tv US Senate CSPAN November 16, 2016 10:00am-12:01pm EST
10:00 am
>> We know who gave the instruction to the diplomatic service, and it was Jonathan Powell, chief of staff to the Prime Minister. We found no evidence of a written instruction, but then there were no written instructions, except occasionally scribbles on the newspaper.
>> It seems to me that the postwar reconstruction issue, the issue of what the effect would be of an invasion, is the most catastrophic aspect of all, judging by your report. And judging by your report, I think one needs to have seven different paragraphs. You make clear that no ministers or others incorporated detailed analysis of risk and
10:01 am
capabilities and so on. But whose responsibility was it to commission that, ultimately?
>> It must come back to the centre and head of government, which is the Prime Minister.
>> Ultimately the Prime Minister. The thing that I think surprised so many people about this report in so many places is that this looks like a war that was pushed through to a large degree by one man, and, therefore, where appropriate, a response to the failings that flowed from it. That hasn't been done, and it is a central criticism of the report that has been made. Is it Tony Blair who was responsible for the failing in paragraph 617, which I'm sure you're familiar with?
>> Is this in the executive summary?
>> Yes.
>> May I look it up to remind
10:02 am
myself?
>> 617.
>> Yes, we say that at no stage did ministers or senior officials commission a systematic evaluation of risks and options.
>> I'm asking who is really responsible for that.
>> I think he would say all of those involved, but ultimately it has to be --
>> You were telling me that so many senior officials were told to shut up.
>> No. I was reporting what is on the record, that the ambassador in Cairo sent a telegram to [inaudible] officials, colleagues who were relevant, and was told, for reasons of security and sensitivity, probably because he was wholly wrong, he shouldn't do that again. Any such messages should go direct from ambassadors in the region to the head of the diplomatic service personally. That was what happened.
10:03 am
But as to the commissioning of the review, you can blame, if you wish, all of those who failed to initiate such a review, but the fact is it should've happened. It didn't happen, and the consequences are there in plain sight for all to see. If I'm allowed another moment on this, it is for me personally, given my own history, that failure on security sector reform was one of the very worst aspects of the whole failed enterprise --
>> We are leaving this program to go live to Capitol Hill, where two House Energy and Commerce subcommittees are holding a joint hearing about the security of the electronic and internet-connected devices people use every day. Lawmakers will hear from private sector cybersecurity experts.
10:05 am
[inaudible conversations]
>> I will call to order the Subcommittee on Communications and Technology in our joint committee hearing with the Subcommittee on Commerce, Manufacturing and Trade. Good morning, everyone. I'll start with opening statements for our side and for our subcommittee, and then I think we go back and forth to work this out. I want to thank the two subcommittees for coming together on this important topic that I think we all share a deep concern about.
10:06 am
We live in a world that's increasingly connected. Our smartphones are now capable of locking and unlocking our front doors at home, turning on lights, checking the camera for packages left on the doorstep. We're able to measure steps, check baby monitors, record our favorite programs wherever we have connectivity. We will be able not just to communicate with our offices but to commute to our office in driverless cars, trains, buses, and have our child's blood sugar checked remotely. These are incredible, potentially life-saving benefits that our society is learning to embrace, but we are learning these innovations do not come without a cost. In fact, recently we encountered a denial-of-service attack on a scale never before seen. This attack effectively cut off access to favorite sites like Netflix and Twitter by weaponizing insecure network-connected devices like cameras and DVRs. Once these devices came under
10:07 am
the command and control of bad actors, they were used to send a flood of DNS requests that rendered the DNS servers ineffective. As I understand it, at the beginning of this attack it was virtually impossible to distinguish malicious traffic from normal traffic, making it particularly difficult to mitigate against the attack. How do we make ourselves more secure without sacrificing the benefits of innovation and technological advances? A knee-jerk reaction might be to regulate the internet of things. While I'm not taking a certain level of regulation off the table, the question is whether we need a more holistic approach. The United States cannot regulate the world. Standards applied to American-designed, American-manufactured or American-sold devices won't necessarily capture the millions of devices purchased by the billions of people around the world, so vulnerabilities might remain. Any sustainable and effective solution will require input from all members of the ecosystem of the so-called internet of
10:08 am
things. We would need a concerted effort to improve not only device security but also coordinated network security, and improve the relationships between industry and security researchers. We are all in this thing together. Industry, government, researchers and consumers will need to take responsibility for securing this internet of things. So today we will hear from a very distinguished panel of witnesses on some of the approaches that can be brought to bear on this challenge. My hope is this hearing will help to sustain and accelerate conversations on our collective security and foster the innovation that makes the internet the greatest engine of communications and commerce the world has seen, and I thank our witnesses for being here. We appreciate your willingness to come and share your expertise. It is helpful in our endeavors, and I look forward to your testimony. At this time I would yield to Ms. Blackburn for an opening statement.
>> Thank you, Mr. Chairman. I also want to welcome our witnesses, and we appreciate your time. We did an internet of things
10:09 am
hearing in March 2015, and at that point I talked a lot about the convenience that this brings to us in our daily lives, and about the opportunities that it will open for us. I think now, as we look at it, as the chairman said, look at the cost. You look at the maximized use that exists. I think that by 2020 the expectation is 3.4 billion devices that would be in this universe of connected devices. That means we have vulnerabilities that exist, entry points, and we will want to discuss some of those vulnerabilities with you today, get your insight and see how we as policymakers work with this wonderfully exciting, innovative area in order to make certain that Americans have access, but they also know that there is
10:10 am
security as we approach this. With that I yield back.
>> The gentlelady yields back. I'll yield back the balance of my time as well. We now turn to my friend from California, the gentlelady Ms. Eshoo, for opening comments.
>> Thank you, Mr. Chairman. First of all I want to express our collective thanks from this side of the aisle to you for responding to our request to have this hearing. Mr. Pallone, Mr. McNerney, Ms. Schakowsky, Ms. DeGette and myself all made the request, and we are grateful to you for holding a hearing because we think this is obviously a very large issue and something that concerns the American people. In fact, Americans are connecting more devices to the internet than ever before.
10:11 am
Most of us carry at least one in our pocket, but as technology evolves we are seeing a proliferation of everyday items and appliances that connect online. This is good. Today everything from washing machines to light bulbs is now capable of connecting to the internet. The business world also relies more and more on the internet, in fact, on internet-enabled objects, to drive their efficiencies and to produce lower cost. There are as many as 6.4 billion, billion, internet of things products in use worldwide just this year. The growth in this market is expected to be significant, including estimates of over 20 billion internet-enabled products connected worldwide by 2020. So this is not a small market. It makes it a very large issue.
10:12 am
It is an economic one and we don't want to damage that, but it's something that needs our attention. There is great potential for innovation as more devices become connected, but there's also the potential for serious risk if they are not properly secured. That's really what we are pursuing here. We need to look no further than the major attack on October 21 that crippled some of the most popular websites and services in our country. The distributed denial-of-service attack against Dynamic Network Services, known as Dyn, was made possible by insecure internet of things devices that attackers were able to infect with malware. This army of devices was then harnessed by the attackers to bring down Dyn's servers. Some attacks in October targeted a journalist and a French cloud services provider. These attacks raise troubling questions about the security of
10:13 am
internet-enabled devices and the potential to be used as weapons by cyber attackers. For example, it's been reported some devices used in these attacks may have lacked the functionality to allow users to change the default username and password. We already know that an important way to prevent cyber attacks is to practice good cyber hygiene, which includes changing default usernames and passwords. When products lacking this commonsense functionality are manufactured, shipped and eventually connected, they put users and the internet as a whole at risk. It seems to me this is an area that we need to explore with our witnesses. There's also the issue of how long unsecured devices can remain in use. The Dyn attack reportedly used infected devices that were first manufactured as early as 2004.
10:14 am
Manufacturers may no longer update products that have been in use for so long, further exposing users and the internet to security risks. Finally, we have to recognize that this is a global issue. Level 3 Communications estimates a little more than a quarter of the devices infected with the malware that was used in the Dyn attacks are located in the United States. One of the major manufacturers of products that appear to be particularly vulnerable is based in China. This is important to keep in mind as we explore how to address this problem going forward. This hearing is a very important step in helping us first of all to understand what lessons we should take away from these recent attacks. The internet of things offers exciting possibilities for innovation, but we can't afford to ignore the risks that come when devices are designed
10:15 am
without security. Whatever the ultimate solution is, I think industry must play a central role in the effort to address these issues, and I look forward to hearing from our witnesses today. You play a very important role in this. So with that, thank you again, Mr. Chairman, for allowing this hearing to take place. I yield back the balance of my time.
>> The chair now recognizes the gentleman from Texas, Dr. Burgess, chairman.
>> Thank you, Mr. Chairman. Good morning to our witness panel today. Thank you, Mr. Chairman, for holding a hearing and allowing us to have this discussion about the recent cyber attacks. Several popular websites were knocked offline for several hours on October 21 of this year. Hackers used malware to create a botnet, a gargantuan, amorphous mass of connected devices, to flood domain servers with terabytes of traffic,
10:16 am
overwhelming the system, preventing legitimate traffic from accessing those devices. In this case the result was brief, but the outages were on consumer-facing websites. The incident is unique in that it wasn't someone's desktop or laptop, but it was the armies of compromised devices that launched these attacks without the knowledge of the device owners. Many of the devices are regular household items such as baby monitors and webcams, and many consumers do not realize they do need strong cyber protections on these everyday devices. But that's exactly why this attack and others like it have been so successful. The malware that created this botnet spread to mobile devices by continuously scanning the internet for internet of things systems protected only by the factory default or manually generated usernames and passwords. A balance between functionality
10:17 am
and security is not going to be resolved in the near term. Consumers want the newest and fastest device. They want it as soon as possible, and they do not include adequate security protections. In fact, the most common password used is the word "password". The culture surrounding personal cybersecurity must change to ensure that the internet of things is not vulnerable to a single insecure device. The Subcommittee on Commerce, Manufacturing and Trade has explored cybersecurity through a number of hearings, including our Disruptor Series. Cybersecurity, the issue of cybersecurity, is raised and discussed in each of these hearings. The government is never going to be big enough to have the manpower and the resources to address all of these challenges as they come up, which is why it is important, why I'm grateful to have industry here today to discuss this with us, because they must take the lead. Recent attacks present a unique opportunity to examine the scope of the threats and the
10:18 am
vulnerabilities presented by connected devices, and learn how stakeholders are considering these risks throughout the supply chain, as well as how consumers are responding in the market. We have learned about a number of best practices and standard-setting projects that are ongoing with various groups. It's an exciting time in the growth of connected devices, the growth of the internet of things. It is really going to be life-changing in so many industries, but we also need to be -- need leadership to address these real challenges. Again, I want to welcome our witnesses, and I am pleased to yield the balance of my time to the gentleman from Ohio.
>> Thank you very much, and I appreciate the gentleman for yielding. I also appreciate both chairmen of both subcommittees holding this very important subcommittee hearing today on the cybersecurity risk associated with connected devices. As mentioned, in the last month we witnessed one of the largest distributed denial of service
10:19 am
attacks caused by devices connected to the internet, the internet of things. The attack against Dyn revealed the impact that a lack of adequate security measures in these devices can have on the broader internet community. By simply exploiting weak security features such as default usernames and passwords, hackers could easily leverage hundreds of thousands of networked devices and compromise major websites. That is why it is essential that internet of things device manufacturers incorporate security by design and have the ability to apply patches or upgrades. End users must be vigilant in securing devices through good cyber hygiene practice in order to guard data and experience the benefits of the internet of things. As co-chair, I am also familiar with this issue. Cybersecurity is among one of the most common things that is mentioned in all of our working group briefings. No matter what type of IoT, from health to energy application, securing devices and
10:20 am
protecting consumer data is a top priority. Today, what we might identify is the need for IoT security guidelines to keep pace with rapidly evolving technologies. However, there is a delicate balance between oversight and regulatory flexibility, and we must encourage the industry to establish best practices that will not hinder innovation and that protect consumer privacy and security. With that, I appreciate the gentleman for yielding, and I yield back.
>> The gentleman yields back. We will turn to the gentlelady from Illinois, Ms. Schakowsky, for opening comments.
>> Thank you, Mr. Chairman. With each report of a new cyber attack, Americans realize how vulnerable their devices are. On October 21, Americans lost access to sites such as Twitter, Amazon and Spotify because of a massive distributed denial of service, or DDoS, attack against Dyn. In the wake of that cyber attack I joined with Representatives
10:21 am
Pallone, Ms. Eshoo, Ms. DeGette and Mr. McNerney in requesting a hearing like this. I appreciate it very much that we're having it on this important issue. We need to better understand our vulnerabilities and update federal policy to stop such attacks in the future. The motivations of hackers vary from identity theft to actually undermining public trust. They go after consumers, businesses and even presidential elections. The U.S. intelligence community found that hackers supported by the Russian government put their thumb on the scale in 2016. I strongly believe that the use of cyber attacks by a foreign actor to manipulate our democracy should be troubling to everyone. This problem does not go away now that the 2016 election is over. A day after the election a Wired article reported, quote, that Russia perceives both operations as successful, experts say it
10:22 am
will only encourage similar hacks aimed at shifting elections and sowing distrust of the political processes in the Western democracies, unquote. Everyone, whether your candidate won or lost last week, must grapple with this threat, and I hope that we will work on a bipartisan basis to protect our democracy from foreign interference. Russian hackers exploited holes in security on computers and servers. The hackers that carried out the October 21 DDoS attack directed their attack through the internet of things. The internet of things is uniquely vulnerable to cyber attacks. IoT devices often have less protection against malware, and manufacturers are often slower to install security patches. Manufacturers put consumers at risk by using default passwords or hardcoded credentials. Once hackers find out what those
10:23 am
passwords are, they can hack hundreds, thousands or even millions of devices. That's what happened in the Dyn attack. Hackers accessed an army of IoT devices by exploiting default passwords. They then used that army to attack Dyn. Traffic from the IoT devices overwhelmed the service and shut it down, which in turn cut off Americans' access to many popular websites. You don't have to be an expert to see the terrifying potential for future cyber attacks. So it's time now for action. Two weeks ago, Ranking Member Pallone and I called on the Federal Trade Commission to work with IoT manufacturers to patch vulnerabilities on their devices and to change default passwords. We called on the FTC to alert consumers about potential security risks. We need stronger cybersecurity standards for all devices that could be attacked or used to
10:24 am
launch a cyber attack. Given the nature of cyber attacks, we cannot count on IoT manufacturers to do the right thing on their own. They have little financial incentive, and users may not even realize when their devices are being used to harm others. Consumer watchdogs like the FTC must take a leading role in promoting cybersecurity and holding companies accountable when they fail to provide adequate protections. Unfortunately, at the same time that the threats to consumers from cyber attacks are rising, the Republican majority is pushing legislation to reduce the FTC's authority and cripple its enforcement capabilities. Stopping irresponsible behavior by companies requires strong consent orders and the ability to pursue privacy cases. The so-called, quote, process reform, unquote, bill the Republicans reported out of committee would threaten the FTC's ability in those areas. Instead of rolling back consumer
10:25 am
protections, we need to face today's cyber threats head on. Consumers can't afford to be left vulnerable. In the long run, manufacturers can't survive an era of high-profile cyber attacks that undermine consumer trust in their products. In Mr. Schneier's written testimony, he called the Dyn attack, quote, as much a failure of market and policy as it was of technology, unquote. We should not be content with failure any longer. I want to thank the chairman for listening to our request for a hearing, and we have to continue our work on this issue in the months and years to come.
>> The gentlelady yields back her time. We thank you very much for your request. We share in this concern; it is obviously a bipartisan issue. We look forward to the testimony from our expert witnesses. We are glad you're here, and we will start with Mr. Dale Drew, senior vice president and chief security officer for Level 3 Communications. Mr. Drew, welcome. Thank you.
10:26 am
Turn on your microphone and have at it.
>> Chairman Walden and ranking members, thank you for the opportunity to testify on behalf of Level 3 regarding the recent cyber attacks on our nation's communications landscape and the risks posed by vulnerable IoT devices. Level 3 is a global communications company serving customers in more than 500 markets and over 60 countries. Given our significant footprint and the amount of traffic we handle on a daily basis, Level 3 has a unique perspective on threats facing our landscape. Several years ago Level 3 established its Threat Research Labs to actively monitor communications for malicious activity, helping to detect and mitigate threats on our networks, our customers and the broader internet. Every day our security team monitors more than 48 million security events, detecting over 1 million unusual pieces of traffic. The proliferation of IoT
10:27 am
devices represents tremendous opportunities and benefits for consumers by connecting devices such as cameras, light bulbs, appliances and other everyday items to the internet. The lack of adequate security measures in these devices, however, poses significant risk. Vulnerabilities in IoT devices stem from several sources. Some use default usernames and passwords that hackers can exploit. Others utilize hardcoded credentials that users are not able to change. Many devices lack the capability of updating their firmware, forcing consumers to install the updates themselves. The global nature of the IoT device marketplace means many products are manufactured in and shipped to foreign countries that have yet to embrace mature cybersecurity practices. IoT devices are particularly attractive targets because users often have very little way to know when they've been compromised. Unlike your personal computer or a phone, which include protection capabilities, compromised IoT
10:28 am
devices may go unnoticed for longer periods of time. In September of 2016, Level 3's Threat Research Labs began tracking a family of malware targeting IoT devices. The bad actors are leveraging the infected devices to create DDoS botnets, impacting not just those devices but potentially anyone on the internet. The new malware has infected nearly 2 million devices on the internet, resulting in major websites going offline. The new attacks are alarming for their scope and impact and the ease with which the attackers have employed them. Also, these attackers used just a fraction of the total available compromised IoT nodes in order to attack their victims, demonstrating the potential for greater havoc from these new threats. Level 3 detected approximately 50,000 IoT devices being used to generate more than 500 gigabits per second of traffic, a significant amount of bandwidth on the fabric of the global internet. The primary motivation of these
10:29 am
attacks appears to be financial. Hackers utilize DDoS to extort businesses, threatening to take them offline unless they pay a ransom. In other cases, the attackers are simply out to create mischief. Although Level 3 hasn't been a direct victim of these attacks, we're proactively taking steps to address them. We have contacted the manufacturers of countless devices to inform them of the problem. We have engaged in a public awareness campaign to educate consumers and businesses about the risk of IoT botnets and steps they can take to protect themselves. We are working collaboratively with our industry partners to monitor this threat and implement mitigation techniques. With the exploding proliferation of IoT devices, so will the threats posed continue to expand and evolve. It will be imperative for all stakeholders to continue to work collaboratively to address and
10:30 am
mitigate IoT security risks so that we can reap the benefits of this exciting technology. Thank you again very much for the opportunity to testify, and I look forward to taking your questions.
>> Thank you for taking time out of your schedule to be here as well. We greatly appreciate it. Now we turn to Mr. Bruce Schneier, a fellow at the Berkman Klein Center at Harvard University, lecturer and fellow at the Harvard Kennedy School of Government, and special advisor to IBM Security. Mr. Schneier, thank you for being here. We look forward to your testimony.
>> Thank you, Chairman Walden, ranking members, committee members. Thank you for having me, and thank you for having this important hearing. I'm Bruce Schneier, a security technologist, and while I'm affiliated with both Harvard and IBM, I'm not speaking for any of them. I'm not sure they know I am here. [laughter]
>> It's a secret. Nobody on the internet knows either. [laughter]
>> As the chairman pointed out, there are now computers in
10:31 am
everything, but I want to suggest another way of thinking about it, and that is that everything is now a computer. This is not a phone; this is a computer that makes phone calls. Your refrigerator is a computer that keeps things cold. An ATM is a computer with money inside. Your car is not a mechanical device. It's a computer with four wheels and an engine. This is the internet of things, and this is what caused the DDoS attack we are talking about. I come from the world of computer security, and that is now everything security. I want to give you four truths from my world that now apply to everything. First, attack is easier than defense. For a whole bunch of reasons, the one that matters here is that complexity is the worst enemy of security. Complex systems are hard to secure for an hour's worth of reasons. This is especially true for computers and the internet; the internet is the most complex machine mankind has ever built, by a lot, and it's hard to secure.
10:32 am
Attackers have the advantage. There are new vulnerabilities in the interconnections. The more we connect things, the more vulnerabilities in one thing affect other things. We are talking about the vulnerabilities in digital video recorders and webcams that allow hackers to take down websites. There are stories of vulnerabilities in a particular account; one story, a vulnerability in an Amazon account allowed hackers to get to an Apple account, which allowed them to get to a Gmail account, to a Twitter account. Target Corporation, remember that attack; that was a vulnerability. Vulnerabilities are hard to fix because no one system might be at fault. There might be two secure things that come together and create insecurity. Truism three, the internet empowers attackers.
10:33 am
Attacks scale. The internet is a massive tool for making things more efficient, and that's also true for attacking. The internet allows attacks to scale to a degree impossible otherwise. We are talking of millions of devices harnessed to attack Dyn, and that code, which somebody smart wrote and made public, now anybody can use. It's in a couple of dozen botnets right now. Any of you can rent time on the dark web to attack somebody else. I don't recommend it, but it can be done. This is more dangerous as the systems get more critical. The Dyn attack was benign; a couple of websites went down. The internet of things affects the world in a direct and physical manner: cars, appliances, thermostats, airplanes. There are real risks to life and property, and there are real catastrophic risks. Fourth truism, the economics don't trickle down. Our computers are secure for a
10:34 am
bunch of reasons. The engineers at Google, Apple, Microsoft spend a lot of time on this. It doesn't happen for these cheaper devices. Ms. Eshoo talked about this. These devices are a lower-profit market, offshore. There are no security teams, and a lot of them cannot be patched. Those DVRs will be vulnerable until somebody throws them away, and that takes a while. We get security because I get a new one of these every 18 months. Your DVR lasts for five years, your car for 10, your refrigerator 15. I replaced my thermostat approximately never. The market really can't fix this. The buyer and seller don't care. Mr. Burgess pointed this out. The buyer and seller want a device that works. This is an economic externality they don't know about, and it's not part of the decision. I argue government has to get involved, that this is a market failure.
10:35 am
And what we need are some good regulations. There's a list of them, and Dr. Fu will talk about some of them, but this is not something the market can fix. To Mr. Walden's point, yes, I am saying a U.S.-only regulatory system will affect the products in the world, because this is software. Companies will make one software and sell it everywhere, just like automobile emissions control laws in California affected the rest of the country. It makes no sense for anybody to come up with two versions. And I think this is going to be important because, for the first time, the internet affects the world in a direct physical manner. The second part, very quickly: we need to resist the FBI's calls to weaken these devices in their attempt to solve crimes. We have to prioritize security over surveillance. It was okay when it was fun and games, but now, already, this stuff
10:36 am
on this device that monitors my medical condition, controls my thermostat, talks to my car, I have just crossed four regulatory agencies and it's not even 11:00. This is going to be something that we are going to need to do something new about. And like many new technologies in the 20th century, new agencies were created: trains, cars, airplanes, radios, nuclear power. My guess is this will be one of them. That's because this is different. This is all coming whether you like it or not; it's coming faster than we think. I think government involvement is coming, and I would like to get ahead of it. I would like to start thinking about what this would look like, and we are now at the point, I think, where we need to start making moral and ethical and political decisions about how these things work. When it didn't count, when it was Facebook, Twitter, e-mail,
10:37 am
it was okay to let programmers, to give them a special right to code the world as they saw fit. We were able to do that, but now that it's a world of dangerous things, cars and planes and medical devices and everything else, maybe we can't do that anymore. I don't like this. I like the world where the internet can do whatever it wants whenever it wants at all times. It's fun. This is a fun device. But I'm not sure we can do that anymore. So thank you very much, and I look forward to questions.
>> Mr. Schneier, thank you very much. We appreciate your comments. We will now go to Dr. Kevin Fu, CEO of Virta Labs and professor at the University of Michigan. Dr. Fu, thank you for joining us. Please go ahead.
>> Good morning, Chairman Walden, ranking members and
10:38 am
distinguished members of the joint committee. My name is Kevin Fu. I represent the academic cybersecurity research community. I am at the University of Michigan, where I conduct research on embedded security. My laboratory discovers how to protect computers built into everyday objects, ranging from mobile phones and smart thermostats to pacemakers and automotive airbags. I'm also CEO and cofounder of a health care cybersecurity startup. I'm testifying today on the insecurity of the internet of things as related to the recent attacks on Dyn. I'll provide perspective on the evolving cybersecurity risk, framed in the broader context. In short, IoT security remains woefully inadequate. None of these attacks are fundamentally new, but the sophistication, the scale of destruction and impact on infrastructure is unprecedented. Let me make some observations.
10:39 am
we are in this state because there's almost no cost to manufacturers to push products with poor cybersecurity to consumers. has a consensus body or a federal agency issued a meaningful iot security standard? not yet. is there a national testing lab to verify and assess the premarket security of iot devices? no. is there tangible cost to a company that puts an insecure iot device into the market? i don't think so. i'd like to leave you with eight observations about this insecurity. number one, security needs to be built into iot devices, not bolted on. if cybersecurity is not part of the design of an iot device, it's too late for effective risk control. two, good security and bad security look the same at the surface. three, the health care community
10:40 am
does not issue different advice for flu transmitted by cough versus flu transmitted by sneeze. similarly both connected and disconnected iot devices carry significant cybersecurity risk, so it's important to consider both conditions. number four, the insecure iot devices are just a small fraction of what the iot market will resemble in 2020 and it will get much worse if the security problems remain unchecked. five, unlike inconvenient problems for your tablet or notebook computers, iot's insecurity puts human safety at risk. innovative systems will not remain safe if they are not secure. six, i consider security a solution, not a problem. better cybersecurity will enable new markets, promote innovation and give consumers the confidence to use new technologies that improve the quality of life. seven, it may be surprising that
10:41 am
there are over 209,000 unfilled cybersecurity jobs in the u.s.a., and that's just this country. and eight, the nation lacks an independent testing facility at the scale of a federally funded research and development center as a proving ground for testing premarket iot cybersecurity crashworthiness. let me conclude with five recommendations to protect our national infrastructure. number one, incentivize built-in basic cybersecurity hygiene by establishing meaningful milestones, encouraging use of strong crypto in these products. number two, support agencies such as the national science foundation, the national institute of standards and technology to advance our understanding of iot security and to train the hundreds of thousands of students necessary for a robust cybersecurity workforce. three, study the feasibility of standing up an independent national embedded cybersecurity testing facility modeled after,
10:42 am
for instance, post-incident initiatives such as the national transportation safety board, accident prevention initiatives such as the national highway traffic safety administration, nhtsa, and then more unusual places like the survivability and destruction testing of the nevada national security site. number four, i recommend leveraging the existing cybersecurity expertise within agencies such as nist and darpa and finally five, i believe universities, industry and the government must find the strength and resolve to protect our national infrastructure through partnerships and that investment in embedded cybersecurity will pay great dividends to our society and our economy. i would like to close, thank you for the invitation to testify on what i think is an important subject for our country. the committee can find photos that illustrate iot problems in water treatment facilities, hospitals in the appendix of my
10:43 am
written testimony and i would be happy to take your questions. thank you. >> dr. fu, thank you and thank you to all of our witnesses. we greatly appreciate your testimony and your recommendations for our consideration. i guess i will start with a couple of questions as we try to wrestle with this issue. over the last six years we've done multiple hearings on cybersecurity threats to the united states. we've had multiple panels come before us and testify, and i think almost entirely they said first, do no harm. be careful when you lock things into statute because you can misallocate our resources, and our opponents will know what we have to go do and we can't get out of it and villains could do a workaround. so how do we establish a framework that would both be appropriate here but have an effect internationally? because we don't make all the devices and while we may have market power we are not the biggest market anymore. but how do we create a national
10:44 am
framework where the stakeholders really are driving this in real-time and we don't do something stupid like lock requirements into statute? mr. drew, can i start with you and we will then work down the panel. >> i think the best place to start is for us to define how we intend on solving this problem on the devices themselves. industries have a number of standards with regard to operating these platforms once they purchase them but they don't have standards on how they're supposed to be manufactured to be secured premarket. i believe if we start with a standard and then apply pressure, and i, as an industry, am under pressure to implement standards in order to serve consumers, i think if we start with the standard then we are able to apply that pressure. to the extent that pressure can be applied globally i think that we can get some traction and some momentum before we have to start regulating.
10:45 am
>> all right. mr. schneier. >> i'm also a fan of standards and i think your question is a really important one, how do you do it properly so as to not stifle innovation. i think the answer is to make them technologically invariant. i tend to look at the pollution model as something where we know what works and what doesn't. what works is, here are the results we want, figure out how to do it in as cost effective a way as possible, rather than legislate here's the process, here's the technology. the standard has to be technologically invariant. i know you had a self-driving car hearing yesterday, and i think it's somewhat similar. we are going to make standards on the self-driving car manufacturers to do things properly but we will assume an environment where there exist malicious cars out to get you. so we will have to deal with the devices. we can't assume everything on the internet or on the road is going to be benign and secure. that standards will arise but we
10:46 am
have to do them properly. if they're done wrong they will stifle innovation. done right, i think they will help innovation. >> dr. fu? >> yes, i think there are ways you can do this effectively without stifling innovation. in fact, i believe a well-designed cybersecurity framework will promote innovation. i'll try to avoid the technical side but i will just say of course encoding mechanisms would be unwise. for instance, if you decide to encode that all forms must be signed in blue ink, that didn't assume the existence of e-signatures in the future, so you should be very careful of including mechanisms. however, principles i think you can encode. i would actually say that nist has done a relatively good job at encoding principles. there is no perfect standard but it will be very difficult to build in security without one of these principles set in place. it needs buy-in from industry, it needs to have government leadership as well
10:47 am
but it's all about setting those principles, many of which are already known for over 30 years in the cybersecurity community. >> most helpful. to the extent to which you all can think about this some more and give us kind of your ideas on how to actually get it to the right place, because this is my concern, that if we're not careful we lock something in and it's so hard to change statute. we don't want this to be an innovation killer in america. we want to lead on this and get it right, but i don't want my refrigerator talking to some food police somewhere, you know. it just is what it is. we need to get this thing right, so thank you for being here. at this point i will turn the balance of my -- my friend and colleague, ms. eshoo from california. >> thank you, mr. chairman. and thank you to each one of you, the witnesses. i think you are absolutely terrific.
10:48 am
i have legislation that i introduced that speaks to this issue. it hasn't really gained much traction, but what you said today i think puts some wheels on it. because it is about security, without damaging innovation. we talk a lot about the attacks that take place but we don't really focus on prevention. throughout the valley, silicon valley, no matter who i've met with, i've asked the same question. what would you do about this? and to a person, they have spoken about hygiene, the lack of hygiene in systems, number one. and number two, the lack of good solid security management.
10:49 am
i don't think, let me put it in the positive. i think we need a good housekeeping seal of approval on this. my bill called for nist to set the standards, not the congress. because we really don't know anything about that. if we missed the mark, we would miss it by a wide mile. i also think in listening to you, especially mr. schneier, that this is an issue that should be included in national infrastructure legislation. because this is part of our national infrastructure. and it deserves the kind of protection that you spoke to, because as you said, everything is a computer. it's not just the computers over at the dod.
10:50 am
we are carrying them around in a pocket. we are driving them, et cetera, et cetera. so given that, what is the framework for it? how would both mr. schneier and dr. fu and mr. drew, what would it look like? i'm giving you a blank slate. what would you write on that slate to be placed in a national infrastructure bill? >> i actually think we need a new agency. the problem we are going to have is that we can't have different rules depending on whether the computer has wheels or propellers or makes phone calls or is in your body. that's just not going to work. these are all computers and we are going to have to figure out rules that are central.
10:51 am
>> we have a continuing, new majority. i don't think they want to create an agency honestly but this thing is, for every one we create we delete two. they don't like that stuff. you know, new agencies, new regulations, we are dead in the water. but we can't leave this issue to be dead in the water. our country deserves much better. and so i'm really not joking. it's a little bit of fun, but you know. >> i understand but i think -- government is getting involved regardless. the stakes are too high. nothing motivates a government into action like security. and those of us who remember, a small government, no regulation administration produced a new federal agency 44 days after the terrorist attacks.
10:52 am
something similar happens in the internet of things and there's no security expert that won't say, sure, that could happen. i think you'd have a similar response. i see the choice is not between government involvement and no government involvement, but between smart government involvement and stupid government involvement. i would rather think about it now, even if you say you don't want this, because when something happens and the public says something must be done, what do you mean 1000 people just died? that will be something more than i'd do now, let's figure it out fast. i agree with you. i'm not a regulatory fan, but these are the world of dangerous things. we regulate dangerous things. >> can you do something in five seconds? >> i would say we are going to have some serious trouble if we don't answer these questions. i fear for the day where every hospital system is down, for
10:53 am
instance, because an iot attack brings down the entire health care system. i do think you need to spend more time on the premarket. i know from my working with manufacturers that the engineers are brilliant. they often are not given the time of day from the executives. they're often not given the resources to do their jobs. what you need to do is give those people who can do a good job at those companies the ability to do so and incentivize their executives. >> most noble. thank you, mr. chairman. >> i would point out we are all engaged in this on both sides. my friend and i have some back and forth from time to time. she likes to characterize what we are for or against which we may or may not be but we are all committed to trying to figure out how to find a solution, and this is bipartisan. so we appreciate your testimony. we scheduled this hearing back in october right after the attack and this is when we're back in town, we are having it and will continue to march forward. i turn to the gentleman from texas, mr. burgess.
10:54 am
>> thank you mr. chairman. it's been a fascinating discussion back and forth. many years ago before i knew about the internet of things i was invited to microsoft in washington. and they showed me the house they have. in fact, the house is named grace and you walk up to the door and grace would come to the door. grace would turn the lights on, set the thermostat for the temperature that you wanted. as you came into the kitchen grace might suggest a meal for you. like mr. walden i worry that grace's refrigerator, which can communicate with a bathroom scale, locks down the blue bell ice cream on me. [laughter] >> treadmill. >> it's an interesting world in which we have arrived. mr. drew, i'm fascinated by your comments in your written testimony about the incentive for someone to do this in the
10:55 am
first place. we have all heard since 9/11 that sometimes you have to think like a criminal or think like a terrorist in order to outsmart them. you referenced the monetization. i can see it on ransomware when you log on at a hospital and you've got to come up with some thousands of dollars in bitcoins to some dark website, but how do you monetize that your doorbell is conversing with twitter? i mean, i don't know how that works. >> what we're seeing in these botnets is the botnet operators are operating hundreds of thousands and then renting a small portion of those nodes to people to be able to attack websites and hold those websites for ransom. if you don't pay me $20,000, your website will be off line for the next three days. very successful enterprise, 45 attacks a day, 16 grand an attack. >> that is happening right now? >> that is happening right now.
10:56 am
>> i know you're not in law enforcement. what is the response of our law enforcement agencies that are supposed to be enforcing the laws? >> they are working very diligently to identify the operators of the botnet as well as the renters of the botnet as well as making some arrests in those cases to be able to curtail this. what we've seen is the iot has changed the nature of the game in that it's much easier to break into those devices and they go unnoticed for longer periods of time. >> this is one of the things that bothers me about this because until we had this headline grabbing attack, because it was just so massive, you don't hear about someone being busted for holding someone hostage for $17,000, so you unlock their hospital records or whatever was going on. one of the things that this does is make the public aware. you've got to practice good hygiene. you can't have your password as password or 1234.
10:57 am
you also, there needs to be a societal understanding of reporting crimes when they occur. and to some degree they need to be publicized much more than they are. i have heard from folks in the fbi that there is a risk that a hospital that gets stuck with one of these things, they're super embarrassed and they don't want to go public with the fact that they were hacked. pay the $70,000, get instructions how to get the bitcoins and where to deliver them, and so that is actually easier than going to law enforcement and even with all of the things that would happen with law enforcement. but that's absolutely critical. and then never in any of the discussions that i've seen so far has there been really a discussion of what happens to people who are caught who perpetrate this. and it should be swift and severe and public. i suggested in a daring shot at
10:58 am
sunrise. i'm not trying to be overly dramatic but if you lock down an icu's medical records and the icu is where patients die, that is the consequence, that is a capital crime. anyway, i know we're not going to solve all the problems today but i just wanted to put those concepts out there because this is relatively new for most of us. i think one of the things i like about what the subcommittee did on data security was, on data breach notification, was we will set the standard but we don't prescribe a technology because the technology changes much faster than the congress. i'm nervous about creating new federal agencies. the concept we could delete two federal agencies for every one we create, i've got two to recommend, very quickly, all on health care but i know the
10:59 am
standards need to be there. the other thing is we've got a massive job as far as informing the public, and that's part of this hearing today and hopefully we can carry that forward quite seriously. thank you, mr. chairman. i yield back. >> the chair recognizes the gentlelady from illinois, ms. schakowsky. >> -- from illinois. >> let me start with mr. schneier. you talked about how markets have failed us and that governments have to play a role. but i'm wondering from you and from anyone, given that computers are ubiquitous, and your example that they got into target through the hvac system is shocking to me.
11:00 am
11:01 am
it's not the market that's involved in that. it is putting a sticker on it. i'm not sure it's going to get a lot of sales. >> in 2015 the federal trade commission suggested the best practices to address security vulnerabilities, for example, they should test security measures before releasing their product, minimizing the data that they collect and maintain. it seems surprising to me that they are not already taking the steps but you are saying that right now there are no real incentives. is that what we need to focus on? >> i think we forget the rights. most of it is it.
11:02 am
these are solvable problems, the incentives just aren't there to build the security in. we incentivize features. and that is what we buy. that's what we can see. i don't think i can get consumers to pry open the hood and look at the details. it's beyond the consumers i know and it shouldn't be their problem. that shouldn't be something they have to worry about. >> let me ask for other comments on this. >> i would largely agree. from a business perspective there is a lot of incentive for me to make sure that the software i buy follows specific standards. i would like to see more in the area i do provide an incentive to those manufacturers. consumers on the other hand don't have the incentive.
11:03 am
the internet has been very adaptable and very flexible in that when there is a large sort of trip or mistake over security they become more aware and they push those requirements and demands back to the manufacturers by purchasing products they feel more comfortable with. i'm going back to standards and certifications. you know that the device that will be more protected than another device. you don't want your thermostat talking to your doorbell. >> my time is running out. >> i would paint a darker picture. even if a consumer wants to have that, when they want security it's hard to get. let me take the example of the hospitals. it's not because they are not
11:04 am
gleeful about it, they can't get the manufacturers to provide them with devices that can withstand the threats of malware and it comes down to plain old economics. we think it should be built in. everything will be driven by the economic factors and i think the problem is the consumer group thinks that it ought to be a public good and then from the manufacturer's standpoint the question is how much are you going to pay for it? that is a question that needs to be resolved. >> the chair now recognizes the gentlelady from tennessee. >> i want to go back. i mentioned the cisco stats and i think they rolled out of my mouth the wrong way. i want to clarify that for the record. we are currently at 3.4 iot devices per person.
11:05 am
by 2020 we will be at 50 billion iot devices. that is the magnitude we are seeing across our entire economy, so many arenas, into the virtual space. i want to come to you and you just mentioned hospitals. let's stay with the medical device component because in the area that i represent there is a lot of healthcare and work that is done utilizing the iot devices in the medical field. and as you work at the security of course that is a concern. you know you get vulnerability. but you mentioned in your testimony going back on pages
11:06 am
five and six. they tend to have safety consequences; during the physical manipulation of the world it could easily lead to harm. a number of hospitals expressed concern about the iot devices. talk to me about mitigation strategies and what you see with these devices and then what special consideration must be given to healthcare technology and to medical devices and how should we go about addressing that. how does iot security affect their assurance at the moment? >> it doesn't have a plan.
11:07 am
it's more like we need to get a plan. what can we do? we don't know what devices we have. we get a lot of contraband coming in. it has a great acronym. but it comes in, typically it is a clinician who accidentally connects the device to a very important network but maybe it is a music player that is simply providing comfort to the patients during surgery and they don't recognize the new safety and security risks because they don't have it baked into these devices. the risk is more about having embedded assets coming in in a very critical arena. they don't have a good answer right now and that's because it's not built in.
11:08 am
>> let me go to mister drew. the article yesterday that i'm sure you all saw in the new york times and are aware of. mr. schneier, i'm assuming you read that. this is the kind of thing that they are unaware. if you take a device like that, then you have the concerns if it does get into an environment such as a hospital or a medical facility with patients. these malicious actors are out there with the vulnerability of these iot devices and you have some of these concerns that are going to manifest themselves. how are we going to make sure that
11:09 am
they are alerted to the vulnerability in the software and in the devices. if they get anything like this they know to get rid of it. >> i would say the biggest benefit of iot devices, the reason they're compromised so quickly, is because they all look the same. as a device manufacturer they are not really configuring the devices at all. a new exposure comes out. they can get a new software update and automatically update. that is the thing that keeps that infrastructure healthy. >> the chair now recognizes
11:10 am
the member from new jersey. >> i wanted to ask mr. schneier a couple of questions looking at the attack. they are just a few websites going down for a few hours. what does the attack expose about cyber security generally and why are these attacks moving from benign to dangerous? >> it is really the world that's moving. the internet becoming something that affects the world in a direct physical manner. it's the same computers that are in the cheaper and smaller devices. but while the software is the same, your car crashes and you lose your life.
11:11 am
the effects are night and day different. and as these computers start. i have a thermostat i can control from my phone; if someone attacks it in the middle of winter they could burst my pipes while i'm here. that's different than a few websites going down. it annoyed some people for a while, it didn't hurt anybody. we've seen these attacks against 911 services. we are looking at our infrastructure and our power grid. these are systems that are being controlled by computers. you had them break into a dam a couple of years ago. they didn't do anything. next time they might not get lucky. these are now tools of war and
11:12 am
of national aggression. and even the attacks, there might not be a next time. the piece in the new york times a couple of days ago that talks about how we need to think about this now. that leads me to the next question. the insecurity stems from market failure. and you even compare the problem to invisible pollution. i would like to better understand what you mean. can you expand on the market failure and how are these insecure devices like traditional environmental pollution? >> the insecure effects are often not borne by the buyer and the seller. the person who is still using it will not bear any of the cost of the insecurity. the manufacturer and the buyer also
11:13 am
reap the benefit. it was easier to make because it was insecure. there was a societal cost that it can be used to attack others and cause other vulnerabilities. like pollution, it is something in the environment that neither the buyer nor the seller, when they enter their market agreements, will fix. i think the solution is along those lines. we have to think about what the risk is to the group. what is the national security risk of this, for example. it's not going to be borne by the person who bought that. it will be borne by all of us. it's incumbent on all of us to secure our infrastructure against this risk. i think the solutions are very similar conceptually. the tech is very different.
11:14 am
>> let me issue one last question. i have heard some of the sector argue that the devices would constrain innovation. would you agree with that? >> yes it will. you cannot just build a plane. i might be a drum. but we sidle the care. i might be. the internet era of fun and games is now over. the robot is just a computer with that. i think they are a mistake. this is going to constrain innovation. if i can be good.
11:15 am
this is what we do when innovation can cause catastrophic risk. it is crashing all of the cars. the internet makes this possible because of the way it is scaled. and these are real risks. >> thank you mister chairman. >> the chair now recognizes the gentleman from new jersey for five minutes. >> this is one of the more interesting panels that we've had on this extremely important topic. of your observations and recommendations, the eight of them that you have given to us, i would like to concentrate on three of them. you state that security needs to be built into,
11:16 am
not bolted on. could you expand on that as to how you think that might occur, that the security occurs before the device has been manufactured. >> thank you. when we talk about security problems in the media or in the news you often think this is a poorly implemented product, when in fact it was a poorly designed product. if you don't get security built into the early design of these devices it doesn't matter how smart the engineers are. they will never be able to succeed at creating a secure device. that's why you really need to build it in. if you have this residual risk that you hand off to the consumer there are some sweet spots where you can try to mitigate the risk after the fact
11:17 am
but extremely rare and extremely hard. >> how do we build it in initially? >> there's actually quite a bit of this. it's about hazard analysis. it's all about understanding and enumerating those risks. and having them choose which risks to accept and which risks to mitigate and which to pass on. >> can that be done through the consumer market? would it require some form of governmental control? they are to be built into the automobile initially and not to be added to the automobile. >> i do believe in the long term that it will likely require some kind of governmental mandate. even the people that can do it
11:18 am
they don't have the authority to do the right thing. we didn't think about the safety. we will know that it's there and it can cause harm. >> millions of insecure devices are just a small fraction of what the market will resemble in 2020. this is just at the beginning and there will be many more by 2020. >> that is correct. on a positive side it means if you take action now we can
11:19 am
actually win this. we can actually have a very secure ecosystem. even though there are terrible problems today, we shouldn't give up hope. >> how many devices will we be having in 2020? >> it doubled from 20 billion to 50 billion. i think it is a reasonable estimate. >> number seven of your observations, there are a number of those. they will train a lot in the workforce. what do the great universities need to do in this regard? >> i think community colleges
11:20 am
play a very important role as we develop the different kind of skill sets. so actually in fact there are 209,000 as of a year ago in the u.s. the problem is i think universities need to shift and adapt to the changing marketplace. right now we are overrun with students. we cannot teach the number of students and yet we are still not meeting the needs. in michigan for instance we have the automotive companies talking about the positions for cyber security and they are wondering why no one applies. >> thank you my time has expired. >> the gentleman's time has expired. the chair now recognizes the gentleman from california. this is why i love this committee. great stuff happening.
11:21 am
i will start with mr. drew. only 150,000 were used in the attack, that means 1.85 million left. are they still capable of carrying out new attacks, or have they been neutralized in any way? >> as a whole we have taken steps to try to do different portions of it. it's still 1.5, 1.6 million strong. and they can attack not just the servers but they can attack real physical devices as well. the one fear about this, they are capable of doing something like a shake attack. they are able to generate any protocol, any application they want from those machines to be able to direct an attack of very specific nature to the targets.
11:22 am
>> we have this hanging over us right now. i think the saving grace is that no one has been able to afford all 1.7 million nodes. our biggest fear is that another adversary sees the power of this and begins to adopt it. >> you recommend, what type of incentives do you believe would be effective to prevent the risks that you had outlined, whether it was accountability or liability. do they employ that good
11:23 am
security. this is a question to all witnesses. answer with a yes or no. would it be feasible to fine them? >> in the alternative they could establish minimum security standards to provide additional sector specific requirements. would that be feasible, yes or no please. >> i missed the question. since there is a wide range of products it might be feasible. >> would that be feasible? >> absolutely. it would provide that.
11:24 am
the area in which they do operate. >> we know because the devices do multiple things. several things, so many questions, so little time. you said that there was no cost to produce the devices with poor security. the security is a solution. it should be a solution not a problem. can you expand on that a little bit. >> they will not embrace those. they own trust. it won't take too many more horror stories before people start to go back to their analog ways. i've used it as a solution enabling innovation.
11:25 am
i would agree with the other witnesses that you might see a short-term problem because you're gonna be interrupting the product development. but in the long-term you can see it actually producing new innovation. >> very good. now you also mentioned that the devices should incorporate strong crypto security. isn't that asking a lot for these devices to incorporate this? >> you can implement crypto on these devices. it is more challenging, for instance they do draw more electrical power and can actually reduce the battery. it does cause the risk question but in the general case it's almost always the right answer. >> i had one more important question but my time has run out.
11:26 am
we recognize the gentleman from kentucky for five minutes. >> thank you mister chairman. this has been incredibly informative to me. this is important. and we are appreciated. i'm gonna let him send the thought. one thing you said earlier. when you write the regulation we will have that to address. if and when we do. we can be too prescriptive because they sign in blue ink. and i certainly understand that. i think a lot of things we've done and legislating have deferred that to the agencies. we also had to be careful to make sure that we seen that when an agency gets a little leeway.
11:27 am
that forces us to be more specific as we move forward. we just had to find the right balance in that. >> i'm interested in the auto industry. you are talking about the auto industry. and then all the sudden time ran out and you didn't finish your thought. michigan is known for estate up quite a bit of manufacturing. they are trying desperately to hire cyber security experts. i found one. they tend to quit fairly often to get other jobs. if i understand at the career fair you will see a line out the door for the silicon valley companies in for these other industries it's very difficult for them.
11:28 am
just because of the competition the competition is so great. one of the major companies as about the man or woman going to general electric. maybe that's why they are pursuing that. it is a good marketing strategy. they are. that's what they do. the basic premise that they are constantly evolving. this is something we've heard in force forced many times. the identification of vulnerabilities can you tell us about how they are shared nowadays and if they have any recommendations moving forward on information sharing.
11:29 am
>> there are many different things. it's the core needed agency. the researchers. and they provide the manufacturers. other past weight. directly between the researchers. it was to sort of a drop in the public. before there was a chance to deploy any kind of mitigating control or evaluate whether or not the report is true. are they can look at the least secure device and then get into the system that way. what is the general level of security included in consumer grade. and have they prompted any conversations that you are aware of about the security.
11:30 am
anyone on the internet could just break in and take complete control. i yield back. >> the gentleman yields back. thank you very much mister chairman. this is an important discussion. since the cyber attacks. is a huge challenge. we saw the cyber attacks this year all across the country. included with foreign actors being called out by our national security teams. pertaining to the development of internet of things. which will provide robust
11:31 am
infrastructure for america we know there is going to be more complex dynamics that will result from that. this chatter devices. to monitor and protect against malicious attacks. they address the issue of dynamics. the importance of us moving in the direction and the importance of us doing this. whether it's the net secure space or open space. >> i can say that they have a document that has to do with
11:32 am
this. they enumerate that. that controls that match the significant risks. as consumer and industry is to monitor the effectiveness of those. you deploy the product today. it might be effective tomorrow my network at all. here's where i'm a little skeptical of other agencies that claim they know all of the networks. i know as a fact. they are afraid of tipping over things. very sensitive machines. if they are in a facility that has nuclear materials. there be very skeptical.
11:33 am
to see how will they would. i think there can be a benefit from safety critical issues. i think there is quite a bit of expertise in what is called embedded security many of the national labs. however this is a very traditional problem. i've seen this come up. two different agencies. they will often tell me i don't have an in-house expert on that. let me try to help you. and they usually have a difficult time finding a partner. as more and more of our critical go online. deems connected. will need to be secured. are you able to speak specifically to what we can do
11:34 am
with securing the technology foundation. through the internet of things. operating systems. secure protocols. >> this is actually i think part of the big problem. security has to go all the way down. so someone there talked about that phone would send copies of the text messages to china. on the plus side it was cheaper but you are not going to know and that will be the software. we are worried about switching equipment that we use in our country that comes from china as we worry about the hardware. and these are very, gated questions. and any place in the stack we can cause an insecurity that affects the others. a lot of people are working on
11:35 am
this. it is an extremely worrisome issue when we deal with global manufacturing. so this is in the american device made in china. in many of the devices are made in countries that might not be as friendly to us at all times as we would like. and we have tech battles to check these things it is an arms race. and right now there is an edge on the attacker. it is easier to hide the vulnerability in something like this than it is to detect it. we also used it. they use that to spy on our enemies. there is some good here too. i think by and large it is dangerous for us. i think dr. schreiner and maybe submit a question to you. we can expand our conversation on that. the gentleman's time has expired.
11:36 am
they recognize the gentleman from texas for five minutes. welcome mr. drew and mr. snyder and dr. phil. i have to admit last night i lost sleep appearing for this hearing. we focused on september 21 of this year. and then they launched the strike that on the question security over 600 gigabytes per second swarmed them and then a month later on october 21 the same one died. i lost sleep because after nine years as a naval aviator eight years working the senate for two texas senators and four terms of the house i know the biggest threat to our
11:37 am
security and our prosperity is not bombs it's not missiles it is cyber attacks and cyber security. ones and zeros. what bothers me most earlier this year is that the attack was exactly what they told me. they will swarm them. they will score a touchdown. that is exactly what these guys did. they have the success and having 600 gigabits per second swarmed past security. and so in this environment we can't be reactive. we have to be proactive. our government has to be proactive. now i said the word government
11:38 am
and said proactive. some people it shook their heads. and smiled they know those words don't go together. but somehow we have to come together to address this problem. and dr. i love your term about that. we have to have it built and not bolted on. i want to elaborate on this. you ran for congress. he won. how would you ask. what do you think we should do. to help out our american economy to make sure that we control the tax. all right thank you. let me first correct build it in not bolted on. what i would say to really get out in front of this problem and be proactive we haven't
11:39 am
even done what i would consider if i were talking about my students i would say you have to do your pre-lab first before you do the real work. it is going out and getting first-hand information from some of these constituents. that's from getting my first-hand information. i'm just picking up horror story after horror story. i can't believe that you in this manner. i think that needs to happen. there needs to be some congressional visits to these sites. they need to go to the universities. what are the barriers. i believe that likely after you see the same problems you can start thinking about we need to have incentive systems built in economically i don't know what these are going to resemble. could they be more financial incentives or penalties. is it more about corporate liability perhaps.
11:40 am
i don't know the answer on the mechanism but i know we need to get more people getting congressional visits to the site to understand where the problems are born. >> if you could write laws how could you write those organizations. the incredible challenge we have. >> i agree entirely with regards to us having the right incentives to make sure whether i'm a consumer buying technology. we have the right incentives or regulation. i completely agree with that. with regards to each of those ideals around health, safety, convenience and use.
11:41 am
with regards to these technologies. your comments about how you would approach this from a federal government role. i think we have in a lot of areas. now we're at the point where that speed of technology exceeds the speed of law. used to be laws could lead to technology. now it's reverse. we need to figure out regulatory structure that is invariant. we can't focus on technology and run lan them but focus on people and incentives is that is what is invariant. these attacks are kindergarten step. it's stuff. it's basic. it's not sophisticated. the sophisticated stuff is worse. >> i yield the balance of my time. the chair now recognizes for five minutes. the gentleman from ohio. thank you gentlemen for
11:42 am
joining us today. having spent nearly 30 years of my professional career in information technology i want to get a little bit more into the technical aspects of some of the things we're talking about this morning. particularly traditional attacks versus these connected devices. as i understand it these attacks have been around almost as long as the internet itself has. they have certainly gotten worse over the last few years but at least for traditional attacks we know that we know how to defend against them using techniques like the ip address. can you tell us a bit more about those defensive techniques and why they had been successful in defending against traditional attacks.
11:43 am
>> i would say about every three years or so we encounter an evolution of capabilities regarding those attacks. we have somewhat of a backbone impairment event on the global internet. that is resulting with the adversaries. with the new weaknesses are new technology. and so i would say that the community at large has been fairly proactive as well as reactive in investigating what those bad guys are doing. and making sure that our capabilities are responding by redirecting traffic. what i would say just the enormous potential scale. the typical botnet that is
11:44 am
involved. it's up to a decade has been in the tens of thousands. we now had potential devices in the millions. in network capability for filtering and describing is not scaled and that sort of a factor. it's something that were taking with great notice and great a pause to make sure that we can invest in our capability and technology to prepare for that. is it safe to say that these defensive techniques had worked because they target the way that traditional attacks use spoofing and amplification. i would say with regard to what the traffic looks like itself. how that traffic is executed upon the victim there has been a slight evolution in the way the traffic looks but for the most part it has an upper and lower control limit. that is fairly well
11:45 am
understood. and so the technology is geared to be able to operate within that control parameter. it is a skill in which the devices are coming at that victim and being able to launch those sorts of attacks. >> so to get to the heart of the matter of why we're here today because from what we've been told doesn't use spoofing or amplification. it uses what is called a shape attack. it can send any protocol or any packet that it wants to. and instead it is built out of these individual connected devices and you would say now there are potentially millions of them out there. that are so numerous that they aren't even necessary. it's a deluge of traffic
11:46 am
from those connected devices. >> if you want to spend a lot amount of traffic now with devices like that you won't need that. i think we need to dig into this a little more then. when we were talking about defensive techniques before. they seem to rely on these attacks if it doesn't use spoofing or amplification. and you begin to allude to a little bit how do techniques like this work and how effective are they. >> i would say. the able to mitigate.
11:47 am
11:48 am
really contemplated the idea that their devices could be used in that sort of fashion. some were mortified and we are trying to wrap their heads around how they could deploy cyber security and other manufacturers have no interest in the plane because they have every belief that their consumers would continue to purchase their product. >> this is directed to all of you. what are some ways and that hardware and software manufacturers can band together to prevent a cyber attack like the recent one?
11:49 am
>> together we are interdisciplinary. i would say the key point here is the disciplinary for this software and the hardware. function follows form. if you look at the educational system. you will see that the people trained on software don't actually have the closest cultures. it will be very important to educate people in a way that brings hardware and software together. it certainly i'm try to do personally. i trained in both hardware and software secant abstract the companies that made those dvrs got a chip with software
11:50 am
on it and they did not inspect it. it is a blob and they put in their device they sold that device to other companies. you have this chain which is very opaque is the handoff to each other. banding together i think it can be very difficult. the way we can do that is to and sent it. if i had regulations that will affect each other. then i will give the companies reasons to not to say yet this work i will sell it cheaply. it's hard. i don't have a good crisp answer for that. hopefully mister drew does. >> that's what we put him last. i would say with regards to this. i think with regards to that their focus primarily is on the specific set of applications out there looking to develop. they get hardware from another
11:51 am
manufacturer. they just develop their applications. they don't know how it all goes together. i'm more emerging iot it is a bit more integrated. we are seeing a lot more disciplined and knowledge with regards to both married mary and both hardware and software together. as well as being able to achieve higher security standards as they interact with each other from device ecosystems. a long way to go. a lot of growth in that particular area. could the recent cyber attacks have been avoided if they registered with more than one company that provides the same services that they provide.
11:52 am
>> presumably yes. what we did see is that a number of the domains that were targeted they held back to another abortive server. third of server. they launch an attack. in this case. i was following specific victims and reacted to that i heard you say that earlier. in the opening i think. is that okay. to what extent did they play a role in these recent cyber attacks that we've been discussing about. they played a key role in because of the entry point to take over this army of unwitting agents the default passwords are everywhere. in my testimony i provided a graphic of the default passwords to medical devices.
11:53 am
there's nothing from stopping the same attack. they are a big problem. the problem that we are line on. thank you all. my time has expired. i yield back. to make things gentleman chair. [inaudible] internet of things in devices including potential attacks. it appears one of the recurring problems identified in your testimony was the use of insecure operating systems which are easier to target for the denial of service
11:54 am
attacks. have you seen industry react to these issues and move forward more stable operating systems and are there impediments making such a switch. >> i had sort -- scene and move. there is a leader i still see windows xp which is an operating system in critical systems. the water treatment facility. controlling water pumps. windows xp is susceptible to the last decade of malware. it doesn't take anyone more than a kid in their basement to be able to cause a problem. it hasn't happened certainly on the high end of device. the radiation certainly when
11:55 am
they buy a new device. most of them have capital equipment costs. this is what she wants to see. you will see windows 98 machines. in hospitals because when they go to manufacture same we really want to have an operating system that we can keep secure and want to just buy a whole new machine. there was an unwritten assumption that the software would be maintained. i may not had been whip into the agreement with the healthcare community felt it should have been kept secure from the manufacturing sampling. we provided you this device. they were situated overseas. some seek to regulate
11:56 am
devices. how do we protect ourselves from devices that are outside the u.s. if someone wants to chime in that's okay too. the important things about computer security is not to be able to put yourselves in a secure environment but you need to be able to tolerate an insecure environment. we will meal to make networks blissful places full of rainbows. they are always going to be hostile. whatever we put on their asking to be able to tolerate malicious traffic. the attacks are extremely hard to defend against it is two things. i think that u.s. regulations
11:57 am
more major markets. can cause a new environment which raises the tide for everybody. companies are not to make two devices. we can make a difference. with that. we can and some the other industries. it is correct that we can't assume ever a benign environment . we have to make the devices we can touch more secure. and then building infrastructure controls to secure against this malicious minority. and it will always be that. do you want to comment quickly i had one more question. with fundamental beliefs of ensuring that we can try to route that. that more the businesses and backbones can collaborate together i think the better
11:58 am
prepared to be. one of the biggest conservatives. we already know that they are targets in other areas. how can i best protect themselves from these threats and their current acknowledging. in preventing current cyber threats. and they are in a sticky place. there's not a whole lot of mitigating solutions. the best message it i can represent. i thought some discussion yesterday. about a bill of materials software they don't even know what software is running on the inside because they don't know themselves whether on those medical devices.
11:59 am
if we only knew. we could better understand what risks we are taking. i'm going to follow up and if you would explain a bit more about what your concern is that the device is. the device being used in the hospital. they are not aware of what is on those devices and what kind of mechanisms we can have. for the hospital systems. they are fully aware. the hospitals want to make sure that they have continuity of operations. so that they don't have to shut down. the problem is when you don't know what your assets are how are you can protect that. if you don't know what ports are open to manufacturers they
12:00 pm
are not willfully causing harm as far as i know but they are not providing enough information so that the hospital staff can do their jobs to assure the continuity of the clinical facilities. providing a bill of materials. when it enters the hospital. won't completely solve the problem but it will really help because you can't do step two. before you can effectively control. so why that has obviously life saving or implications. what other sectors are you most concerned about and this is for the panel, that the sector integration so to speak of devices within the system is not known? >> public utilities, water gas, electric. it surprises me how they just blast about that.