that you put in place, are these standards that are required by government, are these standards that the private sector is putting in place, are there any required standards?
10:22 am
how are these standards being put in place? are some companies going far above that with new technology to protect this information? >> the primary standard that's in place is an expectation from the regulatory agencies, and it's within the glba, the gramm-leach-bliley act, to have strong risk assessment management in place. the regulation deliberately does not specify the tools that need to be used and that i think is good because it recognizes that the environment is evolving fairly rapidly and what worked yesterday might not work tomorrow. so it is largely up to the financial institutions to determine their best risk-management practices. but i would quickly add that through the collaborations that we talked about earlier, and frankly most of us at this table have worked together over
10:23 am
the last five to ten years in terms of collaborative efforts, you know, we go through the process of identifying best practices that we would use and share information on tools that have been effective in trying to enhance the industry beyond just our own institutions. and i will let him comment if you would like to. >> i think he answered that really well. i don't have to add much. >> thank you. i would like to ask mr. clancy from the depository trust and clearing corporation, you mentioned that three of the dtcc companies have received notice that they are being considered a systemically important financial markets utility under the wall street reform act, and recognizing that the new risk management standards for the fsoc are still being developed,
10:24 am
what is your expectation on the extent to which the standards will address information security issues? >> thank you. my expectation as it relates to the fsoc is they are focused very much on the financial aspects, market risk, liquidity risk and the like. it's uncertain to me whether they will delve into some of the cybersecurity issues. those are substantially held in the existing framework that the regulatory agencies have. so my expectation is that is where that will be addressed. from the dtcc perspective we look at the risks posed by the global financial system and have been working to elevate our level of control and mitigation of those types of threats. >> in a general sense, when a cyberattack occurs, do you tell your customers if private information is extracted on some of your clients? what is the standard you have?
10:25 am
i guess mr. weiss, are there laws requiring any disclosure or what exactly happens? >> if there is a breach of personally identifiable information there certainly is regulation that requires us to provide that notification to customers. >> basically what are the three things we have to do to make our country more secure? it is very unnerving to me to think that there are individuals and countries that have entire departments devoted to getting into private information on the financial markets and elsewhere, and what are the steps that private industry is taking to protect this, and i guess ms. cantley you played a role in the coordination with government. how is that coordination working? can it be improved on, how can we do better at protecting our
10:26 am
companies, our individuals and our country from this type of attack? >> thank you for that question. first off we do have a high amount of public-private information sharing as has been in the oral and written testimony. i think we can do more. we would like the government to share the threat indicators they have with us on a timely basis so that we can act on those and prevent cybercrime in our industry. we also would like to be in a position to share information safely with the government without having to go through the steps. so we would appreciate the opportunity for that to be exempted from the freedom of information act. we would like some work done in the telecommunications industry. currently the carriers are required by law to deliver everything to the end user. the government, we know, knows that some of the traffic that's on our network is malicious and if they could give
10:27 am
that to the telecommunications carriers and they could be in a position to drop it before it would be delivered to the end user, i think that would be an appropriate step forward. last, again, working internationally on legal and diplomatic levels so that when we say someone is a criminal, that individual is arrested, tried and appropriately sentenced. thank you. >> thank the gentle lady. the gentleman from arizona is now recognized. >> thank you. this is one of those occasions, it's an area of great interest and there's a thousand questions and about four minutes to do it. first let's say citi or a major institution is finding its systems under attack. someone is trying to go up and
10:28 am
down. how quickly does that get shared with others? do you share it through government, do you share it through the industry or the working groups? how quickly does the information get disseminated? >> actively it gets shared very rapidly. not automated. there are humans that need to create the e-mail messages, but it does happen frequently. so in that case, through the fs-isac and the technique from the trust and others talked about earlier, about developing this over the past decade, we have been able to create the central rings of trust to be able to share that information quickly. >> you hit a point there: many of them have had the automated notifications, we are seeing this type of mao -- malware. that isn't what works. >> the first step we've taken is to manually share information to build that
10:29 am
collaboration and developing these indicators. we've taken these steps in the past years to build on automated methods so we can share that information at network speed and protect ourselves at machine speed, so if you take the humans out of the loop and get there, it requires a significant investment and a lot of work to get there. >> how quickly is that moving? >> it's moving but it's going to take time to get there. >> from some of the organizations, is this one of the areas they are going, as automated indication and warning systems, and also it's not only the warning but here is the way to block the attack? there are systems that do that
10:30 am
blocking and many have that in place across multiple sectors. what errol is talking about in working with the government is coming up with the standard template for that information so that it feeds the systems that exist today and will come down the path, so we have a subcommittee that is addressing that to move it forward. as errol mentioned though, that is going to require a capital investment, and this is one area where i think the government could assist us because we would like to cooperate together in moving that forward faster. >> this is for anyone who would know the answer. how is the technology disparity between the money-center institutions, the financial trading platforms and my local community bank? how far behind is the local
10:31 am
community bank? are they more flexible or are they more exposed? what do you see out there across the financial world? >> if i could, let me try to address that. one thing i would like to point out is that effectively all the systems represented at this table, and in fact the systems that help congress, they are all under attack all the time at some level. in contrast to the situation just a few years ago, today internet attacks are a little bit like weather. we have a little bit more rain and less rain but generally speaking they are all under attack. i think to get to the point of your question, the larger institutions that have more sophisticated staff typically will be less susceptible to the sophisticated attacks. i think the smaller institutions
10:32 am
to the local community institutions are at a disadvantage when it comes to defending against extraordinary attacks that perhaps have taken years to develop, and this is an area that the government could assist quite effectively. >> if there is infrastructure in the organization for that information, solution, fix, patch, fix, to quickly disseminate to all of them? >> two points, there's the dissemination piece which i think the groups are working to facilitate, then there's the consumption piece, and what we found in the program is even the large complicated institutions had significant problems consuming the data at the volume and frequency at which it arrived. this will be a big challenge for the institutions because they have one or two people that do this. >> therefore the need for a sort of automated platform. >> and the service provider route, and there it is the firms that provide those institutions the financial products are good
10:33 am
ways to do that. >> i am out of time. thank you, sir. >> the gentleman yields back. >> thank you, mr. chairman, and i want to thank the witnesses for attending and helping this committee with its work. one of the hats i wear is co-chair of the task force on terrorist financing and nonproliferation. so i work a lot with the financial crimes enforcement network. they do a terrific job on our behalf, internationally on behalf of the treasury and the american people, and they've done a good job. they are working in a more limited environment than all of you. first of all, i want to try to understand -- i know that the exchanges, where you have more resources than the smaller institutions that mr. graff was talking about to protect themselves, where are we in
10:34 am
terms of where we need to be with some of the smaller institutions, these local banks? we as government have put out certain benchmarks where we want there to be at least minimal coverage and protection for some of these smaller institutions, but number one, is that enough? do we need to do more to require those smaller institutions to provide greater protection to their customers, and is there also a delta in terms of what we require the exchanges to do and where you think we need to be? perhaps you do even more. i'm sure most of the big exchanges do more than the government requires, and so i'm trying to get a fix on where we are with the smaller and larger institutions and where we need to be.
10:35 am
ms. cantley? >> thank you. speaking on behalf of the attempt to address the smaller institutions, the dtcc thinks this is more important, and in the last two years we've focused on education both for customers and the smaller institutions and we have held a number of seminars. another important step that we took, because we think it's critical to deal with the fact most of these small and medium institutions use the same processors, so we built on the authentication guidance that came out in 2005 and was updated last year, and some of our recommendations got even more prescriptive to the service providers: here are things you need to provide in your products that your institutions can take advantage of. i would also like to point out to the committee that i don't think additional regulation is the answer to this problem.
10:36 am
it is applicable to all institutions and it provides a method for dealing with these attacks in a cost-effective means for financial institutions of all sizes. >> what i'm trying to get at is i'm reading "the new york times" this morning, it's got a front-page story about the president having accelerated and amplified the cyber war we have with iran. as mr. graff has explained, it's an incremental thing. there's all these attacks, sometimes we have a shower or hurricane. but what i'm concerned about is a state actor or quasi-state actor that could bring a significant part of the economy down or the financial service sector down
10:37 am
and cause great havoc at any time but especially when we are trying to build up a recovery, and anticipating that, are we meeting that challenge? >> i think they recognized most of the institutions in the banking and finance sector were elements of the chain, represented a potential weakness, and one of the major tenets there was to be able to share incident information and threat and vulnerability information with all of those members so they can better protect themselves. that is one of the basic tenets that we have in those institutions. >> a couple of points real quickly. one thing i think would move us towards the situation you would
10:38 am
like to see in terms of preparedness is more cooperation from the computer manufacturers and software vendors in producing products that are perhaps easier to secure, and i say that as someone that used to work for a software manufacturer years ago. there's a lot of times an issue, but i think if we make the systems with fewer vulnerabilities to begin with, then especially the smaller banks and financial institutions would find themselves in a better place. i also want to point out quickly, in addition to information sharing which is paramount, we don't have time for lengthy discussions, but the supply chain problem, the threats of the supply chain attack, are really i think perhaps the most serious issue that faces us and one that will be most susceptible to help from the government. i've been helping the government sector for a long time and i think it's one where the u.s.
10:39 am
government could make the biggest assistance. >> i yield back, mr. chairman. >> thank you, mr. sherman, for being here. i have a couple questions i hope i can get in. first of all, maybe ms. cantley, you did address this a little bit, but i had a constituent call actually several years ago, a cpa, and she had her own business and she kept getting hacked and it became very costly for software. she put in other software and she would be hacked again and on and on. what are some of the cost-effective measures that small businesses can take, who do personal financial transactions online or via smart phones? how can they minimize the risk of the threat?
10:40 am
>> specifically with customers who are using laptops or workstations to conduct business, small businesses, one of the recommendations that our industry has made to these customers is you can use a dedicated computer that you do not use for surfing the internet or checking e-mails. the price of hardware and software has come down significantly, but this is a cheap insurance way for ensuring that you are safe online until, as mr. graff pointed out, the industry can get to the point where some of the software in the supply chain is more robust. but also i would like to commend companies like microsoft that have stepped up to the plate and are now producing software that can remediate millions of customers that are affected.
10:41 am
specifically to the second part of your question, smart phones and other mobile devices are an emerging risk and everyone at this table is listening to what's happening in other parts of the world and making sure that we are analyzing those threats and putting the appropriate remediations in place, and also working again on the education front to let people know of the risk. the guidance that we have, while it doesn't mention mobile phones, is applicable to that technology, so again, no more regulation or guidance is needed. we have what will work today. we will get additional guidance there. >> are you familiar with chicagofirst, something founded in 2003 by the chicago area financial organizations and was
10:42 am
to enhance the resilience of the chicago financial community and critical infrastructure overall, and they've held a number of exercises that are exploring the threats including cyber security threats and focusing on preparedness. mr. clancy? >> we are very familiar with chicagofirst. that's a reasonable question. so in the sector council we partner with organizations like chicagofirst; in fact my institution, even though we are not based in chicago, participated in a few of their exercises, and so that community is one of those circles of trust. the government is protecting the proprietary information of those voluntarily sharing security information, and the members of the european union and u.s. are in discussion
10:43 am
about this, particularly as it relates to the banks or other financial firms including insurance. have your organizations been involved in these discussions with the u.s. and international regulatory standard setting bodies? let me ask again about how does a small business entrepreneur, where do they go to get the information that they need, is there someplace -- online that they can find out? >> many have information on their website, so they have held seminars for their customers. also the fs-isac task force has put
10:44 am
together joint bulletins which we have made available to our members, so they can simply print those off and give those to their customers, and they include all the recommendations that we have for both consumers and businesses for operating safely in the online space, and as mentioned staysafeonline, which has a number of the recommendations. >> i yield back. >> i'm going to go to you first if i can, and let me say i appreciate and agree, i'm not sure that we want additional regulations, but we are concerned obviously about the cyber threat and trying to protect consumers as well. my question is what role should the government take in combating the attacks on the private sector and private systems?
10:45 am
>> i think a key role that we are looking for from the financial-services industry is that information sharing on a timely basis, as unrestricted as the government can make it. and if the government has information about foreign actors as well as software vulnerabilities, we would like to be made aware of that. >> how quickly would you like to be made aware? what would be a time frame you think would be appropriate? >> as soon as i know about it. >> mr. graff, i know you talked in your testimony before, and i mentioned before there's hundreds of thousands of attacks that have been on the financial institutions each and every day that equate to somebody ringing the doorbell. i'm not so concerned about somebody ringing the doorbell, i am concerned about somebody taking a crowbar to the window or somebody going into the back door. can you talk to me a little bit about how, for instance at
10:46 am
nasdaq, you identify these threats that are coming in? obviously there are multiple different sophisticated levels. what are you doing at nasdaq to try to identify these? >> there are several ways to approach that problem. one of the important steps is to become as aware as possible of who the potential actors are and what the most sophisticated attacks are out there, so we are interested in the kind of information sharing we were talking about today. so information first: we try to acquaint ourselves with who is attacking various financial institutions to the best we know and what tools they are using. another approach is to try to build systems that can withstand, to use your analogy, we put a
10:47 am
great deal of effort in to make sure that the critical systems are deeply isolated and are completely inaccessible from the outside except through very specific and very highly protected and regulated specialized channels for the use of exchanging and trading information. so one of the things we do then is to only allow a very narrow channel of communications to the trading systems that goes through several barriers that inspect it for appropriateness, and for example, here's a point that may not be obvious: when you are talking about regulating information that flows through a network there are two main ways you can do it. one is to constrain where the information comes from. we would call that the ip address, to be technical, and
10:48 am
another way is what kind of information comes through. we can talk about therefore what network traffic comes through. we do that both ways; we use several layers of firewalls to put the information that flows in and flows out through continually smaller and smaller filters. another point i would like to make in just a moment is that if we think of the analogy, we are trying to protect inside our houses our families and precious items we might have; it's not necessary all the time to understand all of the many ways somebody might try to get into the house. in many cases we build ourselves proof against many different attacks, even those we haven't yet anticipated, as we try to build as strong a ring of defense as we can to make sure we can successfully block the unanticipated attack as well. >> from each of your perspectives i would be interested to find out, as we
10:49 am
look at things that we are working on in the committee, what do you identify as the greatest threat you are trying to deal with right now and how can we in the united states congress help to try to draft either legislation or highlight some of the issues that are out there today? what is the threat you are trying to deal with right now in terms of cybersecurity? >> i'm going to go back and really push on the international cooperation and essentially going after the bad guys and really getting the united states to pressure the foreign governments that if the governments want to compete, if they want to participate in the global economy, the cost of entry for them to participate is the need to demonstrate that they have enacted favorable cybersecurity legislation and demonstrate that they are actively prosecuting and punishing the people that are responsible for these cybercrimes. if i can get a little bit more technical on the other side of the spectrum, the issue that we
10:50 am
worry about today is the advanced malware that we see today and the prevalence of it, and it's spreading not only to our customers' computers but also now into the mobile space that we have mentioned as well. >> mr. chairman, my time is expired and i yield back. >> thank you. thank you, mr. chairman. i appreciate all of the witnesses being here and sharing your expertise with us. ms. cantley, earlier you talked about education, and how that can help. tell me how much of this problem can be cured by good computer hygiene versus a much more active defense? >> the internet ecosystem requires a lot of players to act to make the internet a safe place for commerce. certainly good computer hygiene is important, and representative
10:51 am
maloney mentioned this in the report: we have consumers and business customers who don't patch their computers and aren't even running anti-virus software, much less anti-malware software. we have to get the message out to people that that's an important step. in the industry, telecommunications and financial have a part to play as well as the software manufacturers. >> at what point will the industry determine that they can't allow consumers who don't run anti-virus software and maybe anti-malware software to connect to your institutions and perform transactions? >> that particular step to interrogate a customer's computer to do that requires agents that an institution would have to place on a customer's
10:52 am
computer, so some institutions may choose to go down that road to make that decision. but all i would say is to go back to the guidance that we have from the ffiec to look at layered security, look at what you're doing to validate if that is the customer logging in, do you think that customer is doing that transaction, and is this transaction in keeping with that customer's pattern of behavior. so there are things that we can do without necessarily looking at the whole customer computer. >> thank you. how many institutions -- i guess this is probably for ms. cantley and the gentleman and maybe others who want to answer, how many companies use cyber insurance to protect against liability? i mean, i know it is still in its infancy.
10:53 am
what percentage of folks out there use that? >> i don't have a specific answer. we could probably get back to you. but as you noted, it is in its -- i would say its second infancy because there was talk about a decade or so ago and i think it had some issues but it's growing again. i think institutions are looking at it but i don't have an idea on the number or the specifics. >> since it didn't come up in anybody's testimony, does anybody believe cyber insurance can be an important part of creating new requirements on folks without a full law that we would pass, but a much more dynamic model to ensure the risk management is approached in a smart way like it has done on workers' compensation and other forms and issues out there? >> i would answer that in the sense i think it could be
10:54 am
helpful particularly in other sectors that may not be as regulated or may not pay as much attention to cybersecurity issues. i think it could be helpful in terms of obviously the underwriting of improvements in the process. >> thank you. several of you have mentioned the cyber intelligence sharing and protection act. does it allow you to share, the government to share information about risks with you in a way that happens soon enough or efficiently enough, and i know that it's not completely passed yet, but in its current form are there changes any of you would recommend to that bill? >> we have industry support and improvements we can make on information sharing that's
10:55 am
happening today. we've got great examples of that; we can certainly use more of it and take advantage of the private sector clearance program. dhs is another one to help get access to even more information. the things we can also do to enhance the information sharing, even between entities within the private sector, there are currently either perceived or real barriers from a legal perspective preventing some of the information sharing from happening today; we think that legislation could address those kind of issues as well. and then we also would like to see the existing ones that are working well, for example we talk a lot about the fs-isac that has a decade of trust building, we would like to see those continue to be leveraged and not place any additional hierarchy or a central clearing house above that. >> mr. chairman, my time is expired.
10:56 am
>> thank you, mr. schramm, mr. chairman. my subcommittee had a hearing a few months ago on ofr, which is a new entity created under dodd-frank to basically act as a clearinghouse or storehouse for a lot of financial data, and i was looking at some of our panelists today and probably many of you are going to be providing some of that. one of the concerns we had, and this question came out during the hearing, is how secure is all of the data that's going to be mined from the financial markets. can you kind of elaborate on your discussions and whether you have concerns about their ability to protect the data? >> i'm going to focus my
10:57 am
comments on the protection as opposed to the disclosures made. but the protection is part of the treasury and will fall under fisma that will apply. that's kind of the macro picture. we have to work out ways to send information that protect the information while it is in transit. the methods used today are somewhat ad hoc because of the ofr entity and that function. so that is an area that we need to work on, and then they need to look at from the risk assessment perspective the interest of other parties, including other nations, getting into that data and defending that level of aggression. >> thank you. mr. graff? >> you put your finger on an essential problem, which is how do we share that information securely? and there are fairly sound methods i could talk about to protect the channel, but the
10:58 am
technology is there. i think the more intense concern might be protecting it once it has arrived inside the federal networks. they are a very strong target and that is frankly a concern of ours. we want to work with the federal agencies to make sure the information that's given is sufficient but no more than the need. and also we would like assurances about the way that they protect those internal systems as well. i think that is an important problem. i'm familiar with fisma. it does encourage good security. i think there's a lot of room for improvement there, too. >> mr. weiss. >> i'm sorry, i'm not familiar with that legislation. >> i want to go back then to mr. clancy. there's multiple aspects.
10:59 am
one is the transmission of the data and second, once the data gets to the ofr, you know, how will that be protected? and i guess the third piece of it, and something the market participants have brought up, is who will then have access to that data moving forward and how they would be able to use it and access it? those are areas that you have concern? >> i think access to the data itself is one of the key questions, both in terms of the appropriateness of what is done with that data and how it is used and exported, as well as how you defend against it being misused. what we mentioned earlier is accounts are being taken over. this happens to the institutions, and so if the accounts were taken over, the access was used, someone else could potentially exploit the data that existed in those repositories. to that end, we would expect a
11:00 am
11:01 am
11:02 am
mr. manzulo. >> thank you. i've got a couple of questions as to the distinctions, if any, that occur on these cyberattacks. we're talking today about just banking online, is that correct? or are we talking about accessing of 401(k) information? how broad does this get? >> cyberattacks are across our industry. so, yes, they could be going against your checking account. they could be addressed to your 401(k). we've had insurance companies report this. so it's not just that particular isolation. >> so is a 401(k), that is
11:03 am
identified by social security number, is that correct? >> a lot of the providers used to do that practice and have moved away from it. some more aggressively than others. so the underlying sort of database entry is probably based on social security number but authentication credentials are based on data selected by the customer. >> which means it is not covered? >> well the overall account is protected but they're not using the social security number as user name to sign onto the site. >> that answers my question on it. and then the issue at one time you would write a check, take it to a bank and then not worry about covering it for a couple days. of course that has all stopped. it is done electronically. what about these electronic transfers as they were between, between banks? have these ever been hacked? that you know of?
11:04 am
>> the platforms that perform the transfers had not but the, again, the access to accounts that authorize those platforms to perform transactions, those front end systems had been targeted. >> what about social security now that mandates that, social security checks have to be deposited electronically into a person's checking account? i mean now you have a federal mandate. is that covered? have there been instances where the federal government has gone to transfer a social security recipient's monthly check into a checking account and that the money has not showed up? before it got into the actual account? >> i'm not aware of any instances of that, sir. >> the last year on my
11:05 am
e-mail account someone came in, attacked the account, put out this statement that i was, maybe judy you got it, that i was trapped in britain and needed people to send $1500 and actually got another member of congress, who is a democrat, called to see if i was okay. i thought that was very generous on his part but they took all of my addresses. and i went in there and i had to reconstruct that. is this what we're talking about, or is this more intense than this? >> we've been talking about things that cover and things that are of higher intensity. that particular example is unfortunately a common scam. what happens is that the access to your e-mail account, you were maybe at a hotel and signed in and a keylogger took your password. they're doing a technique called social engineering.
11:06 am
trying to create a context, fellow members of congress knew you were in london and, sympathetic, would have taken action to send money that they wouldn't have otherwise done. that is the underlying technique the bad guys are using, drive your behavior based on provocative messages. >> some of my colleagues would have liked me to stay in britain. i guess the broader issue really is, secretary rubin said he simply does not bank online. maybe this would be a revival for the post office if people, no, serious. we don't bank online. my wife and i don't bank online. because i have always been, sort of old-fashioned and rather put the stamp on there and get it out but i mean, mr. woodhill, until you stopped by the office yesterday, i always presumed that even commercial accounts were safe and you
11:07 am
make a reference in here to accounts from members of congress and their campaign funds. i mean how pervasive is this and should the american people really take a look at whether or not it is worthwhile banking online? >> well, congressman, that is the threat that my victims group is trying to head off. that cyberspace will become such an unsafe neighborhood that americans will just decide that they can't bank online. that my fellow panelists have made the point for me that individuals and small businesses, and your campaign fund, can't possibly have the cybersecurity expertise to secure on-line banking on their end. i further submit to you that if we make community bankers in your district become cybersecurity experts and spend their time studying fs-isac bulletins
11:08 am
instead of making loans to move our economy forward, the bad guys have won even if they don't make off with a dime. so, you're not current, your money is currently not safe at the bank except that a small number of very large banks, probably mr. weiss's, for example, that employ multilayer fraud controls and have really brilliant people monitoring them. otherwise it just matters, you know, whether you're randomly targeted like your yahoo! account was. same people that got to your yahoo! account could get, if you had commercial accounts and banking from that pc, they could get to your money. i do like the idea of buying a new pc through to do online banking as a stimulus measure however, as a 5 or
11:09 am
$600 tax on our small organizations, just for the privilege of using online banking, i'm opposed. >> thank you. >> i would have sent you money if i knew you were trapped in europe. >> but there is another one came out this past week -- >> you're trapped again? >> no, i'm not back in, stuck in britain but this one says i got to share with you, this is tv-15. people click on it and it is somebody selling a product out of their house. and i guess virus that went through again and didn't, i got back, you know, 1520, people saying you have been hacked into, i had answered a friend's e-mail and i said you've been hacked into. but i guess when i answered him, then i evidently picked up the virus myself. >> your first mistake. don't have friends. >> that is not hard when you're a politician.
11:10 am
>> miss cantley, there are a couple questions i want to run through. one was given to me by the chairman and one i have a personal interest in and let's see if i can phrase it the proper way. a bot, we often, what we do we'll shut down the server but there's legacy software still, or there is still software often out there in the world sitting on computers. my understanding is we will have, had creative souls, set up a new hijack that. how much is that mechanic because of the residency on computers around the world also a threat? >> i think that's a very large threat and if, if you would allow me to defer to mr. weiss on this question because he has been very active on the bot net takedown, sir. >> you might want to, am i phrasing it in the proper
11:11 am
mechanics? >> that is absolutely fine. let me elaborate on that a minute. just to really address that. one of the initiatives that we recently had within the financial services sector that we thought was a very proactive thing to do on behalf of our customers to help protect themselves was a partnership that the fs-isac and nacha and others from the financial services sector partnered with microsoft to go after three of the very dangerous bot nets responsible for many account takeovers we have in the industry. >> just one point of reference, when we say go after, that is actual at the server level? >> this was a civil action to go after the command-and-control infrastructure for those particular bot nets. >> my individual question, residency on individual computers and systems. >> what we normally find, when we talk a lot about all the e-mails people are clicking on. when you click on one you get infected with one of
11:12 am
these variants. more than likely not the only thing you've been infected with. so the thing that we, that we took advantage of with this takedown project, with microsoft was that now that we have the, the command-and-control infrastructure seized from the criminals, those computers are now, phoning home or beaconing back to the good guys. so instead of being under the control of the bad guys at this point those computers are -- >> what you've done is a redirect? >> exactly. and the long-term hope here is as we continue to collect forensic evidence we will at one point be able to clean those machines and get them back under the control of their owners. >> okay. interesting. there is one the chairman wanted me to ask and he does this quite often. i'm going to start -- [inaudible] quickly, tell me if you would do one thing what would it be in cybersecurity? >> well, from my particular crime, we're blessed that it is easy to stop the
11:13 am
solutions are in place, just move the responsibility as actually miss cantley spoke about to the processors. she is working with the processors to implement the guidance. my number one is actually, we've got to stop malware. if you look at all these attacks, on the pentagon, on small businesses on everybody, at the root of the attack is the fact that computers will run software that other people wrote who are not your friend and we haven't figured out, the nrs products stopped working over five years ago. we haven't gotten them working again. and the, we can't detect the latest model malware. >> so the threats of malware. >> we've got to stop malware. >> i would go with we have to keep the ball rolling on the information-sharing initiatives that we have in place today with the existing legislation that's
11:14 am
been recently passed. to give you an example there in june of 2011 the fs-isac became the third of the 18 isacs with dhs and from that point going forward we had the ability on a daily basis to share threat and vulnerability information between the sectors, partners with government. we made great strides improving the relationship between the financial services sector and our government partners. >> so threat-sharing? >> yes. >> take it one step further and say threat analysis. so a lot of data flowing back and forth. more could come from other sectors. but taking that data and analyzing it to know when you have the incident that really matters or more importantly when you see the trend that is coming out you know you need to act sooner rather than later. >> can i say threat analytics? >> yeah. >> i take a slightly different approach. i'm very concerned about to
11:15 am
reiterate the supply chain problem that is to say the possibility that computer manufacturers or other nation-states may actually be able to introduce pieces of hardware, software, into computer routers, network servers, network, even network cables to be able to manipulate the computers that way in a way individual companies really aren't equipped to detect. and there are methods inside the federal government right now in the intelligence sector working on this problem. perhaps we get benefit of those. >> extension of physical barriers. >> sir? >> speaking like fon nick walls? -- phonic. >> more problem in hardware and software but the more pernicious problem, hardware, something that appears to be a router but actually has got specialized chips in it. very earn canning. >> forgive me for going so over time. >> very simple. take the program i mentioned.
11:16 am
gsif. does sharing and threat analysis and make sure it continues and expands. >> and engage the telecommunications industry in this discussion to help. >> give me a little more definition there? >> yes, sir. our telecommunications industry because of the fact that they pass this traffic between us, between our customers and us and between other sectors are in a situation in our infrastructure where they see this traffic and if they were given the authority to dump it, that would get rid of a lot of this. >> all right. thank you. and the gentlewoman from new york. >> thank you very much and thank you to all the panelists. last year the fcc came out with a guidance that financial firms had to disclose the cost of material of cyberattacks and include a description of relevant insurance coverage to shareholders and how
11:17 am
common is the use of cyber insurance by financial institutions now? do they have this type of insurance now? can someone answer? how common is it? >> it is not very common. in my institution the question who didn't insure me against 1.66 quadrillion of transactions. that is the challenge. >> what factors are considered in determining whether or not an institution has a cyber risk? >> those same factors that are used are part of gramm-leach-bliley and socs and all the other guidelines we have are used to evaluate cyber risk and going through that application process. >> and there's been some reports about pump and dump and i would like to ask those of you in the private sector what steps have the private sector taken or federal regulators to
11:18 am
prevent so-called, pump and dump? these scams where thieves try to move the market by running up the price of a security with buy and sell orders in accounts they have taken over. how common is this practice? i've read about it in the papers. is it common, is it very uncommon? >> i don't have a sense of frequency. it certainly happens enough that there has been a group put together called the national cyber forensic training alliance in pittsburgh, pennsylvania. it is a collaboration of private sector entities and law enforcement partners where information specific to those types of crimes is shared and acted upon in law enforcement and potentially referencing back to activity work through fincen. >> i would like to ask citi, mr. weiss, your great bank was the subject of a very high-profile cyberattack in 2011. and can you tell us what changes citi has made since
11:19 am
then to protect your cybersecurity systems? what's different now? >> sure. that breach that you referenced in may of 2011 impacted our credit card operations business only and no personally identifiable information was disclosed as a result of that breach. since then we've had many lessons learned and we've invested many, a lot of millions of dollars and people's time to improve the monitoring and detection systems that we have in place today to ensure that breach, that kind of a breach does not happen again. >> okay. and i'd like to ask anyone who is familiar with their practice, sifma supports federal preemption of state laws related to breach disclosures and notification and what specific differences in state laws pose challenges for sifma and can you explain why you
11:20 am
favor preemption? >> so i'll take a first crack at that one. the issue that i think we really have, one of the major ones for us, is being able to reconcile the more than 50 different state laws and local regulations that we have to deal with when it comes to notification and it's very, it's a time-consuming process to figure out which ones apply, what notifications we have to provide, when and how much. just the consolidation to a national breach notification standard we can rely on would eliminate that administrative overhead. that burden. allow us to turn around notifications much more quickly and the confusion customers get today when they receive multiple notifications, different formats and different remediation standards. >> i would like to ask mr. woodhill. in your testimony you make it clear that you believe account takeovers continue to be a challenge at financial institutions and to what extent could regulatory changes address
11:21 am
your concerns or is legislation or what actions are needed to address the problems that you perceive are there? >> well, of course, if you read my bio you know i'm not exactly a fan of regulation. in this particular case to stop this crime by a date certain and that be close in, it appears that a small, well actually, we'll reduce the net amount of regulation because we'll take the ffiec guidance and not make these poor community bankers study it but as miss cantley said put that responsibility, those risks on their processor that is running the i.t. that is a huge organization and has a top security staff now. in one case, representative, the bank had the necessary fraud controls in place. was paying for them to the
11:22 am
processor. just was unaware of it. they were getting fraud alerts. they just didn't know to look at them and that bank has spent a million dollars on legal fees to defend the notion that they weren't responsible for transfers they were getting these red alerts from their processor about. >> my time has expired. thank you. >> thank you. chairwoman biggert. >> thank you, mr. chairman. following up on this a little bit, miss cantley, there, there's a survey described in your written testimony, noting a significant drop in commercial account takeovers between 2009 and 2010. to what do you attribute this large reduction in fraud? >> the answer may surprise you, congresswoman. when we polled our members
11:23 am
with our most recent survey, they said customer education was the most specific driver to that. >> okay. any idea about current fraud trends regarding corporate account takeovers? >> that survey was specific to a corporate account takeover. >> okay. thank you. mr. smolzer. is that right? >> yes. >> in your testimony and information sharing groups you have right there, seems like there may be too many, too many of these groups, each slightly different. so that we might have a lot of information flowing back and forth. potentially the correct information may never get to the right place. is it possible to, should we be streamlining
11:24 am
information-sharing even as we seek to improve the flow of information? >> i think the answer is probably at two levels. in terms of a lot of the initiatives that we take around best practices and improvements in resiliency, i think we do work very closely together across a number of the organizations and associations that we have and we do try to make sure that each of us is focusing on key areas and we're not wasting resources in terms of time and effort. specific to information-sharing, i think as, within our industry we're doing a good job at the sharing through the isacs, centering all the information on the isac. when we start to think about sharing between sectors and sharing between the public and private sector having some of the standards that mr. weiss mentioned earlier in terms of how that data gets formatted, how we can
11:25 am
look at it collectively will be important because i do think there's a risk that so much data will come in from so many different sources that we'll miss the answer in the analysis. we won't be able to do it well. >> thank you. and then just a quick question, we've been talking so much about what's happening, people have been be haing in or, attacking. and i think mr. clancy, early on you said something about enforcement. maybe this is beyond the scope but how many of these people get caught, and or do they, what happens? and what is the penalty and what happens? >> so i don't have a specific answer on the how many people were caught but i think the way to think of the problem the attacks happen in a time scale of seconds minutes and hours and the law enforcement activity, while very important happens on a scale of months and years. so i think the challenge we have as a sector is the
11:26 am
difference between those two points and the way you respond to them. the minute, second, hours front you have to focus on mitigation. mitigation is stopping the event from occurring, stopping it from expanding and preventing others from being similarly targeted and that's why we focus so much on information-sharing. >> would anybody else like to. i yield back. thank you. >> thank you, miss biggert. mr. stivers. >> thank you, mr. chairman. my question, i guess is for miss cantley and mr. weiss. under regulation e, the consumers get third party liability protection up to, they can't lose more than $50 for unauthorized electronic transfers and i know some people have talked about expanding that to business customers to help protect small business from these account takeovers. that would essentially shift the liability to the financial institutions.
11:27 am
and potentially i suppose make the small businesses less interested in some of their protection although i guess reg e does require them to immediately notify which maybe would benefit the system. is that a good idea or a bad idea? >> currently, commercial and small business customers are covered in every state by ucc 4-a and we feel that has stood the test of time in addressing this issue. >> what is the coverage amount under ucc? >> that the standards need to be commercially reasonable. >> mr. weiss, do you want to -- >> really nothing else to add to what michelle stated. >> looks like mr. woodhill, go ahead, sir. >> if i may. the, what commercially reasonable means, as a matter of law, has been the subject of 12 lawsuits.
11:28 am
two of them were settled for 100 cents on the dollar just as soon as the bank saw what the judge had to say in his denial of their preliminary, motion for preliminary finding for the defendant. one was actually won at least so far, by the bank. and one was won by the victim. the consensus at the big security conference this past spring, the consensus among cyber law experts was given the new 2011 guidance going forward ucc 4-a will mean that currently the banks are liable. our victims group has deep concerns about making small bankers liable for the risks that they can't really understand and they can't really manage.
11:29 am
so we would like to see those risks and responsibilities moved to these big processor organizations because, the, it's possible that small banks would have to hold additional capital against the possibility that these large demand accounts might, you know, they might get, have to do a refund because a big traps percent were fraudulent, not going back the 0 days, and this is just, this is too much for small business. too much for small banks. >> thank you very much. i yield back. >> one last, mr. manzullo will be our last questioner of the panel. i do appreciate your patience but this is an interesting area with lots and lots of areas. >> thank you. i bought a new computer a couple years ago and the store recommended x company
11:30 am
software, anti-virus and for different amounts you got different coverage. is, is stuff work? >> it works to a point. right and so the challenge has been that the attackers innovate and they run their attack software against the commercial products, all of them, not just the one you bought but the one that everybody else buys so on, so forth and they make sure their attack code is resilient to detection. so it is a cat-and-mouse game. the day they create your software and send it does the commercial you bought or free tools very often not. does it two weeks later? very much they do. there is the window of time problem very hard to address. and attackers will continue to innovate. >> but it is worthwhile to buy some type of protection? >> you're much better off with it than you are without but it is not a perfect
11:31 am
defense. >> when my account got hacked into last year and my addresses, contact lists that were stolen, i called a representative from this company. i want to give the name of the company. fairly responsible company. just wouldn't be fair to name them publicly but the lady said because the information on the e-mail account was not stored in my pc, but somewhere, i don't know if the word is the cloud or wherever else it was, is that this anti-spyware, whatever it is, was unable to protect it. you're not, maybe you can explain to me what she tried to explain to me on the phone. what happened there? >> sure. essentially what happened most probably, obviously i'm just basing on what you said,
11:32 am
is that the sign-in i.d., user name and password you use to get your mail box was compromised and the bad guy logged in from some other system to that system in the cloud to pretend they were you to send out these e-mails. right. or using a system to do that on their behalf, as opposed to actually attacking your own personal laptop or computer you're using. because the credential is stolen, right, it appeared to that mail provider as you signing in with your password so it must have been you, right? so the client tool on your pc didn't come into play because it was external to you. now it would have potentially the fact that sign-in to your e-mail account was taken in the first place if that occurred when you were using your computer or not perhaps something when you're traveling or some other machine. >> but the question is, how did your log-in i.d. and password get compromised. the typical way is because they have malware on your pc that watched you enter your user i.d. and password,
11:33 am
stole it and transmitted it to the bad guys to use in that scam. there are other attack modes however. you can recover user i.d. password on yahoo! by knowing some challenge questions that they can research about you. so there are other possibilities but almost always it is malware. >> well the reason i asked the question is that is it an option to take and download what's in the cloud now, directly on to your pc and would that make it more secure? or would that, the lady said it would actually open up everything else on the pc to that attack. >> congressman, to make it less secure because the testimony here among the experts is you can't secure your home pc. the pentagon can't secure its desktop pcs. so it would be just two places it could be
11:34 am
attacked, not just one. you could lose your pc. it could be physically stolen in a robbery of your house and then the data would be on your hard disk. >> the final question is, do you remember, i guess it still goes on with the robo calling of the telephones where computers would generate the telephone, the list of seven numbers and then, actually come up with a combination and then it will ring. do people who do this take a look at somebody's name and then try to figure out, different combinations of that? do we know -- how individual is this? in the hacking that takes place? or is it mostly on a broad based so that everybody gets hacked at one time? oh, no, that is not correct. the crystal lake school district got hacked and had $340,000 and just their district they hacked into. >> i would say both. so there what we call commodity attacks that are
11:35 am
broadly targeted based on an e-mail list that was found. whether your name is posted on a website or what not, based on people trolling the internet and looking for identity. there are targeted attacks that are very convincing, very personalized to the individual and sophisticated criminals doing that attack and feeder farm team criminals doing more commodity widespread things. so you have both. >> so then the yahoo!, my account is yahoo! or gmail, whatever it is, you really don't have your name on that address? would that be correct? such as jim woodhill@yahoo!.com? >> actually, if you look at who lost money, it's random. your school district was randomly unlucky. every time banks sign someone up, like your school district for online banking they get a kind of reverse lottery ticket that if their
11:36 am
number is selected by the criminals, they lose $300,000 as crystal lake does and so studies of the victimization patterns, it doesn't matter if your name is included or not, you're just randomly unlucky to end up with malware on their pc and get their money stolen. so those kind of things, the criminals try everything. they try every attack, every which way. so, you can't defend yourself. >> thank you. >> thank you, and thank you to the panel. this is interesting. i have a feeling we'll spend a lot more time on this subject over the next years to come. all right, the chairman notes that some members may have additional questions for this panel which they may wish to submit in writing. without objections, i'm always worried someone will walk in and just object that moment, the hearing record will remain open for 30 days to for members to submit
11:37 am
11:39 am
>> president obama left this morning for minnesota. he is going to a town called golden valley, the location of a honeywell manufacturing plant. the labor department announced this morning that the economy created far fewer jobs in the previous two months than first thought. the unemployment rate rose to 8.2% from 8.1 in april, the first increase in 11 months. even so u.s. employers created 69,000 jobs in may but that is the lowest monthly job creation in a year. president obama expects to speak about those jobs numbers at 1:10 eastern. he will urge congress to act on his to-do list, a series of jobs bills.
11:42 am
>> writing is a transactional process. writing assumes reading. it goes back to that question about a tree falling in the forest if there is no one here to hear it. if you've written a wonderful novel. one of the parts of the process you want readers to be enlarged and enriched by it and you have to, you have to pull on everything at your disposal to do that.
11:43 am
>> probably the fiercest competitor i ever written about. and i have written about presidents and generals and cronkite's desire to be the best was very, very pronounced. a house home land security subcommittee is looking into the tsa's transportation security inspection program. amtrak's police chief. john o'connor, told the subcommittee company's experience with this program has been mixed. he says it could be more efficient.
11:44 am
representatives of the association of american railroads, american trucking associations, owner operator independent drivers association and greyhound bus lines also testified at this 90-minute hearing. >> i'm trying to figure out all the gadgets. committee on homeland security subcommittee on transportation security will come to order. the committee meeting is to receive testimony on tsa surface transportation security inspection program. i want to thank all of our witnesses today for being here. i know it took a lot of time to prepare for it and be here. i do appreciate your willingness to do so. very helpful to us. less than go% of tsa's nearly $8 billion budget goes to surface. two primary reasons. aviation continues to be a major focus of our enemies. second our surface systems are inherently accessible to millions of people every day. they have to remain open for many reasons, not the least of which to keep our economy on track. no pun intended. having said that, terrorists see surface transportation as a very attractive target.
11:45 am
since we can't screen everyone and everything that gets on a train, bus or truck, intelligence sharing and detection measures are important. since 9/11 there have been many attacks against transportation systems worldwide. thankfully the work of our intelligence community and vigilance of every day citizens helped disrupt the plots. but that does not mean we can afford to lose focus. regardless of failings in providing aviation security, tsa's role is more clearly defined in that environment. on the other hand, local transit agencies and local enforcement, local law enforcement take the lead in providing security for surface transportation and so far tsa has done a good job making sure it stays that way.
11:46 am
at least one local tsa official indicated that he is always looking for things for his inspectors to do to occupy their time. number four, most surface inspectors have just two things to look for in a typical day. whether the transit system is reporting incidents to the tsa and whether there's a security person on duty. and finally, the work of these inspectors may not be as robust as reported. according to one former
11:47 am
inspector tsa management encourages inspectors to record more activities to make it look like they are busier than they really are. these findings are disturbing to me. here we have tsa hiring more surface inspectors, and yet where is the security benefit? in the last five years the budget for this program has quadrupled and in the history of the program, only one situation has resulted in punitive fines across the entire country as a result of the inspections. i've already stated tsa has a limited amount of money dedicated to surface transportation security, and there are some great programs out there, particularly the transit security grant program administered by fema that allows law enforcement to fund counterterrorism teams, canine detection and other successful initiatives. we owe it to the taxpayer to look closely at the tsa inspectors program to determine whether this is a good use of limited resources or whether the funding would be better spent on other surface initiatives designed to prevent an attack. keeping in mind that we are on
11:48 am
the safest surface transit possible today, i look forward to hearing from the industry stakeholders about the tsa, about how it can do a better job of allocating the security resources. no one has more than you do. normally right now i would yield to the ranking member for opening statements. she is tied up in the intelligence committee and will be in and out, and when she arrives we will turn to her for that. now i want to go ahead and get started with our witnesses. i will advise the members that if they have opening statements they can submit them for the record. we're pleased to have several distinguished witnesses before us today on this topic. let me remind witnesses their entire statement will appear in the record. our first witness, chief john o'connor, serves as chief of police for amtrak. he has responsibility for the development of security strategy, the implementation of security measures and the delivery of the uninformed --
11:49 am
uniformed, not uninformed, freudian slip -- investigative and special operations for amtrak. prior to his current position chief o'connor served as the chief of patrol, which followed his time as the commanding officer for amtrak's metropolitan division in new york. before joining the amtrak police department in 1998 he served with the long island railroad police department, the largest commuter railroad in the u.s., for 25 years, having risen through the ranks; he retired as the chief of police. the chair welcomes back chief o'connor and recognizes him for five minutes. >> thank you. chairman rogers and committee members, it's an honor and privilege to appear before this committee. in my opinion, the threat against surface transportation systems is as high as it has ever been. all too often, we hear news of another overseas attack in
11:50 am
this country. the institute issued a report last year which detailed the attacks on transit systems since 9/11. it listed more than 1800 attacks on the targets, resulting in over 49 other events and countless injuries. a heritage foundation report states that in the u.s. alone more than 50 terrorist plots have been since 9/11. many of them targeted the surface transportation systems. we know that al qaeda continues to urge even more attacks in its magazine as well as through skillful use of the internet. we must therefore make every reasonable effort to remain vigilant because the threat is real. amtrak's approach to providing for the security of those who depend on our system is one of prevention, partnership and participation. on the prevention side, we deploy hundreds of uniformed officers and investigators at more than
11:51 am
40 locations around the country. these efforts are all aided by special operations forces, which include one of the most skillful canine units in operation today. many of our canines have been trained at the university which developed a technique for detecting the movement through large crowds such as those found in train terminals. however, no one department can handle the enormity of the transportation security task at hand; thus our emphasis on partnership. based initially on the coalition first formed by nypd commissioner ray kelly, amtrak has worked with the tsa to form a network which now coordinates the efforts of more than 200 agencies in over 40 states to protect amtrak and local transit systems. amtrak has also been accepted as an associate member of railpol, an effort of the police
11:52 am
agencies sharing best practices to protect our respective systems. additionally, we partner closely to conduct thousands of joint baggage screening efforts throughout our system. we've also turned to our 19,000 employees in an effort to leverage their familiarity with our system. through a variety of training efforts and public outreach, we have given our employees and the public both the tools they need to identify suspicious circumstances and the means to share their observations with the proper authority. i would like to say that tsa has been a good partner, and amtrak's work with tsa has produced significant improvement in transit security. tsa has been at the forefront of many important developments including joint baggage screenings for explosives, the establishment of a peer advisory group of transit police chiefs, assisting in directing funding for infrastructure protection and
11:53 am
operational security, and the administration of the base program to assist agencies in the application of their security efforts. this is only a partial list but it's a substantial one. that being said, in today's tough economic times, i think it would be prudent to ensure that all of the tsa efforts make the best possible use of their respective budget allocations. one program in particular that i agree is worth a close examination is the surface inspector program. amtrak's experience with this program has been somewhat mixed. on the one hand, the program has been helpful to us in the assessment of the northeast corridor. on the other hand, amtrak has encountered difficulties over interpretations of regulations by different field officers. informal inquiry has revealed confusion and disconnect with tsa headquarters at times. today the program is at least partially overseen by some 58
11:54 am
security directors who often have aviation security as a higher priority in their view of their responsibilities. it is not clear to amtrak that this is the best structure for surface transportation, and it's also unclear whether the program as funded and structured continues to add value to the overall security efforts. the hope would be that the program would take on a more operational focus. in closing, i ask -- i think tsa deserves high marks for its surface transportation efforts notwithstanding improvements that could be made to the surface transportation inspector program. i have submitted a written statement for the record, and appreciate the opportunity to share these remarks and would be glad to answer any questions the committee may have. thank you. >> thank you, chief o'connor. the second witness is mr. scaap, the vice president of public safety and environment, and
11:55 am
he will be testifying on behalf of the association of american railroads. he's a 34-year veteran of the industry. prior to joining csx in 1998, he worked for the consolidated rail corporation, the philadelphia-based railroad, in a variety of capacities in the police, safety and environmental departments. the chair recognizes you for five minutes to summarize your opening statement. welcome. >> good afternoon, mr. chairman, members of the committee. i'm scott elliott and i've been a railroader for five years. i serve as vice president of public safety and environment for csx transportation, and i am responsible for the environment, hazardous materials transportation safety, our railroad police department, homeland security and industrial hygiene programs. i'm pleased to be here before you today testifying on behalf of csx and the association of american railroads on freight rail security issues in general and on the transportation security administration surface transportation inspection
11:56 am
program in particular. on the topic of post-9/11 industry security action, csx and the industry remain deeply committed to security. immediately after 9/11, and well before there was a tsa or dhs, our industry moved rapidly to voluntarily address the new threat environment and develop and implement a highly regarded, unified, risk-based approach to security. on the topic of tsa surface transportation inspectors, tsa has enacted formal regulations, and we support the goal of the regulations and are committed to full compliance. that said, we have several concerns regarding the tsa surface transportation inspection program. first, csx is troubled by the lack of consistency by surface inspectors on the regulatory requirements for moving hazardous material by rail. we frequently encounter surface inspectors who apply provisions in different ways, so that actions deemed compliant by some officers are labeled as violations that
11:57 am
produce official citations by others. this is troubling to csx as we strive to ensure consistent security practices through a network that spans 21,000 miles of track in 23 states and encompasses over 14,000 local jurisdictions. our counterparts at other railroads indicate this is not just an issue for csx. second, it is unfortunate that inspectors and enforcement efforts routinely focus on minor paperwork issues that elevate administrative errors to the level of serious infractions, generating official letters of investigation that threaten a $10,000 fine. for example, the regulation mandates chain of custody requirements for carrying toxic chemicals. we've received warnings for noncompliance with the chain of custody rule because the names of the employees were not spelled the same on the forms, because the times were off by several minutes, and because the names of the commodities were inserted in the wrong location on the form. administrative inconsistencies such as variations of spelling
11:58 am
due to the verbal exchange of names, as allowed by the law, did not present a meaningful security breach. in fact, csx has been praised by inspectors for providing flawless positive handoff of these chemicals, only to receive violations for very minor administrative errors. we believe that the lack of consistency and standardization of inspection priorities and activities is related to the tsa organizational construct. surface inspectors do not report to the tsa surface branch, to a tsa headquarters official responsible for surface transportation, or to a regional security inspector appointed to be a liaison on surface transportation issues. mr. chairman, as you noted, surface inspectors report to federal security directors whose primary focus is on aviation security. on the topic of information sharing and technology, we ask the committee to encourage tsa's ongoing efforts to improve the quality and timeliness of actionable intelligence analysis for the sector. these products will support the
11:59 am
efforts of the railroad security professionals and tsa in focusing on the truly significant threats and concerns. finally, the current tsa security regulations rely on dated and cumbersome procedures, as evidenced by the chain of custody rule. we encourage tsa to incorporate modern technology approaches that provide better, more robust security enhancements for transportation. the u.s. freight rail industry is quickly expanding its technology solutions for safety and security, and tsa needs to follow. in conclusion, we recognize the complexity of the challenges faced by the government and u.s. industry in ensuring the safe and secure movement of people and products in a post-9/11 world. we look forward to working with the committee and tsa, and we appreciate the opportunity to provide comments on this important topic. >> thank you, mr. dalia, for your testimony. our third witness, mr. philip byrd, serves as the president of the blog highway. ke