tv Key Capitol Hill Hearings CSPAN January 8, 2016 6:44pm-8:45pm EST
6:44 pm
solyndra stan what your talking about if i have the bogeyed county sales numbers were sales calls it is always below the mine metrics to manage a proper organization night respect your training with liens start-ups in manufacturing i have been through so many training's so i appreciate what you are saying it is important to prioritize to make sure we do what matters within 80 / 20 rule. >> the lady from north carolina is recognized for five minutes. >> i appreciate you being
6:45 pm
here and your testimony. i will skip asking about the implementation of the recommendations but are there budgetary issues that can assist that sba to move more expeditiously? >> i very much appreciate the question because absolutely there are. than i am trying to be as resourceful as i can in training to have somebody travel even to headquarters i have to put them up with the per diem i tried to be as resourceful i tried to use webinars or local schools to do mentoring i try to do what they can with what i have but if you wanted to have a serious conversation with the budget
6:46 pm
in california have 14 different departments d&b d&b, caltrans, department of real-estate come in and it was a challenge to run them but i had a unique opportunity to create a department of managed health care ended is still operating a think we're the better run programs and the state of california. entirely different to start with a clean slate this is the core competencies so clearly it does have a little more nuance and to start from fresh and will be delighted to engage in that conversation because that is a thoughtful answer. >> said gao found sba has made limited progress the of
6:47 pm
program evaluations without those they lack critical information to ensure the validity of its goals as well as the validity and effectiveness of its programs. for example, that has conducted an annual client survey for the -- for its effectiveness so will you survey the loan recipients to determine if the loan guarantee program is meeting claman needs? >> i can give you an example of some data points with job creation retention common newmarket's, contracts required, usefulness of the services and customer satisfaction.
6:48 pm
these are metrics we are tracking. i n interested in a unique identifier to track the person because i think that is a vital point that is on the specifics of the public to understand what they are using the also i am understand we're in federal government space into my disappointment things come into a the sba to deploy in the team with sees innovation hubs the growth accelerator's across the country and letting what the millenials need with that market segmentation to do
6:49 pm
more targeted digital marketing to people to have that capacity to answer your budget questions the we're filling that customer satisfaction a what are entrepreneurs to surf to compete in an ever globalized economy. >> thank you for your response in your services >> you are recognized for five minutes. >> i am excited in grateful for your energy and passion when you're trying to accomplish but i still have concerns about what i have read and heard and what i have seen this age is creating council system protect small businesses economy we are supposed to
6:50 pm
act in a manner that is efficient and nimble like small business in agency for the fiscal year 2015 was intended to support 30 billion a small business finance and 80 billion of federal contracts large numbers and concerning but we have serious challenges with this administration for america and the economy although i do agree with my colleague has said we have seen growth and a do believe the sba is vital in assisting that growth that shows how important this department is that these concerns i have a couple of questions so what impact
6:51 pm
utilizing be outdated sop and u.s. been here 20 months why is the average 10 administrators in 10 years? what is going on? >> as i looked at the chart i was intrigued by the gao report how far back it went. to things i did a little personal research one evening because it was interesting to me personally. if they were promoted to a larger agency you have to have certain skills to be an entrepreneur but we are of victim of the political process of every administration with the new appointment and generally
6:52 pm
people take a four year run then leave them the second bench i hope i am not. >> you are the longest. i appreciate that fact you must be having success do you have a succession plan for what is going on if you leave or if they leave? >> yes. what you said to be effective in critical organization i agree. i just met a young man who said because of a $150,000 loan after everybody else denied he can build a little company called under armour. now international global marketplace. >> now please answer the question.
6:53 pm
>> i want to be in enduring legacy item meet with the political appointments but the offices on a weekly basis to view the entire organization down to the bowels to set the priorities and values system were to put into job descriptions. >> now back together question with the impact of small business with the outdated sop is there a major impact? >> since we have so many different vehicle. >> yes or no. >> yes we are reviewing a the sop as an ancient i am addressing them faster than any administrator we're making good progress and i will continue. >> restated its require
6:54 pm
senior management to be directly responsible to insure the dissemination of the sop in their jurisdiction. can you expand or tell me the report on findings? >> darr required to certify every year there sop sometimes there are note changes are refinements or sometimes there is a major overhaul. we always have the spi see as a mentioned this is the kind of work i have mentioned it is a process that we undertake at unprecedented levels and we're playing back the momentum we are building upon.
6:55 pm
>> please indulge me. >> we have a very flat organizations receive individually and in the program here. thank you for your service in construction and you have a marvelous story. >> she has done her research no question. and for the record this is broadcast by c-span2 tens of dozens of people all over america. [laughter] s -- sop indicates standard operating procedure. now i turn to the gentleman from new jersey recognized for five minutes.
6:56 pm
6:57 pm
going over something that has already dead just please forgive me. there have been 41 changes over the last decade with the gao report to give multiple recommendations to increase human capital, specifically to develop the workforce plan conducting skill assessments with the training goals for the sop. what are you doing to address these issues in
6:58 pm
senior leadership of the district offices? >> yes. continuity is important we have a program of fluctuation we are constructing job descriptions to make sure they are forward-looking with communications standards and earlier the member mentioned the importance to be nimble is an art form as well as a science to make sure you follow sop and the general performance of the of modernization act and
6:59 pm
dodd/frank and sarbanes-oxley and this is my life to make sure i cross the t's and dot the i with the globalization so it is a challenge the sba is an exciting place i was disappointed because that characterization are valid i respected gao but i must tell you each and every day the sba employees are working hard and dedicated people don't have an appreciation we talk about half a dozen people to manage the business partners . .
7:00 pm
7:01 pm
maintain the best and brightest? >> the sba salary structure is not comparable to other cabinet offices. so i would given the opportunity be happy to address that and give you a comparison analysis. in many ways, it is a complex challenge. in many ways, i want mobility. you want mobility and organization to continue to create opportunities for the younger folks coming in. on the other hand you want constance knowledge and historical framework. these are delicate challenges i address every day. i reached out to the office of personnel management and the president's office to make sure sba employees are given opportunity at the commerce, state department and they are
7:02 pm
getting them now. >> the gentlemen who is the vice chairman of this committee is recognized. >> thank you, chairman and welcome madam administrator. we certainly welcome you to come. my only comment is that rather than spend your time there if you have your folks be willing to respond more quickly to our needs and concerns that would be appreciated. that is where we need the help. if you want to come see it you are more than welcome. you will see a lot of water. with regards to that, what do you see happening or where do you see the sba going and what is your response to the
7:03 pm
disasters happening as we sit here now? >> let me assure you i deployed my team even before it was assigned a disaster in the area. there were certain circumstances that have to be met and i is ten employees going out and conducting that study. we are getting there in 24 hours from getting the orders. it is remarkable achievement. overall, as i mentioned i traveled to washington to see how we responded, i traveled to texas, to north carolina. i am trying to get out to understand what the refinements are that need to take place. as a result, we have put in what i think are important changes. we used to do this manually where we would send out the information to victims of disasters. now when they come into our
7:04 pm
offices we have the technology to track them better and give them information more efficiently. >> so we are getting to be able to deploy the people to do the work. that is great. question for you, the next question i have is with regards in 2008 sba was asked for the loan improvement act signed by congress and eight years later the bridge loans don't seem to be able to be had. why are we not implementing this? especially during a time like this. is the program worth having is the first question? >> the financial institutions are having a problem adopting it to be honest. they say it is hard for them to process a $10,000 loan that if not repaid by our permanent disaster program we do, that we would provide them, they have to advertise it for ten years at a
7:05 pm
very low interest rate. >> so it is not a practical program? >> the financial institutions are resisting it and i am asking to put them on the record for formal comment on what to do to make it work. >> you either fix it or get rid of it if it doesn't work >> that is the point. we are working with them to get the answers. but meanwhile, i think this is important, we put in an uncollateralized loan and we are processing them in seven days. in the spirit of what we are trying to accomplish -- >> are you authorized to make direct loans? >> that is what the office of disaster systems does. we make direct loans for people who are physically or economically affected by a disaster. for renters as well it is important to note this is the only office that makes direct loans. correct. >> that is news to me.
7:06 pm
last time the direct didn't want the ability to make direct loans which was interesting. also, with regard to what is going on, all of this information that you are going to be accumulating with regards to the hacks that have been happening with opm and the irs, how are you protecting your data? >> there is -- first let me just to assure the american people, because as the chairman mentioned, we are other people listening in. the sba operates with financial institutions. they don't join our system until they are assured that the data is protected. >> so that begs the question do you, at the sba, have the same protocols and the same bank secrecy laws and data concerns and protections as the banks are? >> we operate under nist which is the national institute of
7:07 pm
science and technology. we operate under different guidelines but similar protocols. so in that regard we are working toward what we call a rev-4 level which is the standard in government and sba is comfortable with the work we are doing -- >> but you are not there yet is what you said? you said you are working toward it so obviously you are not there. >> that is right. i want to be honest with you. >> should that bring concerns to the citizens who have been dealing with the sba about their protection? >> time has expired but go ahead and answer. >> the fact the financial institutions who review and audit the system are comfortable connecting gives me solace. i have an auditor coming in and found no material weaknesses in the system. we have not had a breach. we have moved our mainframe to a
7:08 pm
modern redundancy -- >> this is a closing thought here. i appreciate what you are saying. whenever you say that i am not sure the citizens can have faith in what you are doing. it concerns me but appreciate your willingness to work on it. >> i just wanted to say i promised you lunch the last time if i didn't fulfill my goal and i want you to know i think you owe me lunch. sba one is up and operating and we have several thousand banks joined and it is working. >> i think the cafeteria is
7:09 pm
still open. >> 20 minutes before the next meeting. in all seriousness, i want to thank the administrator for her participation today. i appreciate your enthusiasm and your energy you bring to the program. i appreciate your willingness to do everything in your power to implement the 62 out of the 69 recommendations which still need to be resolved. as i mentioned, my greatest concern is on the security issue because we have seen white house, for god's sake, as well as a bunch of other federal entities hacked sometimes by china. i appreciate your willingness to do that. we are willing to be reasonable
7:10 pm
but keep us informed and let's get it done as quickly as possible >> mr. chairman, the good news is the sba is working in collaboration with our sister agencies, homeland security, the fbi and all of the other organizations available to all of the government services. i want to put confidence in the system. we are working with serious financial institutions. i used to run the department of motor vehicles and i changed the drivers license and as soon as you fix it another system comes in to hack it. this is something that has to be an ongoing effort. >> i totally agree with you. there is nothing that brings more confidence to the american people than dealing with the department of motor vehicles. members have five days to supplement their reports. if there is no further business
7:11 pm
to come before the committee we are adjourned. thank you. >> thank you very much, sir. on the next washington journal, united dreams discusses the immigration policy in light of the immigrants from central america. and john hannah, a former advisor to dick cheney, on the growing sectarian middle east divide including tensions between iran and saudi arabia. and then ann from the "washington post" and sydney wilkinson look at the anniversary of the charlie hebdo cartoon attacks. washington journal live at 7 a.m. eastern on c-span.
7:12 pm
c-span's road to the white house coverage continues saturday in south carolina. jeb bush, ben carson, chris christie, mike huckabee, john kasich all join together. key in live tomorrow at 10:20 a.m. on c-span. and more on saturday with a donald trump rally in iowa starting at 5 p.m. eastern also on c-span. >> booktv has 48 hours of programming every weekend. here are programs for this weekend.
7:13 pm
saturday, booktv is at the university of wisconsin with william p jones to discuss his book the march on washington. >> this movement was going to the core about what the change america should take. it changed minds but sealed people's position to hatred and their commitment to inequality. >> and the james rosen is interviewed on sunday >> no one on the right has attracted more intense vitriol than dick cheney with the exception of maybe george bush or richard nixon. >> molly crabapple talks about
7:14 pm
journalism, political art and her latest book. >> i started out writing essays and only had five published pieces when i got the book deal. i had a delusion that writing a book wouldn't be that hard but just like writing five essays. ha-ha. >> watch booktv every weekend on c-span2. >> john kelly held a briefing with viewers at the pentagon. he spoke about combating islamic extremism and the transfer of guantanamo bay detainees. this is 45 minutes. >> very, very happy to be here. made friends over the years and
7:15 pm
as you probably know, you surely know, i am about to go over to the other side and retire at the end of the month. it is a remarkable organization. very different mission. it is all about broadening and deepening partnerships down there to say the least. i would say the partners we have in latin america and the caribbean like the united states want to be associated with the united states. there is a few down there who didn't get the memo about democracy and human rights and that kind of thing but some of that is even turning around. they really do like and associate with us. they very much like, and are very proud of this, that southern command doesn't point the finger but work with them. we deliver an awful lot of good advice, education, and
7:16 pm
assistance. the other thing we do a lot of as an interagency partner is confiscate drugs. we have taken nearly 109 metric tons of cocaine after it left latin america. our number one partner with this and a country we have a special relationship with, remarkable people and remarkable military, is colombia. they themselves took a couple hundred metric tons of cocaine before it left their country. they eradicated hundreds of cocaine fields and labs that are destroyed.
7:17 pm
other partners are the people from panama and the peruvians. the corruption it brings and the violence it brings has devastated some of our really good partners like honduras and el salvador. there is good news throughout most of the region. as i said, i get ready to hang it up -- when i left the pentagon i was getting options and tired of the war spending so much time in it in the early 2000s. i thought southern command would be a place that would allow me to unleash other energies and talents. it has allowed me to do that. you may or may not know this and it may not be an issue but i
7:18 pm
read that guantanamo bay, directly for the president of the united states and secretary of defense, i do not do policy whether it opens or closes, i do the detention ops. my mandate from the president through the secretary of defense is to make sure we are in accordance with all laws and regulations with the detainees and make sure they are treated well, humanely and taken care of medically wise. we do that and do it superbly. i will end there and open it up. >> a few questions. one, on gitmo. later this month we are told that we can expect a large number of the detainees will likely be transferred out.
7:19 pm
more than a dozen. i am wondering if the recent releases which have been in some chunks lately give credence to the argument that the military has been dragging its feet over previous years and whether this amounts to a sudden new effort that could have actually happened earlier. just a second question, you mentioned some of the interdiction you have been doing with little u.s. military. there was additional talk about drones being used. have you seen any increase in the amount of other help for the drug war? and is that still an unmet need? >> well starting off with the drug question.
7:20 pm
again the partnership issue can't be overstated down there. particularly when we don't have u.s. military assets in that i count the united states coast guard. we have some guarders. we have partners like canada that provide a ship. the dutch will frequently provide a ship. these are not warships. they tend to be coast guard ships. the french occasionally and the uk. a hundred metric tons wouldn't have happened had it not been for our partners. i don't count colombia in this because they do so much before the product leaves their country. i can see, the joint interagency task force in key west is probably the best tactical fusion center in the world. i think the cia and others would say the same thing. it brings the entire power of the
7:21 pm
u.s. government to get up through drugs as they flow up through latin america and the caribbean. it is a long way from washington and i think you would agree the further you get away from washington the better things work. people actually talk to each other, people socialize with each other, they work together. there is no rice bowls. when i say partners cia, dea, homeland security, fda, it is phenomenal. to a dea agent and fbi agent working with partner countries whether it is lima or honduras and shoulder to shoulder to men and women of those countries' drug equivalent. that is what much of our human intelligence comes from.
7:22 pm
sometimes, not unusual to know plus or minus an hour or two, when a ton of cocaine is leaving a given port and head north i might know the guy's first name and phone number. that is the human intelligence. most of them we pick them up with p-3 aircraft flying down there sometimes often times homeland security and i cannot say enough good things about my number one partner and that is homeland and jeh johnson. he can see it move. what i cannot do is interdict it. it is very simple. all i need is a helicopter. once we locate the movement of one, two or five tons they know what is coming and throw the electronics over the side and wait to be picked up. we take the driver of the boat and he goes into our legal -- typically into the federal legal justice system and that
7:23 pm
completes the cycle of human intelligence. i don't get much isr but i don't need much more. drones would be nice. but we have not seen any increase. certainly no drones. a lot of countries down there want to acquire drones and we encourage them to do so but they don't need the high end drones or armed drones. just reconnaissance drones. they buy that from somewhere other than the united states because it is hard to deal with the united states in terms of purchasing things for a lot of different reasons. they tend to try and default to israel or yeah russia or maybe china. so i don't know if that answers the questions on the drug side. on the guantanamo bay side, i can speak personally the last three years, because that is how
7:24 pm
long i have been there, 38 months, the resident memory of guantanamo bay is the detainee staff and they can talk with a lot of authority back to about 2006 and then less so before that. the fact that there was reporting about this building, secretary of defense, people in uniform, people in detention offices, any way shape or form slowing down to try to impede the release of the detainees from my perspective is nonsense. it is an insult frankly to serving military officers or civil servant in this building to be accused of whether we can agree or disagree with any of the policy we would in any way impede the progress. the president wants to close it i have a role, not in closing
7:25 pm
it, but detention ops. my only role in transfer is give me your name, country, time frame and i will get that person to that country. that is my role. we facilitate the movement of foreign delegations that want to come down. we never, ever, ever do anything but facilitate the movement when they want to come to guantanamo bay. we typically the process is a delegation wants to come, or even if they don't want to, when there is a country interested in a transfer they are provided a detailed summary of the medical condition of the individual. they do come to guantanamo bay sometimes with questions because they were given an advance
7:26 pm
medical copy and always when they come down and they can talk to the detainee for any length of time they want, typically the conversation goes about 30 minutes, and it goes something like do you want to leave guantanamo bay and the answer is yes and that is about the extent of it. then the foreign delegation will typically talk to my doctors. they will talk sometimes to the guard personnel and just ask how did this guy behave and whatever. then they leave and we eventually typically get word the country will take them and that is where i take over and execute the transfer. there was some reporting about medical records. we have never had a foreign delegation ask for the full medical record. they always, always, satisfied with the summary we give them.
7:27 pm
in one case i recently read, and this wasn't the reporter's fault, the individual in question his medical record is at least 15,000 pages all of which has to be redacted by every intelligence agency in the united states and that would take two years. i thought it was a better idea to transfer the guy than hold them two years unnecessarily. we have never been asked and they never complained about the foreign delegation access. i welcome the press and foreign delegations to come down frequently. >> there was a report in the wall street journal about a hellfire missile that was delivered to cuba. it has been -- it was sent as a
7:28 pm
nato exercise in 2014 and somehow it wound its way through europe and made its way into cuba. i was going to ask you if you know where that missile is right now? >> no i don't. since you bring up cuba, we look forward to, you know, increasing our relationship with cuba, but for right now, and certainly for the last what? 50 years? we had zero relation with cuba with the exception of guantanamo bay. one of the things provided by the state department is we do a lot of conferences and that is how we do a lot of engagements. some of it is, very seldom is it about drug and addiction, which it on the high seas it is not there.
7:29 pm
but disaster or humanitarian relief. we invited members of the cuban military to come to that through the state department. baby steps. when i was in haiti, there is a fair number of cuban doctors sprinkled around, a lot of cuban doctors that do this engagement, some in port-au-prince, and we offered them the opportunity to come board -- aboard and see what we do. they took us up on it. we had cuban doctors from the port-au-prince area come on board and invited by docs on shore. but i have zero involvement with
7:30 pm
cuba right now. >> your son was killed in afghanistan in 2010. you served time in iraq. can we get your assessment of how the wars in afghanistan and iraq have been prosecuted? >> i can talk iraq. i did three tours there. i am a military man professional and i understand how these things can be done. when i was in iraq, anbar province, there was remarkable improvement in security. we are proud of the two iraqi divisions we trained, organized
7:31 pm
and equipped ended up being the best iraqi divisions and they could operate on their own. but we always had advisors with them. i would say to keep sufficient numbers of intel people to provide the advisors to critique the commanders and nco's after they are out on operation. not to command but critique and suggest and whisper in their ear we know how to do this. when they move one of those divisions down, when the 14th collapsed, we had advisors with them. it was the 8th division and they did a superb job.
7:32 pm
the mentorship advising is what makes those things. the equipment is important but it doesn't come close to having people that are with them and less and less involvement until you come to a steady way. >> are you saying it was a mistake to pull out of iraq? >> i am saying there were other ways to do it with much smaller numbers than we had there at the height of the war. tom? >> along the lines, you talk about the apache attack helicopters in iraq with the iraqi forces and having u.s. advisors accompanying iraqi forces. would it make sense to have those advisors going forward? >> we have a whole new war over there. i should add lloyd austin was there toward the end, a
7:33 pm
remarkable man named jim jeffries was there, he was a former vietnam war army. they had unbelievable influence on the prime minister and his team there at the time and obviously on the military people. there was a lot of learning to be done and advising to be done by those two gentlemen and their team to iraqi civilian leadership as well as -- it was like if you tried to teach a young person how to drive a bike and once you take off the training wheels, when i left iraq the training wheels were coming off. but if you are a parent teaching a kid to run a two wheel bike you are running behind him ready to grab the seat if they start to go over and over time they learn how to drive the bike. that is one way to look at what we could have done. >> what about today? >> we have a new war on our hands. i would say if we want the
7:34 pm
iraqis to get good enough to fight this fight i believe we have to reinforce them in terms of not only the equipment but as well as advisory capability and that kind of thing. there is only one way to advise. >> i have a question. in combat, the marines were against opening all combat jobs to women but were overruled by the defense secretary. they were slower and prone to injuries. talk about the way ahead on this. how can they put this into effect and what concerns you in the way they had with this? >> i would just offer that i believe given the mission the united states armed forces to fight the nation's wars i
7:35 pm
believe every decision we make whether it is a personal decision, new airplane or whatever, i think every decision has to go through one filter and that is does it make it more lethal on the battlefield. if the answer is shouldn't hurt i would not suggest doing it because it might hurt. the way i think we should do this is simply do it.
7:36 pm
my greatest fear, and we see this happen a lot over the 45 years i have been in the armed forces, is right now they are saying we will not change any standards. there will be great pressure, whether it is 12 months from now, four years from now, because the question asked is whether we let women into the other roles and why are they not staying in the other roles? why are they not advancing as infantry people? why are they not becoming seniors? the answer i think will be if we don't change the standards it will be very difficult to have any real numbers coming into the infantry, rangers or seals but that is their business. we will have small numbers anyway and the only study i know on this is the study the marine corps contracted with the
7:37 pm
university of pittsburgh, i think, and the other aspect is because of the nature of infantry training and combat there is a higher percentage of women in this scientific study that get hurt and some hurt forever. so i think it would be the pressure not for the generals here now but the common admirals to lower standards because that is the only way it will work in the way that i hear some people, particularly agenda-driven people in washington, the way they want it to work. >> thank you. general kelly, last year when you were here you talked about the islamic state and how there are about a hundred islamic state fighters going to syria from the caribbean and venezuela. can you give us an update on the status of those at the airports
7:39 pm
terms of checking the comings and goings of people. we do the best we can to help them. i am more concerned -- it seems like the islamic extremist and terrorist have shifted a lot of the message and that is whether than coming to syria stay at home and do san bernardino or boston or fort hood. my concern as the commander is they can even just a few of these, you know, nuts, can cause an awful lot of trouble down in
7:40 pm
the caribbean because they don't have an fbi, they don't have law enforcement like we do. and many of those countries have very, very small militaries, if they have militaries at all. they welcome the help from the united states. oh, the expense of guantanamo bay. it depends on how you cut the cost. guantanamo bay is a functioning base and has been for years. when they come up with the cost estimate or cost per detainee and all of that we were never asked here. someone else came up with the number. but i know if you look at, my gitmo budget is plus or minus a million dollars. but that is an approximate. the facility up and running if
7:41 pm
you keep counting the cost of the facility, which i guess you should, it is an expensive place, i support the commissions and they have a budget, too. but as a nation you make a decision what you will spend your money on. if to detain a detainee at guantanamo bay cost more than saying take that person to the united states if that is the policy decision so be it. i don't have an opinion on whether it is too expensive or not. i just know that, you know, the money i am given i spend frugally and as i said they are very well taken care of. yes? >> thank you, general. i wanted to get your opinion something on guantanamo bay related and something that has been in the news. what did you think of the swap for bowe bergdahl and the five
7:42 pm
senior commanders at guantanamo bay? >> policy decision. it was an unusual transfer and when i got the call, these are very administrative things. my staff gets a piece of paper from the joint staff saying acquire c-17 and move 23 to a certain country. in this case i got a call directly from a senior official in the building. it was get these guys ready to go and having worked up here before this transfer issue was brought up initially and my involvement in it -- this was a couple years ago. has to be four years ago, say, and the transfer wasn't done obviously at that point. but i know when they called and
7:43 pm
gave me the five names and i said is this the bergdahl crowd and they said yes, same crowd. i followed orders. my question was am i getting the paperwork? and he said you will but it will be after. it was a dicey transfer because there was a lot of press there because there was a commission period. lots of press down there. when the press were waiting for their airplane and the families of the 9/11 crowd and all of us were down there we were doing the transfer and it never got caught. anyone down there at the time i am sure was probably, you know, should have been paying more attention. but that is a policy decision to transfer them. i know it caused a lot of angst in a lot of areas. but here again i don't try to slow down transfers. i facilitate transfers.
7:44 pm
i did by the way get the follow-up paperwork and when the airplane took off we deposited them and they are still there. >> were you concerned it was illegal since congress had not been notified? >> no, i am not involved in that process. i would never assume that anyone in this building for sure would break the law. the up and up was more in terms of is the paperwork ready? am i going to see? jennifer, we work on procedures and sop's and that kind of thing. i didn't assume anyone was doing something illegal. >> maria for radio colombia. the president will be celebrating 15 years of leader in colombia. i would like to know your expectations for the future? and the president from venezuela
7:45 pm
said the opposition is planning an international intervention and the united states is leading it and he mentioned you. >> it is crazy what leaks. how did he find that out? remarkable story in the last 15-18 years, colombia. a lot of people in washington and other places if they know about it at all think the united states gave massive amounts of assistance and all of that. but the colombians did it all themselves. we provided intelligence, advice and back to the question about advising and how long to do it but it takes a long time. there were never boots on the ground. human rights training was huge. how do we change our military to be better than it and it was very good at the time. they raised money through a war tax and frankly the elite of that country -- are you from
7:46 pm
colombia? your country was standing at the edge of a cliff looking down into hell. and your people decided to change that. and it is not perfect like we are not perfect but decided to change that. the congress and other people in washington i think four or five cents from the dollar came from the united states but the effort came from you. you are that close to ending this war. my feeling is the process of ending this war, and the first time i talked to president santos and the ministry of defense and the military men down there three years ago now, my first trip, my recollection was to colombia, i said if you think the previous 50 years have been hard the next 15 years will be more complicated. you are trying to do something that is not done often.
7:47 pm
you are ending an internal conflict. once you get the treaty you have to figure what to do with the young fighters that have been kidnapped, not recruited, from the villages. young kids at 12, 13, and 14 years old. what do you do with them after they have been fighters and that is all they know? you need to train them. downsize the military and gi bill thing. you need to train them. i use the term the gi bill for the farc because if you don't all they will do is stay in the drug business because they are up to here in drugs. so, it is going to be hard. i hope my country, i have been vocal about this, maybe too vocal, but i think people understand on the hill, that is where i have pitched this more than anywhere else, we have to
7:48 pm
stand and continue with colombia for another ten years. it gets smaller and smaller and smaller. we still have, and again it isn't a big money thing, it is more involvement in the process. i think with all due respect, and i am not out of line to suggest this, but the peace dividend is not going to be immediate. it will be there and the idea once the peace treaty is over and the lambs lie down with the lions is not going to happen. i spend about 40 seconds a day contemplating the situation in venezuela and that is in prayer for the people. any people at this time deserve better than what many people in venezuela have. it is democracy. we just saw a great election.
7:49 pm
that democracy is getting stronger but i can tell you there is no plan of any kind that i know of to do anything but leave the venezuela problem to the venezuela people. >> thank you. happy new year. >> going back to guantanamo bay, do you believe that some of the detainees were released in the past and they joined the siege, and right now we have isil and isis. do you think they are inspiring the young people because of their regional and there is no, what you call, freely running those countries. >> i suppose it depends on your agenda. a certain percentage of them
7:50 pm
7:51 pm
i would say i am proud of what they do down there. sometimes i am the only person making that point and sometimes i wish other people would make that point. the security in afghanistan and what this says about where we stand. >> i don't believe we can allow islamic extremist, which is a small percentage of people that follow that great religion, i don't think we can afford to let them have a safe haven. we know how to do these things. some might be out of the box in terms of policymakers. but if you take the point of not
7:52 pm
letting them have safe havens you have to do political action to prevent that. this is hard. this is really hard. we know how to do it. but it generally translates to more expensive and longer term than what maybe the nation hopes for. yes, ma'am? >> i believe that you are the most senior gold star father in uniform. i wanted to ask do you believe gold star families are supported? is there anything you would like to see the nation do or continue to do for them and following your retirement what is your planned involvement in that community? >> well, i think one of the things about losing any child, and you cannot imagine until it
7:53 pm
happens, and i hope to god it never does for you or anyone, and it doesn't matter how they die, to lose a child is -- i cannot imagine anything worse than that. i used to think when i would go to my trips up to walter reed or go to the funerals with the secretary of defense that i could somehow imagine what it would be like. or when i would send young people back from iraq that died under my command somehow you write those letters to try to sympathize. i lost a father, i lost a father, so you think it is something like that. but it is nothing like that. and so as a person that has lost a child in combat and the strong one in all of this is my wife, karen, and my two kids.
7:54 pm
but when you lose one in combat, in my opinion, there is a pride that goes with it that he didn't have to be there doing what he was doing, he wanted to be there, he volunteered, generally speaking there is no encouragement in our society to serve the nation, but many, many people do in uniform in the military as well as police officers and cia and fbi. i think they are special people but they are doing what they wanted to do. and they were with who they wanted to be with when they lost their lives. but i can tell you it is the most -- caught me by surprise the level of emotional impact and every day it continues. gold star families are special to say the least. they don't ask for much. i get occasionally letters from
7:55 pm
gold star families asking was it worth it? and i go back with it doesn't matter. that is not your question to ask. that young person thought it was worth it and that is the only opinion that counts. they don't ask for anything as i say. i think the one thing they would ask is that the cause for which their son or daughter fell can be characterized to a successful end as opposed to this is getting too costly and too much of a pain in the ass and walk away from it. that is when they start thinking about it might not have been worth it. >> following up on the narrative, you know, seeing what is going on right now does that give you pangs of frustration and anger for your wife, family and kids? i wanted to ask about gitmo.
7:56 pm
is there a general amount of time when a foreign government acknowledges they will accept a detainee and when they are actually transferred? what is the general time frame? >> it is pretty quick. i cannot put a number on it. when i first got to the job there were not as many foreign delegations. they seem to be common now. i had no idea what these countries depict these guys. zero idea. none of my business. when they come, i think they are going through the motion. i think they decided if there is a deal and they come to the western countries. we went to gitmo, met with the guy and he seemed honest and he would be willing to be a good boy.
7:57 pm
it is pretty quick. i think they come in and get the check. as they say, they always talk to at least the docs and to my senior guys to find out about behavior and all of that. the vast majority of them are very compliant. they are all bad boys. some were more effective in being bad boys than others. i don't think we can quibble on
7:58 pm
15, 12 or 8 years in detention is enough to pay for whatever they did. they are bad guys. they were senior guys. i was happy to see their year of restriction was extended and the administration fought hard for that in the receiving countries. i read the same stories and you are right about whether on the phone and doing their thing and i don't know about that. but these are senior guys. they were just senior guys and kind of not very difficult to deal with. there is a few down there i would like to punt because there are a few. but the vast majority are
7:59 pm
working with us. i took the job it was 166 and i think it is reported one went to kuwait today, two yesterday, day before one to ghana. you know there is more coming this month. if they go back to the fight we will probably kill them. that is a good thing. i want to end with that. i should end with that. ...
8:04 pm
protected cyber infrastructure. there is a great that the primary challenge is that most cyber attacks begin in other countries. this house hearing is two hours. >> the subcommittee on research and technology and oversight will come to order. without objection the chair has authorized to declare recesses of the subcommittee at anytime. good morning. welcome to today's hearing entitled, cyber security: what the federal government can learn from the private sector. in some of your packets contains written testimony, biographies, and disclosures for today's witnesses. i now recognize myself for five minutes for an opening statement.
8:05 pm
today's hearing continues this committee's commitment to find solutions for one of the great challenges of the 21st-century, cyber security. this is the second hearing we have held on cyber security since the news over the summer that the office of personnel management was the target of two massive data breaches exposing sensitive information of over 21.5 million americans, including many of my constituents. the breach highlighted the growing challenge of cyber threats for both the public and private sectors. in 2014 and 2015, cyber attacks on target, ebay, home depot, and anthem health insurance were just a few of the public breaches. the time has come for every manager and employee in both government and private organization to make cyber security a top priority in their daily work. for leaders to be held accountable for negligent failure to protect
8:06 pm
information. the american public and shareholders are demanding it. when criminal hackers gained access to 40 million target credit cards, the ceo and cio were fired. in the private sector. although the opm director resigned, i'm still not satisfied that the responsible parties have been held accountable for the failure of the agency to address known security vulnerabilities. the most recent ig audit found that opm has 23 systems that have not been subject to a thorough assessment. opm does not have a complete inventory of servers, databases, and network the in the system. i just met with a new advisor, clifton triplett, and the omb cyber advisor, i look forward to working with everyone to ensure
8:07 pm
our protection of our employees and their families. the state-sponsored cyber terrorists are getting creative and bolder in their attacks. the private sector has been at the forefront of dealing with these threats for some time. with the target of many of these attacks and as leaders in developing technology is workforce necessary to counter cyber threats. visa is preparing to open a new cyber security center in my district just this week. the state-of-the-art cyber security brings together nearly 100 highly trained security professionals into one high-tech campus and provides for collaboration both internally, and would enable information sharing and rapid response. i'm pleased that many companies on the forefront in this area my district. we have a number of those witnesses here today. i look for to get them from our witnesses
8:08 pm
who are all innovative thinkers in the private sector. i hope we can take the lessons we learn from you today and help apply them to protecting our federal information system and the sensitive information they contain. clearly we must work together and be able to more agile and adaptive to the ongoing threats that we nor the multiplication of information and all of our system that is going to exponentially increase over the coming years. this will be a permanent employment area for all of you, i'm sure. i now recognize the ranking member of the research and technology subcommittee, the gentleman from illinois, for his opening statement. >> thank you for holding this hearing. i want to thank all of the witnesses were being here today, i i look forward to hearing your
8:09 pm
testimony. jill had mentioned in her opening statement the real need to make sure that we do more in this area, we need to make sure that both in the public and private sector that people are held responsible for the hacks that do occur. we need to make sure that we have in place what we can do here, what congress can do to ensure there is an incentive for both public and private sector to try to avoid these hacks, this loss of information. i'm very interested to hear more from our witnesses on this. i'm certainly pleased that we are holding our first hearing on cyber security which is certainly increasingly an urgent challenge for our national security, and the personal security of every american.
8:10 pm
it is important we continue to hear from experts in government and the private sector about the latest developments in respect to both the risks and the technology and policies to combat those threats. our community plays an important role both the technology side and the policy side. this is an area in which members have successfully collaborated across the aisle. in december 2014, congress enacted the cyber security enhancement act, bipartisan research, education, and standards bill that i worked on with others over several years. over the last month, congress enacted to promote information sharing to strengthen the coordination between the private and public sector. at the committee, and if congress, we need to continue to confront the cyber threat. unfortunately we continue to see an increase in and threats.
8:11 pm
in a hearing we held in july we heard from a significant breach at the office of personnel management. in which personal information of millions of current past employees were compromised. highly sensitive filings were also compromised making it not just a problem for those individuals, but national security issue as well. we have laws in place to address the security federal information system. the federal information management act, and subsequent amendments establish policies and procedures with the development of standards and protocols. this has an important role. it is clear that federal agencies need to do a better job implementing the standard of protocols and congress needs to give them adequate resources to do so. the private sector is also under constant threat from cyber attacks. in the case of large companies, a recent study
8:12 pm
conducted found there is a 19% increase in cyber crimes between 2014 and 2015. the study also found that cyber crimes got significant economic damage. for 2015, cyber attacks resulted in 15,000,000 dollars. while threats continue to grow, private sector is taking steps to increase their system and the personal information of americans they gather doing routine business. to reduce our risk and improve the security cyber space will take combined effort of the federal government, private sector, our researchers and engineers, and the general public. although cyber attacks are becoming more sophisticated, often cyber attacks are successful because of human error. such as unknowingly opening a malicious e-mail or allowing one's credentials to be compromised. part of our effort must be to educate the public. another part, must be to better understand human behavior to
8:13 pm
make new tools and technology more effective. such as work being done to move beyond passwords. i look forward to hearing from witnesses today with best practices, more opportunities public, private partnerships. i'm also interested in hearing to what extent private business and organization voluntarily implement business standards developed and how you may be participating in or benefiting from other efforts. including the cyber security center for excellence and the framework for critical infrastructure. thank you, i yield back the balance of my time. >> thank you. i now recognize the chair of the oversight subcommittee, gentleman from georgia, for his opening statement. >> thank you, especially for
8:14 pm
continuing this important discussion. i'd like to thank our witnesses for being here today. to help us understand industries best practice when it comes to cyber security. i look forward to hearing about lessons learned and how to apply those lessons to our federal system to help prevent future cyber attacks. it's clear federal systems are not adequately protected. in fact, just this past summer witness from the government office stated, it is incumbent upon federal agencies to implement the appropriate security controls, to mitigate those risks at a cost effective and acceptable level. without these agencies have not consistently done this effectively. when i asked that same witness to grade our federal cyber security, he gave it a d. a rating of a d is not an acceptable grade. this administration owes it to the american people to significantly improve to sufficiently protect government information and thereby our national security.
8:15 pm
this administration also needs to explain how it is protecting the american people's personal information. as stated at the hearing the summer, the breach of data from the office of personnel management is exactly why the oversight committee that i chair continues to look into the collection of americans personal data to the website, healthcare.gov. in fact i'm still waiting for complete answers from the administration on questions i posed to the centers for medicare and medicaid services back in june. this administration has not sufficiently explained why it was ever necessary to identify or indefinitely store america personal data they submitted when logging into the healthcare data website. particularly those who did not end up enrolling. one would think president obama would agree that such a practice is unnecessary, as he identified cyber security is one of the most serious economic and national security challenges we face as a nation. but one that we as a government or country are not adequately
8:16 pm
prepared to counter. it is one of the most serious challenges we face, why on earth would the government think about serena's personal information indefinitely in data warehouses? as chairman of the oversight subcommittee i will continue to ask questions and demand answers until we are satisfied that the federal department and agencies are making decisions in the best interest of protecting the personal information of all americans. the safety and security of americans in this nation must be our number one priority. having continuously subpar security of our federal system is embarrassing and must be rectified immediately. the delays must stop, it's time to do something about federal cyber security. i look forward to the witnesses testimony in today's hearing, i had to learn more about the various industry best practices and lessons learned, and hope that'll shed light on what the government could, and should be doing to protect our citizens from constantly evolving cyber threats.
8:17 pm
drama, i yield back the balance of my time. >> thank you chairman. i now recognize the ranking member of the subcommittee on oversight for his opening statement. >> thank you for holding today's hearing. thank you witnesses for spending friday morning with us. as we keep relearning after each new attack, cyber security is critical and daunting challenge. today the data that we create, store access and share online contains information about every aspect of our lives. our collected digital universes banking, birth records, tax files, and on and on. last week i went on -- i took an alzheimer's test last night online which results i hope don't show up in my next campaign. we electronically communicate with our kids, and their
8:18 pm
teachers about their academic achievements. i find that none of my kids will return my phone call but they will text me back. newsflash, none of this information is secure. immediate access to these digital provides advantages to businesses and consumers who are highly dependent on information we have gathered on our customers. the next time someone needs something changed on their car. it also offers cyber criminals, and cyber espionage and perhaps even more dangerous, it is not going at a price that requires constant vigilance and continuous adoption. last year's opm attack was a huge concern for all the federal workers that live in our districts across the country. there are procedural failures that are now being addressed but no one is immune from cyber attacks. not the government, not the private sector.
8:19 pm
according to the privacy rights clearinghouse, nonprofit, nonpartisan organization, in 2015 there were 17 reported breaches against .gov or .mil addresses that resulted in access of 27.8 million records. during that same time period, the private sector experienced 184 breaches that resulted in 130.5 million records. we need to educate federal workers, it is very important, i look forward to today's hearing. i'm sure there are many lessons we learn from you today. i also look forward to the equal certainty that there is much that the private sector can learn from the government, specially the department of defense and our intelligence community. i look forward to the discussion today, thank you for being here. >> i yield back my time.
8:20 pm
>> thank you, now recognize the chairman of the committee. >> last year, more than 178 million records were breached. this included members and staff of this committee. united states is a top target for foreign countries, cyber criminals and hackers exploit vulnerabilities in our network and cyber systems to obtain valuable information. the #security has increased over 1000% in the last eight years. in 2014, more than 67000 cyber attacks were reported and many others were not. a number of federal agencies guard
8:21 pm
our interests. several are under the jurisdiction of the science committee. these include the national science foundation, the national institute of standards and technology, the department of homeland security science and technology, and the department of energy. all of these agencies support critical research to promote cyber security and set federal standards. however, it is clear that too many federal agencies like opm failed to meet the basic standards. more must be done to ensure agencies make cyber security a top priority. last year audits revealed that 19 out of 24 major federal agencies failed to meet the basic cyber security standards mandated by law. yet the administration has allowed deficient systems to stay online. what are the consequences when a federal agency fails to meet its basic duties to protect sensitive information? what does it say to federal employees, not to mention our adversaries when cabinet secretaries don't take cyber securities seriously and fail to follow the most basic e-mail
8:22 pm
security practices regarding our country's classified information. in the private sector, those who neglect the duty of keeping their customer secure usually fired. in the federal government, it seems the only people penalized are the millions of innocent americans who have their personal information exposed. during the last congress, was in proved the cyber security enhancement act which was signed into law. this law improves america's cyber security abilities and strengthen strategic planning for cyber security research and development. it supports nsf scholarships to improve the quality of our workforce, and also improve cyber security research development and public outreach organized. last month, similar bill, the cyber security act of 2015 was signed into law. very importantly, this bill encourages private companies to voluntarily share information about imminent cyber threats
8:23 pm
with the other as well as with the federal government. the science committee will continue its effort to support research and development to strengthen the cyber defenses. i look forward to hearing from our witnesses today about what more we can do to support innovation and help set national standards and guidelines that will enhance our country cyber security. thank you again, i yield back. >> thank you mr. chairman. at this time i would like to introduce our witnesses. john wood, chief executive officer and chairman of the board for telos corporation, a leading technology and company that address cyber security, secure mobility and identity management issues for corporations and governments worldwide. he serves on the board of northern virginia technology council, home of the nationally acclaimed wolf trap
8:24 pm
institute for early learning of the arts and it's really stem arts program. he is the founding chairman of the loudoun county ceo cabinet. prior to joining telos in 1992, he worked on wall street after earning his degree in finance and computer science at georgetown university. he is very active in stem education and getting young people engaged and evolving them personally. both with your company and our school system, i appreciate all that you do in that area. doctor martin, is senior vice president and general manager of the networking business unit. he joins vmware 2012 and the company acquired -- he was
8:25 pm
cofounder. he previously held research position at lawrence livermore national laboratory where he worked on national security. he has been recognized as one of the industry's leading innovator, has been featured on business insider's 50 most powerful people and enterprise tech, forbes next-generation innovator, and he received his masters and phd from stanford. mr. ken schneider serves as vice president at symantec. the focus on driving and overall technology strategy across the company. he was previously chief technology officer of the enterprise security and security data management group. prior to joining symantec, he served as cto of -- before that he founded south beach software,
8:26 pm
software consulting company that develop products for the professional video market. he also received a master of science in mechanical engineering from university of california, berkeley, a bachelor science as well. he is the president and chief executive officer of the internet security alliance, multisector trade association focused on leadership, policy advocacy and promoting sound security practices were corporation. he is widely published on cyber security and is the principal author of the cyber risk handbook, the corporate boards published by the national association of directors in 2014, endorsed by the department of homeland security in 2015. the nicd also named him as one of the most influential individuals. he is in demand internationally having spoken in europe, asia, and latin america. we are glad to have a mere
8:27 pm
today. in order to allow time for your discussion, please limit your testimony to five minutes. your entire written statement, which i nor more extensive and have lots of good information that will have in our public record, since we're on c-span today, i would encourage the public to also look at the full statement to get more information. with that, i will recognize mr. wood for five minutes to present his testimony. >> thank you. i would like to thank chairwoman and the other chairs and ranking members for the invitation to share some thoughts on behalf of cyber security and risk management. as i noted in my written statement, telos protects the world's most important enterprise. the first point i would like to highlight is that all enterprises, public and private
8:28 pm
need to emphasize cyber hygiene in their day to day operational practices and employee training. why do i make this first point? because the 2015 verizon data breach investigation report found that the overwhelming common denominator in security incidents is people. nearly all of the security incidents may have been avoided if organizations have taken basic steps to help their employees follow simple cyber security precautions. here are five basic steps that organizations should take to help better protect themselves from attacks. first, establish and enforce cyber security policies and procedures. second, include effective password management practices. third, require regular security awareness training. fourth, implement timely updates and patches to manage vulnerabilities. fifth, use up-to-date endpoint
8:29 pm
security solutions. these five basic steps serve as the foundation for strong cyber security program. every it security professional knows them and the importance of following through with them cannot be overstated. further, these practices must be embraced in the boardroom and by management so that a culture of cyber security is created throughout the organization from the top down. happy and said, every organization with high-value digital assets needs to assume it has always been already been breached or will be. this leads my second point. that is incident response and remediation are just as important to organizations as cyber defense and strategies. telus has developed a rigorous framework for incident response with essential steps like preparation, containment, radical eradication, and recovery which we use ourselves and implement for our customers. further, it is not realistic
8:30 pm
to expect every organization to have the time or financial and human resources needed to successfully defend everything. that is why management is so critical for effective cyber security. risk management involves identifying, evaluating, and either accepting or mitigating uncertainty in decision-making. private and public sector organizations need to make cost-benefit choices about what systems to defend and how to defend them. based on the likelihood of an asset being attacked, the value of the asset being attacked, the cost of defending the asset, and the cost of losing the asset. that approach is reflected in the continuous diagnostic and mitigation program established by congress, quote to provide adequate risk based cost effective cyber security and more efficiently evaluate cyber security resources. this continued diagnostic
8:31 pm
remediation program extends continuous monitoring in the area of diagnostics and mitigation while acknowledging that risk management is called for when you have to meet infinite needs with finite resources. that is also the value of initiatives like other framework. they put cyber security solutions and best practices in the context of risk management and compliance. this brings me to my third point. the standards and methods of cyber security are very good but they cannot succeed unless companies follow them. we should be looking for ways that market forces can incentivize companies to voluntarily take the strongest possible actions to protect themselves. this includes following the standards and practices. the various sectors are just that, critical. they're so important to our national defense, our economy, and our way of life that it is
8:32 pm
imperative that government private sectors encourage organizations in these sectors to use best practices. one promising area of incentivizing companies is tied to the growth of cyber insurance market. the commerce department has described cyber insurance as an effective market-driven way of increasing cyber security. the treasury department has also suggested that the increasing demand of cyber insurance may help drive private-sector policyholders to adopt the cyber security framework. as insurance companies get their arms around the cyber security actuary data that accumulate with each new breach, they will want to have insights into what their clients are doing to protect themselves. are they applying sufficient ongoing protection for their systems and data? are they using the framework or an equipment standard? impact insurance companies may require their companies to adopt the framework in order to demonstrate insurability and
8:33 pm
reduce their premiums. when that happens we can see greater market-based pressure that will require other companies to do the same. market force in the fear of -- for companies to demonstrate that they have exercise with due care to protect their customers and assets. one additional point. cyber security is too important to do on the cheap. overreliance on lowest price, technically acceptable contracts can be very risky to feel that has so room for error. cyberspace must be appropriately funded. u.s. cyber command has been funded at a level this year that represents a mere 11 thousands of the overall doj budget. by contrast, just for banks are spending three times the amount of cyber security. j.p. morgan, if they got hacked and decided to double their it
8:34 pm
from $250 million a year to $500 million a year, more than all cyber commands. the financial sector is an example of them taking their responsibilities very seriously and devoting the resources necessary to protect themselves. again, i appreciate the opportunity to share our perspective and i would be glad to answer any question. thank you. >> thank you. i will now hear from doctor -- >> thank you all members of the committee i'm super thrilled to be here. i'm sr. vice president and general manager of networking at vmware. it is the fourth largest software company in the world with over $6 billion in over 18000 employees. the nature of security breach at the office of personnel
8:35 pm
management was not particularly unique. hackers were able to penetrate network systems and gain access to opm and the primitive interior systems where they were free to access and steal data over a period of several months. hackers typically use this attack methodology because the systems are designed to be doors to the network. these allow authorized users to use the system. however, perimeter security is a single point of entry that must be breached or circumvented in order to enter the network. once the intruder has passed the perimeter, there is no simple means to stop malicious activity from occurring. in many cases the response from companies is to add more security technology to the perimeter which ignores the structural issue. which is basically an imaginal line. there's three points for consideration. one, every recent agency breach
8:36 pm
has had one thing in common, the attacker, once inside has been able to move freely around agency network. two, policies, mandates and techniques are necessary but insufficient for protecting government assets alone. three. the attacks will continue but we can increase our ability to mitigate the attacks when they do. there perimeter's centric activities that will stop an attacker from getting inside the network. perimeter centric security solutions can only be asks us with a key, the only is to deny entry from anyone who does not have a key. however once it's been open people can move about on the beta. in order to effectively prevent an attacker from moving freely around the network they must compartmentalize their by adding zero trust within the data center.
8:37 pm
zero trust environment prevents unauthorized lateral movement within the data center by establishing government rules that manage the rules. when the user's system breaks the rules the potential threat incident is compartmentalized and security staff can take any appropriate action to investigate the threat not put the entire network in jeopardy. compartmentalization is equivalent to putting each interior room with locks. this negates the magnitude of a break-in. these approaches are standard in the commercial industry and need to become the gold standard across the federal government. we see many government agencies but the potential for the breaches to build a new called the green environment. agencies reach this conclusion because existing data centers are seem to be compromised unsalvageable.
8:38 pm
this is a legitimate strategy but it fails to -- existing networks for data centers continue to operate while the new environment as being provision which leaves sensitive data vulnerable continue to attack. it can take months or years to start up a new environment. as we have seen this is what happened with the attack at opm. they were building a new enhanced network but the attack occurred on the existing system. without clear cyber security guidelines, mandated new software-based strategies that go beyond the new environments are subject to attacked as soon as they become operational. this approach is insufficient and untimely. agencies have the ability to upgrade and add zero trust to find solutions that are more cost-effective. by deploying this technology is within our nation people can avoid billions of dollars of
8:39 pm
investment. thank you very much for the opportunity to testify today. i look forward to answering your questions. >> thank you. now we'll hear from mr. schneider. >> chairman, thank you for the opportunity to testify today. the focus of today's hearing is right on point. cyber security is a shared responsibility in the public private sector must work together closely to counter the threats. many of the headlines about cyber attacks focus on data breaches both in government and across industries. but it can be much more than that. in the instance today we see basic schemes to denial attacks,
8:40 pm
to sophisticated and destructive intrusions into infrastructure systems. the attackers include highly organized criminal enterprise, disgruntled employees, individual cyber criminals, and state-sponsored groups. the attack methods vary in the only is that the techniques are involving an improvement. for instance spear phishing or customers targeted e-mail is still one of the most common forms of attack. social media is also an increasingly popular attack as people tend to trust links that appear to come from a friend social media feed. the scene of growth of what we call watering hole attacks. for example, last year legitimate software developers were tricked into using compromised apps. further the attack surface continues to expand as both a
8:41 pm
private and public sector moved to the cloud. the internet of things and billions of new devices coming online will bring with them a new generation of security challenges. for example, we predict the sale of 84,000,000 where both in 2015. each of those 84,000,000 users is transmitting sensitive data into cloud platforms that must be secured. preventing attacks requires an integrative approach. i refute to that is our unified secured strategy. at its core the five functions serve as a useful outline to discuss a useful approach to cyber security. first is identify. you cannot protect what you cannot see. the test goes beyond identifying hardware and software, and includes that the most critical assets are done by the protected. next is protect, starts with people. an organization is to ensure the workforce practices good cyber
8:42 pm
hygiene and is ready for the latest comes in scams. technology is important too, modern endpoint security discovers unknown or emerging threats that may otherwise be missed. it is critical to monitor the overall operation of the system to look for unusual activity that can signal an infection. information protection is important. this record the data loss prevention system that controls data across the organization. the third function is detect. an organization needs to know what is going on inside it system as well as who is trying to access what and how they're trying to do so. by doing so the systems are able to protect threats that bypass other protections. for this response, good planning is the foundation of an effective cyber security strategy. if and when incident occurs they must have a well-defined
8:43 pm
playbook to respond quickly and effectively. interviewing potential vendors is not a good use of time while an organization is leaking sensitive data. you need to get impact insistence back up and ready and security based on the lessons learned from the breach. it requires preparation and planning, for example for preparation could leave with incomplete or corrupt backups. the most important part is to learn from the incident. cooperation is key to improving cyber security. these include national -- fbi, nato, and others. we have also been involved in several operations to take down all networks several high profile such as the game over zeus, and other botnets.
8:44 pm
we need partnership and shared expertise. the government can learn from the private sector experience. we appreciate the committee's interest for learning from semantics best practices. i look forward to taking questions. >> thank you. now we'll hear from mr. clinton. >> thank you madame chairman and members of the committee. it is an honor to be here. i like to focus on five areas that i think where the federal government can learn from this private sector. first, government needs to invest much more in cyber security. private sector spending on cyber security has nearly doubled in the last several years, 220,000,000,000 dollars annually. the federal non-defense spending on cyber security will be between six and $7 billion. private sector spending will increase 24% next year, federal spending is increasing