leaving his young family behind. >> and a a few moments senators examined efforts by the federal government and private industry to enhance cybersecurity. al capone, the gangster's main business was to supply a legal alcohol became an important cultural figure in the 1920s. they were very violent of course. gangs that organize with other

gangs and other gangsters and the blood ran in the streets of chicago, detroit, new york philadelphiaand philadelphia pittsburgh and other major cities across the east and the midwest. by 1925 when he is only 26 years old he gets into the business that generated $60 million annually which is equivalent to about 400 or $500 million today. his payroll included 1000 gunmen who killed at least 250 competitors of his in chicago and he was a complicated fellow. a family man several children faithful to his wife, at least that is what people heard and believed. he hosted annual block parties where he lived in chicago. he was the consumer. he wore it 11-carat diamond rings. he liked to buy and consume rich

wine and excellent food not just excellent italian food but french food as well. and also seemed like a good man and ambassador to the community as we say now. members of the senate judiciary subcommittee today examined with the government and private industry are doing to enhance cybersecurity. government officials and business leaders said progress is being made for some computers remain vulnerable. this is a little less than two hours. >> good morning. we call this hearing to order and i believe that senator graham will be joining us but in

the interest of getting underway on time we have been cleared to proceed and await his arrival during the course of the hearing. i would like to note today's hearing we will consider cyberthreats law enforcement and private-sector responses. this as press reports indicate every day it's an extremely important and timely topic, indeed i would like to add without objection to the record in this proceeding to pages from the department of defense annual report to congress that just came out saying among other things china is using its computer network exploitation capability to support intelligence collection against

the u.s. diplomatic economic and defense industrial base sectors to support u.s. national defense programs. obviously there is a lot more to this issue than that but it's an indication of the timeliness and importance of security here. technology continues to expand into every area of modern life. our power stations, our dams and as the consensus report says our industrial base are all in line and even everyday items like our cars, our home alarm systems and even our refrigerators are increasingly connected to the internet. unfortunately these innovations have been accompanied by new threats to our prosperity, to our privacy, to our intellectual property and our national

security. this subcommittee has heard previously about hackers who have taken over the webcam of unsuspecting americans computers. we have heard about tactics like anonymous using distributed service attacks against financial institutions. we have heard about criminal rings that use botnets to send spam to spend -- send spearfishing information to sell a person's credit card information or engage in scare where or ransom ware schemes to finally we heard about the bands of the persistence threat that has allowed foreign entities to steal enormous amounts of america's intellectual property and to work their way into our american critical infrastructure this hearing will consider nations law enforcement response to these threats.

our first panel will include witnesses from the department of justice and the federal bureau of investigation. we will consider their strategies to combat the broad array of cyberthreats and the resources that they have brought to bear to execute those strategies. the second panel will discuss the private sector's role in responding to these threats. it will consider a recent investigatory report based solely on public information that indicates that members of the chinese military are engaged and sophisticated and extensive cyberespionage including industrial espionage. and it will evaluate the role of the private sector in investigating preventing and responding to such crimes and intrusions. i will start this discussion by noting that the department and the fbi both already have done some important work to address the cyberthreats facing our nation. in march of 2012 for example

charges against the former head of the hactivist groups anonymous and lulzsec and for the members of anonymous lulzsec and another hacking group. earlier this year the justice department secure the conviction of a 25-year-old russian who had operated and controlled the megad.net and in april 2011 the fbi and the justice department engaged in a civil lawsuit to bring down the botnet. the justice department and the fbi have developed fbi's national cyberinvestigative joint task force and the justice department's national security cyberspecialist network. i'm glad that the department and the fbi have taken each of these important steps but much more as the departmendepartmen t concedes, needs to be done. i was disappointed to learn for example that the team that took

down the botnet was not kept together for the purpose of taking down other comparable.net. the four-star general heading of our military cybercommand has said that our country is on the losing end of the greatest transfer of wealth by illicit means in history. it is all well and good to complain about such steps of diplomatic channels but at some point we need to stop complaining and start indicting. the justice department has not indicted to my knowledge a single person for purely cyber-based trade secret theft. i am sympathetic that the justice department and the fbi lack adequate resources to respond to the severe cyber threat as the witnesses will

testify shortly. these are immensely complex and challenging cases to put together. the administration of course agrees and its 2014 budget includes a request or 60 new cyberagents in the fbi, 16 new cyberattorneys in the national security division and nine new cyberattorneys in the criminal division. as welcome as this request is to many of us, we must also ensure however that the resources are deployed wisely. accordingly i will be inquiring today if appropriate structure whether task forces or centers of excellence are being employed, whether attorneys and agents are properly dedicated to cyberwork, not just carrying the badge of the cyberattorney, and

listening to the conference call while they do their other work, whether they are tasked with goals of achievable scope and whether the attorneys and agents are properly evaluated and recognized for that work. i will close my opening remarks by adding that the law enforcement frustration and a frustration that has affected this very hearing is the unwillingness of many corporations to cooperate for fear of offending the chinese government and suffering economic retaliation. the shadow of china's heavy hand darkens the corporate world and it has even shadowed this hearing. i look forward to important discussions on our nation's response to the cyberthreats that we face.

i thank all the witnesses who are here who participate today and i will call the first panel right now. i will introduce both now so that they can move from the testimony of one to the testimony testimony of the next and we both begin with jenny durkan. ms. sub were as united states attorney for the western district of washington. she is on the attorney general's advisory committee for the united states attorney and she is the chair of the aga c. sub commit the on cybercrime and intellectual property enforcement. prior to beginning or service as u.s. attorney in 2009, ms. durkan was in private practice representing a friday of clients and civil litigation pitch is a graduate of notre dame and received her law degree from the university of washington. with her today is joseph sub

two. mr. demarest is the assistant director of cyberdivision at the federal bureau of investigation. in that role he manages over 600 employees dedicated to the investigation of national security and criminal computer intrusions. he joined joined the fbi is a special agent in 1988 and has served in a number of roles for the bureau including as a swat team leader in the new york division, as shift commander for the investigation and as assistant director of the international operations division. i welcome both of the witnesses here and before we ask you to begin your testimonial also welcome the wonderful ranking member who has demonstrated intense interest and commitment to this issue and invite him to make any opening remarks. see most of what i know about cybersecurity threat comes from

the white house which is a damning indictment to him. but i've really enjoyed working with our chairman here that i think understands the threat as well as anyone in the congress when it comes to the private sector and has the most practical solutions. i'm trying to get the private sector to voluntary standards for the liability and protection so i look forward to hearing from you. >> ms. durkan want you proceed with your testimony will obviously put your entire conference a statement in the record and if you would keep your oral statement to about five minutes that would be helpful so we can gauge in some conversation afterwards and leave time for the next panel. >> thank you. good morning mr. chairman and ranking member graham. thank you for the opportunity to testify of the department justice regarding the investigation and prosecution of cyberthreats and the resources

required to do so. i thank each of you for your leadership in this area. the articles you have written show the great grasp of the array of threats we face. as united states attorney i see the full range of threats that our communities and our nation faced. things are as sobering as the daily cyberthreats breathing that i receive. technology is changing our lives. we have witnessed the rapid growth of important business is lifesaving technology in new ways to connect our society. unfortunately the good guys are not the only innovatorinnovator s. we have also seen significant growth in the number and sophistication of bad actors exploiting the new technology. seeking profits international rings have stolen large quantities of personal data. criminal groups develop tools and techniques that disrupt their computer system. state actors and organized criminals have demonstrated a desire and and a capability to steal sensitive data and

intellectual property. one particular area of concern is the computer crimes that invade the privacy of every individual american. everyday criminals hunt for a personal and financial data which they use to commit other fraud or celtic criminals. as you will hear from the next panel for potential victims range in the tens of millions. the national security landscape is also undergone a dramatic evolution in recent years. although we have not yet experienced a devastating terrorist cyber attack we have been the victim to a range of malicious cyberactivity that are testing our defenses, targeting our valuable economic access and threatening our nation's security. there can be no doubt cyberthreats actors pose a significant risk to our national security, our communities and their economic interests. addressing these complex threats requires a unified approach that

incorporates criminal investigative tools, civil and national security authorities, diplomatic efforts, public-private partnerships and international cooperation. criminal prosecutions whether in the united states or abroad play a central and critical role in these efforts. we need to ensure that throughout the country the department of justice, investigators and prosecutors have the resources and capabilities they need to meet this evolving threat and we thank this committee for its support in those efforts. the department justice has organized itself to ensure we are in a position to aggressively address this threat. the criminal cybercrime and international property section works with the nation and white network designated as computer and intellectual property prosecutors. they are doing the work in the

field. daily our efforts to investigate and prosecute cybercrime events, the department national security division pursues national cyberthreats toure variety of means. including counterespionage and counterterrorism investigation and prosecution. recognizing the diversity of this threat last year we did -- mr. chairman you've noted the national cyberspecialist. this network brings together the full range of expertise in this area drawing experts from the national security division the u.s. attorney's office the current division of the other components. there's an there is a national security cyberspecialist designated in every united states attorney's office across the country. these combined efforts have led to great success and i hope to address some of them later here today. but despite these successes the number of intrusions continues because of the very serious made her of the cyberthreats the need to respond, the administration

has asked for enhancement of the budget to target this critical program. most of this is addressed by the fbi so we can do more ground research and additional requests of the $92.6 million from the national security division and we must address the increasing security threat and criminal divisions that we have the resources we need to deal with it internationally. mr. chairman, ranking member graham thank you for the opportunity to testify today. the the country is at at risk and there's much work to be done but we look forward to working with your committee. thank you. >> thank you very much ms. durkan. as assistant director demarest. >> i'm pleased i am pleased to appear before you today to address the cyber threat and how the fbi has responded and how we are bargaining our resources and strengthening our partnership as we combat the increasingly

sophisticated adversaries that they face in cyberspace. as a subcommittee is well aware 21st century brings with it new challenges which national security and criminal threats strike from afar through computer networks with potentially devastating consequences. these intrusions into our corporate networks and personal computers and government systems are occurring every day. such attacks pose an urgent threat to our nation's security and economy. we face significant challenges in our efforts to address and investigate cyberthreats and we are currently prioritizing our immediate and long-term needs first to teacher development in order to division ourselves for the future. we have made great progress since the cyberdivision was first created in 2002. we have seen the value of structured partnerships who worked tirelessltirelessl y to support an improvement. providing information needed to secure networks demands cooperation and cybervulnerabilities are magnified when you consider that ever connected ecosystem of the

cyberworld. we follow a one team approach in our partnerships with u.s. intelligence community law enforcement private industry and academia. we significant increase the hiring of specially trained agents analyst and computer scientist. we play cyberspecialists in key local -- global locations to facilitate the investigation of cybercrime affecting the u.s. and while we are pleased to report our progress we recognize they must be corrected if in order to effectively address the threats that we face. our nextgen cyberserved -- cyberserved to collect and analyze action information related to cyberintrusion investigation in fbi headquarters and throughout her 56 domestic field offices 400 resident agencies and with the intelligence community and law enforcement partners both domestically and overseas. implementation of the initiative is focused in four areas. firstly national cyberinvestigative joint task

force in virginia. a key part of the governmental effort is the fbi led national cyberinvestigative joint task force. this was formed and is made significant progress developing capabilities and operational coordination as well as expanding its leadership to now include increased personnel to 19 partner agencies and deputy directors from five key agencies. the second key element on this initiative is the restructuring and expansion of the fbi's network of field office cybertest forces which emulates the terrorism task force model and our counterterrorism division. just last year the fbi has established a cybertask force in each of our field offices 56 staffed by cyberspecialized agents analyst and other agency participants. in the future it each ctf for

cybercapital will continue to grow its capabilities leveraging national and develop systems investigative efforts in expanding its membership with a key focus with state and local participants. the fbi is committed to advancing the capability of our cyberworkforce and supporting the enterprise infrastructure. we established high technology environment training high-tech initiative to enhance the technical proficiency of agents professional staff and task force through on line training. the result of this efforts and increased efficiencies and improved information analysis. since the role of nextgen cyberthe fbi has expanded its abilities as a source of cyberactivities and dramatically increase the cyberintelligence reporting. last but not least the fbi is working to strengthen local and national information-sharing collaboration the investigation and intelligence operations and disruption operations. to support this we adopted an incident reporting in

collaboration with e-guardian used successfully by our counterterrorism division and cyberreporting. further we are deploying an i guardian to also report cyberincidents in a secure and efficient manner to the fbi and where leveraging intelligence from to identify and notify cybervictims. as the committee knows we have faced significant challenges in our combat of cybercrime and we are optimistic identifying strategic areas for change the fbi will position of two face criminal threats in the future. we look forward to working with the committee and the congress as a whole to determine a force to address cyberthreats and thank you once again for the information appearing before you today and i would be more than happy to take any questions you may have. >> first of all let me thank you both very much. i immensely appreciate the work you are doing.

it's a considerable honor to be selected as confirmed united states attorney and even greater when you're in that ranks to be selected to serve on the attorney general's advisory committee and your work is focused on cybercrime and cyberterrorism as the chair of the subcommittee i think is something that we should all be very proud of. agent demarest you have been working for a while and no one has more passion than you. i'm i am preaching to the choir but i do want to try to give both of the organizations a bit of a shove through this hearing to be a little bit more forward on this issue. one of the ways you measure legal outcomes is results. your testimony ms. durkan talked about the importance of prosecution both of the terrorist and the punishment and at the level of actual legal

activity does not seem to be all that great. the bot -- botnet was taken down a year ago and i'm glad they were recognized for that important piece of work. as i understand it the group cobbled together from a variety of different offices and in the inclusion of that effort it was basically allowed to just adhere back to those original offices rather than continue the process of cleaning up and attacking botnet which microsoft has done at least for that i can think of civil cases go go to court and get an order to clear botnets out of the system so it's not impossible for the justice department to have done more than one. on this side of our intellectual property theft we have i think primarily the chinese attacking

exceedingexceedingly vigorously not only our national defense infrastructure but have tried to hack into things like how how were just work and how her guidance systems work so they can imperil our military in the event that we were to end up in a military conflict with them. they are also just trying to steal stuff so they can give it to their companies so they can build it without inventing it or paying us for the intellectual property rights. that has been described as the biggest transfer of wealth in the history of humankind and to my knowledge the department has done exactly zero cases involving a pure cyberintrusion that deals with intellectual property and backed out. they have done some intellectual property theft cases where somebody left with a cd in their pocket, kind of the old-school version but they haven't done any cases yet. so the results are a little bit they don't send the signal yet to where we need to be. when you try to look at the

structure it's not clear that the structure is firmly in place for this. this has been a considerable issue for some time and yet it was last year at the expert corps began with the department of justice. your testimony ms. mandia -- durkan is developing cells, they ncijtf has a wonderful effort and i think the people who are there are doing great work but my impression of it was that they are working so hard out there just to try to figure out who is coming through the windows and trying to keep track of them and trying to warn the business that someone is now in their system that there really hasn't been the capability to sit down and take that information and turn it into a prosecution package and put it into play in the u.s. attorney's office and go and put somebody on the stands for an indictment. i'm not even aware of a grand jury interaction at this point.

so i think that thanks to your leadership the u.s. attorney's office in the department of justice and the fbi are rethinking the structure that needs to deploy this effectively if this really is a national security threat of the type that every major administration figures is a transfer of wealth and the history of humankind. we are still pretty underresourced for it when you put it up against we have the dea who deals with narcotics and atf for alcohol tobacco and firearms. where are we in terms of what are we doing about this little threat? so i want to applaud you for your own personal work on this issue but i really do want us to continue to push the department and the bureau to resource this

up and do everything we can to support your efforts to enhance the resources in the way that the budget request, at least i will firm up the structure so it's clear to the people who are on the list of doing cyberwork are in fact doing cyberwork and not just -- i have been a u.s. attorney and i know the drill. someone has to get on the phone and there is an ausa in the offices across the country listening to the call. that is not the way to fight this battle and we shouldn't really be counting it. it's a valuable function but we shouldn't be counting it as full-time. i like this notion of the threat focus cells that are being developed. tell me both of you a little bit more about the new steps, the new structure you are looking at for implementing the cyberand where on the curve between

behind the curve way behind the curve we are in terms of the resources necessary to do this? >> thank you senator. let me unpack that little bit. for some a saeb want to talk bit about results. in the last three years i have been united states attorney and served in this role on the cybercrime task force and the threat has evolved enormously but i would say also so is the department's response in our forward-looking nature. there is no one solution to cyberthreats and no one part of government can fix fix it alone. as mr. demarest said we have to have the one team approach so every aspect of government is working together and we have two work with the private sector so for example in my district we have a very strong outreach to private enterprise to see what they are doing and see with the threats are that they are seeing. if we can prosecute someone believe me we will do it and we have done it. i want to report that we have

been very good and i will use my own district as an example. in the areas of botnets some people as the conficker botnet it was one of the largest, i think the largest in the district. it was as you know a very resource intensive investigation it required multiple agencies in multiple districts in multiple countries but we were able to work with our international partners across law enforcement secret service and fbi. we took down the entire botnet at the same time in america, in several european countries. several people were arrested and several european countries and we were able to expedite in my district prosecute them and put them in jail. we have had successes and we will continue to have successes but we also understand to make is that we will not be able to prosecute her way out of it. we have to have technology answers. we have to have the department

defense, the department of state and all across government from the top down, i think every agency committed to addressing this threat. it's a big thread but i think we have great successes to report and i'm proud that we do. spevak may ask senator graham to jump in because he has to step up out for a minute to make a phonecall. >> thank you and you can continue to answer his question which i thought was a great question. from a layperson's point of view, we have a pretty robust system to deal with bank robbers, isn't that right mr. demarest? >> yes, sir. >> how many, do you have any idea how many bank robberies there were last year that the fbi was involved in? >> no, sir. hundreds. >> how many cyberthreats are there in the united states? >> hundreds, it days weeks. >> thousands if not hundreds of thousands a year? >> yes sir. >> so there are two ways you can

have money stolen from you. the guy comes in with a gun and says give me your money or someone can hack into the bank and steal your money. how many people have been prosecuted for hacking into a bank and stealing money? >> can i answer that senator? actually very many. let me as an example for our district. one of the things we saw is spiking where people would put in panel cameras and were able to take millions of dollars in many customers. we put together a task force and we were able to break down -- is a romanian ring and we prosecuted those people and had great success and a bag for period of time in my district we drove down the incidence of stemming to almost virtually zero but we did it not just a prosecution for but working with the banking industry educating the public -- >> how many people? >> their work, i will have to give you the exact number but it was the entire ring responsible for this group of fats so it was more than a dozen. >> if you can get back with me.

i know you all are doing it the job in trying to up our game but the resources we have provided over time in bank robberies, compare that to the resources we have provided over time that deal with cyberthefts. how would you equate the two? >> the threat is certainly changing so the fbi has reallocated resources in which we had in other programs internally to cyberso we significantly, we will talk about structure and the chairman's question and what we have done to develop the headquarters and national platforms in their local offices and cybertaskforces. >> do you have the resources necessary to deal with this what is the rampant theft problem? >> we are making do on what we have today. >> let's don't make do let's treat this more like donnie and clyde. remember the bonnie and clyde

the national bank robberies during the depression? that really started the fbi. it's one of the reasons it's an existence in that focus of dealing with you now crime in the 20s and 30s. do you think we have this kind of focus now ms. durkan? >> i describe it as the buggy. it is changed so much where crime on the street has gone on line. we have more violent crime and targets, victims are being targeted on targeted on line and we are addressing that threat but we still have a great threat we have to address on the streets which we are doing. it is a time where we have to allocate and realign ourselves. we need to do more and with the help of this committee in congress -- >> we need changes in our laws to make it more effective. >> yes and i think we have proposed some changes and i think there are other changes that senators have proposed in congress when they're working

with them and their staff to make sure we address it. >> in the 20s and 30s we fundamentally changed the role of the government's involvement in crimes committed across state lines and billy created elliott ness type groups. maybe it's not a good analogy but to me we seem to be having a new emerging crime wave here and when it comes to resources and legal infrastructure, would you say on an a to f rating, a being exceptionally prepared and f we are failing, where would you put us in terms of legal for structure and resources to deal with this new kind of crime? >> i think we are much better off than we were 20 years ago. i think we have aligned yourselves to address it and have successes but i think we have to make sure we are aligned also with the private industry. >> give the congress and a to f grade in law enforcement. >> i give congress always an a

grade. >> heuer the one person in the country. >> i wish you were my teacher. [laughter] how would you say are infrastructure is? >> i think today we are still facing the same threat that we face 20 years ago but now we have this parallel threat if not an an in emerging new thread in addition to the old crimes. >> that is what i'm saying. how far behind the curve is the white houses analogy regarding? >> even from the time the cyberdivision was created in 2002 to where we are today and even over the past six months or a year -- >> they need to get there quicker and wherever the congress is failing we need to up our game because if you have hundreds of bank robberies and millions of deaths and

cybertechnology it seems to me -- >> senator graham has to step out for a moment and i would like to continue this. one thing i'm going to do without objection is to put an the op-ed piece that senator graham and i wrote together into the record in this proceeding. i want you guys to know we have just confirmed a new omb director of the new director of the process of confirmation. i've spoken to both of them about this problem and about the concern that i have that you guys are good scouts and don't go beyond the envelope that omb and the white house allows you in the budget, but we have to have a discussion and sit down figure out what the plan is for dealing with this and have we really resourced enough? i've been trying for some time to get omb and the department in the room together so we can have this discussion with without

talking out of school with out omb there. i hope to do that. senator graham and i came very close to having a bipartisan agreement on the a cyberbill that fell apart unfortunately at the last minute for reasons beyond both of our control and the executive order emerged and now that the executive order is seven the landscape has been changed by that executive order we are reengaged on trying to do what needs to be done legislatively. so please work with us on this. we will provide whatever coverage you need to bring omb and so in so we could have a grown up discussions in which you don't have to be flinching from saying what earl needs are. but it is very clear to me that when you put the privacy and the criminal law of all of our individual credit card and personal information that is

being hoovered up out of the internet and actually marketed on crooked web sites where crooks can actually go and buy personal information so they can live crooked screams -- screens and you stack up on the attack on the banks that senator graham was referring to, stacked out stack that on top of the theft of so many companies secret special, confidential information that they used use to protect themselves and build their products and their own intellectual property and espionage, you throw on top of that what is being done to our defense industrial base which has both private paths and national security connotations and you throw on top of that the viruses and the worms and the programs that have been inserted into our critical infrastructure

so that the grid can be taken down, bank records could be compromised and dams can be be opened and gates and pipelines can be opened and all those types of things could take place. if you stack all that up that is a big problem. i don't want to get you in trouble for saying any more than you are authorized to put you have at least the two of us who strongly believe that we need to have our elliott ness moment on this and get ready to put the resources into this problem set and one measure of that will be when we see some significant indictments on this industrial espionage related to what the defense department is being done and related to the company is said is being done. i will give you a chance to

respond. we are having a of the back-and-forth here but i really want to push you on this. i think is wonderful as the work is that you have done they aren't there yet and we need to make sure we get there. we cannot for long been named on the losing end of the biggest transfer of wealth in human history and what that means. i see senator coons has arrived. >> go ahead. >> thank you for being here senator coons. see a very sincere and strong interest in this issue and you have worked hard with me and others to get that bill through the finish line before it fell apart, before the executive order came out so thank you very much. >> thank you senator whitehouse and thank you for your invitation to you and senator graham and so many others who

have dedicated time and effort and leadership to trying to make sure that we in the congress are doing our part. we will give ourselves a low grade for how we have done in terms of being able to bridge the differences between our parties in her chambers in terms of coming up with some functional structure for dealing with the cyber threat to our nation and i'm grateful to senator whitehouse for his persistent leadership in this very complex issue that crosses a number of committees of jurisdictjurisdict ion. in my own state senator carper chairs homes -- homeland security. let me just if i could at the outset ask a few questions. the piece of legislation i want to talk about. if you would help me understand in the run-up to some of this legislative work last year, great deal was made about our military's unique capabilities to defend the united states cyberspace in their advantages over other agencies in

government at least in terms of their capability. what unique advantages to civilian agencies or the companies that the next panel represent have been around of cybersecurity? >> one unique ability we have is going to jail and we are trying to that more but again i think our ability to investigate and prosecute i think forms a couple of important things. number one we deter further activity and believe me when we are able to extradite someone who is a foreign national vacationing in a different jurisdiction and we arrest them and bring them to seattle and put them in jail it sends a message. we try to disrupt because we don't have the capability to put a all the bad actors in jails as part of our strategy has to do be to disrupt the activity and he where the where we can do it. the third is hold people accountable which we are trying to do more and more.

i think the unique capabilities we have this in our system we have the ability through the grand jury process and the subpoena process to get information that others don't have. again looking at the department of defense we have to use a whole government approach. senator whitehouse is exactly right. the nature of this threat frankly cannot be overstated but it cannot be answered by any one part of government or governmental alone. it has to be a private sector diplomatic efforts in their civilian efforts to prosecute people. >> senator coons the fbi is uniquely positioned in making statutory authority so the program we have within the fbi that looks across criminal counterintelligence and counterterrorism so we are able to incorporate the subject matter expertise for each of those divisions. looking at the various threats. just one area being counterintelligence is a broad

array and again getting back to the jurisdiction dod plays a key role along with nsa and the intelligence community writ large and along with homeland security. >> thank you for those answers and i agree with you in particular in a democracy facing what is a broadly distributed threat, its origins not completely clear and it is not always nation-states and not always attributable to a specific foreign actors. his cybercrime and cyberthreats come from a wide range of sources and manifest in our country in a very wide range of impacts of the ability to complement the defense capabilities with agencies that have broad jurisdiction and the capabilities to investigate, to deter and imprison victims is a different response than the defense department. i just wanted to comment if i could in my remaining minutes that when it comes to doing comparably broad things that

deal with both domestic disorder or natural disaster or confronting foreign threats the national guard has a broad range of capabilities in its legal authorization and tactical capabilities and its strategic role a fairly broad range of capabilities so a number of us senators gillibrand and vitter have introduced the cyberwar act which among other things would get governors the capability to order cybercapable guardsmen to support and train local law enforcement to leverage the expertise they have for the military training and their civilian careers. my own home state happens at the capable network which allows us to tap into the skills and abilities of a fairly sophisticated data centers operated by the advance elements of the financial services committee headquartered in delaware and also through the national guard service adjuncts

to the nsa. i think this sort of function and this particular legislative authorization would be helpful to doj and the fbi as well because it can help the map more capable better prepared state and local partners. i certainly welcome recommendations or comments from you or from the other witnesses on the next panel. we will be holding a law enforcement caucus in june and i'm grateful to senator whitehouse for the chance to contribute to this hearing this morning. thank you. >> thank you senator coons. we in rhode island also have a cyberweighing in the rhode island guard and i look forward to working with you on your legislation. i think it's a very valuable thought. it is important for the record in this proceeding to reflect that when you move from our local guard and reserve capabilities to our military and from there to our active-duty military and from there to our

intelligence services. there are increasing restrictions and concerns about taking action within the continental united states particularly where it involves american companies and individuals and so that is i think a particular reason why our law enforcement and why some portly look at this domestically. we are joined by senator klobuchar a former prosecutor herself. delighted to recognize her. >> thank you very much mr. chairman of thank you to both are witnesses. i was listening to senator coons and thinking about back to when i did my job for eight years in an office of foreign to people. two levels of issues with computer crime and cybercrime. one was officers despite their best efforts just didn't have the training so we had cases where they were going to room and turn on the computer and erase everything on it because that is how it was rigged to do and it happened a number of times. the second thing we are second per-capita for fortune 500

companies to be targeted like by companies like 3m and u.s. bank. so i see how challenging the situation is and how is a local prosecutor we simply didn't have the resources or the know-how to handle some of those cases when they would come out and handled by the u.s. attorney's office. my first question is -- that goes to you ms. durkan, and thank you for your good work. what is the best model of how we go forward and how we get them trained? >> that's an excellent question and again the partnership with local law enforcement is critical to our success is working both with the secret service and electronic crimes task force and the fbi task force. we have great successes in that field. the key to it is training and we have worked to make sure that we afford not just with task force officers but forensic people who can handle it in education of the public.

an example of the success that has worked to my district is we had a very small family restaurant that was at attack by someone in maryland who was appointed salesperson. he stole many many credit cards. he sold them to someone in romania a citizen of another person who posted them for carting side and then they work purchased by a gang affiliated group in los angeles. throughout investigation we were able to arrest the person in maryland, charge and extradite the person in romania and so we got all three levels of that. we did it working with the local law enforcement task force officers and secret service and the fbi who all played a part in those and other investigations of it is a critical part of it. the training also, we look at our training for lawyers. we have worked to make sure that not just our shift lawyers are trained in cyberactivities but other lawyers have that experience. we have a national advocacy center in south carolina and one

of the conferencconferenc s even in this difficult time is we made sure we went forward with was our cyberconference. we have to make sure prosecutors are trained in our local law enforcement is trained in the public is educated. >> i think that is part of it especially small businesses aren't going to have the resources of a u.s. bank in minnesota. i think that would be a good idea because i think they are starting to be victims as well and they just don't have the resources. see that is absolutely right and the if it wouldn't come forward if we would have had that case. it's also enable us to do our job. >> my next question is a cloud computing area of the fact that our cases are becoming more and more sophisticated as you know. the evidence evaporates are a lot quicker than a paper trail making it difficult for law enforcement to investigate the crime and another challenge is that the evidence is

incriminating information it a distorted mcleod out of the jurisdiction of united states. i had a bill on this and is floating out there like the clouds as we try to deal with some of those cyberpills that i think are important. can you comment on the challenges of the lifetime of evidence cybersecurity crime and the possibility that the evidence could be outside of the jurisdiction of united states. >> it's a very good likelihood that it will be outside of the jurisdiction of the united states. it presents many challenges and depending on which country the evidence may lie, a relationship that country and investigative agencies of that country as well so it does presents several challenges on that front. see what would be the best way to try to get data? would it be agreements with other countries? is there something we can put in the law that would create a structure for those agreements? >> i think the agreements and as far as what law or change we

could possibly put in place to better circumstances working with our foreign partners. >> i think it's all of the above senator that you mention. you will notice one of the budget increases we have asked for is to have additional prosecutors overseas. we have seen more and more of these cases arrive on international soil. our partnerships with foreign nations with europe and particularly has increased but we need more people there. we also have the convention which has more and more international partners to make sure we can get the evidence that we need but they can get the evidence from our country that they need there so we have to do all those things. >> we have increased our footprint overseas by three offices that will be short if it doesn't key locations. >> thank you. appreciate it. >> senator graham had his time interrupted both by me and a call he had to take so let me turned to him and give him a fresh starts.

>> just very quickly we are facing law enforcement for people stealing our property and internet -- intellectual property and stealing our money and everything else. but on the nation-state national security counterterrorism after 9/11 the fbi has two missions counterterrorism as well as traditional law enforcement. are there are clear rules of engagement that exist today that would allow the fbi and the cia and department of defense to engage the nation-state that has committed a cyber attack under the laws of war? >> there has been a lot of discussion and a lot of coordination and -- >> that means no. >> i'm sorry the question against senator? >> are there any rules of engagement? amin has anybody sat down and

said this event would be considered a nation-state cyber attack allowing us to respond outside the law enforcement model. our chinese friends seem to be hell-bent on stealing anything they can get their hands on here in america rather than developing it in their own time but i am more worried about what they could or other nationstates not just china other terrorist organizations could do to our ability to defend ourselves. do you worry about a cyber9/11? >> again depending on this extremely complex issue and what you may be referring who are looking at in different motivations. >> is a possible that new cybertechnology could create a 9/11 type event on america? >> it is possible that they could cause significant damage

and destruction through cyber. it's possible. >> what kinds of things would be possible? >> if you look at access to ics or data systems, you get access to oil and energy and the systems that control key networks or critical networks. that could cause significant damage and whether it be long-lasting or shirt -- short-term. >> could it disrupt military operations? >> i'm not sure, sir. >> would you like to take a crack at that? >> i think senator graham if you look at the range of threats, this is what keeps me up at night. part of the questions have to go to general alexander but i think if you look at the range, anything with intelligence can be hacked so you have everything from one rogue actor to state actors to criminal organizations and there are people who work to get that done.

that is why the department of justice is part of the solution but it's not the whole solution and began private enterprise is developing better security mechanisms and better technologies. going back to robbing banks when banks were set up they did not all have ours and they didn't have cameras and private companies are determining technology. they have developed to provide part of that solution. >> how we can go after bad actors, are you familiar with the counterterrorism threats? are you familiar both of you? >> yes sir. >> yes sir. >> how would you rate our infrastruinfrastru cture system on the counterterrorism and national security side to protect us against people who don't want to steal money but want to do more damage? >> i think based on those threats 9/11 we lost part of the response to that in new york and your headquarters, think it's a much more developed model that

the community has an addressing counterterrorism issues. >> further down the road. >> i think we are further down the road. >> absolutely. >> i think we will get their senator. >> if i could just use one example come the national security cyberspecialists while it sounds like another government alphabet soup one thing we realize in the study is there a cyberevent or we get intelligence that is going to be, who do we call? do we call the cyberlawyer and do we have cyberclearances? do we call the anti-terrorism lawyers who may not have the cyberexperience? that is what we are trying to do is make sure we have the appropriate people in every office and the best expertise we can hear to give to the field. ..

it will help as senator graham and myself and arguing with their colleagues birthdays if we have more than the conclusory statement these are complex difficult required to capabilities wideout a bit of a case study or example that makes the case further. that would be helpful to assess the perceived.

the second thing is the discussion about resources and structure of budgets and i look forward to continuing the discussion with the new omb director in your department and bureau. separate from that i think we can make some progress on your capabilities and authorities and safeguards and taking out these bot nets. i asked you for your commitment to work with us in drafting appropriate legislation that will allow you to have more authority and proper safeguards is to go after future contactors. but you do that? >> upsala, senator. >> when they close by thanking both of you for your service and passion in this area. i am pleased people like you are in our government service and if

you detect a note of impatience from mice of an senator graham comes with recognition or praise a very, very large bureaucracies that don't always know with great alacrity and sometimes it's our job to give them a bit of a shot, but it reflects on interview for folks recognize problems that. thank you very much. we'll take a minute to call up the new panel. [inaudible conversations] >> let me thank our private are represented as for being here. kevin mandia he founded in 2004 to help private organizations

detect and respond to and contain computer intrusions. when you find out you've been hacked, you're going to call? ghostbusters. that is what mandia does. he began his career in the u.s. air force in which he served also in the air force as a computer security officer of cybercrime investigator has decreased in lafayette college and george washington university and is touched at carnegie mellon university's. i may stop there and i will call on kevin. back in our earlier legislative process, senator graham and i tagger mikulski and others organized a series of classified briefings for senators to bring them more into awareness of what was going on in the field in your gracious enough to come and make one of his presentations

and there is a very effective on and i want to thank you for that. i ask you to proceed with your testimony and then all introduce the other witnesses as they're called to get >> thank you, mr. chairman. and ranking member graham. today american companies will be under c-span many types of attacks. criminal economic espionage appear to be an attack that a sophisticated economic espionage attacks. many try to counter threats come at the end of the day there is a security gap would need to close appear together to talk about three things. my security gap exists, with the private sector is doing and how mind worsening can help in regards to the security tab. the reason the cap access is their government resources hacking our private sector come is simply an unfair balance for a period for cover moisture to

hack the private sector and other countries, but be very successful. i was like that too is champion mike and my grandmother. mandy and point that out with a report in february this year released a report to the public that shows members of the pla targeting the private sector in the united states. the second reason is that gap and cybersecurity is for the first time in history that i'm aware of pities to be one when systems were targeted, nobody knew who used that system. but today, the cybersecurity tax or human target and they also showed that in our ept one report at the pla is recruiting english-speaking people so they can send innocuous looking a mouse but in fact this e-mail to seek information in them and report to be from someone they are not from our compromise

systems. we haven't figured out technically had a patch the human trust. third reason is that government entity compromising u.s. private sector are compromising supply chain. we have the big companies that have immature security program so that the security program is bolstered ministers reject any tax, they go down the supply chain with smaller organizations that have hundreds of folks and no cybersecurity posture. for a threesome at the security gap is because the sampling imbalance. it only takes one attacker to create work for thousands if not hundreds of thousands of defenders. it's been imbalance in the expertise required. another reason is simply no repercussion to hack in its infrastructure from certain dave harper's for safe havens such as china, russia, north korea and

iran countries that have greasers is with impunity do not fear any repercussions. we have a lack of resources. in short technology vastly outpace his ability and willingness to secure it. so what are companies doing? companies to where they are compromised and do some -- really adopting technologies and hiring expertise to defend. senator, you mentioned lublin to oppose china come in my experience most of the private sector takes it seriously when they cut a breach from china to do everything on the technical front to bolster safeguards and the fear and unwillingness as a public admission as to what happens based on the fear shareholder value repercussion and at the same time frame because the economic gains can be so great. it's a tough issue. make no mistake in the

cybersecurity side, folks who a lot in the private sector when they are aware of the regional resources to do something about it. a lot of companies are pretty aware of the security breach making important intellectual property for a country that they don't have the defense is to it. those are beholden to standard legislation or regulations to create security posture and it has been my experience if your sole driver for security is some kind of compliance, the compliance does not prevent the attacks we see. so what can we do about it? what can the fbi one person into the hope? average to american companies have been compromised with records. two thirds r. baker party appeared if we do it we can and that could be the dod, intel community, but i think communications from the fbi.

the fbi narrows the gap and notifies quicker to eliminate impacts and consequences breaches. for private industry will not win the battles in cyberspace, if we share that information in a codified manner, what you see is limit the impact of the breaches consequences and build to share the information and law enforcement can do that. by establishing a system where private sector share proactively and is a threat information, america will put a cyberdefense dynamic. no one gets any smarter for breaches today. but that i thank you for the opportunity to share with you. >> our next witness is stewart baker, partner at dacula johnston in washington paper in 2005 to 2009 was policy at the early stages for homeland security effort intelligence lawyer mr. baker has been

general counsel to the national security agency and the commission that investigated weapons of mass destruction intelligence failures that took place prior to the iraq war. mr. baker, welcome. thank you. [inaudible] >> -- and turn the question throughout the fbi and justice department could be should be. i will not spend too much time as kevin demonstrated. we are not likely to defend our way out of this problem. the defense played a part on an supportive of the legislation and executive order, but it is not enough. it's as though we saw the street crime problem by telling pedestrians to buy a better body armor for year. that's not a complete solution. we have to find criminals and deter them. i don't have to preach to read

the review about the of that. but in thinking about that the real question is how can we best reached the threats and the struggling to americans today, which is the government protect the attackers and mary seems to me both the justice department and the fbi suffer from a lack of imagination authorities and lack of imagination respect to resources. with respect to authority, the idea of prosecuting, most of the people attacking us in deep but unlikely of many to additional mechanisms for deterring the activity. the administration is doing naming and shaming. but we should be using our visa authorities to say if you participate, if you train hackers in a country if you

hire hackers after they finish their tour of duty in the government, you have to cooperate investigation so you are not going to give visas to come to the united states. same thing is true for the treasury department, which designates nationals without we will not do business. we don't do business with bad human rights in russia or belarus. we don't do business with people engaged in conflict diamond transactions. we should take at least much care to protect against people abusing human rights rate here by breaking into computers of dissidents and ordinary citizens. we should use those tools as well. i see senator mccain, senator levin on the senator coburn of the matter rockefeller have introduced a bill that goes down this road looking for tools to detert government-sponsored attacks. just the names of cosponsors

gives me a lot of hope and the approach of looking for handles to detert the beneficiaries of this espionage is for pursuing. that may turn out to the question of resources, which is profound and probably not so football and our current energy situation. you know, chairman white house talked about the gts that notifies people about attacks on their networks. this is enormously effective because many people do not know they've been exploited for months. at the end of the day an effort with clients who have this experience. the fbi's role is to basically figure out if someone has been compromised and tell them and give them a little advice but frankly after that it is like not having somebody tell you your bicycle has been stolen.

you're not going to get a lot of help from the tracking down because they don't have enough cops to do it in the fbi will not be able to help the companies they are notifying. what happens is after they put a few person days into that investigation made to notice, the company is largely on its own and they hire somebody and they begin a process of spending hundreds of thousands of dollars, sometimes millions of dollars to get the attackers out of their network and figure out who is attacking them. we know from the kinds of work being the end has done that they gather information on who is attacking a particular client they have. we should be working much more effectively to utilize that information to build it into mechanisms that deter the

attackers by outing on. the biggest problem i think we face there is even our resources are enormous and the private dexter and well focused on particular attacks, we do not let individuals under attack for the people they've hired will be on the can on their network in a few networks that cooperate voluntarily inside the united states. i am not calling for vigilanteism. i am not calling for a winch mounts, but we need to find a way to care for ensuing investigations at the ready to go network under some guidance from the just this department said they are not doing harm but they can go to the networks are the hackers are storing

their stored data, traits you achieve to gather enough evidence to prosecute these guys. my deepest disappointment and the reason pulling my money into the justice department at this point is a dubious proposition is the justice department's reaction has been to deplore as much cold water to say we think it's a bad policy idea and probably illegal, so they are deterring companies that investigate the people attacked in them and provide input to the government and say you can get it to us but what made him take you inside of the. my suggestion would be refined mechanisms to provide the oversight necessary so why not just letting people wander around in the dark but people who know what they're doing can carry out investigations and pursue attackers to what is their safe haven in another

country. if we don't do that come will never get to the bottom. >> finally thank you for being here and so much symantec has done to be hopeful in our process of trying to get to legislation. >> thank you. chairman white house -- >> your microphone might need to be turned on. >> chairman white house ranking member graham, it's my pleasure to testify before you today. my name is cheri mcguire and vice president for global government affairs. >> i should've done a more complete introduction. ms. mcguire serving capacities that department of homeland security including act as director and deputy or at the national division in the u.s. search. she comes not only with experience at symantec and i'm sorry i lamented that. he is perceived.

>> thank you rematch. says semantic is developing security software may have over 31 years and management technology. today we have employees in more than 50 countries and more than 21,000 that does. in particular, that you mentioned global intelligence network what is comprised of 69 million in method 200 countries were required which gives status incredible insight into the landscape. every daily process more than 3 billion messages and 1.4 billion web request of 14 data centers. these resources capture what red

security intelligence data gives analysts a few of the internet threat landscape. a few key findings i would like to share with you including 2012 we saw 42% rise in targeted tax and 93 million identities exposed through simple error. we estimate there were 3.4 computers worldwide and one in seven or 15% were located in the united states. we saw a rise in the threats to mobile devices. a disturbing trend is the expansion of what we refer to this watering hole attacks. these are attackers to compromise set up on risks affection. criminals off indiana's to distribute ran somewhere, i type

of noller -- a type of malicious software that locks the user's computer, displays a fake fbi warning and attempts to extort money from the user in return for unlocking the computer which by the way doesn't get on mott even after the user pays the extortion. symantec participates organizations as part of our global commitment to fighting cybercrime as well as numerous public-private partnerships in the u.s. abroad to address these and other cyberthreats. just a few of these partnerships include the north ever security institute, national shaver is a shining lance, fbi h. ricard, u.s. acres service and interpol. i provided more information about each of these admitted in testimony, but if you want to highlight a few.

for example, two years to reestablish the norton cybersecurity and figure to address critical shortage of investigators, prosecutors and judges adequately trained to handle complex ever come this. through the institute be coordinated and sponsored technical training for law enforcement globally. we also publish the annual american cybercrime report, one of the largest cybercrime studies and interviews with 15,000 users globally. another example of a too high as the national forensics and training alliance includes more than 80 industry partners and provide real-time cyberthreat intelligence to help identify threats and actors which is in a key player in the fight against financial sector intrusions that have occurred recently. these partnerships of the two notable successes in one example of this year at the dam atoll.net which compromised

computers or criminal activity such as identity theft in click fraud. this is the culmination of a multiyear investigation. many say it takes far too long to complete these investigations and demonstrates what can be done with the private industry and law enforcement turn forces to go after cybercrime networks. have us a detailed similar successes mentioned earlier in other testimony today. unfortunately come examples highlight how much needs to be done. while recent come prosecutions and takedowns as chairman white house described in her opening statement, undoubtedly more marcher ring operating today in the relative cases like these is not because the government does not want to pursue them for the criminals are not out there. the investigators and prosecutors are quite willing and many in the private sector are eager to help.

the cybercrime cases require highly technical understanding is so astute knowledge of multi-jurisdictional legal issues here there's simply not enough investigators with this technical training to keep up with the cybercriminals. there is a low bar for deterrence. we are commanded to secure and anonymous critical infrastructure as well as data across a club and will continue to work with governments and industry ennui cities of their thank you for the opportunity to testify. i'm happy to answer any questions. >> thank you. i'm going to turn immediately to senator graham as his schedule is starting to tug at him and i'll be here until the end of the hearing. senator graham, thank you again for being the ranking member on

this and the intensity of your effort at protecting our nation in a variety of areas particularly the cyberarea. >> thank you, mr. chairman. enjoy the easy question. you're about to embark upon. i really have learned a lot from senator white house and the witness is today. just to keep this saturday 30,000-foot level, two mr. baker, do you agree china as a nationstate is that only involved in hacking into u.s. databases, banks stealing intellectual property, is that a fair statement? >> yes, i would agree. >> could you give me two pages of why you say yes and i'll take it to the chinese ambassador and ask them to give me a response. >> octavio about 100 pages sir.

>> which will be consolidated. >> absolutely. comments company has done the most feared >> breccia? >> russia is harder to identify as a country. >> would you say china is number one? >> china is the number one and my country doubles in size every year. >> china by far in terms of volume is the most aggressive. >> who was second? >> there is a battle for second. >> in the top five. >> at alliance for safe harbors. middle eastern organizations emerging. china first, russia's second but my opinion the rules of engagement between russia and america is almost like we worked it out. russians only hacker government.

trainees are like a tank in a cornfield and there's an enormous gap between china first, russia's second but there's competition there. research as he attacks out of the middle east more. >> in the top-five. will try to do something about this. will try to put nation states on notice that if you continue to do this, you'll pay a price. these are programs are all kind of tools available as politicians appear to put the bad actors on notice and maybe the immigration bill with the good opportunity to see that. when it comes to cyber9/11, i've got two minutes and 20 seconds. could you describe what you think a cyber9/11 could look like? >> very briefly to break into a network, you can probably break

it. no networks in the united states have not been broken into. all of them can be attacked. you commit to the equipment that runs on that here we demonstrate that when i say dhs just offending code, we burned it up and so the real risk here is an attacker could break into industrial systems and rack pipelines, refineries water and sewage. new york city without all of those things would be an unpleasant plays. it will be worse than 9/11. >> i think it's complex to determine what will happen when somebody tries to bring down an electric grid. from the attackers perspective you get unpredictable results. during the super bowl, everybody was like with a cyber?

two things. one, we should see mmic shots across the bow before it happens. i don't think the first attack will be noticed. the catch is if it does happen it's going to come from a third-grade classroom in mississippi somewhere. it's an ip address in the states are a human operator here in the states, british open there. hopefully we have controls in place to know who did it because deterrence for that is outside of the cyberdomain. >> you mentioned law enforcement resources model. how would you rate the infrastructure and providing tools necessary to go out and attack favorite fast and creepy turn about a resource in point view? how advanced our requite >> is a great friend hus.

>> legal once restructuring the resources available to our government to fight cybercrime. >> from a standpoint of legal infrastructure, we have a strong legal infrastructure, so it's been a quiet to address cybercrime in my opening statement is something we need to play catch up with. we just don't have a number of investigators, prosecutors. >> it is a wish list of what we need to get to where we want to be. >> we clearly need more investigators, prosecutors equipped and trained with the necessary skills to address these actions. that is a pretty big gap we have today. the folks out here would say they are overworked and can't keep up with the volume they are being presented with every day.

>> given the threat and given the focus, is very big gap there? he mentioned the security tab. is there a gap between the threat we face as a nation and the amount of is we are supplying to the threat to meet the threat? how big is that gap? >> i don't know if i could quantify how large the gap is but suffice to say there is a gap. the significant gap. we are not put enough resources against this today. what you mentioned about the way we approach burglars and robbers do not put the same emphasis on cybercriminal and cybercrime act to be today in this country ever making progress, but we've got a long way to go to catch up. >> thank you senator graham.

let me do a couple follow-ups. first of all mr. mandia, when you mentioned that a big attack might very well come through a clustered in mississippi or through somebody's individual computer come you didn't mean to be originated there. you were referring to an attack overs these that would've come through a slate computer there so it would look as if that was a source. clearly that's the level of sophistication enemies operate at is that they could slave in mississippi classroom computer and use that to the directx to the critical infrastructure. >> professor the case. unless every attack is high points in between but these attacks are coming straight out of china into the handpicked him. they are routed through a vulnerable site in the real challenge we have is the protocols -- nothing looks bad

about the traffic termination fee to third-grade class or mississippi. it's normal access. it looks bad from the classroom to the real target. it's very complicated to prevent that. >> you mentioned china and russia. if you look at what we call for want of a better word the word developed from advanced persistent threats versus botnets and crime efforts. much on the direction of advanced assistant brad into tacky intellectual property and trying to insert potential sabotage from a cybersabotage into systems and not so much

engaged in that activity from the russian side both official and criminal network that to be and that is much more involved in stealing and spamming. so there are two different problems depending on the source. is that correct? >> at the highest level, i think it is a consumer problem not necessarily an enterprise problem, the companies have to deal with it. but the targeted attacks, the criminal element uses. economic espionage, most of those are targeted attacks and sophisticated attacks. >> provider to correctly in your testimony, he said two thirds of the time when you respond to a company that is such we've been hacked, they had no idea they'd been hacked until some

government agency warned them often the fbi. usually the department of homeland security. there is a time not too long ago and i'm just using my recollection now when my recollection is both your company and the fbi operation indicated when i went out 90% of the time they were the bearers of bad news to companies that had no idea. a little bit like the u.s. chamber of commerce which while busily hacking efforts to get legislation in this place, also had basically the chinese throughout other systems right down to the fingernails for months and months and had no clue about that until the government came and told them you do not.

has it shifted from 90% to two thirds? is my memory failing me? >> i wouldn't even equate it to awareness. when mandia reports that, i've been responding to cheney's intruders since 1996. over time it's no longer the first time you learn you learned to compromise these folks. when you go through your second or third trail have been compliments come in general security posture gets to appoint read detective yourself. i think that's just a few because last year we torture for 90%. it's been over 90% third-party notification since 1998 for the customers have service. this is the first tip because we respond for the second or third or fourth time to organizations detect it themselves because

they lived through the first week of call from him for his men. >> would you describe the companies he provides services to its operating critical infrastructure in america? >> yes. i mean, the critical infrastructure demarcation line is harder to find commended the answer is yes. >> do you see any difference among companies who operate critical infrastructure? are they demonstrably and noticeably better at this? at a faraway than 90% or more less like any other company? >> it's my experience that there's a regulation or standard imposed by your industry for security is in fact better in general than organizations that may be fall through the cracks of all the hodgepodge of legislation and regulations out there. a regulated industry in general, your security is better.

>> let's talk what we can do to increase security for critical infrastructure. let me ask ms. maguire and mr. baker. this is the department of homeland security's task for some time to develop better defenses in the critical infrastructure sectors. we've heard from both of you that the word dynamic keeps popping up. this is a very dynamic threat. if we set xyz strategy or xyz technology is the mandated defense, within a week or month or year, that would be obsolete and i would be holding companies back from doing what they need to do because we require them to certain obsolete technology. passive receptor requirements in

a static way. so what is your recommendation to how we might go about accomplishing what mandiant suggests which is standard so that we need to have them for critical infrastructure. at the same time the dynamic capability necessary to make this evolving threat. ms. mcguire, then mr. baker. >> keypoint is this is not detect knowledges solution issue. you can't just fix this with technology it has to be a multipronged approach. it goes across all areas of the business. >> you can tell when a company house and when they don't. the fact it's not just a technological solution doesn't mean there isn't a best solution

out there, correct? >> absolutely. first and foremost you got to have it all she properly deployed and up to date to be your line of defense. in most cases they catch most of those threads. back to mr. mandia's point, in the case of a sophisticated attacker that is well resourced that has deep roots for sponsorship we will not be able to address those types of fats. what happens if a masher standard risk management approach. the guy to address this through, and risk management principles that includes a technology training of personnel and

critical infrastructure owners and operators the threat is real. they are starting to get that now that we have more high profile conversations with the events in the past as well as the recent saudi aramco issue with 30,000 devices they are. starting to have awareness and a surge around the importance of it. a couple other areas as information sharing. it's not the be-all end-all, but certainly can help with the morning and preparedness of those critical infrastructure owners and operators in the comments to her question always comes up and i see mention they need to be dynamic and flexible

enough to the modern up-to-date technologies to be implemented. having a common standard that are being worked on through the executive order right now but hopefully will raise the bar across all industries, that will go a long way. still remains to be seen, but that is a positive step forward. >> , we can't resolve this with technology, regulation is not the greatest tool because as we've seen come in the you keep doing changing faster than the regulators identify the things they need to be done and start imposing sanctions. people want to pursue security themselves appear regulatory solution will solve the problem. the good news is there's a way to think. >> perhaps measures that pursuit rather than solution.

>> the pentacle gate bridge, they never stopped. they get together and go back and start pinning over again. that's probably our best. conservatives attacking me what type xip using now unlikely to use? how do i stop this type takes any say okay now that i implement that, who was attacking me and what tools are they going to use now? you just lather rinse repeat. that process is probably the only thing you could say for sure we have to require people to do. >> there is an array of responses among operators of critical infrastructure to this problem. some of them are very forward in the foxhole and throw everything they can at the problem and the

dj regulation creates is your interfere with and hold back their efforts and there's a price to be paid if that's the effect. at the same time, there are free riders and people who say why should i spend the money this quarter when what are the chances of this happening now and it's probably such a big catastrophe the government will save my rear end anyway. so there is backers in freeride in chief of the system basically. but that is standard, they continue to be like her and free rides and cheats so there's a significant cause cause to not have been in a standard as there needs to be a standard but he needs to be dynamic and measure pursuit rather than any static point. >> one area where there's been a distortion due to regulation and where we should try to find a

way to use the existing regulatory schemes are some of the data breach notification laws say you don't have to notify if you have encryption. so people spend a lot of security budget putting encryption on hard drives of laptop so if they get lost and they don't have to disclose they had a breach. that is probably not their biggest threat, but it is the one that hurts the most. finding a way to get the ftc and state attorney general to focus on security as a whole rather than just is one thing is useful. >> mr. mandia, any thoughts on the pursuit versus static delivery problem? you deal with a lot of these companies as well. >> when you look at legislation commits a complicated matter. i've had these discussions on how to legislate benchmarks. the private sector is doing a lot of that themselves.

what i've heard here makes a lot of sense. if you push for an agile defense mechanism in the united states that companies can take intelligence shared with it and not the type knowledge in these processes to do something with it. that's a great next step to cover the security guy. a hodgepodge of standard legislation covering 80% of the problem. when you have to do with the nationstate, 10% to 20% of the problem is the means for the government to share intelligence with the private sector. the dirt without enormous liabilities doing so can start that information sharing in a codified way, where we make it quicker. >> all three of you agree among the operators of critical infrastructure in this country, it you can find companies that

are not doing that they should be doing in this area and very they're not pay any it deserves for making economic decision not to invest are basically plain old alacrity in freeride during what other people drive it forward. the 70 yes, yes, yes across-the-board? >> have a slightly different opinion. your positions to respond to breaches unreasonable to prevent. respond. they were probably getting a check in the box for compliance with pretty aggressive standards coming yet they were still breached good when it comes to the critical infrastructure the majority of the organizations have assisted high-security programs that were mature and about compliance yet they were still breached. i'm giving you an unfair frame

of reference because we respond to the highest at 10% to 20%. >> even high performers remain vulnerable to preach by highly qualified and persistent attackers and at the same time is a considerable set of critical infrastructure officers to make it easy to not been up to basic standards. >> i just discovered 10 seconds. they have the exact same chance of getting in. the only thing that separates if they will detect a successful attack themselves b. won't. we are responding to a's and b's right now. >> to the point i have heard many people articulate in this area and that is if you look at a company, it is in one of two categories. the theater has been hacked to knows that gore hasn't been

hacked and doesn't know it. but any company of significance has all been hacked. senator klobuchar is senator koontz book mentioned interest in small business. as the attack broadened, particularly those they specialize process for your product or scale is susceptible of being stolen and replicated without license fees and invented on your own are becoming more and went to target, particularly in the supply chain. so they get to a point where if you're a small shop in rhode island, that is the best place in the world at manufacturing a very specific kind of medals to elegy that's what we want you to be doing. we don't want you to stop everything and try to bring in best of class cybersecurity in

the same way a raytheon permit donald douglas or subcontractor and yet they're just as much at risk we all agree. let me thank all of you. i know you work hard in this area every day and think and dynamic ways about this problem. i look forward to working with all of you as we go forward. i will accept senator graham's indication or suggestion that come up with something on visas in the framework of the immigration bill now pending. as i said to the first panel would also be engaging in trying to do cyberlegislation 2.0 not that the executive order is in place and we look forward to talking with you about the substance of the legislation and also have you help us communicate with colleagues but the nature and importance of

this problem. this has been helpful. i'm grateful to all of you. the hearing will stay open for a week if anybody wishes to have anything to the record of hearing. if i've not done already, by consent i will add the peas lindsey graham and i wrote into the record and with that we will stand adjourned. [inaudible conversations]

you can see the entire hearing online at c-span.org. >> and it is continued to tear it? to cut this outstanding service record and things deteriorate even more. as i read the transcript, it should be it came to a head in phone calls you around with lawyers from the department of state prior to congressman chase is coming to visit and libya. is that accurate? tell me about those conversations, with the lawyers and struck duty to on the visit to libya. >> i was instructed not to allow the acting deputy chief of mission be personally

interviewed the congressman chassis. >> don't talk to the guy coming to investigate? >> yes sir. >> it has several congressional around the world. has it ever happened or lawyers get on the phone prior to a delegation to investigate a time were two americans lose their lives. has anyone told you don't talk with the people coming from congress to find out what to please click >> never. >> you've had dozens has he been? >> yes sir. >> and also, isn't a true one of those on the phone call, the folks in the delegation tried to be in every single meeting you had with mr. chief ed and delegation from the committee? tell me what happened when you got a classified racing. would have been in phone call after that? >> the lawyer was excluded

because his clearance was not high enough and the delegation insisted refitted not be limited. >> the work and not retain? >> he tried. the chief would not allow it because the briefing needed to be at the appropriate level of clearance. >> you had a conversation after the classified briefing the lawyers got a lot to be a fun that delegation. another conversation with cheryl mills. >> counselor for department of state and chief of staff. in the that's an important decision. >> yes sir. >> she is the fixer for secretary of state, as close as you can get. is that accurate? >> tell me about the phone call you had with cheryl mills. >> a phone call from the senior person is generally not considered good news.

>> what did she have to say du? >> she demanded a report of the visit. >> was she upset that this whenever you want to call it was not in first time it ever happened was not allowed to be in a classified briefing. but she upset? this goes right to the person next to secretary clinton. is that accurate? >> yes, sir. >> 22 years of outstanding service to our country raised by everybody who counts. the president, secretary, and one of defending it now because he won't help them cover this up he's an honorable man telling the truth now is getting this treatment who praised them before.

>> this, take exit 13 businessmen purchased to get to the grant family and appreciation disservice to the war. julia mentions coming up the hill and being presented this lovely villa she said was

furnished with everything good case could offer. now the entertaining part of the home and of course we all know julia was an avid entertainer, loved it. the family spent quite a bit of time in the parlor also. mr. grant played the piano. imagine the family here the other is the need to their sister and mother play songs for them. grant launched his headquarters located at the desoto hotel downtown colina. the day after his election, granting truly open up their home in the parlor here for people to follow-through and congratulate both of them on his election of the next step of their lives. this has misses u. s. grant on it. this was truly is. should probably cut papers, pens, spore respondents for which it is writing letters

them. on the dresser we have a bible given to mrs. grant by the methodist episcopal church in 1888. this is the dressing room. the most personal space in the house to julia grant or she would come in to get ready in the morning, ready for bed and to just give a little solitude. a lot of things going to mrs. graham. her stomach as she would have used to mend some socks for the kids or general, so it button on. a couple pairs of her size for shoes and purses as they were going on the town. this is where he came back after he was a military hero started political career, his rise to the president the where he was living when she became first lady and this is home to them before that.

>> behind on the budget request for treasury department and internal revenue service. the senate appropriations subcommittee heard from treasures agree terry jack lew and commissioner stephen. it's over an hour and a half. [inaudible conversations] >> good afternoon, everybody. the subcommittee on financial services and general government will come to order. today, the hearing will be about

the department of treasury's request for their fiscal 14 appropriations and we will sit here and take testimony for acting director, mr. melander from the internal revenue service. we will also be listening to the ig for department of treasury to give us ideas and recommendations on how we hurt the functioning of government avoid any boondoggles in the area of technology and also taking hearing on iris are we not only talk about the best ways to collect money, but also make sure we have a sense of frugality and how we spend the money. so we look forward to that. i want to know i'm kind of a pinch-hitter today for chairman lautenberg. senator lautenberg was for the

full committee and a speaker to begin work on the new bill. he could not be with us today and rather than make it enemy of the good i said i would move this committee forward and i want to thank you is the ranking member for your courtesy here. i know you also have to leave, so we defer you on the early bird questioning and a bipartisan way. we have two panels as i said the secretary of the treasury and focusing on irs. the treasury department's largest bureau and the irs account for half of the subcommittee spending. we are so pleased secretary lew could join us in his everyman a crucial role at this important time in our economy.

secretary lew knows better than anyone the importance of the appropriations process to create conditions that generate jobs today and grow our economy. that's why support the budget of 1.5 trillion as we agreed to in the american taxpayer relief act pitches past four months ago. we know there will be a difference of opinion with the house or enough that the ram budget level of $996. so there are going to be issues they are. right now the issue is to hear what the treasury needs from what it is we need. the bush this week is public service recognition week when we support public employees for their tireless work. the treasury staffer on the job

providing value for the taxpayers. they do things extinction experts at the office of foreign assets control target sources of finance is to disrupt iran's pursuit of wiping mass destruction. the intelligence analysts in the financial enforcement network followed the financial paper trail to make sure that crime doesn't pay for terrorist financing, organized crime for narcotraffickers. the payment specialist at the sms insurers get to the senior disabled veterans. we could go through agency after agency and these are on the job serving america. i'm deeply troubled by what we face during sequester and i'm interested in the impact of sequester and mr. lu we look

for your commentary about it. i have heard firsthand because i have world-class treasury department agencies in my state from irs to assess mass another report agent deeds. we are also interested in the impact of sequester as you sit on our economy and the failure to get our budget clear so we can keep our economy on track. we look forward to your commentary admit that i would like to turn to senator johanns for any comments you'd like to have. >> nottinghamshire wanted, thank you very much. my comment is made read gazettes indicated i have to move on about an hour. i did want to offer opening comments to one of the witnesses here today. we appreciate your attendance. today marks my first hearing as

the ranking member of the financial services and general government subcommittee. i appreciate the opportunity to serve on the perp rations committee given its role providing oversight for discretionary spending. as we begin our review of the budget for fiscal year 2014 am glad the president knowledge to import entitlement programs, social security and medicare are in trouble and must be strengthened. they have adjusted the formula used to calculate social security and medicare cost of living adjustments to more accurately reflect inflation rate. but -- as part of the equation. i'm disappointed the budget does not make necessary strides to addressing our nation's debt.

unfortunately, the small move towards entitlement reform is overtaken to increase the name, added debt, higher taxes and additionally calls for dismantling the spending reductions to sign into law as a 2011 budget control act. this would leave less than 12 billion annual deficit reduction compared to this year's projected deficit. the task before us a significant if not enormous. if the president wants to stimulate the economy, i recommend he reversed his record of increased spending and taxes. it just seems straightforward as the former mayor council member, commissioner of the local governor that money left at home with hard-working americans means more money

exchanging hands and made street. we have to reduce the deficit and forge a path to a balanced budget. to make progress towards reducing government and ensuring medicare, we all must engage in a serious discussion about how to put programs unsustainable path not only for my generation that the generation behind us. my hope is the president's recognition of the unsustainable path is only a first step, one followed by additional meaningful proposals and later shift. they are willing part nurse. i myself am a member of the group of eight senators working for a long time in coming up with ideas to deal with budget

issues. is a member of the committee and senate, i continue a series to be a part of the approach to balance the budget to rein in spending. we need to repeal costs and mendes lower taxes increased regulatory trends errancy and accountability. americans are looking for us to do the work in washington. we must work to promote sustainable economic growth. we do so through a tax code that recognizes the hard work and achievement are worthy of reward not penalty and then making difficult decisions necessary to put our country on a path to long-term financial security. as we were for the budget request, i look forward to working with the chair and other members of the committee and subcommittee to do our part to address the mounting financial issues and promote a stronger economy for a nation.

thank you, not a chairman. >> i want to welcome two of my colleagues. senator udall who is new to the committee, yet new to appropriations. and experience in the house and colleague senator moran. but i would like to suggest his recovery to the treasury secretary. we had to change the schedule. senator johanns has to leave. secretary lu had to readjust. what would you to include? i'm going to have you testified. and then i will go to you in case you have to leave because he can hold down the fort. do i go to my questions. does that sound like a good way? >> thank you very much chairwoman mikulski, members of the committee. i appreciate the opportunity and i would just like to say i'm

sorry senator lott and bergeson terra and i only wish him well and that he returns soon. i want to start by thanking the talented public service at the department of treasury. thoughtful dedicated, focused with the goal is to further the mission of the department of american people. it's my honor to work with them and i'd like to begin an overview on the economy and get into the treasury budget. our economy stronger today than four years ago we need to continue to pursue policies that will accelerate growth. since 2000 economy expanded for 15 consecutive quarters and 6.8 million jobs in the housing market improved. consumer spending, business investment and exports expanded. very tough challenges remain. families across the country are still struggling. unemployment remains high. economic growth needs to be

faster and while we've made progress and we need to put our fiscal house in order. political gridlock in washington continues to generate had been including indiscriminate spending cuts from sequester you will be a jack in the month had not replaced a sensible deficit reduction policies. this password replaces sequestration takes a balanced approach to restoring long-term fiscal health and makes investments in manufacturing infrastructure and worker training. investments are critical in the hope or economy and create jobs onto the future. i was in cleveland visiting business owners in manufacturing workers and it's clear the american people want to focus their economic policies on growth and jobs. as their budget demonstrates treasury helps shape and implement policies are streamlining the tax system in the financial system to securing interests abroad and increasing funding for small businesses and

home. with remaking social security payments, treasury touches the lives of almost every american. we're committed to meeting obligations as efficiently as possible and lowest cost to taxpayers. over the last for years, treasury has made progress to make the department beanery more efficient. today we build on momentum by identifying $400 million in additional savings. we bring out wasteful spending and consolidate programs. we cut travel costs to sharply reduce expenses. these materials and save on rent of the of fiscal services and provide more services electronically so we continued to cut down on paper paperwork. it totally reduce spending by 2.3% when it sued the irs. the budget to the past fiscal year. the iris is the main area who requested an increase.

the services will allow the irs. to crack down and bring in more revenue. for every dollar we spend on enforcement initiatives we expect to collect $6 in revenue. the request or increase includes additional funding to the iris can meet responsibility under the health care law, which lowers the forecast budget deficits by a trillion dollars over the next two decades. the affordable care to help slow the growth of health care costs and continued implementation of the affordable carrot improve the quality and efficiency of health care system. nevertheless to carry out obligations mandated by congress in the health care love companies appropriate resources. beginning in 2014, and millions receive unprecedented tax benefit they make buying health insurance affordable. the iris must have necessary funding to assist american and provisions of the law into effect.

the irs invest in new technology modifying iris taxes. efforts facilitate application of tax credits while protecting information. i baked a point not request ration has taken a toll on treasury but we do everything akin to a circus cospeaker reducing services. we scaled-back training delete contracts, but the branch of the castle by treasury's hard-working public service at the irs, workers have to stay at home without pay for as many as seven days between now and september. this will erode ability to provide service by forcing irs to visit fewer colds and bring him suspect that in one of delays in responding taxpayer questions. delete if you enforcement actions to reduce revenue collections. the fact is sequester is not only hurting treasury employees. it's hurting taxpayers as well.

sequestration must be replaced as soon as possible. the president's budget does that i have colleagues take action to get this done. thank you and look forward to answering any questions you have. >> senator johanns. >> thank you, mind share. secretary lew, thank you for being here again. let me find my focus questions on a piece of legislation passed a year or so ago, dodd-frank thomas are familiar with. i think to revisit a question posed about a month ago in a very bipartisan way. center tester and i wrote to you. you are the share of fsoc.

which nonbank companies are designated and systemic a risky? for me it seems that important question because those entities that are going to be hugely impacted by the designation should know where the line of fire. and so i would like to pose again with his metrics are and what do you think it is important for metrics to the public. >> was sanner, the general approach is something that is public. we are looking at whether there is a risk to the financial system and that really amounts to a question of combination of factors, including what the nature of the institution is size, scope, transition mechanisms that indicate if there were a financial problem

with those systems. the individual analyses going on our matters being discussed with companies, but we haven't disclosed a public list of companies and i don't think i would be appropriate unless and until designations are made after which point in time companies have the ability to exercise any concerns they have in their review of those regulations -- of those actions. there is going to be every opportunity for fsoc to make its determination to go if i were at the analysis set to be reviewed. >> i don't want to get stuck on this although it's a hugely important issue, but as a former cabinet member myself through regulated industries, it seems extremely important ec to the industry this is what qualified

you to be regulated. this is what excludes you from that regulation. i kind of look at this in the same way. team soothsayer to alert companies, whoever. this is why you fall into this kind of hyper regulation under dodd-frank. what am i missing here? >> i think the designations are still being reviewed. to some extent, to the extent there are nonbank designation in areas where we've not yet taken action, there's not yet a public record to review. if actions are taken, it will be very much substantiated by consistent analytics that get at the question of the scope of press and whether or not the risk was spread. it's a great deal of attention given to make certain questions are asked in a systematic way.

i think us were in the early stages of implementing a lot of dodd-frank, the financial stabilization or stay count of is a new entity bringing together regulators to make decisions like this is something exercise for the first time. so it's difficult to have them on history and experience to go back on. i can tell you as chair of fsoc and very much focused on the procedural regularity about the way it's reviewed so there is consistent analysis when it is reviewed and withstand skirt me. it will go forward semidesert nations are made being able to demonstrate that by the actions. >> at them i just up by saying i serve on the banking committee. we spent hours in hearings

coming to grips with the concept of systemic risk on what to do about it and it's much true spirit is possible is very critical and that's only drive towards members of the banking committee. let me the night damascene piece of legislation. chairman bernanke testified in front of the senate banking committee and house financial services committee that dodd-frank sections of 16 does nothing to make things safer and increase is cost of derivatives for end-users. and it should be faxed. his testimony was very clear on that. do you agree with that? is a willing group of republicans and democrats saying we've got to do something on

this. i've been working on this since the passage of dodd-frank even though i was in a supporter. congressman franks supports it sheila bair, paul volker others. do you agree we need to fix this? >> we are still in the process is seen how issues are addressed by regulatory agencies. the fed still has rules not yet completed. there are questions about end-users. the definition is always a challenging one but we have to see where they end up in order to come back and see whether it addresses concerns that have been raised. >> i will wrap up with this because i am out of time and i don't want to dominate questioning here. senator tester and i have been working on this. again, we are trying to be very fair, very bipartisan. this is not a cut you sort

thing. the gc problems that would result if you can send your stuff in our direction, we be happy to lay out or thinking about for proposing to do with these issues. >> a firm is trying to run its business and how that process the oil on site. the regular business and i.t. up with a preachiness termination with the need for further correct of action. >> you had a big agency and a complex agency. looking at this year's appropriations, we see for treasury you take out irs, the

biggest agency under your umbrella of agencies because the treasury department is an umbrella function at the request is to fund you at 1.35 going in. another is that is what you're funded in 2013 omnibus. this is nearly identical to the 2012 enacted level. under sequester your code, $669? am i correct in that? roughly more than 66 million. my question to you with the issues in shrewsbury voting on a friday mark with those other things u.s. custody.

but the president, to fiscal policy, provide economic growth, promote exports and currency. complex issues with implementing sanctions, which this congress heartily support centers running success of their action. two things near and dear to my heart and i noted the cd if i have transferred neighborhood. my question to you, sir is what is the impact of sequester on functioning of your agents be and is a benign impact verdure colony and impact? >> senator, it is a very real impact. our dimension impacts and the internal revenue service. it's a very significant thing

that taxpayers are inconvenienced by having difficulty reaching an office to get assistance and advice taxpayer offices are meant to provide. i spent a lot of years in government trying trying to shorten waiting. an improved service taxpayers get when they reached the government. if winning. get longer and questions don't get answered, i'd are a high initiate cumulative impact. for every person has kept on hold, that is a taxpayer who hasn't been well served. they should have been properly paid. it's key that we enforce the law as best we can. the real impacts in terms of the services we provide. the benefit is being reduced.

they are providing financing and these are the themes i don't think we would've chosen to cut. sequestration is across-the-board yogyakarta. there isn't anyway to have flexibility to fix the problem at an agency like treasury or the other agencies of government. it is shifting around reductions after years of having tighten our belt. the challenge going forward is to replace across-the-board cuts which is dallas between revenue and spending cuts and there should be entitlement savings in a balanced package, where resolve medium and long-term problems. it is cumulatively have a half a

percent or more of gdp. 750,000 full-time equipped once across the economy. our economy is growing but not his fact is that they cared if they could figure testified for some other way to increase economic growth by half a percent of gdp and create jobs people would think i was really important. sequester takes that away. 750,000 jobs by replacing sequestration with the medium and long-term policy which is that the president is an alternative. >> first sequester has the impact down the function of agencies. in your perp relations, the request for treasury is 12.8 --

160 billion for irs with functioning for headquarters and sanctions to other sms could be a billion 316 million. you are saying because what we are doing the sequester nr cover mac, whether it is treasury, dod, big impact on contractors and civilians to nih the future thinking of cures and things that pharmaceuticals can sell around the world. are you saying we are not only sequestering employees, but have a nature crony and impact on our economy? and could you give us a sense as you've now been for this, scaredy big time whether it's

the french or whatever. what is your view of an approach that the sequester our economy and not to be critical of other governments and policies, the consequences that lowers in public debt, but where in terms of economy? >> for using k2 sequestration, the decisions the united states made in 2009 to take immediate action to deal with their economy growing after a deep deep recession to fix the financial system in collapse our economies back on its feet not as fast as we would like but we are growing. europe started with austerity and their economies are not going very well. i don't think we disagree fundamentally that there needs

to be deficit reduction and we can't have deficits growing infinitely to dangerous levels. when your economy is weak you can't cut your way to growth. you have to get growth growing and make cuts in the absurd cuts and the economy. ..

>> madam chair, thank you very much. i responsive committee for the last two years and i'm glad to be back or if there is important jurisdiction. congratulations on your nomination and confirmation. madam chair, i am pleased to be with you. i hope the senator is able to return to the senate near future. let me first start on this issue of the economy. one of the things that i think the treasury could do, along with other regulatory agencies is to assist our community banks

and other financial institutions in a regulatory environment. it was focused on our largest institutions credit means their ability to make loans, i am absolutely convinced based upon the conversation i have with acres, also their potential borrowers, the regulatory environment is handicapping the ability to make good and solid loans because of the regulatory concern. i have a number of bankers who say they no longer make real estate loans to people within their own community because of the onerous nature and potential penalties for making an error. beyond back on the increased regulatory costs is reducing the number of community banks that we have. acquiring more banks and other communities.

we haven't increase in depositors and loans in order to cover the increasing cost of hiring people to comply with rules and regulations. i'm interested in knowing whether or not you, as the secretary of the treasury, have thought about how we can unleash the opportunities that banks have to make loans across the country, particularly in community banks i that with actual community bakers i have to make a few observations. first, both the laws that have been enacted in the rules that they are being implemented are taking cognizant of the concerned of smaller financial institutions. i think one of the challenges

that we have in general is that there was a delay in implementation with certain provisions of dodd-frank greatly because it was still a political debate frankly whether it was going to be implemented or repealed. we still have rulemaking to do and it's a high priority. one of the things that is going on is rules that haven't been settle down and they are concerned on what will regulate this sentiment of the concerns of smaller institutions. i cannot say exactly what each of the different regulators will do. but i have discussed this issue with representatives and i am quite confident that they are thinking about this very hard in trying to address these concerns

as best as they can. i think that the size issue alone is one factor. we are not taking the view as we implement dodd-frank, a smaller solution the presents no risk. i don't know any agency that is doing now. on the other hand is there a systemic risk in its to be addressed. and as we resolve those issues we believe that some of those issues will subside. >> the uncertainty is clearly a problem. >> i have heard that it is much part of what they are worried about. >> i have had this conversation with her predecessor with the fdic, the regulators on the banking committee the

suggestion that we take into account is one that is always offered in return to the dialogue her mom while that we must have. i only have less than a half minute left. evening for the record, the acting commissioner. it deals with this issue of the irs and the inadvertent release of tax returns including the information that is released. i'm going to outline a number of instances where that has happened and asked you and the commissioner to explain what is going on what is happening at the treasury department, how do these releases occur, what actions have you or the commissioner taken to make sure that they don't happen in the

future. including if the employees are culpable. this information may be used for political means and political outcomes. i will submit that for the record. but i am very interested in making certain that every american can know that their tax return is nothing that's going to become public. >> thank you very much madam chair. secretary, thank you for joining us today. thank you for your very nice comments about senator lautenberg. we really hope that he returns

soon. secretary lew, i agree with your statement, even though our economy is improving more work is necessary for job creation and accelerate growth. in every community across new mexico, i hear the same concerns. jobs are hard to come by. businesses are struggling to stay open. the recovery has not come to main street and will talons. can you speak to what efforts treasury has underway to help the recovery reach mainstream. this includes vibrant local economies and how do these efforts help support a strong middle-class in building a

strong middle-class. >> i think we have to start with the big picture. we need to get overall economic growth grown faster because we do need to go more and create more jobs to reach all parts of our country that need to get the benefits of a growing economy. part of it is at the macro level, which means we shouldn't be creating headwinds for the economy. on the narrow basis the treasury department has a number of programs. some of what we have talked about already this afternoon. those that do provide direct support and community is and institutions that are really getting the need for growth in parts on states and cities that otherwise could be left behind. we are proud of what we have accomplished and where homeownership programs and

targeting and there are communities that have been hidden there is more work to do. i think that we can't look at treasury alone. we have to look at it with what we're doing in the other agencies and what we are doing together. so we have transportation programs going into it in those communities and education programs we have tried to concentrate efforts as we go into an area in a coordinated way. something that i think is very important in our budget is the manufacturing hub that the president has proposed. i was in ohio yesterday and it is really pretty striking when you talk to the businessperson who is able to get into an abandoned warehouse and create a high-tech company because now

including how we make the trade-offs between revenues and bending. >> we are very hopeful the kinds of resources that you have talked about there in ohio to all put forward and try to get

one of these manufacturing hubs going. i think it is the key to the future we've done this on a bipartisan basis. >> thank you, madam chair. >> mr. secretary, senator lautenberg had some questions for which i'm going to submit to the record and ask you and your team to respond to it. they are related to iranian

sanctions and the implementation and efficacy rate also the alcohol and tobacco tax. also the very deep concern about the efficacy and treasury foreclosure relief program particularly as it affects new jersey we would like to be in conversation with you about cybersecurity you and the acting commissioner are the keepers of such an immense amount of data particularly in terms of individual and businesses also,

the concern that the appropriation committee has for the protection, not only of.gov but.com. and the impact that was concerned about the rising tax that have occurred both overseas and here. in the implementation that that could have been the impact it can have on their economy. this is kind of a robust conversation. i know that those who are in defense of homeland security, as well as myself, we really want to protect critical

infrastructure. we have the right legislation to do that we have them incredible amount of american people and american citizens and american businesses. bank of america and these others. >> senator, i think you just put your finger on a very important problem.

one of the things i'm committed to is making sure that we are done, we have to stay on it because the threat resolves and we change and it's not like you get to check the box and say that we did that. it is a new way of life we just have to stay on. it's one of the reasons why we have the resources to stay on top of it. i met with bank representatives couple times already.

we will make it possible for them to share the information as well we need the tools that we need. this affects financial services, dod, homeland security the implementation of that and the president's executive order, information sharing and some others. we are all moving in the same direction and enabling agencies to take the necessary steps to protect this while what we are

looking to work in partnership to protect this. >> we look forward to working with you senator mr. secretary thank you so much for being here. we are going to take testimony during the and internal revenue service is the inspector general. so we thank you and until we meet again. >> okay now we ask mr. steve miller and mr. jay russell. our treasuries treasury for the taxpayers. we have to distinguish tourists and thus mr. george russell and you've got these names and i gather we must distinguish this is both colleagues.

[inaudible conversations] >> i invited mr. george to testify as i have on my own subcommittee and encouraged other subcommittee trimmings. and we have a benefit. expensive frugality, with the government, and having said that, you are the acting commissioner and you have a big job and we will have a big opportunity. will you please proceed?

>> thank you, chairwoman mikulski. and members of the subcommittee. i appreciate the testimony time today. 94 million refunds for a total of $250 billion. this unfolded despite the difficult challenges presented by substantial tax law changes and were not enacted until jiri second we are going to provide more online self-service option. enforced initiatives include

increasing resources and tools available for identity theft and addressing other issues and improving the manner in which we use data. we have a number of initiatives. a one example is identity theft. more than double the number at the start of last filing season. the last fiscal year, the irs is spending nearly $330 million of our budget of identity theft and refund fraud. and it was money well spent. during fiscal year 2012 the irs protected more than 20 billion in revenue, up from 14 the prior

year. so far the irs has been that were rejected over 3.3 million suspicious returns and i know that the current budget environment is tight. but it's important to understand that these and other accomplishments are not sustainable if our budget continues to atrophy. we will continue our efforts to maintain excellence and performance and performance will begin to reflect the impact of a large budget cuts that we have received over the last two years. this means that there will be a steady erosion in the service that we provide to taxpayers and the amount of money that we collect. in this regard, let me note the effects of sequester. the irs faces up to seven furlough days in the fiscal year and we anticipate a reduction in the revenues we collect and our ability to answer phones will

begin now that the filing season is over includes another 55 million in savings and efficiency. note that this filing season, we ran nearly 10,000 employees worry were during the fight filing season in 2010. are labor spending, we have limited operating travel and

increased use of virtual training, allowing reduced cost on an annual basis, a 55% reduction from the fiscal year 2010. there has also been reduced spending on technical services by $200 million and $60 million in printing and postage savings as well as aggressive reduction in rent payments. madam chairman we will continue our efforts to be fiscally prudent and to make wise investment in our strategic priorities and business modernization. however, as i've noted, without a change in a current budget environment, americans will see erosion in our abilities are gone and the federal government is the fewer seats from enforcement efforts. thank you for the opportunity. >> thank you, commissioner. we would like to hear from you, sir. >> inc. you, madam chairman.

sir, thank you for the opportunity to testify for fiscal year 2014 budget request and all recent work related to these issues currently confronting the irs and the fiscal year 2014 budget request for tech administration also referred to as k-care. resources is approximately $12.9 billion, this is an increase of slightly more than $1 billion from fiscal year 2012. people the portable tract contains an extensive a worry of tax law changes that will present many challenges for the irs in the coming years. the fiscal year 2014 budget request includes additional funding of $440 million.

while the department of health and human services will take lead in developing the policy provisions of the act the irs will administer the numerous tax provisions in the development and implementation of new systems for the provisions include major information technology management challenges. these includes rapid implementation of interdependent objects that require extensive coordination within the irs and with other federal agencies. one key health care provision takes effect on december 31 of this year. this provision is a requirement for individuals to maintain minimum essential health care coverage or face a continuous penalty. starting in calendar year 2012 the irs will be responsible for implementing the premium assistance tax credit, as well as implementing the penalty on

applicable individuals for each month that they failed to have minimum essential coverage. these two issues have a far-reaching impact and will design and build a new computer systems and prepare for increased customer service as taxpayers turned dirs with questions and issues about those and their tax and health insurance for hermans. customer service has been declining in recent years with fewer taxpayers being served at their local offices and the irs answer your telephone calls and pc will further stretch these resources at the irs. the challenge confronting the irs is the tax gap which is the difference between the estimated amount taxpayers owe and the amount that they voluntarily pay for it ataxia. the most recent estimate was

developed by dirs was $450 billion for tax year 2006 and that is $400 billion each year. the following example of the strategies that could improve tax compliance, enhance third parties to the irs and help taxpayers comply voluntarily and however, identifying additional opportunities can be challenging because third parties may not have accurate information that is readily available. also adding reporting requirements creates a burden for third parties as well as the irs to determine the appropriate level of resources, the irs would need to consider how to balance taxpayer service and how productively uses of resources. we noted that in fiscal year

2007 the irs elected over $59 billion in taxes and penalties and interest in fiscal year 2012 and dollars collected decreased to approximately $50 billion. there are two new systems will help the iraq reducers. reduce this. one is the system that will automatically match business return filings to third-party information returns in two areas. merchant payment cards and cost basis reporting on the sale of securities. the other system, which was referred to by mr. miller includes information reported by financial institutions in foreign countries and u.s. citizens regarding offshore bank accounts. simplifying the tax code could help taxpayers understand and

voluntarily comply with their tax obligations and limit opportunities for tax evasion. incidents of identity theft have continued to rise 2011 when the irs again identified more than 1 million incidents in 2012. then they identified almost 1.8 million incidents in the irs has placed emphasis on this area over the past year, but there is still work to be done. and this is on this area over the past year they have identified 1.5 million undetected taxi or 2010 returns with characteristics of identity theft and $5.2 billion in refunds that were inappropriately issued. the irs issues numerous refundable tax credits, the most

significant is the earned income tax credit, which the irs reported 12 to $14 billion in 2122 other fundable credits, that includes the additional child tax credit and the american opportunity tax credit, also referred to as the education credit. if the irs freezes a questionable earned income tax credit claim, it will later disallow the additional tax credit claims 67% of the time. the irs could have prevented $419 million in erroneous credits and a review this at the same time as the earned income tax credit. it was also reported that as of may 2010 over 2 million taxpayers received