tv Key Capitol Hill Hearings CSPAN January 9, 2016 6:00am-8:01am EST
6:00 am
threats for both the public and private sectors. In 2014 and 2015, cyber attacks on Target, eBay, Home Depot, and Anthem health insurance were just a few of the public breaches. The time has come for every manager and employee in both government and private organizations to make cyber security a top priority in their daily work, and for leaders to be held accountable for negligent failure to protect information. The American public and shareholders are demanding it. When criminal hackers gained access to 40 million Target credit cards, the CEO and CIO were fired, in the private sector. Although the OPM director resigned, I'm still not satisfied that the responsible parties have been held accountable for the failure of the agency to address known security vulnerabilities.
6:01 am
The most recent IG audit found that OPM has 23 systems that have not been subject to a thorough assessment. OPM does not have a complete inventory of servers, databases, and network devices in the system. I just met with the new advisor, Clifton Triplett, and the OMB cyber advisor, and I look forward to working with everyone to ensure our protection of our employees and their families. The state-sponsored cyber terrorists are getting creative and bolder in their attacks. The private sector has been at the forefront of dealing with these threats for some time, as the target of many of these attacks and as leaders in developing the technology and workforce necessary to counter cyber threats. Visa is preparing to open a new
6:02 am
cyber security center in my district just this week. The state-of-the-art cyber security center brings together nearly 100 highly trained security professionals into one high-tech campus and provides for collaboration both internally and externally, enabling information sharing and rapid response. I'm pleased that many companies on the forefront in this area are in my district. We have a number of those witnesses here today. I look forward to hearing from our witnesses, who are all innovative thinkers in the private sector. I hope we can take the lessons we learn from you today and help apply them to protecting our federal information systems and the sensitive information they contain. Clearly we must work together and be able to be more agile and adaptive to the ongoing threats that we know, and the multiplication of information in all of our systems that is going to exponentially increase over the
6:03 am
coming years. This will be a permanent employment area for all of you, I'm sure. I now recognize the ranking member of the Research and Technology Subcommittee, the gentleman from Illinois, for his opening statement. >> Thank you for holding this hearing. I want to thank all of the witnesses for being here today, and I look forward to hearing your testimony. The chair mentioned in her opening statement the real need to make sure that we do more in this area; we need to make sure that, both in the public and private sector, people are held responsible for the hacks that do occur. We need to make sure that we have in place what we can do
6:04 am
here, what Congress can do, to ensure there is an incentive for both the public and private sector to try to avoid these hacks, this loss of information. I'm very interested to hear more from our witnesses on this. I'm certainly pleased that we are holding our first hearing on cyber security, which is certainly an increasingly urgent challenge for our national security and the personal security of every American. It is important we continue to hear from experts in government and the private sector about the latest developments with respect to both the risks and the technology and policies to combat those threats. Our committee plays an important role on both the technology side and the policy side. This is an area in which members have successfully collaborated across the aisle.
6:05 am
In December 2014, Congress enacted the Cybersecurity Enhancement Act, a bipartisan research, education, and standards bill that I worked on with others over several years. Over the last month, Congress enacted legislation to promote information sharing to strengthen the coordination between the private and public sectors. At the committee, and in Congress, we need to continue to confront the cyber threat. Unfortunately we continue to see an increase in attacks and threats. In a hearing we held in July we heard about a significant breach at the Office of Personnel Management, in which the personal information of millions of current and past employees was compromised. Highly sensitive filings were also compromised, making it not just a problem for those individuals but a national security issue as well. We have laws in place to address the security of federal information systems. The Federal Information Security Management Act and subsequent
6:06 am
amendments establish policies and procedures along with the development of standards and protocols. This has an important role. It is clear that federal agencies need to do a better job implementing the standards and protocols, and Congress needs to give them adequate resources to do so. The private sector is also under constant threat from cyber attacks. In the case of large companies, a recent study found there was a 19% increase in cyber crimes between 2014 and 2015. The study also found that cyber crimes cause significant economic damage. For 2015, cyber attacks resulted in $15 million in costs. While threats continue to grow, the private sector is taking steps to secure their systems and the personal information of Americans they gather doing routine business. To reduce our risk and improve
6:07 am
the security of cyberspace will take the combined effort of the federal government, the private sector, our researchers and engineers, and the general public. Although cyber attacks are becoming more sophisticated, often cyber attacks are successful because of human error, such as unknowingly opening a malicious e-mail or allowing one's credentials to be compromised. Part of our effort must be to educate the public. Another part must be to better understand human behavior to make new tools and technology more effective, such as work being done to move beyond passwords. I look forward to hearing from witnesses today about best practices and more opportunities for public-private partnerships. I'm also interested in hearing to what extent private businesses and organizations voluntarily implement the standards developed, and how you may be
6:08 am
participating in or benefiting from other efforts, including the Cybersecurity Center of Excellence and the framework for critical infrastructure. Thank you, I yield back the balance of my time. >> Thank you. I now recognize the chair of the Oversight Subcommittee, the gentleman from Georgia, for his opening statement. >> Thank you, especially for continuing this important discussion. I'd like to thank our witnesses for being here today to help us understand industry's best practices when it comes to cyber security. I look forward to hearing about lessons learned and how to apply those lessons to our federal systems to help prevent future cyber attacks. It's clear federal systems are not adequately protected. In fact, just this past summer a witness from the Government Accountability Office stated, "It is incumbent upon federal agencies to implement the appropriate security controls to mitigate those
6:09 am
risks at a cost-effective and acceptable level." However, these agencies have not consistently done this effectively. When I asked that same witness to grade our federal cyber security, he gave it a D. A rating of a D is not an acceptable grade. This administration owes it to the American people to significantly improve, to sufficiently protect government information and thereby our national security. This administration also needs to explain how it is protecting the American people's personal information. As stated at the hearing this summer, the breach of data from the Office of Personnel Management is exactly why the Oversight Subcommittee that I chair continues to look into the collection of Americans' personal data through the website healthcare.gov. In fact, I'm still waiting for complete answers from the administration on questions I posed to the Centers for Medicare and Medicaid Services
6:10 am
back in June. This administration has not sufficiently explained why it was ever necessary to collect and indefinitely store Americans' personal data they submitted when logging into the healthcare website, particularly those who did not end up enrolling. You would think President Obama would agree that such a practice is unnecessary, as he identified cyber security as one of the most serious economic and national security challenges we face as a nation, but one that we as a government or country are not adequately prepared to counter. If it is one of the most serious challenges we face, why on earth would the government think about storing Americans' personal information indefinitely in data warehouses? As chairman of the Oversight Subcommittee I will continue to ask questions and demand answers until we are satisfied that the federal departments and agencies are making decisions in the best interest of protecting the personal information of all Americans. The safety and security of Americans in this nation must be our number one priority.
6:11 am
Having continuously subpar security of our federal systems is embarrassing and must be rectified immediately. The delays must stop; it's time to do something about federal cyber security. I look forward to the witnesses' testimony in today's hearing. I hope to learn more about the various industry best practices and lessons learned, and hope that will shed light on what the government could and should be doing to protect our citizens from constantly evolving cyber threats. Thank you, I yield back the balance of my time. >> Thank you, Chairman. I now recognize the ranking member of the Subcommittee on Oversight for his opening statement. >> Thank you for holding today's hearing, and thank you, witnesses, for spending Friday morning with us. As we keep relearning after each new attack, cyber security is a critical and daunting challenge. Today the data that we create, store, access and share online
6:12 am
contains information about every aspect of our lives. Our collected digital universe includes banking, birth records, tax files, and on and on. Last week I went on -- I took an Alzheimer's test last night online, whose results I hope don't show up in my next campaign. We electronically communicate with our kids and their teachers about their academic achievements. I find that none of my kids will return my phone call, but they will text me back. Newsflash: none of this information is secure. Immediate access to this digital data provides advantages to businesses and consumers, who are highly dependent on the information we have gathered on our customers, for instance the next time someone needs something changed on their car.
6:13 am
It also offers opportunities to cyber criminals and cyber espionage, and perhaps even more dangerous actors. It is not going away; it is a threat that requires constant vigilance and continuous adaptation. Last year's OPM attack was a huge concern for all the federal workers that live in our districts across the country. There are procedural failures that are now being addressed, but no one is immune from cyber attacks: not the government, not the private sector. According to the Privacy Rights Clearinghouse, a nonprofit, nonpartisan organization, in 2015 there were 17 reported breaches against .gov or .mil addresses that resulted in access to 27.8 million records. During that same time period, the private sector experienced 184 breaches that resulted in 130.5 million records.
6:14 am
We need to educate federal workers; it is very important. I look forward to today's hearing. I'm sure there are many lessons we will learn from you today. I also say with equal certainty that there is much that the private sector can learn from the government, especially the Department of Defense and our intelligence community. I look forward to the discussion today; thank you for being here. I yield back my time. >> Thank you. I now recognize the chairman of the committee. >> Last year, more than 178 million records were breached. This included members and staff of this committee. The United States is a top target for foreign countries, cyber
6:15 am
criminals and hackers who exploit vulnerabilities in our networks and cyber systems to obtain valuable information. The number of security incidents has increased over 1,000% in the last eight years. In 2014, more than 67,000 cyber attacks were reported, and many others were not. A number of federal agencies guard our interests. Several are under the jurisdiction of the Science Committee. These include the National Science Foundation, the National Institute of Standards and Technology, the Department of Homeland Security Science and Technology, and the Department of Energy. All of these agencies support critical research to promote cyber security and set federal standards. However, it is clear that too many federal agencies like OPM failed to meet the basic standards. More must be done to ensure agencies make cyber security a top priority. Last year audits revealed that
6:16 am
19 out of 24 major federal agencies failed to meet the basic cyber security standards mandated by law. Yet the administration has allowed deficient systems to stay online. What are the consequences when a federal agency fails to meet its basic duties to protect sensitive information? What does it say to federal employees, not to mention our adversaries, when cabinet secretaries don't take cyber security seriously and fail to follow the most basic e-mail security practices regarding our country's classified information? In the private sector, those who neglect the duty of keeping their customers secure are usually fired. In the federal government, it seems the only people penalized are the millions of innocent Americans who have their personal information exposed. During the last Congress, we approved
6:17 am
the Cybersecurity Enhancement Act, which was signed into law. This law improves America's cyber security abilities and strengthens strategic planning for cyber security research and development. It supports NSF scholarships to improve the quality of our workforce, and also improves cyber security research, development, and public outreach. Last month, a similar bill, the Cybersecurity Act of 2015, was signed into law. Very importantly, this bill encourages private companies to voluntarily share information about imminent cyber threats with each other as well as with the federal government. The Science Committee will continue its efforts to support research and development to strengthen our cyber defenses. I look forward to hearing from our witnesses today about what more we can do to support innovation and help set national standards and guidelines that will enhance our country's cyber security. Thank you again, I yield back. >> Thank you, Mr. Chairman.
6:18 am
At this time I would like to introduce our witnesses. John Wood is chief executive officer and chairman of the board for Telos Corporation, a leading technology company that addresses cyber security, secure mobility and identity management issues for corporations and governments worldwide. He serves on the board of the Northern Virginia Technology Council, home of the nationally acclaimed Wolf Trap Institute for Early Learning Through the Arts and its early STEM arts program. He is the founding chairman of the Loudoun County CEO Cabinet. Prior to joining Telos in 1992, he worked on Wall Street after earning his degree in finance and computer science at Georgetown University. He is very active in STEM education and getting young people engaged
6:19 am
and involving them personally, both with your company and our school system. I appreciate all that you do in that area. Dr. Martin is senior vice president and general manager of the networking business unit. He joined VMware in 2012 when the company acquired --, of which he was cofounder. He previously held a research position at Lawrence Livermore National Laboratory, where he worked on national security. He has been recognized as one of the industry's leading innovators, has been featured on Business Insider's 50 Most Powerful People in Enterprise Tech and Forbes' next-generation innovators, and he
6:20 am
received his master's and PhD from Stanford. Mr. Ken Schneider serves as vice president at Symantec, with a focus on driving the overall technology strategy across the company. He was previously chief technology officer of the Enterprise Security and Security Data Management Group. Prior to joining Symantec, he served as CTO of --. Before that he founded South Beach Software, a software consulting company that developed products for the professional video market. He received a master of science in mechanical engineering from the University of California, Berkeley, as well as a bachelor of science. Mr. Clinton is the president and chief executive officer of the Internet Security Alliance, a multisector trade association focused on thought leadership, policy advocacy and promoting sound security practices for
6:21 am
corporations. He is widely published on cyber security and is the principal author of the Cyber Risk Handbook for corporate boards, published by the National Association of Corporate Directors in 2014 and endorsed by the Department of Homeland Security in 2015. The NACD also named him as one of the most influential individuals. He is in demand internationally, having spoken in Europe, Asia, and Latin America. We are glad to have him here today. In order to allow time for your discussion, please limit your testimony to five minutes. Your entire written statements, which I know are more extensive and have lots of good information, will be in our public record. Since we're on C-SPAN today, I would encourage the public to also look at the full statements to get more information. With that, I will recognize Mr. Wood for five minutes to present his testimony. >> Thank you.
6:22 am
I would like to thank the chairwoman and the other chairs and ranking members for the invitation to share some thoughts on cyber security and risk management. As I noted in my written statement, Telos protects the world's most important enterprises. The first point I would like to highlight is that all enterprises, public and private, need to emphasize cyber hygiene in their day-to-day operational practices and employee training. Why do I make this first point? Because the 2015 Verizon Data Breach Investigations Report found that the overwhelming common denominator in security incidents is people. Nearly all of the security incidents may have been avoided if organizations had taken basic steps to help their
6:23 am
employees follow simple cyber security precautions. Here are five basic steps that organizations should take to help better protect themselves from attacks. First, establish and enforce cyber security policies and procedures. Second, implement effective password management practices. Third, require regular security awareness training. Fourth, implement timely updates and patches to manage vulnerabilities. Fifth, use up-to-date endpoint security solutions. These five basic steps serve as the foundation for a strong cyber security program. Every IT security professional knows them, and the importance of following through with them cannot be overstated. Further, these practices must be embraced in the boardroom and by management so that a culture of cyber security is created throughout the organization from the top down.
6:24 am
Having said that, every organization with high-value digital assets needs to assume it has already been breached or will be. This leads to my second point: that incident response and remediation are just as important to organizations as cyber defense strategies. Telos has developed a rigorous framework for incident response with essential steps like preparation, containment, eradication, and recovery, which we use ourselves and implement for our customers. Further, it is not realistic to expect every organization to have the time or the financial and human resources needed to successfully defend everything. That is why risk management is so critical for effective cyber security. Risk management involves identifying, evaluating, and either accepting or mitigating uncertainty in decision-making. Private and public sector organizations need to make cost-benefit choices about what systems to defend and how to defend them,
6:25 am
based on the likelihood of an asset being attacked, the value of the asset being attacked, the cost of defending the asset, and the cost of losing the asset. That approach is reflected in the Continuous Diagnostics and Mitigation program established by Congress, quote, "to provide adequate, risk-based, cost-effective cyber security and more efficiently allocate cyber security resources." This Continuous Diagnostics and Mitigation program extends continuous monitoring into the areas of diagnostics and mitigation while acknowledging that risk management is called for when you have to meet infinite needs with finite resources. That is also the value of initiatives like the framework. They put cyber security solutions and best practices in the context of risk management and compliance. This brings me to my third point. The standards and methods of
6:26 am
cyber security are very good, but they cannot succeed unless companies follow them. We should be looking for ways that market forces can incentivize companies to voluntarily take the strongest possible actions to protect themselves. This includes following the standards and practices. The various critical infrastructure sectors are just that, critical. They're so important to our national defense, our economy, and our way of life that it is imperative that government and the private sector encourage organizations in these sectors to use best practices. One promising area of incentivizing companies is tied to the growth of the cyber insurance market. The Commerce Department has described cyber insurance as an effective market-driven way of increasing cyber security. The Treasury Department has also suggested that the increasing demand for cyber insurance may
6:27 am
help drive private-sector policyholders to adopt the cyber security framework. As insurance companies get their arms around the cyber security actuarial data that accumulates with each new breach, they will want to have insights into what their clients are doing to protect themselves. Are they applying sufficient ongoing protection for their systems and data? Are they using the framework or an equivalent standard? In fact, insurance companies may require their client companies to adopt the framework in order to demonstrate insurability and reduce their premiums. When that happens we can see greater market-based pressure that will require other companies to do the same. Market forces and the fear of -- for companies to demonstrate that they have exercised due care to protect their customers and assets. One additional point. Cyber security is too important
6:28 am
to do on the cheap. Overreliance on lowest-price, technically acceptable contracts can be very risky in a field that has so little room for error. Cyberspace must be appropriately funded. U.S. Cyber Command has been funded at a level this year that represents a mere 11 thousandths of the overall DoD budget. By contrast, just four banks are spending three times that amount on cyber security. J.P. Morgan, after they got hacked, decided to double their IT security budget from $250 million a year to $500 million a year, more than all of Cyber Command's. The financial sector is an example of them taking their responsibilities very seriously and devoting the resources necessary to protect themselves. Again, I appreciate the opportunity to share our perspective, and I would be glad to answer any questions. Thank you. >> Thank you. I will now hear from Doctor --
6:29 am
>> Thank you, chairwoman and members of the committee. I'm super thrilled to be here. I'm senior vice president and general manager of networking at VMware. It is the fourth largest software company in the world, with over $6 billion in revenue and over 18,000 employees. The nature of the security breach at the Office of Personnel Management was not particularly unique. Hackers were able to penetrate network systems and gain access to OPM's perimeter and interior systems, where they were free to access and steal data over a period of several months. Hackers typically use this attack methodology because perimeter systems are designed to be doors to the network. These allow authorized users to use the system.
6:30 am
However, perimeter security is a single point of entry that must be breached or circumvented in order to enter the network. Once the intruder has passed the perimeter, there is no simple means to stop malicious activity from occurring. In many cases the response from companies is to add more security technology to the perimeter, which ignores the structural issue: it is basically a Maginot line. There are three points for consideration. One, every recent agency breach has had one thing in common: the attacker, once inside, has been able to move freely around the agency network. Two, policies, mandates and techniques are necessary but insufficient for protecting government assets alone. Three, the attacks will continue, but we can increase our ability to mitigate the attacks when they do. There are no perimeter-centric activities that will stop an attacker from getting inside
6:31 am
the network. Perimeter-centric security solutions can only be accessed with a key; the only option is to deny entry to anyone who does not have a key. However, once it's been opened, people can move about freely inside. In order to effectively prevent an attacker from moving freely around the network, agencies must compartmentalize their networks by adding zero trust within the data center. A zero trust environment prevents unauthorized lateral movement within the data center by establishing governing rules that manage access. When a user's system breaks the rules, the potential threat incident is compartmentalized and security staff can take any appropriate action to investigate the threat without putting the entire network in jeopardy. Compartmentalization is equivalent to fitting each
6:32 am
interior room with locks. This mitigates the magnitude of a break-in. These approaches are standard in commercial industry and need to become the gold standard across the federal government. We see many government agencies, faced with the potential for breaches, choosing to build a new so-called greenfield environment. Agencies reach this conclusion because existing data centers are seen to be compromised and unsalvageable. This is a legitimate strategy, but it fails to -- existing networks and data centers continue to operate while the new environment is being provisioned, which leaves sensitive data vulnerable to continued attack. It can take months or years to start up a new environment. As we have seen, this is what happened with the attack on OPM. They were building a new enhanced network, but the attack occurred on the existing system.
6:33 am
Without clear cyber security guidelines mandating new software-based strategies, new environments are subject to attack as soon as they become operational. This approach is insufficient and untimely. Agencies have the ability to upgrade and add zero trust through software-defined solutions that are more cost-effective. By deploying these technologies within existing data centers, agencies can avoid billions of dollars of investment. Thank you very much for the opportunity to testify today. I look forward to answering your questions. >> Thank you. Now we'll hear from Mr. Schneider.
6:34 am
>> Chairman, thank you for the opportunity to testify today. The focus of today's hearing is right on point. Cyber security is a shared responsibility, and the public and private sectors must work together closely to counter the threats. Many of the headlines about cyber attacks focus on data breaches, both in government and across industries, but it can be much more than that. In the incidents we see today, they range from basic schemes and denial-of-service attacks to sophisticated and destructive intrusions into infrastructure systems. The attackers include highly organized criminal enterprises, disgruntled employees, individual cyber criminals, and state-sponsored groups. The attack methods vary, and the only constant is that the techniques are evolving and improving. For instance, spear phishing, or customized targeted e-mail, is still one of the most common forms of attack. Social media is also an increasingly popular attack vector, as
6:35 am
people tend to trust links that appear to come from a friend's social media feed. We have seen the growth of what we call watering hole attacks. For example, last year legitimate software developers were tricked into using compromised apps. Further, the attack surface continues to expand as both the private and public sectors move to the cloud. The Internet of Things and the billions of new devices coming online will bring with them a new generation of security challenges. For example, we predict the sale of 84 million wearables in 2015. Each of those 84 million users is transmitting sensitive data into cloud platforms that must be secured. Preventing attacks requires an integrated approach. We refer to that as our unified security strategy.
6:36 am
At its core, the five functions serve as a useful outline to discuss a useful approach to cyber security. First is Identify. You cannot protect what you cannot see. The task goes beyond identifying hardware and software, and includes ensuring that the most critical assets are identified and protected. Next is Protect, which starts with people. An organization needs to ensure the workforce practices good cyber hygiene and is ready for the latest cons and scams. Technology is important too; modern endpoint security discovers unknown or emerging threats that may otherwise be missed. It is critical to monitor the overall operation of the system to look for unusual activity that can signal an infection. Information protection is important. This requires a data loss prevention system that controls data across the organization.
6:37 am
The third function is Detect. An organization needs to know what is going on inside its systems, as well as who is trying to access what and how they're trying to do so. By doing so, the systems are able to detect threats that bypass other protections. Fourth is Respond. Good planning is the foundation of an effective cyber security strategy. If and when an incident occurs, they must have a well-defined playbook to respond quickly and effectively. Interviewing potential vendors is not a good use of time while an organization is leaking sensitive data. Then you need to get impacted systems back up and ready, and improve security based on the lessons learned from the breach. It requires preparation and planning; for example, poor preparation could leave you with incomplete or corrupt backups. The most important part is to
6:38 am
learn from the incident. Cooperation is key to improving cyber security. These include national -- the FBI, NATO, and others. We have also been involved in several operations to take down several high-profile botnets, such as Gameover Zeus, and other botnets. We need partnership and shared expertise. The government can learn from the private sector's experience. We appreciate the committee's interest in learning from Symantec's best practices. I look forward to taking questions. >> Thank you. Now we'll hear from Mr. Clinton. >> Thank you, Madam Chairman and members of the committee. It is
6:39 am
an honor to be here. I'd like to focus on five areas where I think the federal government can learn from the private sector. First, government needs to invest much more in cyber security. Private sector spending on cyber security has nearly doubled in the last several years, to $220 billion annually. The federal non-defense spending on cyber security will be between $6 and $7 billion. Private sector spending will increase 24% next year; federal spending is increasing about 11%. I know of two banks that have a combined cyber security budget of $1.2 billion. DHS is about $900 million, 75% of what two banks are spending by themselves. Cybercrime costs our nation half a trillion dollars a year, and we're successfully prosecuting maybe 1% of cyber criminals. We need to spend more. Two, government needs to act with greater urgency. It took Congress two years --
6:40 am
sorry, six years to pass a sharing bill. In 2009 we presented Congress with detailed recommendations on cyber security. In 2011, the House GOP task force embraced the recommendations, but four years after the House report, we still have not seen any substantial work on the top recommendation of that report or the executive orders. For example, the GOP task force report and the executive order all call for the creation of a menu of incentives. Yet aside from the information sharing bill, the president has not proposed, and Congress has not introduced, a single such strategy bill. Last month it was reported that 12 of 15 sector-specific agencies had not identified incentives even though it is called for.
6:41 am
The president's executive order called for it to be more cost-effective and prioritized. Three years later there have been no objective measurements of the framework's effect on improving security, its adoption, or its cost-effectiveness. Three, the government needs to educate top leadership, as the private sector is doing. In 2014, ISA and AIG created the handbook on cyber security for corporate boards, which is published by the National Association of Corporate Directors. They recently validated the success of this approach. They said boards appear to be listening to the NACD guidance. This year we saw a double-digit increase in board participation in cyber security, leading to a 24% boost in security spending, also identification of key risks, fostering a culture of security, and better alignment of security with overall risk management goals.
6:42 am
We believe government needs a similar program to educate government boards. Most senior government officials are not sophisticated in their understanding of cyber security. If they are educated, we think we could get more effective policy. Four, the government needs to reorganize for the digital age. Over the last several years the private sector has moved away from the IT department as the central focus of cyber security and is evolving a more integrated enterprise approach. A Bank of America study in 2015 found that the U.S. government is still in the process of determining who will have jurisdiction in cyber space. Departments, agencies and commands are battling for funding. The result of the
6:43 am
fragmented system is that it's hindering the development of a secure system. Finally, five, the government needs to be more sophisticated in managing its own cyber security program. A 2015 study compared federal civilian agencies with the private sector and found that the federal agencies ranked dead last in terms of understanding cyber security and fixing software problems, and failed to comply 75% of the time. The reason the government does so badly is that they simply evaluate by a predetermined checklist. The private sector uses a risk management approach where we anticipate what the future attacks will be based on our risk and then, forward-looking, look to adopt standards and practices. We believe the government needs to follow the private sector's lead and become more educated, sophisticated and innovative with respect to cyber security. I appreciate the opportunity to speak with you today. >> I thank the witnesses for their testimony. We now will move to questioning.
6:44 am
We have five-minute question rounds. I will recognize myself for the first five minutes. Thank you all so much for your expertise and your passion about this important issue. I remember back in 2014 I was able to sit down with Mr. Wood. We spent a long afternoon identifying the problems. I'm sorry to say that everything you said came true; all the problems identified were dead on. I appreciate that you are here to help us address that. I was at the consumer technology conference earlier this week and we are seeing a lot of the new things that are in practice; certainly the concept of innovate or die is very much a reality here. I was wondering, I think you are
6:45 am
all interested a little bit: how do existing government contracting provisions impact the ability of the public sector to be agile and to be able to do what you do in the private sector? I know this is maybe a little outside of our jurisdiction. We have standards and practices; we need to be more risk management based instead of just a checklist. How can we all get that type of policy in the government that is as agile as what you are dealing with in the private sector? >> One suggestion I would have is that I think it would be very helpful for the government to move more towards the best value approach to government contracting versus the lowest price technically acceptable approach. The
6:46 am
same individuals that we put on assignment with the government, often we will receive a much higher rate for those individuals commercially. Commercial companies tend to value the kind of capabilities that our security professionals have. When I say much higher, often it's 200 to 300% higher. At the end of the day, that's a big issue that the government needs to at least address. Otherwise you tend to get what you pay for. >> Mr. Clinton. >> I agree with Mr. Wood. I think it speaks to part of the education issue that I was speaking to. We need to have a better understanding of the breadth of cyber security. What you're talking about is not an IT problem; it is an economic problem. That's what cyber security is. It is an economic problem. We need to find a way to move
6:47 am
away from lowest cost items, particularly in the federal space. We have examples where federal agencies are buying equipment off of eBay from nonsecure suppliers because it is lower cost. While we appreciate the tension and the need for economy in these times, we have to understand that there is a direct trade-off between economy and security. We are going to have to come to grips with that. If we could educate the federal leadership, and by the way, we had the exact same problem a few years ago, we might be able to get a better appreciation of the interplay between the economics of cyber security and the technology of cyber security. The real problem that you are speaking to, in my opinion, mostly comes in the smaller business elements of cyber security. If you're going to deal with the
6:48 am
major defense contractors, frankly, you compensate them perfectly well; they have good cyber security. But because of our procurement system they're required to farm out a lot of the procurement to smaller firms, and the smaller firms do not have the economies of scale to meet the standards. We have to find a way to provide incentives for those smaller companies to come up to grade. It is not economic from their business point of view to do that. We think there are a number of suggestions we have made, referred to in my oral statement and my trade association paper, that talk about how we can better incentivize the smaller companies so that we can get them up closer to where the majors are. If we can do that, we can achieve our goal, which is a cyber secure system as opposed to cyber secure entities. >> Mr. Schneider. >> I think another thing, this is a
6:51 am
>> You had just mentioned there should be more done by the government to engage Silicon Valley entrepreneurs. What more could the federal government be doing right now in this area? >> I'm actually very positive about the action the government has taken over the last few years. I worked directly with government agencies; continuing to fund efforts that work, I think, is very beneficial. Again, all the work that I've done in the past eight years has been based on my experience personally in the government, and it has turned into a major industry initiative. I would encourage you to continue the work that you're
6:52 am
doing. >> Anything that is not being done now that you think should be done? >> The problem is they're great at funding at the early stage, but I think then it gets harder to evolve with the government because it's owned by a number of people. I would say you do a great job at incubating, and then they find out that they can't work with the government because it's too hard or too sticky, so they fall to the private sector. One thing you could help out with is not only just getting them incubated but actually giving them inroads into selling to the government, being an actual vendor to the government. So originally we tried to engage the government and it wasn't till eight years later that we could do it in a viable way. Having handholding would've been hugely helpful.
6:53 am
>> Anyone else on the subject before we move on? >> We are starting to see more engagement in Silicon Valley. One example is that DHS has been active over the last three years. There is a new DoD project called -- where they established a field office in Silicon Valley where they are able to invest in startups, to bring some of their technology needs to the valley. I think we see more engagement over the last year. >> Anyone else? >> Thank you, sir. I'm honored to sit on the Commonwealth of Virginia cyber security commission as well. One of the things I've been encouraging the Commonwealth of Virginia to do is to encourage closer relationships between the university ecosystem and the business ecosystem and to really promote research. I think that will help propel the startup activity that the
6:54 am
gentleman to my left was talking about, whether it's in Silicon Valley or the state of Virginia. At the end of the day, we need far more research than what we currently have. The reason is because, when I talked earlier about the dollars, the difference between what is being spent on the government and the commercial side, we have a real scarcity of resources in terms of cyber security professionals. We need more tools to be able to deal with the complex environment out there. Those tools, like automation, are the way forward in order to help deal with that scarcity of personnel resources. There are other things we can do as well, but that research would really help us a lot from the cyber security perspective as a nation. >> Really quickly, I want to thank you for your work on STEM education, and thank you for bringing up how important it is that human behavior is
6:55 am
critical in preventing so much of this. I think you said nearly all of these could have been avoided with better behavior. I think that brings up the importance of what I talk about in understanding human behavior and funding social science research into things like this. The last thing I want to ask you is, you talked about insurance. I'm very interested in how we incentivize the private sector. Is this something you think should be required, or do you just think this will develop over time? I'm looking at you: do you see the need for the government to require insurance against these types of attacks? >> I don't think there's a need for the government to require it. I think the lawyers at the end of the day will help
6:56 am
corporations and other organizations understand the legal liability associated with not taking action. >> Do companies really suffer that much who have had these data breaches? >> Oh, I think they're beginning to. I'm seeing more and more boardroom calls being made to our company than ever before. I think the very public retail breaches that have occurred are now heading into not just the CEO's office but right into the board rooms. I also believe the critical infrastructure industries that we have out there that are already regulated feel the pressure associated with doing something. That's why I think the insurance companies are doing what they are in terms of trying to promote cyber insurance. Their feeling is that if the corporations can provide evidence that they are doing what is important from a risk
6:57 am
management point of view, that will result in two things: one is lower premiums to the corporation who is looking to get the insurance, and secondly a better legal defense to the extent that they are sued. >> Thank you. I yield back. >> If I could just, real quickly: first of all, we are big fans of insurance; we've been promoting it for over a decade. I do not think a requirement is appropriate. >> You've been promoting it for over a decade but it's not that widespread, is it? >> No, that's because of systemic problems within the market, in particular the enormous risk the insurance companies realize that if they insure and there is a major catastrophe, they are on the line for everything. We faced the same problem in terms of insurance in the last century with crop insurance and flood insurance. There are systemic ways we can work with the federal
6:58 am
government in order to address that problem. I'd be happy to go into those in some detail. I wanted to get to the requirement piece. I think one piece the federal government could do is require cyber insurance for your information systems in the same way that you require physical insurance when you build buildings and everything else. I think if the government did that, it would be a market leader in that regard. The other thing to point out, and this deserves more conversation because of the widespread misnomer, is that the reality when you look at the data of the economic impacts of the high-profile breaches is not what you think. If you go back and look, six months after the Sony attack, their stock was up 30%. Look six months after Target; their stock was up 26%. In most of the high-profile breaches you find there is an initial reduction, then there's a bounce
6:59 am
back. I can explain why that is, because smart guys on Wall Street say, ooh, nice distribution system, I like the price point of their product, and the price is down, so the natural things we assume are going to happen really are not happening when we look at the data. Mr. Wood is right about the fact that corporate boards are paying more attention to this. I think that has more to do with the threat to their intellectual property, which is being vacuumed out and is a tremendous economic risk. Concerned about the consumers. They are concerned about their own -- that is the suggestion. >> We have to move on to our next question, and we can -- I would appreciate you submitting more information on insurance. I now recognize Mr. Larry -- >> After 30 years in the IT industry, I can relate to what
7:00 am
you are saying, especially cyber insurance. I'm a big supporter of cyber insurance because of the standards the insurance companies put on these businesses. I sold my business a year ago, and was greatly relieved when I sold the business because cyber security was on my mind 24 hours a day; running a small company and managing it, it was not on the minds of my customers. Mr. Clinton mentioned eBay. In many instances we put a secure network in place, a small government managing a power distribution system, and we engineer it, put the products in, some of the products you represent -- firewalls, content managers, bandwidth managers -- and we would find out that they would buy parts off of eBay that would come from somewhere overseas, and they don't know the firmware on it. And I understand what is on
7:01 am
their mind, especially dealing with small business. Bottom line is doctors, lawyers, are doing what they are doing; we are supposed to take care of that. But when we go forward and say this is what we need to do, and the nitty-gritty, they don't want to do that: do we have to do it, your network is still functioning. A high amount of risk usually doesn't change their mindset. Having different standards is important. Another thing that was brought up is the risk management we live by. There are two types of computer users: those that have been hacked and those who don't know they have been hacked. Another part of risk management is we emphasize: don't keep what you don't need. If you don't need the data, you don't have it, you don't have to secure it. That brings me to an issue I have
7:02 am
great concern about in the federal government, and that is the MIDAS system, which according to news reports is storing information on Americans who access the healthcare.gov web site, not just those who got their health insurance but those who shopped, and it is storing personally identifiable information of Americans without their knowledge in a data warehouse. Considering what happened to the federal government, the recent expansive data breaches, does it concern you that the federal government would be holding information on citizens without their knowledge, even for citizens who did not get their health care coverage through the system? Am I justified in my concern over the risk of storing this data, especially data that is not
7:03 am
needed? >> You are raising both a privacy perspective and a cyber security issue. At the risk of being a Monday morning quarterback, which is what I would be doing if I were to reflect on the situation, the very unfortunate OPM situation, because like all of you I received my letter that gave me the good news, I think in retrospect, had OPM been using two-factor authentication, using encryption at rest, had they been using log files, we would have had a much different situation than we ended up having. As it relates to the healthcare.gov situation, I don't know how they are storing the data to be able to reflect to you about what is appropriate, but I think generally speaking most people
7:04 am
are a little nervous because those of us in the know are worried that there just aren't enough resources being applied, from a financial perspective, to the IT security issue, not just at the federal level but the state level too. Commercial corporations, on the other hand, I see around the world are taking the appropriate steps. I gave the example early on in my testimony about JPMorgan Chase. When they were hacked, they were spending at that time $250 million. After their customer information got out, it went to the board; the board looked at it and determined they had to increase their spend, to do a couple of things. One was to buttress what they were doing from the security perspective, but the other thing was to raise the confidence of their customers. So I would argue their shareholder price has gone up over time. They absolutely, and every corporation, care about
7:05 am
their customer. >> I would like to ask Mr. Clinton to respond to the same question, but also, part of mitigating your risk is not keeping data you don't need. Would you agree that is a good practice? If you don't need data, don't store it. Mr. Clinton. Microphone. >> Absolutely right, thank you. >> Now I will recognize Mr. Beyer. >> I was fascinated by your testimony especially, and quoting you, once past perimeter security there is no simple means to stop malicious activity from the data center. This whole notion of unauthorized lateral movement and your call for zero trust and a segmented environment, is this recognition built into the
7:06 am
cyber security framework, moving from perimeter security to the internal stuff? >> We are working with this now, but I don't believe it is currently in there. Making it part of the standard would be beneficial. >> An essential part of the cyber security framework? >> It is becoming a best practice in the private sector and in some areas of government as well; it would be beneficial. >> Mr. Schneider, you said, and I quote again, we are well past the days when a password, even a complex one, will be much more than a speed bump for a sophisticated attack. Multi-factor authentication, something like a password with something you don't know like a text message, is essential for any system to be secure. Is this part of the cyber security framework? >> I think it is very similar
7:07 am
in that it is a best practice in the framework; it is something that, with the ability to protect your information, is becoming an industry practice. An example I would give: the discussion in the future is that there should not even be passwords as the core element of how we access information, because it is so eminently hackable. A future with multi-factor levels of authentication: you go back to your office afterwards, sit down and check your e-mail. If you are using a mobile device that tracks your location, there are several factors of authentication: where I am supposed to be, and whether somebody is accessing e-mail on the device from somewhere that is not; you get a different level of authentication. But having dynamic authentication in the future and not a static password. Both of these are evolutions. >> That leads me to Mr. Wood. You wrote in your testimony that
7:08 am
most would prefer the possible requirements. How many breaches will it take to recognize that allowing the private sector to choose the path of least resistance creates an opportunity that might put personal information at risk, critical infrastructure at risk, and the national economy at risk? This standard, it is purely voluntary. This really needs to be the mandate and standard across the country? >> Yesterday we were talking about insurance. The simple reason is there was no standard, no agreed-upon standard, until not that long ago. Ultimately, look at cyber security as the baseline,
7:09 am
and these are in fact good points and are added to the baseline. If we know what the baseline is and we adhere to a baseline, the other person I am dealing with, we -- take the appropriate steps. >> Thank you very much. We look at so many things that affect us and mandate it. We did airbags in cars, 5 miles an hour, seatbelts, health care; this may be such a threat to national security, personal security, that we think about mandatory standards rather than voluntary, rather than relying on the threat of the lawyers' lawsuit and the threat of -- >> I would go the opposite direction and point out the
7:10 am
testimony, and look at business standards, and evaluated independently, the federal government comes out dead last. The reason is this is not airbags. This is not consumer product safety where there's a magic standard that we come to the standard and we are set. The problem is not technology below standard. The technology is under attack. If we had talked about mandating standards a couple of years ago, we'd be talking about mandating firewalls and things like that. We see those as basically obsolete, and all our companies would be spending a lot of money complying with outdated standards, so we need a different model. The digital age is more forward-looking. The Obama administration and the House Republican task force and
7:11 am
they all agree that what we need is a forward-looking, incentive-based model, and we need to get industries to understand it is in their best interests to be continually advancing security. We have to look forward. It is a completely different mindset. We need to understand the old model just isn't going to work for the modern problem that includes nation states attacking private companies, and no minimum standard; we need a different model, and I think we can develop that. >> I recognize Chairman Smith. >> Let me direct a couple of questions to you, but let me describe this scenario first and ask you to comment on this particular situation. Let's say a senior government official approached your company
7:12 am
to set up a private e-mail account for official and personal business. These could include sensitive or classified information on national security. In addition, all e-mails would be stored on a server located in a private residence. Cyber attacks and attempted intrusions would be obvious threats, among other security risks; what is to be transmitted on the private e-mail account could be a matter of national security. Could this scenario expose classified information to being hacked? >> Yes. >> Do you want to elaborate? Or is that clear? How would your company respond to this request? >> We wouldn't do it. >> Does any other witness want to comment on the scenario? >> For the simple reason you are exposing classified data in the open, and at the end of the day that would not be prudent and
7:13 am
would be illegal. >> Why illegal? >> A government requirement is that all official information be used through official means, through government networks. >> I don't have any other questions. >> I now recognize Mrs. Comstock. >> Mr. Wood recognized the component of growth in this region and this area. The government plays an important role supporting cutting-edge research on all aspects, from prevention to detection to recovery. Agencies like the National Science Foundation and the National Institute of Standards and Technology and Homeland Security fund everything from basic
7:14 am
research to test beds in emerging technologies, and federal investments in cyber security are coordinated under the longstanding networking and information technology program. Are there recommendations that you, Mr. Wood, or any individuals who are testifying have about federal agencies, research gaps that exist out there, or research opportunities? >> Thank you for your question. I agree, the national labs are doing a tremendous amount of work with all kinds of initiatives that regrettably many don't see the light of day. More can be done to make industry aware of what the national labs are up to and
7:15 am
provide a mechanism for industry to license some of those critical research and development initiatives that may have one specific customer but ultimately could have an industry to serve. That could do a couple of things: a potential income stream for the government, and provide more innovation without spending a lot more dollars. >> Thank you. >> One area that we are invested in right now is helping people as part of the equation; people are an important element of any security approach, with automation underneath but clearly people on top, who we have to make sure are adequately trained. We were highly invested over the
7:16 am
past couple of years in what cyber breaches look like. So many companies send out fake phishing e-mails and see whether or not they respond to their security organizations; that is one simple example. Platforms take real-world breaches and allow officials to interact with those. That is an area that things like cyber initiatives, it is coming into the private sector and civilian agencies, an area that Symantec invested in, and there is a lot of potential for cooperation. >> At a slightly different level of abstraction, we strongly support the notion of the government doing some research on the cost-effectiveness of the framework. As we think it is our idea,
7:17 am
we published material a number of years ago; the executive order says it is supposed to be prioritized and cost-effective and voluntary. We believe if properly tested we would be able to determine the various elements of the framework; the framework is enormous and applies in different ways to different companies and sectors. If we did cost-effectiveness studies we could demonstrate what elements of the framework are most effective for varying sizes and sectors of industry, and once you demonstrate the framework is cost-effective you don't need mandates for it. Companies will do what is cost-effective, but if you go to a boardroom you can't just say this is a great idea and Congress passed it; they will say, where are the numbers? Show me if it is cost-effective. If we do that kind of research, which is pretty easy and pretty inexpensive, I think we could get a lot of things as far as doing what we all want, which is for industry to adopt these
7:18 am
things on a forward-looking, voluntary basis. >> I have had a lot of experience; I was a research scientist in a national lab. DHS paid for my program, started my company, did a number of research grants. The biggest difference in my experience in how useful funds are is the number of constraints on them. More flexibility in applying funds to our direct research agenda leads to better research. The more agenda that goes with the funding, the harder it is to fit it within our broader research agenda. It is great to fund certain areas, and what is being looked at. >> With that I yield back. >> I now recognize Mr. LaHood. >> Thank you. I thank the witnesses for being here and for your testimony.
7:19 am
Question: when we talk about cyber security and these breaches in the private sector or in the government, and whether we describe them as hackers or something more sophisticated, every time this is done in the private sector or to a government agency or entity, would you describe that as criminal behavior? Is that a violation of state or federal statute in some respect? >> One of the challenges is it is a global phenomenon; many attackers are not in the United States, and the legal considerations can be complicated. As more and more infrastructure moves to cloud platforms deployed globally, where the assets are, it becomes more of a challenge.
7:20 am
In general the answer is yes, but there's a lot of complexity to the global nature of cyber security. >> As a follow-up, if we look at traditionally, when there is criminal behavior engaged in, eventually there is somebody held accountable or responsible; there's prosecution, a legal process that happens. It seems as if -- the question is, are you aware of a successful prosecution where someone is held accountable? For a deterrent effect: there is no penalty, no pain or consequences to anyone who engages in this activity. >> You put your finger on what I think is one of the number one problems in this space. It absolutely should be criminal, and in many instances is criminal, but as Mr. Schneider points out, it is not in certain places. We need to do two things. We need to be dramatically
7:21 am
increasing law enforcement capability. As I said in my testimony, we are prosecuting 1%; there is no deterrent on the criminal side, no viable deterrent. We need to dramatically help the law enforcement guys, who are doing a great job but are under-resourced, and we need to work aggressively with our international community to create an appropriate legal structure in the digital age. We are operating in analog with cyber attacks. We need to do both of those things. >> Is anybody leading the way on that out there, internationally or domestically? Where are we with that process? >> We are not doing nearly enough. They give a speech here or there. I won't point fingers; they're
7:22 am
under-resourced; it is up to Congress to demonstrate that this is a priority and we are going to fund it much more aggressively. >> Thank you. Mr. Wood. >> Thank you for your question. The issue is, from a law enforcement perspective, as Mr. Clinton points out, it requires global cooperation; standards of prosecution have to be the same. In other words, the standard of prosecution at the federal level might be different than at the commonwealth level, which is different from Paris, so there needs to be some agreement as to what the standards are. >> Why are we waiting around for that? It would seem this is ongoing; there should be some standards. It doesn't sound like there's a framework in place. >> We did an analysis in the commonwealth on that point. It is a great analysis; I would be happy to provide it, from the Commonwealth of Virginia.
7:23 am
I don't know why. All I can say is the standards within the states are different for prosecution. >> Can you point to where in the Commonwealth of Virginia a successful prosecution has been put in place? >> We just changed the laws in the last six months, and I would have to refer to my colleagues in law enforcement to let you know. >> There are a number of great examples of cooperation between the private sector and law enforcement. I could give you a number of them. Zeus has been a financial fraud that has been around successfully for a number of years; it was put out by a public-private partnership, and the next version came online. This is what was propagating: it takes machines and encrypts their information and extorts you to
7:24 am
get that information back. So there are some very successful examples, but to your point, a much more consistent global approach is needed. >> I appreciate you mentioning that. Were there individuals held in prison? >> A particular individual in Eastern Europe has been prosecuted and convicted. >> In the United States, in prison? >> No. >> I now recognize Ms. Bonamici. >> Thank you for holding this hearing. It is an important issue and one where there is room for bipartisan cooperation. Mr. Clinton identified the challenge of setting policy because the technology always changes faster than policy changes. That being said, I look forward to working with all my colleagues and continuing to raise awareness about this important issue, and also to come up with policies that not only address the issue but prevent
7:25 am
it. I was recently out in Oregon visiting an Oregon business that specializes in health data breaches. It is not just a federal issue; look at Anthem Blue Cross, millions of people here. Most people, when they think about it, think about financial consequences. With medical identity, if someone gets a procedure or prescription, that is entered into the electronic health records, and there are financial risks, and it is no surprise that the majority of people don't review their explanation of benefits, just as a lot of people don't carefully review their financial statements or credit card statements that might alert them to something. I want to follow up on something about the psychological aspects and ask Mr. Schneider: in your
7:26 am
testimony, you put a picture in my mind, like the lion in the wild and its unsuspecting prey: cybercriminals lie in wait on legitimate websites that they previously compromised to infect visitors. Most of these rely on social engineering, trying to trick people into doing something they would never do if fully cognizant, and these are the most successful attacks. I have this vision of a lion waiting, which will stop me from clicking on things I shouldn't click on. But can you talk a little bit about whether we should fund more behavioral or social science research or do a better job in educating people about those risks and how to identify them? Are we adequately addressing that psychological aspect? Because when we talk about the
7:27 am
risks, and you brought this issue up as well, we have to do more to prevent that. Could you address that? >> Social engineering will always be part of the security question because we are fallible. Systems have to be put in place to enable us to do a better job on behalf of securing our own information, as well as the agency's information. The examples I would give you are in the training area we talked about, helping more, talking about the overall security, but secondarily, the security architecture makes it much harder for the attacker to get information we care about. So all the world's information is not created equal. Medical health records are more important; financial records are more important than the lunch
7:28 am
menu we look at today. So it has taken a much more granular approach to information protection, identifying the sensitive information we care the most about and putting more security investment around those assets than the generic assets out there. >> I am 49 years old. When I was 37 I got an email from my sister on my birthday, a picture of us when we were kids: nice to see you last week and happy birthday. And this is so sweet; my sister has never remembered my birthday before. My sister has never remembered my birthday before, so I look at the mail headers and it came from Russia. I have a technical background and a sister who doesn't remember my birthday, and if
7:29 am
either of these -- if either of these were not true, I would have clicked on that link and had my computer infected, and this tells me fundamentally that it is very important to train users, but a determined attacker will find a way in. They got these pictures off of Facebook; it was not hard to do, two hours of work, and if I was anybody else I would have seen that. >> Real quickly, almost out of time. I was on the Education and Workforce Committee. What are we going to do in terms of education and the next generation to make sure we are getting a step ahead? >> Core education, but Mr. Wood was clear, the second factor is there are things we need to put in place assuming a breach will happen, because it will happen. A determined adversary will get in; they're following me to implement the zero trust
7:30 am
policy. >> There is a huge gap of security professionals in the country today; creating an educational program to enable returning veterans and those in high school and college to choose careers in cybersecurity is something that is very important. >> We will have to work on that. If you want to let your sister know right now. >> I am happy to report that my sister does remember my birthday, but my brothers do not. On that same line, Dr. Casado, you can have the best technology in the world and great training, but if employees are negligent in their use of it, you are exposing yourself. And let me bring this up in the context of an article in the Wall Street Journal back in June, June 9th,
7:31 am
and it relates to the fact that the immigration enforcement agency sent a memo to their employees in 2011 because they had seen an uptick in cyberattacks related to employees using the federal website to access their personal websites or personal e-mail. The labor union filed a grievance that prevented them from doing that, and that is where the breaches occurred later last year. My question, and this would be for corporations and the federal government: does it make sense to prevent employees in the private sector or the government sector from using their company's servers or federal servers to access
7:32 am
personal information or e-mails? >> It goes through phases where it expands. We had a mainframe, then a bunch of computers in use, and now mobile; it is unrealistic from a day-to-day perspective to assume people at work are accessing outside information. Every time I travel, no matter where I go, we need to assume this information will be accurate in whatever capacity we are running under. >> I agree, particularly with respect to millennials. If you adopt that workforce policy, you won't have much workforce to deal with, but I think
7:33 am
there are things we can do, and we are doing some in the private sector. One of the things we're doing is moving out of this IT-centric notion of cybersecurity to involve human resources departments, and what we are advocating and seeing some success with is integrating good cybersecurity policy into the employee evaluation system, so that if you have downloaded things you shouldn't be downloading, you are less likely to get that step increase or bonus at the end of the year. We have got to make this part of the overall process, and there are other things we can do, such as having separate rooms with separate equipment so people can access personal information or data without using the corporate systems. So if we are more inventive about this and use that incentive model, we will have more success. >> Great point. You can have public access, a separate environment where people can do this, where they have to use it
7:34 am
because if you had opened that e-mail from your sister through the federal mainframe, would that have potentially -- >> I had four computers that would measure something; I am very comfortable in a security environment. If you want to be competitive from a business perspective, you have to assume your employees are fully connected. >> Can you create a separate environment? >> Without a lot of operational leverage, you limit the ability for the business to function. >> You want to comment? >> I want to follow up on what Dr. Casado said. As the use of the internet increases and the Internet of Things becomes more prolific, everything has an IP address. Where do you draw the line? At some level I would almost
7:35 am
prefer people use my infrastructure, because I know what we do from a security perspective. I don't know what they do. To the extent you make the argument there should be some separation, there are good arguments on both sides. I would rather have them in my infrastructure. >> The approach makes a huge amount of sense when you think about all the connectivity: to protect the information and the identity of folks trying to access it. That is what we have seen in security over the last five years, this move from protecting networks to truly understanding the information, the most sensitive information, and putting the right protection around that. >> I thank the witnesses for the clarity of your answers. I yield back. >> Thank you. I recognize Mr. Swalwell. >> I thank each panelist for
7:36 am
their service. Mr. Casado, I want to highlight that you graduated from Stanford University and you began your career at the national laboratory in my congressional district, with many of them working on this issue. Your solution for cybersecurity is to wall off some segments to prevent a cyberintruder who penetrates defenses from gaining access to sensitive information. Your approaches are the gold standard for commercial industry and need to become the gold standard across the federal government. How much time and resources will it take for the federal government to do this, and are the costs worth the benefits? >> Great question. The technology has evolved enough to do this without disruption. Early on, it was like it was an extremely sensitive environment,
7:37 am
to retrofit things, and software solutions you can put in and do nondisruptively. The cost benefits from a business perspective make sense, so much so that this adoption is one of the fastest growing sectors. It is not a leap; it is practical, and we have enough experience to see adoption. That actually exists; that is what retrofitting is. >> For all the witnesses, following up on Mr. LaHood's question, as a former prosecutor I am frustrated that individuals are able to attack networks with relatively little punishment. And these attacks are originating in Russia, Ukraine, or from state actors, or non-state actors. What could we do internationally
7:38 am
to maybe have an accord or an agreement where we could make sure we bring people to justice. We asked a high-ranking cybersecurity official at one of our laboratories, are we going to go after these individuals? This person kind of laughed, not being rude, but saying we are not going after them, just trying to defend against what they are doing, and I agreed that until people start paying a stiff price I don't know if it will change. As a prosecutor, putting together a case like this is very difficult: the chain of evidence, proving whose fingertips were touching the keys to carry out an attack, can be difficult. But what more can we do internationally? Mr. Wood. >> Thank you for your question. I will answer your question over
7:39 am
a period of time. After September 11th I was sitting at a meeting with a large number of information security officials in the intelligence community, and the question was posed in the auditorium, where there were 250 people: when are we going to start sharing information? The answer came back from one senior person: in 50 years. And another answer came back from another person: not in my lifetime. It was disappointing, to say the least. Fast forward 15 years and it is not like that at all today. I see the intelligence community sharing information in a way they have never shared it before. What has happened, as more breaches are occurring and more of this culture of trust is occurring, there's a willingness
7:40 am
to work together that didn't happen before. On the security commission in the Commonwealth of Virginia, we work very closely with DHS and the FBI and the state police, and work closely with Interpol and others, in a way that I haven't seen in a long time. The resources and funding associated with prosecuting is number one, and number two is having a common level of standards on what is prosecutable and what is not. >> I recognize Mr. Westerman. >> I commend the panel for your informative testimony and the zeal you have in working in cybersecurity and potentially the war in the future we are
7:41 am
fighting in cybersecurity. I am from Arkansas; for personal reasons, do you have any Arkansas ties? Just out of curiosity. [inaudible question] >> Okay. I have also been listening to the testimony and answers to the questions. I have a 20-year-old college student, and we had a fascinating conversation over Christmas. You guys were talking about how millennials are always connected, and he was telling me that is a huge consideration in where you take a job now: whether you would be connected, what the speed is. That wasn't something we
7:42 am
considered when I was getting out of college and where we would eventually live. We are inside this connected world. To follow up on Mr. Swalwell's question, he was talking about being on offense. On the technology side, is it all defensive, or are there proactive ways, it to make theibt sting wo >> One example is things like honeypots. If the bad guys are attacking you and you give them a place that looks like a legitimate part of your infrastructure that they go to and spend all their time and energy attacking, you protect your real assets and are able to study what they're doing at the same time. There are also things like shock absorbers, where the harder an attacker hits you with traffic, the more you slow them
7:43 am
down and do things like tar-pitting. There's a whole set of defensive and proactive measures that don't go directly after the attackers that are in place today and are actually very successful within the enterprise. >> Congressman, I think that's of course true, and there are others, and I think I want to build off this point into having a better understanding of the multifaceted nature of the cyber problem. For example, one of the technological mechanisms that we use in the private sector is that we understand that the bad guys are probably going to get in; we actually have more control over the bad guys when they're inside the network than when they're outside the network. If you're dealing with a cybercrime situation, you're basically dealing with theft. They have to get into the network, find the data, and get out.
7:44 am
By looking at the outbound traffic rather than the inbound traffic, we can solve the cyber breach problem: they can look at our data but don't get to use it. From a criminal perspective, that's a problem. If you're looking at this from a national security perspective, the attacker may be interested in disruption or destruction. They don't have to get back outside the network; they don't care about getting outside your network. We need to understand we are dealing with multiple different cyber problems, some of which are national security, defense, critical infrastructure, and we need a different strategy with regard to that than we may need for the strictly criminal or theft problem, and when we have a more sophisticated policy in this regard, I think we'll be able to make more progress. >> Also, just to briefly follow up on a question that -- as far as developing new workers for the cybersecurity workforce,
7:45 am
are your companies seeing a workforce shortage? Do you see a lot of growth for the future in that? >> We do see an enormous shortfall of cybersecurity professionals. In the state of Virginia alone, the state government has announced we have got about 17,000 unfilled cybersecurity professional positions just in the Commonwealth of Virginia. If I might go back to your other question, if you don't mind, about offense. Your question is very much near and dear to my heart. If someone were to come into my house uninvited and either hurt my children or my wife or take my stuff, I have the right to defend myself. But if someone were to come into the corporate house and virtually take my stuff, whether it be intellectual property or customer data or whatever it might be, or financial
7:46 am
information, whatever it might be, we need the ability to defend ourselves, particularly if we don't have -- if our cyber command is not going to find itself in a way that gives us the comfort, the same way that we have the comfort, I think, as a nation, from a standpoint of air, land, sea, and space. >> Thank you, Mr. Westerman. I will also join you in plugging that. I know it's on our website and our Facebook page, and I think the date is January 15th when things are due, right? >> Unless you extend it. >> Now I recognize Mr. Abraham. >> Thank you, Madam Chairman, for having this great hearing.
7:47 am
I want to thank the witnesses for giving direct answers to direct questions. It's refreshing and somewhat of a novel idea in a committee hearing. So, kudos to you guys for answering straight up. We appreciate that. Some of you have espoused the value of sharing cybersecurity information, whether it be a cyberthreat trend or cybercrime, with other companies or government officials. This last cybersecurity bill we passed last month, did that help or hurt in this area? >> Sir, I think that was a good bill. We endorsed the bill and support the bill completely. The most important thing, however, is that it is not the cybersecurity bill. That's a very useful tool to have in the toolbox. It can help, but it is nowhere near sufficient. >> We need to do more is what
7:48 am
you're saying. >> Absolutely, we need to do a great deal more. >> Just give me your top three recommendations. What would be your bullet points for the new legislation? >> We would like to see the incentive program that has been endorsed by the President and the House Republican task force put in place. That would include things like stimulating the cyber insurance market we talked about earlier today. It would include providing some benefits for smaller businesses who don't have the economies of scale in order to get in here. It would include streamlining regulations so that we had an opportunity to reward entities that were doing a good job with cybersecurity, in the way we do in other sectors of the economy. A lot of the incentives we talk about, and that are referred to in my testimony, are things we're already doing in aviation, ground transport, agriculture,
7:49 am
even the environment, etc. We simply haven't applied these incentive programs to the cybersecurity issue, and if we did that we could do more. The third thing: we need to have a much better and more creative and innovative workforce development program. We have talked here about the fact that we are always in an online -- always connected now, and we all know this. But the slogan that DHS uses for their workforce education program is, stop, think, connect. No millennial stops and thinks before they connect. It just makes no sense. We need to be leveraging ESPN and we need to be leveraging ESP. And they are interested in gaming; get them interested in
7:50 am
cybersecurity, be more inventive in this. They are doing these things in other countries. We need to take a page from that. The final thing I will mention is we would like to see, I am not kidding, an education program for senior government officials, like we are doing for corporate boards, who, just like you guys, are very busy, with many things they have to do and demands on their time. We find that when we educate them about cybersecurity, we have more investment and better risk management. We need to do that on the government side like we're doing now. >> Anything else? >> If you think about threat information, for many years in the cybersecurity industry, some of the keys are being able to take it and aggregate it in a safe way, before taking information that is specific to a particular
7:51 am
industry or set of customers to gain security knowledge, but not put that information at risk. It has happened for many years in the securities industry and is an important element. >> Thank you, I yield back. >> Thank you for being here. A lot of things have been asked and answered, but as we say, not everyone has asked the same questions by my turn. I have been trying to focus on a couple of different things, but thank you. This is so important, and the American people, our constituents, are waking up and feeling some of that fear and wanting to know the right thing to do. We always want to hear from you, for our constituents, about wise decisions for ourselves, our families and staff to
7:52 am
protect important information. So much of our society, so much of our financial business, is based on consumer confidence. If there's a feeling this is not safe, for whatever it is, we are going to lose the benefit this technology has. We want to do this well. I do want to talk briefly and ask you your thoughts. We talked about what government can do better, learning from the private sector; the private sector is ahead of us in some areas. And for us to say this is like an airbag problem, it is completely different. For us to be prescriptive, you have to do this: we always pick the wrong technology, too late. It is a way of thinking about how to solve this problem, but the question I would have is, with the impediments government is putting up to your business or other businesses from new
7:53 am
innovation, what would you say maybe the greatest impediment is that you feel from government on your business innovating? Is there something that is a hurdle you have to overcome? >> This will be an indirect answer to your question. Working with the government, something very difficult to know is when there is flexibility. It is difficult for agencies and departments to adopt new technology because it doesn't allow them to move as quickly as possible, so from a purely financial side more flexibility would help and certainly would have helped us introduce new technology. >> Mr. Clinton. >> I offer a few things. First of all, we need to really wean our government partners from playing the victim, attitudes that they may have
7:54 am
particularly at the independent agencies, for example. As we have articulated here, and it is fairly common knowledge, the determined attacker is going to get in. The fact that you are subject to a breach is not evidence of malfeasance or in -- there are instances that we should investigate, but a breach per se is not one of them, so we need to move beyond that particular notion. The second thing that I would say is the government really needs to get its act together with respect to cybersecurity. Everybody -- cybersecurity is a real hotbed. Every entity in the government, every state, every locality is coming up with their own cybersecurity programs, and a lot of things differ just a little
7:55 am
bit, so you are forced to meet multiple different compliance regimes trying to do the same thing. We are in favor of this framework. Let's have one and make sure we are all working in the same direction, because as we also pointed out we have adequate resources in this space. Frankly, one of the big problems my companies tell us is they are spending all their time on compliance, which means they don't have time to spend on security. I have one company telling a story of how they have a legitimate best practice of testing your system every quarter to make sure you are in good shape, and they had to go from quarterly testing to annual testing because all their security staff were busy doing compliance. That's a 70% reduction in a key cybersecurity best practice due to overregulation. We need to streamline that process, have a good process, but
7:56 am
one process that is cost-effective. >> You can speak on this; it is really important. >> The one point is education, a huge and growing gap in the number of cybersecurity professionals that are available. At Symantec, we are doing a lot of work at local universities, not just universities but primary education, the boys and girls in high school, so they will be ready to think about a career in cybersecurity and what goes with that. >> I would echo the comment that the determined hacker finds a way in, no question, but as the breach report points out, 94% roughly could be avoided. The hacker has to focus on the 6% or the 8%, which is harder, if we have standards and the approach. The second point of this
7:57 am
framework is something we can all get behind and is something that is the baseline. The third thing I would say, and the last thing I would say, is compliance and mission are not mutually exclusive. You can make compliance work, but it has to be automated and invisible to the guy -- it doesn't inhibit the ability to get the mission done. >> Thank you. Thank you all for being here. >> I thank the witnesses for their valuable testimony and members for their questions. We have a lot of assignments, new issues and various things that we will explore further, to keep an open dialogue and to provide us additional
7:58 am
information. And exponentially, the -- a cyberwar is being waged against us, post 9/11, when they are at war with us. We definitely have bad actors on all kinds of fronts, from individuals to nation states waging cyberwar on us, and we need to respond in kind and have that be reflected in our budget but also our responsiveness and how we plan. 94% we get covered if we have the right system in place, which then allows us to spend our time on the 6%, because we all agree and understand that no matter what we do, with exponentially increasing information we are going to have breaches. I was talking about this before the hearing; it was done in Las Vegas, like asking
7:59 am
never to get sick. In the world we are dealing with, there will be breaches, but what systems do we have in place to identify them? The 6% we have to deal with in our creative resources, and all we need to do very quickly is identify and move on to bigger problems. I thank you for the challenges you have put before us, and the record will remain open for two weeks for additional comments and questions from members, if you have questions we did not get the opportunity to ask, and for people who are not here. I thank the witnesses very much; you are excused and the hearing is adjourned. [inaudible conversations]