tv Key Capitol Hill Hearings CSPAN May 6, 2016 1:30pm-3:31pm EDT
1:30 pm
how many years will the product be patched? how many times have penetration tests been run? the quality of the security and code integrity in a particular device is not necessarily something that a reasonable consumer can take into account when trying to decide whether this product that costs $15 more is worth that extra $15 against other products when they are both the same iot device with functionality so thinking about those hidden costs and whether the market is rewarding iot companies that are investing in security and taking care of the consumer that is him trusting those devices with access to their homes and information. so that's the competition point. on the consumer protection side, there is a bigger conversation playing up on some of the other comments about the question of what i call technology suitability or more colloquially, the federal bacon problem. sometimes the fancier technology is not necessarily the better technology for
1:31 pm
getting a particular task accomplished. i say better with bacon because as some perhaps overzealous chefs think that they sprinkle bacon on everything, it suddenly that much better but if you are a vegetarian you just effectively destroyed the diner's meal so thinking through what task are we trying to accomplish when we are bringing a device into our home or our enterprise and how those connections facilitate or add risk to the bigger picture of our lives. so let's just quickly take an example. let's say that i am a state employee and i live in dc and i'm out shopping and i see this really neat connected oven with an app and that can operate my oven from my phone, it's kind of cool. but thinking through how the oven connects to my wi-fi network, what kinds of
1:32 pm
information i access from home with respect to my professional life, whether there's sensitive information that could potentially be compromised if the security on my internet connected oven is not necessarily up to par and whether vulnerabilities are getting past. we've already seen the first internet ovens exist in the first vulnerabilities on internet ovens but wholly apart from the data control aspect, if you have a small child in the home for example and the child likes to play with your phone, maybe an internet connected oven with an easily accessible app is not necessarily the best choice for your home at that point in time. so thinking through the totality of circumstances, and how the technology capabilities of a particular device, the iot devices you bring into your home connect with those tasks and risks that are the realities of your existence, that's the consumer
1:33 pm
protection side. so on one hand we want to reward the companies in the marketplace that are doing great jobs and thinking about security and protect the consumers and on the other hand we want to train consumers to help themselves be informed and make good purchasing decisions. of those products that are a higher quality products. >> thank you. so speaking of that, when we had launched the gallery initially we talked about four different products because they had four different markets, four different sets of regulators, four different market dynamics. one was automotive cyber safety, one was medical cyber safety, one was industrial control and public infrastructure which is a very large and difficult bag that you've been researching. and the last was consumer and iot in the home. and we kind of put the iot in the home on the back burner
1:34 pm
because with the focus of public safety and human life we said, we love our privacy. we like to be alive to enjoy it and more of the mortal in life or limb consequences were found than the others but it was a very exciting opportunity to work with the atlantic council on this because it forced us to stretch which models have we been using to solve some of the problems that you just outline for cards in medical devices. many of you have seen these but we had a five-star automotive cyber safety framework for connected vehicles we publish on our first birthday in august 2014 and while it had fancy names, the way i would describe it casually to my neighbor is, all systems fail, please tell your customers how you avoid failure, how you can help avoid failure without suing the helper, how you capture a study and learn from failures, how you have a confidential response to failure and how you contain and isolate failure. and more recently this january, we published the hippocratic oath for collective medical devices which is spiritually similar. when we tried to apply to smart homes and we will have this as a question, what we found is those controls are useful but they were
1:35 pm
additional market enablers and information to customers that were required so the audience could start thinking of what you could do to help the consuming public avoid products that may endanger their families safety or privacy. and we are going to pose the same question to our panelists which i am going to join now. >> first question. if we got smart phones right, and this is a downfall to everyone, because i know you've been skeptical that we can get a smart home right and it's been a big letdown, was the primary use case you'd want to see out of an intelligently connected home? anyone? >> i go first. it's going through and looking at some of this, i really like the convenience features of some of the smart home stuff. i don't have an amazon electric device to tell me when to reorder and automatically reorder but that kind of thing appeals to me because sometimes i'm absent-minded and i forget by detergent, forget my laundry
1:36 pm
detergent so if i could have a way to just say into the air, alexa, my laundry detergent and it will automatically refill it, that would be really easy for me. me i could show up to work with clean clothes 81 day when it wouldn't have happened otherwise. so for me, i think that convenience factor is really where the sweet spot is for smart homes. not necessarily to automate my decision-making process but to make it easier to act on those decisions and help inform that process. >> anyone else? >> i disagree with bonus sense that i agree that convenience is the reason it's going to happen. the cognitive dissonance you said earlier about the fact that everyone anticipates it will happen but they are terrified about it, i think that's actually an extension that comes out of the framework that exists now by facebook, google and
1:37 pm
others which is that we harvest your data and resell it to others. if the service is free, the product is you so bruce sterling the science-fiction office author wrote about this in his struggle with the struggle of things that the internet enabled fridge which is the icon of failed dreams of the smart home. really, the true internet fridges one supplied by amazon for free or at least at cost to you in exchange for them harvesting data and you won't need to tell alexa that you ran out of detergent because amazon already has a patent on predictive or ordering so it will use everything to fine-tune its patents to ship you things before it even occurs you to buy them there it that's one of the problems. to me they are going to be able to create this data regime which is all about harnessing your personal information and that could lead to the vulnerabilities we have and some of the use cases about it. i'm most excited about the stuff around home utilities and energy stuff. most exciting tumor product in a while is the power wall which is interesting that they've already canceled the larger capacity version but
1:38 pm
the notion of what's been talked about for literally 35 years by people at the rocky mount institute to create more sustainable micro grades, to really enable the city to more solar power energy because you have more storage products to feed interior your electric cars that leads to a shift in how we produce and consume energy and it's also has interesting implications for climate change and other strategic issues for the united states. i'd like to think it will be done. >> for me, i think the best case scenario is a home where the iot gadgets are totally personalized double, totally customizable because the assumptions that work for say, the majority of people don't necessarily work for all people. for example, i travel a lot so if i have automatic ordering of certain things, there would be a constant pile of rancid food and various products sitting outside my door blocking entry.
1:39 pm
a fire hazard and probably my neighbors would hate me. so there are individualizing needs that consumers have whether it's to facilitate their engagement with a particular product or because their life is structured a certain way or because they have special limitations on their environment because of a particular other human and household or their own physical challenges they have. there's a need for customization that sometimes is absent in some iot devices. so i think my ideal iot home would be one where human overrides existed on all the things and the devices would allow me to tell them what i want them to do, not assume that they know what i want them to do. >> interesting. i think i've always been interested in the power savings and smart meters and the next dynamically taking the cheapest price for me,
1:40 pm
etc. and that idea, execution has been different. one that i settled with is, i thought there was a lot of promise in smarter use of network sensors or home security. suddenly though, i've been very disappointed to find that nearly every bluetooth doorlock or automated high-tech home security system has been compromised by one of our friends. i don't think they failed yet on any of the equipment they tried so it's ironic that the devices we buy to keep those out of our homes may impact the very attack sector that lets them into our homes so we talked about some nightmare scenarios in here in this dystopian future but what do you think the most likely, realistic first half is what we had some baby monitor screening. what's likely to be compromised first in the near term in a smart or connected home? >> so, if you read the news
1:41 pm
lately about hospital using ransomware, that's a big thing. compromising devices to be able to monetize that and one of the things i think i started looking at and thinking about early on is, if you've got a fridge that has a monitor on it, that might be actual. and if i have your attention span for two seconds i'm going to serve you an ad, right? so whether their product maker intends that the outcome or whether somebody hijacks that process to then serve you an ad when you're opening the fridge to get milk, maybe it serves you an ad for a different milk brand or something like that. but i would expect that type of a driver to be the first catalyst for somebody to want to hack a smart home device, to be able to advertise to you. if you do it in the right way, and don't want to get any ideas but if you do it in the right way, it's going to be undetectable from normal operation of the device. so it is just going to say
1:42 pm
well, this fridge, it must have updated the software and now they're selling the ads. i don't like that. you're going to think it's a manufacturer that did it. so again, there's going to be some brand impact. you can also see a similar thing accomplished not by actively reaching out to gain something but where these smart home maker goes under or they forget to renew their website and somebody just goes and buys the domain name. now they have complete control of the infrastructure that your smart device is connecting back to and they could again, change the firmware, whatever. if they just put a file out there and you, your fridge goes and retrieves it and pulled it back down, that might be totally legal. i don't know. it's conceivable. we have somebody who knows or would be able to tell us that it's conceivable but that's totally legal. just somebody forgot to renew the domain name so i think that would probably be my first expectation would be somebody would hijack to serve ads or have some other
1:43 pm
financial mechanism. >> i think a lot of people look at the device themselves or how you could manipulate sensors but most of these things have some sort of backend harvesting or storage or configuration so the amount of information gleanable about you even if they never touched your device could be interesting on the back end. anyone else? >> i think what will happen, one of the things that will happen will be one that is intact at all. it will simply be an extension of the logic of how this stuff develops and that's goes to kim riley, publishes all the riley books says it's a business model of web 1.0 was advertising then web 2.0 is the internet of things is going to be insurance. and there's another thing, i think they said that in the future every piece of data is a piece of credit score data. there's a whole rapid bit
1:44 pm
of startups accusing who your friends are on facebook, all your interactions and using it to figure out your financial viability. one of the things we put in the nightmare scenario which is an extension of this is the notion that if somebody borrows from philip k dick you back in the 1970s in which the protagonist can't open his door because he's behind on payments to his landlord. he has to unscrew the door off the hinges and we can start to imagine in the future, you are basically behind or your credit score simply says you are unviable to run this smart phone, essentially you are locked in your house until you agree to pay your bills and the first nightmare is to have mister turn your power off all the day and crawl out the one window that you had not turned into a smart window. this is a logic that comes out of a drivers who are taking vehicles that fall behind on their payments, their cars are basically switched off remotely and they are unable to drive for her. we see these systems evolve where there are punishments if you are unable to conform to the terms of service. so what will be interesting.
1:45 pm
you think you own the smart phone but we know from things like the digital millennium copyright act that in the future, your entire house will simply be a license from the software companies and if you fail to meet the terms of service, you will suddenly be shut out of your house by not even hackers but the actual companies that supplied you. >> i think what else we can also assume that the techniques for marketing we seen used in the smart phone today will extend naturally to all of the iot devices so for example, there are currently some enforcements, actions potentially in progress relating to app is that surreptitiously flashed somewhere buried in the license agreement, received consents to? . turn on the microphone on your phone in order to monitor your tv viewing habits in your living room area now, undoubtedly you will have additional information also being collected about the private
1:46 pm
conversation happening in the room and we had some smart tvs behaving in similar ways through the remote control collecting information with a microphone and so it's reasonable to extrapolate for marketing purposes that all of the devices will look for new streams to modify the information that they have access to. short of voluntarily binding themselves to never do this and some sort of non-amenable way in the contract, i think it's reasonable to expect that most of our iot devices are planning on that secondary stream of income and to the example of the locked up cars, we also have in a consumer scenario, we had creditors who were cutting the end runs on some cars while the debtors were driving and that caused some safety issues and so while the car is maybe not strictly positive then an iot home, it
1:47 pm
sits in the garage vaguely connected, it's all part of this bundle of iot devices that have remote access capabilities not only for the consumer but for the authors of the code. and that creates a wrinkle in some of the traditional relationships of control that consumers have come to expect with respect to the product that they purchased . >> yeah, i will give an exotic one than a more mundane one but as soon as i learned of all the cost savings you could have with the intelligent thermostat, thank goodness we are good guys but we had the idea of essentially small manipulations on a large population of nest devices to essentially pump and dump based on investment on energy sources in the region so you could make a significant amount of money very quickly making small adjustments on mass too many homes consumption of electricity. so that's the more exotic
1:48 pm
one. i think one of the more prosaic, more troubling ones is, think how many devices right now are connected your home to the wi-fi? just, is five, it can, is larger than last year and how many will be there in a couple years? if you look at the home router, wi-fi routers, about half of the original extension of partly you open, most of you read your passwords and many of your banking institutions or social media accounts , about half of the original infections bread were unpatentable. you devices that were horrible but could not be remediated at all. and a lot of these devices that were exposed, you may not have known they were even running this or connected. so i'm more worried about the zombie or the leper colony of these devices where any one of them that fails now has privileged access as a steppingstone to every other part of my home network
1:49 pm
including more sensitive work material, cameras that monitor my children, express cameras on my television without turning the light on, i'm actually looking for devices that aren't smart. i want to have a market for traditional devices in some cases. >> that kind of goes my competition point that as we are marching bravely forward into this world of iot, it's not only about consumer choice along iot devices, it's about consumer choice with respect to how technologically connected these devices are. you losing the bottom end of the not connected devices, that's a form of empowerment and consumer choice and our marketplace becomes impoverished if we eliminate the ability to have a less vulnerable option when we need it. and of course, the scenario of the home and having just one device as a point of compromise not only is the information on your home network but if you are that statement department employee i referenced that the hacker that accesses your network
1:50 pm
through that one unpatched security camera, that can potentially follow you onto your employer's network because if you are accessing that network from your home network, they can piggyback on and suddenly they are not only obtaining your privileged information but the privileged information of your employer depending on your employer is and that could be national security information so we've seen accidental compromises happened by consumers who are simultaneously government employees for example when we look at the sony drm root kit problem circa 2005 where these cds had some code on them that was intended to be digital rights management code but in reality it was coded in such a way that opened the security hole in every system that the cd was
1:51 pm
played in. dod employees played cds in their work machine, other government employees played those cds in their machine. employees clearly never intended to cause a security problem. they were just trying to listen to music. the same way consumers will never intend for their comical cyber toaster they just purchased on a whim to cause a security problem for their government employer without their permission. >> it makes an interesting point to come out of that. i was listening to the other show last weekend we were discussing those issues and one of the things was that yes, they discovered the back door and one of the various hardware yes, various character strengths of the cds, you can pop it into the cd player and a block access to the system so that's interesting. also you bring up, it's funny you bring up the notion of purchasing your cyber toaster on a whim because there's been this interesting proliferation of sites, wish.com and others that felt really inexpensive and these manufactured goods coming out of the pearl river delta and
1:52 pm
elsewhere, we don't know the prominence of this and we can start to imagine ulcerative interesting actor level stuff where you can push a profusion of compromise devices out there that can then basically create trojan horses into the homes where you are now buying this five dollar mobile phone, your who him og that you have there that lights up in your house and suddenly we have a wireless network so that's been discussed by all these initiatives but now it's sort of imagines that stuff into their house. >> also, about a month ago, i forget who it was but somebody in the law enforcement apparatus of the us government said we love this internet of things proliferation, we can't wait to use it to find the flaws, met them, use them to track down, identify, survey of potential criminals. well, kind of extending that a few years ago, dod forbid any use of usb sticks because they said well, these could potentially be gateways to transfer malware into
1:53 pm
networks. does that mean the dod will issue a new memo saying you can't have any smartphone devices? going back to an earlier point, what's that going to to do for the market of smartphone devices went potentially dod or a state us employee might be forbidden from buying certain classes of devices because they are so poorly secured over the lifecycle, right? so that's one of those things that could become a wicked problem in the future is, what are the interrelations that we can't even think about or expect now that will come about 10 years down the line based on choices, design choices and purchasing choices we make today? >> i think there's an interesting cognitive dissonance and security professionals and military where getting credibly strict guidelines, physical security access, what technology can
1:54 pm
use, what kind of systems can access the network we are locked down and then people bring their laptop or work home and are incredibly relaxed there. one christmas there was a big story about this digital picture frame at best buy where it was certified preowned from china but this is not a rare occurrence, especially on the lower end of the devices so i remember having to leave all mac electronics at a military base and i couldn't bring anything in general i was speaking with had a rotating set of pictures on his desk, on his digital frame. why is not allowed in here? this is simply about your home, it's about any of these consumer electronics. if i were a hacker trying to do competitive industrial espionage i would absolutely compromise the microphone capabilities on all these smart tvs and flat panels in the board rooms of my competitors so there are a number of use cases, we're just not being creative enough in our assessment of
1:55 pm
what people can do because we are on not on our guard when at home. >> my question is because i'm usually monitoring this myself but i'm asking questions to. to me, what's interesting is coming at this from an industry view, this is not something where individual consumers should be required to handle their own security. this has to be at the manufacturer level and to me it's interesting that right now, the whole internet of things is basically a giant glacial battle of various standards consortiums. you've got cisco pushing the internet of everything and g pushing the industrial internet and we are fighting this and negotiating various boardrooms about this and security is at a very low level discussion and to me the question is, how do we a, bring that to the forefront with the manufacturers and is there a way to sort of create the nested hierarchies of secure networks inside homes so that whatever i bring home doesn't automatically have the same level of access because these are not new problems that have been addressed in every government level military and even
1:56 pm
enterprise ideas to deal with this. we have refused to deal with it. >> i would love to probe some of these. one framework we have been using for iot is a very obvious question. we thought this in the enterprise which we had by way but the assumption is you saw this in the enterprise, how is iot different and in a really simple framework i use is, there are different adversaries and different motivations. there are different consequences of failure. there are different operational consequences. you're not going to be behind physical security and parameters and network layers. there are different compositions of the hardware, firmware and software used. there's different economics which is one of the big problems here and there's different kinds of timescales. some of these things, the time to live might be a year, some of it might be 30 years. how often do you replace your oven? so those things take some of our best practices and shatter them. so that is one thing. within those there's a number of things preventing us from doing very well.
1:57 pm
>> if you look at corporate it security apparatus, there's about $80 billion a year spent globally increasing at about 10 percent year every year on products and services. i think the total number is around $250 billion if you include it people read and that's on top of the existing it investments that are being made. this is just add on security so if you buy a couple hundred dollars worth of smart home gear, are you going to then also buy a couple hundred dollars of security gear and then manage it and maintain it and keep it up? i've done it stuff, i've done it security stuff in my day job. when i got home i don't want to do that so it's like the story of the cobbler's kids have no shoes. i'm going to be one of the worst people. my stuff is going to be woefully unprotected and on security leave it to me to do it and i know what i'm doing. i'm capable of doing this, i do it professionally.
1:58 pm
for people like my mom and other fault to are less well-educated in cyber security, what's the hope that they could possibly be able to secure their devices in that corporate it security space transplanted onto smart home security? >> one of the other problems that exist as we haven't created what i might call vigilance infrastructure around security flaws generally. not just iot context but more broadly in traditional context. we have nomenclatures of assessing severity of vulnerabilities. we have numeric systems we are trying to identify but those systems are not failing optimally, particularly in a world where there are billions of iot devices though these are bigger picture problems about infrastructure information for vulnerability information sharing that we need to bolster and scale and improve
1:59 pm
in order to be able to get the information in a present hallway to allow for comparison of of products based on security to help consumers, make good security choices, these underlying steps are not yet fully developed so we like to talk about information sharing regally and i'm going to ask one more rapidfire speed round and then
2:00 pm
encourage each of you to also ask questions. as was what to do about i agree my neighbor plan to be a secret professional and they never would have to be the i.t. person for the own smart home across their devices. we outline recommendations of things that could be adding 1032 consumers or add basic expected capabilities to reduce the possibility of harm. what do you think would be, for each of you want a more, what would be some good additions that were recommended or elsewhere that could make as we do have to security settings, getting more interlinked secure? >> i think one of the biggest things is some of the existing consumer practices in non-smart devices, one of the things i found that fascinating and talking to some people in the retail industry is of course we go into by something and we bombarded with questions or there.
2:01 pm
we've done tons of research going outside the wooded. that's one of the retail folks because concerns. is there some way a store employee at a retail outlet can be able to have a quick answer of yes, it is secure, rather than well, here's what you do. put this in front and do that. if they can have those quick answers that helps them sell more products. which goes back to the market competition drivers. so if somebody comes in to a store and says what's those secure device and the retail complacency this one and i can tell you why with three simple bullets but also you can read for yourself. i think that something i is very powerful that goes up the retail channel. barring that, there is immediate action to go to if, for instance, someone market something as a secure webcam or a secure baby monitor and you find out it's very much not a secure device.
2:02 pm
that are ways you can contact the ftc and report things. that's maybe not a technical thing but that's something my mom can do. she has done before, to call the better business bureau or somebody and take that step which a lot of people don't talk about in our industry. i think we should talk about it more. >> who is next? >> i'll go. this might be utopian but the discussion about recording devices, smart television. if i recall the samsung smart television ready to read the terms of servic service he thats recording all of the conversations and dissected on a personal conversations in front understands on television. back to me said everything. rather than ever television that did not record and have it not record your conversations, you simply assume the risk of would record everything you said and used against you. to meet the utopian broader political discussion is we need to end the current data
2:03 pm
collection regime which is the fact that any hardware maker with their services are and we put everything they can from you and they own it. we need to have some sort of scheme or start altering the scheme to create, that you own your data. something like the world economic forum or some other approach that would create real legal protections around her day which would enforce the manufacturers and service providers to treat with seriousness rather than just don't have any personal data in front of our devices because that we don't have to worry about a thing stolen, which is the current regime. >> and the prices don't reflect. which goes to the broader conspiracy point. i think one of the thing before we open up for questions is the hopeful question mark note that this is a space where technology tools can help to translate concepts for consumers,
2:04 pm
policymakers and for creators of these technologies. we have a robust community of experts who could act as third party auditors but sometimes that information doesn't translate well and filled into the public consciousness to inform the less technologies sophisticated consumers. with respect to the state of the art with what we know to be true in the security research community. building technology tools to facilitate that translation of fact both among consumers but also to help small businesses, creators, better embrace the importance of security by design from the ground up, and to recognize that security isn't something you can slap on the end of the process. it's not a bad. it needs to be -- band-aid. biggest be inherent in the broader structure and architecture of the device, or
2:05 pm
it's a lose-lose both for the career and for the consumer. >> well, a very large thrust of the five star for automobile crash tests is that you don't have to know what the differences between three-star, 4-star or five star. it becomes an actionable device to tell relative safety ratings of different vehicles. that's one of the reasons our five star framework wasn't meant to be a checklist of all the security things now shall do. it was more of a public adaptation of the things you had invested in. when the public becomes more savvy or interested in this as a buyer criteria they can add any consistently tell people what -- tell people what they're doing. i think one that just came to mind because it did a webinar yesterday is there was a congressional action from chairman royce of the house foreign relations called cyber supply chain, management and transparency act of 2014 asking for food labels for software.
2:06 pm
if you sell to the government you should have a bill of materials so the third party, no having a security defect and they should be patchable. you can. >> and how much of the software industry hated this bill. just yesterday we did a webinar with the financial service industry where they said that's a great idea that they basically are now saying to all the big software providers we want to see a food label of the software you are selling a senior commercial goods. that's what this done. they didn't ask with the other two things but what this allows you to do is make a more informed decision. could that allow organizations to tell who is better or worse hygiene? one thing i'm telling my friends is if you're going to buy an internet connected device it better be patchable. that's a simple thing to ask for. the other thing is don't buy an interconnected device if you don't really need. i think part, you must be this
2:07 pm
tall to ride in it of thanks and if you're going to connect it and expose the must have the ability to fix it. so with that, does anyone in the audience have a question? we have a microphone. feel free to also say what you think we should do for the actionable decision-making. go ahead. >> so one thing that, i'm a security practitioner as well and what it thinks i've noticed as a look at these devices and i stop for the ethnic okay, if i want to see how secure this device is, what would have to deal, and i think about and think about and think about. compared to what i would have to do for a piece of software on my computer or the computer itself, it's unbelievable. and i do this. like i have the cure to do this. i don't want to have to buy to toasters and take one of them apart and start connecting, look, it's a certificate and clear memory, that kind of
2:08 pm
thing. i think the problem that calls for the star rating or whatnot, i think it extends farther in this world than it ever has before. it's kind of weird in that there's a level of transparency here that even those these devices are more ubiquitous, they are even more opaque than the more complex ones we're used to in cyber. >> and it may be illegal for you to do analysis, right? >> exemptions spring to life at the end of october. >> thanks for the comment. let's take three of these and throw them into the melee. over here. >> for the video, please. >> there is a new security research exemption for research on including iot devices, security research that conforms to the limitations of the exemption. the base of everything the consumer product is loosely
2:09 pm
covered by this exemption which allowed for the circumvention, not being a violation of the dmca for the purpose of testing and analysis of the code and consumer products in order to analyze them for the integrity of the code. >> can i ask for a follow-up? my voice is so loud. >> for the recording. >> i'm in a different generation than you were and we used to play games with peoples minds. so if i something in my house and he knew somebody was monitoring it, i would just play with the information online. assumes we know we're nowhere passing laws that makes it illegal. they're collecting information on and it illegal for me to play games with their mind. that's what my real question is a. they will turn into a security thing and by the way, you just
2:10 pm
can't -- >> is one of the reasons a lot of the research community to send it up on this cycle of exemptions, to try to come and look at the white house hacker community as an untapped domestic resource, that can find and approve, find and get them fixed more quickly, then why would we activate? there were quite a few prominent researchers and patients that tried to get exceptions for medical devices, automobiles and this broader category. >> we will see all sorts of messing with smart homes. it will not mr. obey by individuals. microsoft's twitter run amok points to people messing with your house to turn into a fascist -- we see amazon at the personality where it's only begun respond to radio and television ads so we can look forward to subliminal messaging
2:11 pm
going into television ads designed to trigger your in house and i to advise things or perhaps attack is the mother with the a lot of gaming but it could happen below the mouth of actual individual intervention which will be large corporations and ai messing with people. >> we could easily have several panels but we probably won't. you were next. >> looking at issues without with industrial control systems, stuxnet, et cetera, how do we address those before they're happening with smart homes or can we or do we have to just wait and see? >> that's a good question. so some of the issues without with industrial control systems, i think it's kind of an open secret that they are widely considered highly vulnerable and highly exposed, and there's high consequences from their failure. we saw recently there was an iranian guy who is charged with
2:12 pm
hacking a dam. luckily apparently the gate was not operable remotely and there wasn't that much water behind the dam. i don't know that we'll be able to handle all of those disasters. i don't know what the impacts will be i think to some kind of a planned response is important because we will need of some kind of response if and when that does happen. but doing all we can before that by having this design later that takes security into account is going to be really important. >> being proactive certainly has the benefit that if we look at other historical legal contest that the context, in environmental regulation we need to wait for ever to actually be a far bigger was until the cuyahoga river was in flames that we passed governmental law and is one of the most aggressive liability regimes that we have. rather than waiting for a river
2:13 pm
on fire event, it might be a more desirable and more logical strategy to be proactive and to think through the optical pathways for crafting both responsibilities and structures of information transfer for we have a river on fire and information security context. >> we may not get to it but one topic usually comes up is the lack of any sort of software liability as part of the issue. and also it stymies activating the insurance world as well to cover residuals. but one thing we should not assume is just because you can connect to the internet doesn't mean you are required to do so, especially in industrial control systems. one of the things i am -- i lose sleep over, if you play with children from things that should not be connected but our
2:14 pm
advanced default password you can change if you wanted to. i used to say instead worry about sophisticated nation-state attacks on these things, maybe first you should handle meta- ms one of which is a free attack tool. if you can't handle that, you can handle anything. but below that i realized what a second, we are not even patching known vulnerabilities. there was a stunning graphic that showed 97% of the successful attacks lash it would be to just 10 known vulnerabilities at a habitat available for more than a decade. and i said wait, maybe the lower level, the minimum hygiene is make sure your industrial control systems are not nakedly exposed to the internet. i think we have a lot of things we could and should be doing but the easy way to secure the 30 year old industrial control system is to not have been exposed to the internet. something like stuxnet that bridged the gaps because a bunch of other factors but we are taking significant elected risks
2:15 pm
through are really unnecessary elective attack surface. i saw you first, and then you. >> and russell with stanford university's hoover institution. i to question. there's a lot of focus and talking about software assurance year, given the fact the iot's, the iot in the home as toasters, ovens, refrigerators, dryers and washers, we are not looking at hardware assurance as the bulldozer and then with hardware. and since this supply chain for a lot of these things is coming from overseas, what are your thoughts on hardware safety speak with a lot of the work we do when we talk about those differences and adversaries, the third wha one is, the fourth ons different in composition or the hardware firmware software stack is wildly different than you might see in an enterprise
2:16 pm
device. so in some cases there is, componentry, and others it's like you buy a pallet of some embedded chinese chips for the cheapest that day and to my be different the next day. there's no assurance and given the margins on some of these small devices their number is likely to be assurance on some of these things. there is an experiment with underwriters laboratories to make a cyber seal. initial round will be a medical devices and industrial control systems. but the likelihood when we talk about different economics for the home and for consumer, this might be a kickstarter size thing with two employees in the garage an and a mighty the next thing bob bork 3.4 billion. it doesn't usually get completely scrapped and rewritten. this is a particularly pernicious issue, including the hardware you referred to. >> going back to your earlier point about nest energy
2:17 pm
fluctuation arbitrage, there's that at the bottom end is odmg george's butt off rental auction sites at the height and when your nest is brought to you by enron. the entities applying it to is engaging in fairies practices that would be found illegal everywhere the risk of that which is not even hacking. that's just simply manipulation. >> i think what we will end up with is we will have some minimum standard of care. think about a commercial restaurant. you can't just have a commercial restaurant. even though the hacker can hate any regulation, there are times when the government asserts its will for public safety and good in the form of minimum kitchen sanitation code. there may end up being something like a gold star seal or is more of a carrot. will have to come to a point where device that can be a certain threshold will allow discerning citizens to go by those and onl only those. they may not be as deterministic as an underwriter's laboratories
2:18 pm
guarantee. you had adversaries and a lot more complexity. but i also think what we will end up doing is having to employ a whole lot more segmentation and isolation in the way we set up our dependence. you don't have to connected to everything else. it's going to take us a lot of stumbling and fumbling before we get there. any one else on that point? >> i will just briefly, but one of your points. on the point of a minimum standard of care for security, the federal trade commission has instituted a reasonableness standard for security and all companies and in all products as they consumer protection measure. they are enforcement activity, over 50 actions with respect to security and reasonableness is the hallmark of activity and there's a report called start
2:19 pm
with security report that provides a list of practices that have been considered interest enforcement actions at its intended partially as an existing document to startups that are trying to struggle through these questions of hardware and software security in their new devices. >> there's a sister organization called build it secure. their unique focus is on very small kickstarter size projects where they are creating guidance and reference architecture that is going to make a device on a raspberry pi here so you might do in a secure way. or if you use -- necktie to take popular small electronic low-margin iot platforms and provide free guidance and reference architectures that there's a better chance of it being done less horribly, better chance of less horribly? all right.
2:20 pm
>> earlier he would also ask about ideas for what we know to do to fix things. one of the things as i actually am starting monday going to be a cybersecurity analyst for the state department, and i don't have anything smart in my house. if i were going to have something smart in my house i would have become routers and i would completely put all the internet of targets behind one router on one end, had in it comes to the other and put anything that are wanted in level are wanted in of are wanted in level us to get on on a completely different subnet and different brand, probably wired by the same token what i would like to know and like the opinion of you is i thought considering some people don't want to use the internet of things, to have a mandatory rule or law that every device has a mechanical non-software controlled on-off switch so i can shut off the internet and
2:21 pm
that were that they can physically be turned on to software and hacking. there's a click to turn off my tv is wi-fi, to turn off my refrigerators wi-fi, the ovens wi-fi and so when. that would be a good viable first step to help the people who don't have enough security since. there's a switch right back here, click it and you'll be fine. >> smart switch to a dumb device, right? >> in fact we were car shopping about three years ago and i tried to fight even though i knew hackers had look at most of the cars, i could do to which car had the best security program. fast-forward three years later, i first thing this is some really intelligent security person at every car company and three years later i still can't
2:22 pm
get the edge to what the best programs are. one of the more stunning moments when i was on a trip was i said to my wife this car has 4g lte wi-fi standard in all vehicles. and she said, he said doesn't that make you want to buy this car instead of the other? she said i don't think you know my husband. [laughter] but then he said you could always shut it all. she said i'm not an engineer but in persia i can't cut it -- shunted off. i called the next morning and sure enough, you can't shut it off. you should subscribe to customers how much it still functions when it's not connected or how much, what a failsafe mode if it were compromised, would be greatly safer connection. these are the discussions we want to stimulate such that we we start making recommendations to consumer electronics companies we have released a list of options they can choose from a spirit and help consumers to know to ask that question.
2:23 pm
because unless you are married to security pro or study it might not even know to ask that question. of the car manufacturer, it's a multi-thousand dollar purchase your investing in, and it's something you care about that didn't agree to you just. to help consumers know which questions to ask and to put pressure with their buying dollar on companies to have good policies in place, have open door policies with researchers who find flaws, to have feedback loops, information attempt to consumers about whether there's a kill switch for it human override it comes to come its autonomous car and something is going on the wrong that was not anticipated, code is written by humans. we can't and to do everything to does and what i can't buy a 50 page paper without making a typo. it just doesn't happen because we are humans. code is written by humans and so sometimes i am come you have mistakes and i'm a firm believer in the importance of maintaining
2:24 pm
human override in circumstances where an unforeseeable event causes something to go off the rails. >> a lot of systems in medical clinical environments usually have requirement for an analog override. i think we are losing that discipline in some of these other safety critical use cases. we will have to find a way to get back. i saw, alan, was next. spent colin friedman, department of commerce. do are part of the government that are strongly encouraging, cooperation between vendors and security researchers but i wanted to talk about what we can do to sort of leverage some of the market forces independent of just combating control regulation one example i will fire out is collaboration between the national association of realtors and industrial consortium to have a checklist as you are selling your home. if you're backing him you want to know what's in there. you know to get the first look
2:25 pm
at, the hvac system looked at. there's a checklist to say at least what smart devices are known and when were they built? is not the best for security because it's not written about security but it's a good start. so are there other economic forces we can use to sort of collaborate so as not just consumer versus defender but you can do some large powerful commercial forces on the side of the consumer? >> i like your example. one of the things we talked about in the paper is the right to be forgotten for homes when you resell your home, you change the law. when you resell your home did you delete all the data, personal data about you? like what does it look like? would you have to just change the entire thermostat becaus bet is time because it is tied to your account with your password and you just handled your password to the new people who move in? thinking about those things, kind of the entire lifecycle of the device, if it's afraid for
2:26 pm
him are one of those things that tends to survive ownership of the home itself, how do you, how do you as a consumer, that buyer of the new place or the seller of the old place, do that? maybe your fridge just keeps buying meat and having it sent to your house and you are begins removing and you just get all this meat shipped to your house. how do you stop it with you don't have the password for the amazon account to stop it what happens? so i like your specific example. >> building off that come countries can this goes off, what are the basic interoperability standards between competing manufactures? an example in the 2025 nightmare scenario is imagining that you have each been in your house is coming from a separate and because you acted to peace do. what happens when your kitchen stops talking to your bathroom? what happens when siri and alexa
2:27 pm
are jostling to grizzley fulfill your competing demands or perhaps crying on each other and sending white? there's no real guarantee manufactured while these guarantee some sort of basic interoperability other than whatever they worked out amongst themselves the item how we legislate the equivalent to what the smart home is are some standards on that but i don't think that's been looked into in a or what happens when the manufactures go to war with each other or there's glitches between the two where you have -- every mistake we made with a computer architecture will now build into our homes. something to look forward to. >> i would like to take a parallel from automotive lemon laws.
2:28 pm
the reason the market wasn't sufficient was this information asymmetry with the seller knew more about its history than the buyer so that was a device put in place that did not add more information but maybe you get an escape clause if you found something, lemon law. you can argue those are not necessary now to with carfax what is more transparency about the events and maintenance that went into that vehicle. that's at least our part, they are not big fans of legislation or power structure. but most seem to be okay with the idea of transparency to enable free market choice. that's one of the reasons we have tried to talk about food labels or demonstrate if it is patchable. what of the things we're telling people in the meantime while we don't have five star rating is i look for vendors who have disclosure programs. to your initiative, in lieu up on the information i might be able to glean about automobiles there's a short list of car companies who have or about of
2:29 pm
inviting researchers report today that my assumption is someone with that front door welcome mat instead of an implicit beware of dog sign is more likely to look at issues and fix those issues than an organization that doesn't. it's not causal but is something i can act upon. i think one of the strongest issues will be free market forces and the best way to unlock those is to have more transparency to enable the free market choice. you and then right here. >> in the commercial industry for smart buildings and smart kitchens and so forth, they talk about a 35% saving in operating costs. there's a couple words i haven't heard in this discussion. one of them is ip version six is probably necessary. the other is there's a whole
2:30 pm
list of local and regional building code and building inspector issues that go on in terms of doing that, that retrofitting is almost impossible, design it initially becomes the answer your another word that probably hits the car thing, too, is something called emp, either by terrorists or by natural causes like a solar flare can bring down the whole network. .. maybe taking the point too far in the direction you said that if you look at the software update today and iupdates todays
2:31 pm
the access to do the update, if you go to any of the rental car agencies, they might have a fleet of 100 cars in that location. how many hours does it take her vehicle if they have to go out and do that and when do they take them out of the service so they are no longer producing revenue? i could see if you go to a restaurant and they say we can't serve any food that requires refrigeration because we are waiting on a person to update the refrigerator like in the commercial cooling space. >> [inaudible] >> on your cell phone they have automatic updates. maybe there's something you could do but then again, that means you must be connected to the internet and that's one of the things that greatest opens up because they've already you have a better window i would say to be able to wait and maybe you
2:32 pm
don't have to shut down before you update so that connecting to the internet part is what makes you have to shut the fridge down before you can go and use it. >> let's take one more question then there will be some closing remarks. i think you have the microphone here. >> i'm with greg on the smart home with the jetsons and i want to know where my flying car is. [laughter] but seriously, if you look at cars in the highway safety institute i and all the testing they do, until there is some entity that actually tasks -- not talking about standards that are voluntary but talking about people that crash in the equivalent -- how -- the
2:33 pm
consumers will never really know what is safe and what isn't until the actual testing. and so, in order to accelerate something like that, you were talking about liability. if you were looking at places like the mayo clinic, you have closed liability on the vendors. if your software fail software e is a beach, you are liable through contract. unless there is a consumer movement to demand liability on the manufacture who's bringing something into my home that has this vulnerability that is known, then without those two
2:34 pm
things i'm not sure that's just relying on the goodwill of manufacturers to do the right thing because we know that is simply not going to happen to push the product out the door with no volatilities because they can. >> here's where we get into the interesting legal terms when we're talking about physical objects, a chair, table, refrigerator to their concert and protections as a matter of the law under the version of the uniform commercial code that's been incorporated by state legislatures into all contract laws so that gives certain rights of recourse. so we have these kind of protections for physical objects. the software has generally been shared with these license agreements that say you use it
2:35 pm
at your own risk. whatever happens, not our problem and when it was the chapter of your latest book that got lost and you got the blue screen of death on your laptop, you were annoyed that you kind of don't put it. but that's the blue screen of death, a medical device is real death. so here we have this physical space of liability and a higher level of consumer protection because of the information disparities. and over here, we have this norm for software. these are clashing in the context and that's what we needed to resolve. the courts are going to need to struggle with it and that's where the rubber is hitting the road i guess. >> and for a future discussion, one of the ways i met andrea a couple of years ago is posing on the question of its software
2:36 pm
liability the best idea for all others and especially when it comes to flesh and blood as we are now encountering the signal to place the cost burden on the party come and the best position to avoid the risk and they can offset the residual risk with those we have elsewhere. so this will come to the head and maybe it is the first candidatcandidate hittite assaut driving car but i think it is what will trigger the condition and it's better to have a plan before that moment into heavy knee-jerk reaction. let's do a 32nd closing remark in any particular order. it's a national safety board. >> if someone has written a lot about the air travel i absolutely agree i would love something like the national transportation safety board for the internet of things.
2:37 pm
it's the safest thing i can possibly do given the oversight of it is interesting to have something like that. to make sure that it doesn't happen again to patch the vulnerabilities. i don't know what it would take to create a cultural shift that it would be a great thing. in the next that burdens down dn entire neighborhoods in america something like that i don't think it would be a cyber attack to blame someone, that's something of a glitch or property damage. >> to return the investment to the shareholders until it becomes a monumental significant
2:38 pm
financial issue for organizations maybe they can't and maybe that is one of the spaces we should start looking at or how do we make cyber safety with carrots, sticks, market demand, whatever it might take. that might shape and shift the landscape more than some of the other things. >> my final thought is coordination opportunities playing on that last point while some of these would argue that duty is to maximize the profits and cut corners on security. different organizations will argue long-term maximization of corporate value instead requires investment in the r&d into building the product that will engender loyalty from the customer base. coordinating and rewarding those behaviors across all parts of the ecosystem. for example the security exchange commission is strongly
2:39 pm
encourages and requires disclosures of material breaches of security by the publicly traded companies. they made some comments that perhaps the disclosures are not quite the level that they were hoping for. and coordinating on the marketplace that's coming from part a. of the enterprise with the generated disclosures coming from part d. and looking at the big picture story how they care about the security or doesn't care about security and what affirmative measures are they taking to be the best version of themselves. it bolsters the economy as a whole.
2:40 pm
andrea, bo and some others from the whole room is going to take a river on fire before anyone would listen in our stubbornness that you know what, we are going to try and build relationships and use empathy. sitting right there started a pretty intense exchange of educational awareness in the industry as he talked about said it would take proof othat it wom of medical device to trigger the corrective actions. the week before they issued the first-ever safety communication from zero proof of harm because through the dialogue they concluded the impact for the corrective action and now on the guidance so the idea of saving
2:41 pm
2:42 pm
booktv is in primetime on c-span2. the san antonio los angeles and virginia book festival's. are eroded to the white house coverage and online interactive resources to where they visited the middle schools to honor 79th graders for their wedding videos in this year's student student n competition. a special thanks to the visit. you can view the visits that
2:43 pm
students can.org. he's got dallas mike allen of politico to offer his thoughts on the efforts to unite the party behind donald trump. you will be able to watch but starting at eight eastern. coming up this weekend on the newsmakers program the governor of puerto rico. monday they missed a $400 million debt payment. another $2 billion of loan payments are due over the summer. he's our guest on newsmakers sunday at 10 a.m. and 6 p.m.. >> the house select investigative panel on intense lives held a hearing last month on what republicans on the panel alleges the sale of fetal tissue. democratic members of the committee argued the
2:44 pm
investigation is an attempt to restrict women's healthcare. this is almost three hours. >> of the select investigative panel will come to order and before we begin, i would like to take a moment to address the guests were in our audience today. first of all, we thank each of you for taking the time to come. we think that engaged citizens are a welcome and valuable part of the political process. i only wish every hearing drew the amount of interest that this hearing has drawn for the purpose of this hearing we are going to be examining the pricing of fetal tissue. it's for the select investigative panel to ask questions and have a thoughtful discussion. we welcome you. i do want to remind our guests in the audience come if the chair is obligated under the
2:45 pm
rules of the house and the rules of the committee to maintain order and preserve decorum in the committee room, and i know that we all have deep feelings on the issue but we appreciate the audience cooperation in maintaining order as we have a full discussion that we would like to have this morning on this important issue. i also want to welcome each of our witnesses who are here today. and at this time i'm going to yield myself ten minutes for an opening statement. >> madam chair? >> regretfully, i needed to bring up an issue regarding the packet of materials, the so-called exhibits provided to the staff yesterday. before the opening statements and the reason is because we have just received your opening statement, which was released to the press i just saw it for the
2:46 pm
first time, and in your opening statement, you make extensive reference to this package of so-called exhibits and so before you make your opening statement, maybe we can resolve the issues; otherwise we are going to have to object to the documents referenced in your opening statement. i will go over what our issues are with those so-called exhibits. your staff told us that you and other republican members intended to give these materials to question witnesses today, and it's my understanding that these documents have been given to the witness. in fact several of the witnesses mentioned the documents in their written statements. i reviewed the documents yesterday and some of them were created wholesale by the staff and there was no explanation of the underlying factual
2:47 pm
foundation for those materials, the methodology that was used in coming up with these charts are some of the graphs that we had, and frankly, i believe them to be misleading. and moreover, the conclusions that are drawn and stated as a fact in the staff created index are false. there were others that were sourced to the procurement business but also have nothing to do with the topic of the hearing. they don't distinguish between the various services that provide a number of different specimens for use in biomedical research. now, just to add to this, yesterday the company who we believe the so-called exhibits
2:48 pm
came from, stem express sent a letter to you and a copy to us about the serious problems with these so-called exhibits. i'd ask for unanimous consent to put that into the record. i guess my point is i'm concerned because the so-called exhibits i don't think they are designed to find the facts about fetal tissue research and if they were we could have called them in or taken that position and i don't believe that they are germane as is required by the rule 16 because they don't reflect the credibility that in fact they cast a dishonor on the house. but in addition, if i may because we got the exhibits yesterday and then we got a letter from express, it also
2:49 pm
raises troubling questions about where the material came from. if you look at the letter and i hope you've read it, what it says is they believe the panel they've received material directly from mr. david that hadn't been authenticated and was obtained unlawfully. this is part of the whole issue of the investigation in texas as some of these may have been created by him and solve. but the company did is ask that we withdraw the documents until the general counsel of the house of representatives has an opportunity to review them and the proof so madam chair, given the concerns about the factual foundations of these exhibits,
2:50 pm
and also given the further concern about how they were created and what they are saying i'd ask if we can withdraw the exhibits until these things are figured out. >> i thank the gentle lady for her inquiry. yes we were in receipt of the letter. i don't know anything about the attorney or how truthful their letter is. we do intend and accept the request and we will use that letter in the record and for the hearing today. the documents, let me speak to that for a moment. the documents have been obtained through the regular investigatory work. we have had things that have come to us from whistleblowers, subpoenas, former employees and citizens but filed requests, the panel's whistleblower portal and
2:51 pm
as i said also, an internet search archive search engine. that is the way the documents have come to us so, the documents that we are going to use for the hearing were the documents we intend to use for the hearing we will accept the letter into the record and -- >> you stated all the documents that formed the basis of the exhibits were received from a variety of sources including whistleblowers. have all of the documents been provided to the minority staff of the committee? >> we have provided documents to the minority staff. >> have you provided all the documents that were used in the foundation for these exhibits? >> i think all the documents have been provided to you and then you have the staff that linked the documents -- leaked
2:52 pm
the documents to one of the entities. >> i would ask a further inquiry that before we continue might i be asked to inquire the appropriate staff member of the foundational basis for these exhibits particularly exhibit b. number one and number two if there is a chart exhibit what you intend to use. there is an exhibit excerpt of a draft contract between the abortion trade associations which appears to have been created. i would like to ask the staff how the documents were created. >> what do you mean by foundational basis? >> if you take a look at exhibit b1, second exhibit b1 appears to
2:53 pm
be a chart, and it has three boxes. abortion clinic, procurement business, researcher, and between the three boxes, there are dollar signs and arrows going back and forth. there are questions and so on. i don't know, i don't know what information this is based on. i would like to know how this was created. if you look at exhibit b2, for example, exhibit b2 is a document that doesn't say where it's from. it appears to have been taken from a website but this is one of the documents that stem express is saying might have been taken from not their company but someplace else and not talking about fetal tissue but i don't know where that
2:54 pm
comes from. the exhibit isn't identified where it comes from but i suspect the witnesses today and the majority somehow try to use this to talk about the so-called sale of the fetal tissue. exhibit number three is just again something taken off a website. we don't know the source of that. exhibit number four appears to be a bar graph, and what it says is procurement business and clinic growth strategy and the number that has a bar graph at exhibit five. we don't know where that information came from so if you are relying on this. this is being presented as a fact but it's not. this is what disturbs me. this is in parentheses excerpts
2:55 pm
on the draft contract between -- >> if the gentle lady will yield the -- >> sure. >> the draft that you are referencing was created by the staff for discussion purposes. it's created by material that maybe has been said or did to us to the committee and so the documents that you're going to is again submitted to us and before it's something created from the material that has been submitted. now does the gentle lady have a motion? >> that is the concern i would like to be able to question the staff member who created all these documents. if you would like to include in your questioning in your time
2:56 pm
discussion -- >> madam chair i think that these exhibits were created from whole cloth and if you won't let me find out what the basis for these are, then i object to the use -- i would make a point of order that these materials are against rule 16 clause number seven of the house and i'd ask for their exclusion. >> i would move to table the point of order. >> the lady has been -- >> i appeal the ruling. >> the motion has been made and the motion is tabled. >> i appeal the ruling of the chair. >> he made the motion to exclude and then i moved to appeal and then you ruled to table it and i moved to appeal it.
2:57 pm
2:58 pm
2:59 pm
ayes and five nays your work be taken down regarding the assertion that staff quote leak documents to the entity, actually stemexpress. these documents had already been given to witnesses and the press and then were posted to your website. and so i think your words need to be taken down. accusing our staff of leaking that is not true, and those words should be taken down. >> madam chair?
3:00 pm
>> ms. schakowsky, the staff had asked for the documents. this was shared before they went to the website, and then they were released to the entity. and in order to take the comments down, the comments have to be personal in nature. so with that, let's begin with our opening statements, and then we received our first panel of witnesses. as i was beginning earlier, i want to welcome all of our witnesses who are here today. i am going to introduce each of you later as we move forward with our testimony on the pricing of fetal tissue. as part of my opening statement, i will present a narrative about the exhibits that today's hearing will discuss.
3:01 pm
i said many times my hope is that both parties can work together on some things and today's subject matter should be an opportunity to do so for a couple of reasons. first, at an initial hearing on bioethics and fetal tissue, all witnesses from both sides agreed no one should profit from the sale of baby body parts. nobody. second, the democrats overwhelmingly supported a prohibition on profiting from fetal tissue sales during the 1993 passage of the national institutes of health revitalization act. former congressman dingell passed this legislation out of the energy and commerce committee and former congressman henry waxman amended the nih bill on the floor to make clear that profiting from the sale of baby body parts was a crime. folks, these two democrat leaders took the oath and so
3:02 pm
seriously that they made profiting from the sale of fetal tissue punishable by a 10 year felony. they understood that unborn children do indeed have constitutional rights. there's been a lot of heated debate about the horrible videos that came out last year, but today's hearing will present business documents, invoices, marketing brochures and management documents that reveal that one for-profit procurement business and several abortion clinics may have violated the intent of the statute, and the waxman prohibition passed overwhelmingly by a democrat controlled house. we've invited former u.s. attorneys and others to help us understand this conduct in light of the existing statute. we look forward to working through this material in a thoughtful way, and ask my colleagues on the other side to
3:03 pm
join in a productive discussion about the statute that your side passed. before i turn to introducing the documents i want to call your attention to five posters that will help to visually follow the discussion. the first chart presents three entities involved in the business of selling body parts. that chart depicts that the middleman, the procurement business, pays the abortion clinic for fetal tissue and is then paid by the researcher, the customer. this second chart is a website screen grab from the procurement business of how to buy baby body parts online. there's a new website, and the baby body parts procurement business has been spun off to a new entity. that chart shows the drop down box for every part imaginable, heart, eyes, liver, hands. then click on the next box to pick the gestation period. then you click and proceed to
3:04 pm
checkout to select your form of shipping. the third chart shows the daily tasks performed by the procurement business employee inside the abortion clinic. once the order is communicated the procurement tech starts her work checking gestation periods, giving consent, procuring tissue and sending to the customer. these are clear hipaa violations. our democratic colleagues have concerns over privacy throughout the investigation. i would hope at a minimum they will join us in condemning obvious violations of hipaa which was signed into law by president clinton on august 21 of 1996. the fourth chart summarizes sample actual payments from the procurement business to the abortion clinic and from the customer to the procurement business. these are samples for discussion today. they do not present the entire financial picture. the fifth chart shows who bears the responsibility for the
3:05 pm
reasonable costs involved in the procurement and sale. next i want to walk the witnesses through the exhibits. i know all the lawyers in them like to focus on every detail, and that is why you're here. it's also important to understand the big picture of what the procurement business was trying to do, especially in light of the waxman prohibitions against profiting from the sale of baby parts in the 93 nih revitalization act. please turn to the exhibits. this is the procurement company brochure that is handed out at national conferences where abortion clinic managers are in attendance. notice it says financially profitable, fiscally report, financial benefit to your plan. look at the next exhibit which is a website screen grab of the procurement business. once again financially profitable while also inviting a financial benefit to your own clinic.
3:06 pm
evidently the procurement business is not familiar with the waxman prohibitions. now turn the page. the procurement business started in 2010 with three clinics. two years it was up to 30, and in two more years it had nearly 100. they were negotiating a contract of over 250 clinics by this year but the comarketing negotiations with the national abortion trade organization fell apart just about the time the videos came out last year. now, you do not have to be a lawyer to see what's going on. you put up a website that offers every part imaginable, and why on earth would anybody ever need a baby scalp? then you pick the gestation period and you check out. to offer that service you need abortion clinics, a lot of abortion clinics. so you grow your number of clinics and you offer the clinics money to sign up. you offer them financial benefit
3:07 pm
to join. you tell the clinic that you will do all the work, all the items on the chart to show the workflow of the procurement technician. this does not sound like tissue donations for research. this sounds like someone who wants to make money, a lot of money, selling the baby body parts. so i thank our witnesses for their generous time today. i welcome them. and get this done i yield two minutes to ms. schakowsky. >> from the outset this investigation has not been an objective or fact-based search for the truth, but a political weapon to attack women's health care and life-saving research and harass and intimidate those who provide these services. this was clear during our first hearing one of the witnesses invited by the republicans drew a comparison between researchers
3:08 pm
who use fetal tissue and nazi war criminal dr. josef mengele, a comparison echoed by chair blackburn in your opening statement. another republican witness testified that women who have abortions are quote morally disqualified, unquote from choosing to donate tissue for research purposes. for today's hearing republicans have again invited witnesses who believe that abortion should be illegal, that women should not be permitted or trusted to decide whether to carry a pregnancy to term. some continue to declare that planned parenthood is selling fetal tissue as you just heard for profit, despite the fact that three house committees, 12 states, a texas grand jury have already cleared the organization of wrongdoing. these witnesses endorse and rely upon the video allegations of antiabortion extremists, mr.
3:09 pm
daleiden and his associates to support the inflammatory claims. anyone who's been following the facts knows the truth. mr. daleiden's videos are not accurate or reliable and they do not show the unlawful sale of fetal tissue and we will argue today that the so-called exhibits did not make that case either. a grand jury in texas already put mr. daleiden to the test under oath and he failed. that grand jury instructed by the republican senate governor to investigate planned parenthood, instead indicted him for breaking the law for efforts to entrap planned parenthood. the district attorney handling the case refused to re-present it to another grand jury, explained that quote we must go where the evidence leads us. and then she explained, and i quote, anyone who pays attention knows that i am pro-life.
3:10 pm
i believe abortion is wrong, but my personal belief does not relieve me of my obligation to follow the law. that standard should apply with equal force here. there is no reason to believe that mr. daleiden, a proven liar when it comes to planned parenthood would be any more truthful about anyone else involved in reproductive health care or fetal tissue research. yet instead of correcting the record the chair continues to invoke them. today my republican colleagues likely will claim that it is not just the videos. she has claimed, the chair has already claimed there. they may assert that documents that this panel has received or that republican staff have created show the need for further investigation, and this is also false. 16 years ago the subcommittee on health and environment of the house commerce committee considered similar materials, 16 years ago,
3:11 pm
that hearing titled fetal tissue, is it being sold in violation of federal law? featured a fee for the service schedule, showing amounts charged for types of tissue, transaction logs, with charges for tissue on particular dates and agreements between providers and procurement organizations. that hearing also featured an employee, dean alberti, who had worked at two tissue procurement organizations, the antiabortion group life dynamics had filmed and released a video interview where dean alberti claimed to have witnessed fetuses quote born alive, doctors changing procedures for donation purposes, and unlawful payment for fetal tissue, exactly the
3:12 pm
types of claims made in mr. daleiden's videos. in statements under oath, however, dean alberti contradicted his inflammatory claims and admitted during the 2000 hearing that his sworn statement, not the remarks on the heavily edited video made by antiabortion extremists, were the truth. the department of justice also investigated the allegations of unlawful profiteering that was at the heart of that hearing and concluded that no laws had been broken. no one believes that congress should be allowed to profit by selling fetal tissue. and we fully support the prohibition. however, just as it does for adult organ donation, the law expressly allows reimbursement for costs. in fact, 42 usc 289, the provision that we're focusing on today is modeled on the national organ transplant act which
3:13 pm
prohibits quote valuable consideration unquote but allows reimbursement for costs associated with organ donations which can be considerable. allegations regarding possible unlawful profit from adult organ transplantation would not result in a call to ban all organ donations, yet republican lawmakers in the house want to ban fetal tissue donation and research altogether, something that some states have already done. florida, for example, enacted a sweeping the attacking women's health care and banning the donation of fetal tissue. this is tragic for women and families on the gulf coast as summer approaches and researchers race to understand and solve the zika virus. despite chair blackburn's claim that democrats are exaggerating, she says, its importance, key studies have relied on fetal tissue to increase our
3:14 pm
understanding of the zika virus. these have been proposed despite the fact that there still is no evidence of wrongdoing related to fetal tissue donation. instead, documents received by this panel show that health care providers are losing money through programs that allow women to donate fetal tissue for research purposes. this was not what congress intended when it voted on a bipartisan basis to allow reimbursement of costs. it is absurd even when you're losing money, providers are still attacked by those who appear to be motivated by opposition to abortion, not the facts regarding fetal tissue donation. this panel is a perfect example. over the course of investigation the chair has targeted one clinic, one university and one tissue procurement organization, all of whom were cooperating voluntarily before the chair served them with unilateral subpoenas.
3:15 pm
the panel has known since january that southwestern women's options does not take any money for ensuring that women who want to donate tissue to the university can do so. let me underscore that fact, no money is exchanged in connection with a woman's choice to donate fetal tissue to researchers at the university of new mexico. already is the chair served subpoenas and issued press releases tying him to what she was really described as an investigation into the unlawful sale of baby body parts, words we heard today. as the result, the university and clinic have been subject to unwarranted accusations from state and federal officials on harassment of antiabortion extremist. is it any wonder the universities, clinics and others are reluctant to hand over the names of the researchers, students, personnel and doctors so that the chair can amass a dangerous database of their names? for its part, the tissue
3:16 pm
procurement company stemexpress already offered to have its procurement director explain its cost structure. yet you ignored that offer and instead called this public hearing and invited witnesses who have no firsthand knowledge of the facts to opine about potential criminal misconduct. on its own initiative, stemexpress has submitted a letter to ensure that the panel has the information needed to bring this investigation to an end. this investigation has never been and has no promise of becoming fair or fact-based. our republican colleagues' disdain for the facts and for women and their doctors is putting researchers, doctors, and women at risk. it is time for republican leadership to bring this investigation to an end. i ask unanimous consent the met april 18 letter from stemexpress included as part of the record
3:17 pm
for this hearing and yield back the balance of my time. >> the gentlelady yields back. on her u.c. request, we already agreed to put that into the record. at this time i want to welcome our first panel. senator jeanne shaheen is a u.s. senator from new hampshire. she's the only woman in u.s. history to be elected both the governor and u.s. senator -- >> excuse me. can i just say the letter i want entered is a different letter from yesterday? >> so moved. >> sorry. >> senator shaheen has served in the u.s. senate since 2009 and is a member of the senate committees on armed services, foreign relations, appropriations, and the ranking member of the small business and entrepreneurship committee. senator shaheen is a former small business owner and formerly served as the director of harvard university's institute of politics at the
3:18 pm
kennedy school of government. welcome. >> senator ben sasse is a u.s. senator from nebraska. senator sasse comes to the senate having spent the last five years as a college president, one of the youngest in the nation. during the first and second terms of president george w. bush he worked in the department of justice and the department of homeland security before becoming assistant secretary for planning and evaluation at the u.s. department of health and human services. welcome to you, senator sasse. at this time we begin with senator shaheen for your five minute remarks, and we welcome you. >> thank you very much chairwoman blackburn and ranking member degette, members of the committee. i appreciate the opportunity to appear before you but i do so with great concern. i know you will hear from my colleague, senator sasse from nebraska, and i respect his deeply held personal beliefs.
3:19 pm
but if we want to have a civil discussion on this issue we should begin with the facts. news articles today have called into question the validity of the exhibits that will be presented to the panel. this committee's very existence was founded on the basis of highly deceptive edited videos. these videos have since been proven to be misleading and false by multiple independent investigations across the country. in january after thorough investigations into the videos a texas grand jury cleared planned parenthood of any wrongdoing and indicted the individuals responsible for their creation. in fact, 12 other states have also cleared planned parenthood of any wrongdoing, and eight additional states have declined to investigate, citing a lack of evidence. i believe it's now time for the special investigations to end. i would also like to point out
3:20 pm
that fetal tissue research has long had bipartisan support. in 1993 congress passed the national institutes of health revitalization act, which permits fetal tissue research. that bill passed with overwhelming support, 94-4 in the senate, and 290-130 in the house. i think it's important to note that that bill was passed on recommendations of a ribbon panel convened under president reagan which was tasked with studying the ethics of fetal tissue research. millions have benefited from fetal tissue research. vaccines for polio and rubella were developed as a result of research done on fetal tissue, and research on health issues that touch so many of us, parkinson's disease, diabetes, hiv/aids, eye disorders and spinal cord injuries have also
3:21 pm
benefited from the 1993 law. if it's the panel's desire to change the law, you as legislators are able to do that. but i believe it would be a grave error. that is my point this panel was formed with political motivations. there is very little real interest in an unbiased investigation to uncover facts related to women's health or research. instead i believe that this panel serves as an opportunity for some to once again attack the health care providers who millions of women and families depend on. in february i joined with colleagues in both chambers to ask house and senate leadership to disband this panel and all other congressional investigations that would undermine women's access to health care. not only do i believe that this panel is an inappropriate and wasteful misuse of federal resources but i am gravely concerned that it also puts researchers, providers and patients across the country at risk. unfortunately, as a result of
3:22 pm
the political rhetoric surrounding this issue we have seen violent acts or threats against women's health providers and researchers across the country. i'm very sad to report that this fall, the same month that this panel was formed, a women's health clinic in claremont new hampshire was vandalized not once but twice. the second attack caused so much damage that the clinic was forced to close for nearly six weeks, and this was a real disservice to the women, men and families who rely on the full range of services that the clinic provides. unfortunately new hampshire is not alone. after the release of the deceptive highly edited videos, incidents of harassment against some health centers increased ninefold in just one month. i don't believe that today's hearing is a fact-based objective investigation, but
3:23 pm
rather it is a taxpayer-funded political attack based on discredited evidence. i hope it will finally be time to move on. madam chair, if i could apologize for the need to leave early and go back to a hearing. i appreciate taken the opportunity to be here. thank you. >> we thank you so much and we know that you need to get back, thank you all for having votes this morning, but thank you for the courtesy of your time and for waiting for us. senator sasse, you are recognized for five minutes. >> let me just thank senator shaheen as well. i appreciate your being here. >> thank you, madam chairman. good morning, ranking member. thank you for including me. many of us in the senate, like in the house and like millions of americans watched with great the video footage of abortion doctors and others discussing the sale of baby body parts. as the legislator but more important as a father i have three precious ones, one of my
3:24 pm
little girls traveled with me and she's here with us today. more important as a father i support your investigation into commitment to get to the bottom of what is going on. let's begin by stating clearly that we should not have to be here today. the 1993 nih revitalization act includes california democrat henry waxman said, his commitment to offering what is the most important safeguards to prevent any sale of fetal tissue for any purpose, not just for the purpose of research, any sale for any purpose. it would be abhorrent to allow the sale of fetal tissue and the market to be created for the sale. words are important. the report language and the floor debate created a very clear legislative intent that no one should profit, no one, from the sale of fetal tissue. yet here in today's documents and exhibits we see a business brochure and website urging partner with us and improve the
3:25 pm
profitability of your clinic. improve your bottom line. the financially profitable. these are quotes. that business offers a payment per tissue to abortion clinics and it offers to do all the work. that would appear to me that the abortion clinic has no costs and it would appear to be precisely about profit as their marketing literature says. questions of profit and legality matter because we're talking about people. it matters whether or not procurement businesses broke the law. it matters whether or not abortion clinics are lining their pockets to the dismemberment and distribution of children all while receiving tax dollars. it matters because we're talking about the tiny limbs of little babies that have dignity. they are broken yet still precious children of actual mothers and fathers. as the committee's exhibits indicate, webpages exist where a customer can click on a drop down box that lists every organ
3:26 pm
for sale. you can click on a brain, a heart and then select your gestation period and then you proceed to checkout and you decide the method of shipment. we should pause to linger here. our humanity should be repulsed. we should all be saddened by this. in committee room and across the country we will have passionate disagreements and discussions about the legality, justice and the social applications of abortion policy. like many in this room, like a majority of americans i believe every baby is precious and worthy of legal protection even at earliest phases of development. i am unashamedly pro-life but i also understand that many others disagree on abortion policy. our disagreements on abortion will sometimes be heated but wherever possible we should look for consensus. on this basic reality we can and should agree babies are not the sum of their body parts.
3:27 pm
babies are not meant to be bought, and babies are not meant to be sold. babies are just that, they are babies. they are meant to be welcomed and rejoiced over, held and nurtured. we adopt and we foster and mentor them. we offer hope, support and encouragement to the parents. madam chairman, your work can and does transcend politics. i appreciate also your concern with children born alive inside the abortion clinics and with a treatment that they receive. when i think of all the survivors of abortion and i think that your investigation into the sale of baby body parts for profit company makes born alive legislation all the more important. the born alive abortion survivors protection act has already passed the house by a bipartisan vote of 248-177.
3:28 pm
i invite my senate colleagues on both sides of the aisle to be working together to pass this bill in our chamber. this law would simply ensure that babies who survive abortions get a fighting chance by requiring medical attention that is equivalent to what would be offered to any other premature baby born at the same stage. no life is disposable. no child deserves to have her life ended cold and alone struggling for breath outside the womb in an abortion clinic. we freakily cheer for the vulnerable, we fight for the minority, protect the powerless against the powerful, and baby girls and boys are fighting for their lives. i encourage my colleagues to fight for them and to support senate 2066, the born alive abortion survivors protection act. we look forward to working the progress of the investigation. thank you for including me. >> thank you senator sasse. we are sorry for our delay and we know that you have to scoot back across the senate for votes
3:29 pm
but thank you for your time. at this time i would like to call forward our second panel. and as they move forward to be seated on the panel, i will move forward with introducing this panel to our audience so that we can move forward expeditiously. fay clayton is an attorney with robinson curley and clayton. she practices civil litigation for a wide range of clients from major corporations to individuals in cases involving fraud, rico, securities, general commercial matters, contract disputes, officer and director liability and shareholder and partnership concerns. mr. robert raben served as assistant attorney general for legislative affairs with the u.s. department of justice where he drove attorney general janet reno's legislative initiatives
3:30 pm
and handled the political challenges of congressional oversight of the department. he founded the raben group, a public policy consulting organization in 2000 and continues to serve as president. he is a graduate of the wharton school and new york university law school. mr. brian lennon served as a federal prosecutor in michigan and virginia for 15 years and a trial attorney in the u.s. department of justice's civil division. as deputy chief of the criminal division, he supervised the health care fraud and computer related crimes unit, among others. he spent four and half years as a judge advocate for the u.s. marine corps, handling both civil and criminal matters. now in private practice, he specialized in criminal defense, particularly health care fraud