>> >> there is as many as 6. 4 billion internet products in use worldwide

this year. the growth is expected to be significant including estimates of 20 billion products connected worldwide by 2020. and makes a dave very large issue ended economic one there is great potential for innovation but also for serious risk but really that is what we are pursuing. october 21st some of the most popular web sites but distributed against dynamic networks was made possible by and secure internet of vice - - devices that

could beat infected with now where. once similar attacks targeted a journalist they raise questions about the security of internet enabled devices and the potential against cyberattacks of devices used may have lacked the functionality to allow users to change their default user name and password read no we have to practice good hygiene to change the default user name and password. with products lacking common-sense manufacture -- they perales at risk so this

is an area we need to explore also how long these unsecured devices remain in use. reported the these were used infected devices first manufactured as early as 2004. and with these updated products to further expose the users to the security risk finally recognizing did say global issue with a little more are infected with the of malware. and then based in china. and then to address the problem going forward.

and first to understand the internet of things that we can't afford when devices from security. industry must play a central role in delacorte word so thank you for allowing the hearing to take place. >> good morning to the of witness panel in to talk

about those cyberattacks on those popular web sites that were knocked off line on october 21st. with this massive connected devices with the terabytes of traffic overwhelming the system preventing lead did -- legitimate traffic it was brief and then it was unique with those armies of compromise to devices. such as baby monitors or many consumers to realize. from these everyday devices. that is why these seven and

so successful by continuously scanning the internet even with uh factory default. that functionality is security but in fact the most common password is password. the cybersecurity must change to ensure they are not vulnerable to a device. and with a number of hearings that issue has been raised and discussed in each of the hearings and to have the manpower in the resources that is why this

so important what we add industry here today in by those of bases -- devices with the supply chain as well as of their responding in the market. and with dozer ongoing groups. so will be like changing. but then also to see meaningful leadership from industry how to address the challenges. now welcome to our witnesses i am pleased to yield the balance of my time to the gentleman from ohio.

>> also the chairman to both subcommittees for the subcommittee hearing and as we mentioned those that were caused by a devices to the internet the attack cadillac of adequate security measures the basically exploiting with the user names and passwords with those devices with that ability to have the upgrades of securing devices through good cyberhygiene practices

but we're all too familiar with this issue then one of the most common things matter what type want to protect consumer data with top priorities we are reminded again for the guidelines but there is a delicate balance and we must encourage industry to encourage best practices to not hinder privacy and security ip sheet did gentleman for yielding and i yield back. >> now we go to the gentle lady from illinois. >> with the report with americans realizing hell

vulnerable their devices are they lost access because the lab mass the distribution and to join with the representative in requesting a hearing like this. and with the update the federal policy. mocking from identity theft and from the presidential election. is supported by the russian government's and i strongly believe the is the

cyberattacks edition be troubling to everyone. and with the 2016 election is over the day after two b.c. that the operations are successful only encourage a similar tax to him have distrust of political process of western democracy. everybody must grapple with this on a bipartisan basis and protect from for interference. russian interference exploited holes on the server segment hackers that carried out there october october 21st attack. so the internet of things

and the fidelity devices have less protection from now where and they are slow to install security patches. once if it was hundreds of thousands serve millions of devices they access to an army of devices traffic from the devices which intern is a popular websites. and then to call on the ftc

to work with piety manufacturers and changing of the defaults passwords. with the cybersecurity standards and you cannot count the manufacturers to do that on their own. but consumer watchdogs to take the leading role to perot sabres security but unfortunate the same time with the republican majority in to cripple the enforcement ability.

into required the ability to assume privacy cases that they reported out of committee in those areas buyback to those consumer protections that they can afford to be left shoulder bolt in they can survive a pattern of high-profile cyberattacks and then the written testimony as much of a failure of policy as technology but we should not be content with failure in the longer. invest continue the work for years to come.

>> and we share in this concern. and now the testimony for the expert witnesses for this senior vice president for the level three communications think you very much turnon your record from. -- microphone. >> to the ranking members. regarding the recent cyberattacks with those posed by former abilities with those 500 markets with the footprint and the traffic of the daily basis have a unique perspective several years ago to actively monitor

communications to mitigate threats on the networks on the broader internet. mona tran14 billion security evens the proliferation for benefits of consumers by connecting their devices of other everyday items to the internet with a lack of adequate security measures pose a significant risk to those in the community. those that have that identifiable password. and with those credentials that they cannot change. they also force consumers to follow the updates themselves. the global nature that they are shipped to foreign countries that have yet to

embrace sound and security practices. they have very little way to know when they have been compromised and like a personal computer or a phone they're more likely to notice compromise to devices may go launder periods of time in september the three research labs begin to track a family with the malware devices impacting not just those devices but potentially anyone on the internet. it has affected nearly 2 million devices on the internet. and the new attacks bore alarming with the ease of which the attackers. they relied on just a fraction of the total available compromise with

the potentially significantly greater havoc. approximately 150,000 devices that bandwidth that threatens the internet. that primary motivation in laissez pay ransom for the attacker. another cases they're out to create mischief. and then to actively take steps to address these. in with that public awareness campaign with the steps they can take to protect themselves those who are working collaborative flee with the industry

partners with the implementation and excluding proliferation of devices and dave will continue to expand as they continued to work collaborative fleet to reap the benefits of this technology. thank you for the opportunity afford to taking your questions. >> thank you for taking time out of your schedule. now we will turn to the fellow from harvard university the kennedy school of government kinky for being here with a forward to your testimony. >> committee members thanks for having me in having this important hearing.

i may security technologist. i am not speaking for any of them. but they don't know i am here. >> it is a secret nobody knows on the internet either. [laughter] that this is just that keeps things cold. that the car is not a mechanical device this is the internet of things. i come to the world of computer security men want to give you for truth from my world the first attack is easier than defense.

make this complexity is the worse. and is hard to secure for now hours worth of reasons. with the most complex machine man has ever built. attackers have the advantage. the more we connect the more one affects the other. talk about vulnerability is with the webcast set allows them to take down the websites. and the amazon accounts with a g mail account in twitter account and target corporation that was the vulnerability this is hard

to fix because of a to secure a things come together. and the internet empowers the attackers it is a tool to make things more efficient. and allows that to be possible otherwise. and that code which was made public anybody can use that and you can rent time on line is this on. caller: right now i did not recommended but it can be done. this is more dangerous it was benign the internet of

things affects the direct physical matter cars thermostat's airplanes the real risk to life in property the catastrophic risk. those computers are secure for a bunch of reasons. and to spend a lot of time at this end to talk about this envelope or profit margin, offshore or that cannot be patched. and that takes a while they given new one every 18 months. so the market that the buyer

and seller don't care. the 18 device that works. but it is not part of the decision. so government has to get involved in this haymarket failure in what i needed regulations. as of list of them this is not something dumb market can fix. to city u.s. only regulatory system to affect their products of the world that companies will make one software to sell that everywhere. makes no sense for everybody. it is the first time they

effect though world. in the second point the fbi calls to weaken the devices they have to prioritize security. so already which monitors medical condition, a thermostat, a car, but this is something that we need to do something new about. new agencies were created airplane nuclear power my guess is this would be one of them. this is all coming with the technologies faster than we think government involvement

i would like to get ahead of it but now writing career at the point we need to start making of how these worked with twitter it was okay to let programmers have that special ariane and now we can do that bad now is the world of dangerous things. and maybe we cannot do that anymore and i do not like this. that it can do whatever it wants at all times. but i am not sure we can do that anymore.

>> we appreciate your comments next our guest informant of electrical engineering thank you for joining us. >> to the distinguished members of the committee i represent the academic cyber security research committee i'm at the university of michigan in my laboratory discovers how to protect computers send mobile phones to the automotive airbags i am testifying before you today on the internet of things to provide a perspective with the broader context but in

short it remains in adequate none of these attacks are new were fundamentally new but in this unprecedented. let me make some observations. but there is almost no cost to the manufacturer with several security consumers. and with that standard in the pre-market is a very tangible cost if they put the device into the market corrects several things so. live a bike to highlight those observations. number one security needs to be built into the device not

added dog. but it is too late for effected of risk control. the number three health care communities cannot offer a different fight -- a vice similarly connected disconnecting in the millions of devices are a small fraction of what the market will resemble in 2020 and it will get much worse if those problems remain unchecked. . .

and the nation lacks an independent testing facility at this level of the center as a proving ground for testing the cybersecurity crashworthiness. to protect the national infrastructure, number one,, intensifies the built in cybersecurity hygiene by establishing the milestones encouraging use of the strong cryptography i and areas and support agencies such as the

institute for technology to advance the understanding of this activity and to train those necessary for the robust cybersecurity workforce. study the feasibility of a national embedded cybersecurity testing this up at the such as the national transportation safety board incident prevention initiative such as the national highway traffic safety admin administration and at the testing at the nevada testing site. number four i recommend leveraging the cybersecurity expertise in the agency such as dhs and number five the universities, industry and the government must find the strength and resolve to protect the national infrastructure through partnerships and that

investments in the cybersecurity will pay great dividends. i would like to close by thanking you for the invitation to testify on what i think is an important subject for the country. the committee can find the photographs of the problems and water treatment facilities hospitals and more and i' i woud be happy to take your questions. thank you. >> thank you to all the witnesses. this has been enlightening and we appreciate the recommendations for the consideration. i guess i will start with a couple of questions. as we try to wrestle this issue. we've done multiple hearings and we've had multiple panels come before us and to testify and i think almost entirely basic first do no harm. be careful when you lock things into statute because you can misallocated resources and opponents will know what we have

to do and we can't get out of it and they will do a workaround. so how do we establish a framework that would be appropriate here and have an effect internationally because we don't think all the devices and we might have market power that wbut we are not the biggest market anymore. how do we create a national framework where the stakeholders are driving this in real-time if we don't do something like lock up certain requirements of the statute? >> i think the best way to start is with standards and for us to work on the devices themselves. industries have a number of standards with regards to how they operate the platforms but they don't have standards on how they are supposed to be manufactured and secured. so we were to start with standards and then apply

pressure so i as an industry i'm under pressure to implement standards to be able to serve the businesses and consumers. i think if we start with that standard we are able to apply the pressure to the extent that it can be applied globally, i think we can get some traction and momentum before we have to start regulating. >> i am also a fan of standards and the question is important how do you do it properly. the answer is to make them very and look at what works and what doesn't rather than legislate here's the process into the technology. it has to be the very end and i know you had a driverless car hearing yesterday and i think it is somewhat similar we are going to make the standards on the manufacturers to do things

properly and in the environment where there exists malicious cars out to get you so we have to deal with the devices we can't assume everything on the road is going to be benign and secure. the standards will rise but yes we have to do them properly because if you do them wrong it will stifle innovation. >> there are ways you can do this effectively and in fact i believe that it will promote innovation. i will try to avoid the technical side but say that in the coding mechanism they must be signed in blue ink that didn't assume the existence of the signatures in the future so you should be careful of including the mechanisms. however i would actually say

that they've done a relatively good job at the principle there is no perfect standard but it will be difficult to build in security if we don't have the principles set in place and it needs to have a government leadership as well but it's all about setting those principles many of which are known for over 30 heirs in the cybersecurity community. >> the extent to which you think about this and give us your ideas on how to actually get it because this is my concern that it's so hard to change statute and we don't want this to be an innovation killer in america. we want to lead on this and get it right. i don't think i want my refrigerator talking to some food police somewhere. it just is what it is.

thank you for being here and at this point i will return the balance of my time and turned to my friend and colleague who has been very involved in this, ms. eshoo from california. >> thank you to each of you. i have legislation that i introduced that speaks to this issue. it hasn't gained much traction but what you said today i think puts some wheels on it because it is about security without damaging innovation. we talk about the attacks that take place, but we don't really focus on prevention.

i've asked them what would you do about this and to a person. number one. and number two, the lack of good solid security management. i think we need a good housekeeping seal of approval. and my bill called for them to set the standards, not the congress, because we really don't know anything about that. and we missed the mark by a wide smile. i also think in listening to you this is an issue that should be included in the national infrastructure legislation because this is part of the

national infrastructure. it deserves the kind of protections that you spoke to because as you said, it's not just the computers at the dod. we are carrying them around in our pockets into driving them etc.. given that, what is the framework and how would both mr. bruce schneier and mr. kevin fu and mr. drew, what would it look like? iem giving you a blank slate.

i think we need a new agency. the problem that we are going to have is that we can't have different rule rules if they hae fields or propellers or fixed phone calls or your body. that just isn't going to work. it's all computers and we have to figure out rules that are central. >> we have a continuing majority so i don't think they want to create an agency honestly don't this thing needs to get done. they don't like that stuff. new agencies and regulations, we are dead in the water but we can't leave this issue to be dead in the water. our country deserves much bett better. the risks are too great and the

stakes are too high. nothing motivates the government into action like security and fear. 2001, we had the government, no regulation administration producing new federal agencies 44 days after the attacks. something similar happens and there is no cyber security expert that will say sure that could happen. i think that he will have a similar response. response. i see the choice between the government involvement and no government involvement looking at the small government involvement i would rather think about it now even if you say you don't want this because when some inhabitants into the public says something must be done what do you mean a thousand people just died. let's figure it out fast. i agree with you i'm not a regulatory fan, but we regulate

dangerous things. >> can you do something in five seconds? >> we will have trouble if we don't answer the questions. i fear for the day that every hospital system is down because they bring down the entire healthcare system. i do think you need to spend more time on the free market. i know from my working within jurors that they are brilliant. they are often not given the time of day or the resources to do their jobs. what you need to do is give those people who can do their jobs the ability to do so and incentivize. >> thank you very much. most helpful. >> i would point out we are all engaged in this and both sides. my friend and i have back and forth from time to time. she likes to characterize what we are for and against but we are all committed to try to find

a solution and this is bipartisan, so we appreciate your testimony right after the attack and we will continue to march forward. with that i turned to the gentleman mr. burgess. >> it's been a fascinating discussion back and forth. i was invited up to microsoft in washington and they showed me the house named grace she knew you were coming and set the thermostat for the temperature that you wanted as you came into the kitchen grease might suggest an evil force you. i worried that it would've would communicate with bathroom scale.

it's an interesting world that we have arrived. in your comment about the incentive for someone to do this in the first place and we have all heard sometimes he'd have to think like a criminal or repair servicaterrorist to outsmart thd you referenced the monetization. when i get on and you've got to come up with so many thousands of dollars to some dark website how do you monetize that the doorbell is conversing with twitter? i don't know how that works. >> what we are seeing is they are operating hundreds of thousands of notes and then renting out a small portion to be able to attack websites and

hold them for ransom so if you don't pay me $20,000, your website will be off-line the next 20 days. so very accessible to the successful enterprise. what is the response of the law enforcement agencies that are supposed to be enforced in the wall? >> they are working to identify the bath -- botnet to curtail this. we see they've changed the nature where it is easier to break in to divide us. the device. >> one of the things that bothers me about this until we had the headline grabbing attack, you don't hear about abt

someone being busted for holding someone hostage for 17,000 so you unlock the hospital records or whatever was going on. you can have the password is password or 1234. there also needs to be a societal understanding when they occur and they need to be publicized more than they are. i have heard from folks that there is a risk that the hospital that gets stuck with one of these i is just simply embarrassed and they don't want to go public with the fact to pay the $17,000. so that is easier than going to law enforcement into dealing with all the things that would

happen but that is absolutely critical. and never in any of the discussions i have seen so far has there been a discussion of what happens to people that perpetrate this and it should be swift and severe and public. i suggested another shot at sunrise. i am not trying to be overly dramatic but if i see that medical records and a patient dies as a consequence, that is a capital crime. anyway, i know we are not going to solve both problems today, a, but i wanted to put those out. this is relatively new for most of us. one of the things i like about what the subcommittee did on the data security was on the data breach notification was to set the standard if we don't prescribe the technology because

the technology changes much faster than the congress. i'm worried about creating new federal agencies and the concept that we could delete the federal agencies for every one that we create a. we have a massive job as far as informing the public and that is part of the hearing today. and i hope that we carry that forward quite seriously. >> the gentle lady from illinois is schakowsky. >> lets me ask all of you you talk about how the markets failed us and the government has to play a role. but i'm wondering from you and anyone, given that computers are

ubiquitous in the system is just shocking to me is there a role for the consumer education and consumer action or is this beyond us now to play a role in security? >> we are asking for consumers to shore up the products initiative be the default passwords or that you have to worry about what you click on. these are low profit margin made offshore and the buyer and seller don't care. you don't know if it is used or if it is secure or not and you

don't care. you bought it because the teachers and this is an externality. the fact that it was used by this third-party to attack this other site and it's something the market can't solve because it's not commi, the market is id in that. as consumers, it is putting a sticker to say it costs $20 mo more. i'm not sure that i'm getting a lot of sales. >> in 2015, the federal trade commission suggested the best practices for the device manufacturers to address the security and vulnerabilities, for example, the device manufacturers to test the security measures before releasing the product and minimizing the data they collect and maintain and frankly it seems surprising to me that they

are not already taking these steps but you're saying that right now there are no real incentives. is that what we need to focus on tax >> i think that if we get the incentives right, the technologists will figure this out. it's not rocket science, most of it isn't. but the incentives are not there to build security into the incentivize price and market and features. that's what we die because that is what we can see. i don't think i can get consumers to pry open the hood and look at the details. it's beyond the consumers i know yoinitiative be their problem or something they have to worry about >> so let me ask yo if you wanto comment on that. >> i would agree with my colleague and say from the business perspective there's a lot of incentive for me to make sure the products i buy follow

specific standards before we put them in the network. i like to see more in-depth network. consumers on the other hand don't have that incentive. what they do have is the incentives of the public events and then there is a trip for a mistake over security that they become more aware and push goes back to purchasing products they feel more comfortable with. so i'm going back to the standards and conduct the certifications in standard you see that approval on the device because you don't want your refrigerator talking to the scale were doorbell.

hispanic i would paint a darker picture even if the consumer wants, not many are wher aware y need security that lets me take the example of the hospital asking questions about. it comes down to plain old economics and how much will you pay for it. we think that it's a public go good. everything will be driven by the economic factors and i think the problem is thought to be a public good and from a manufacturing standpoint how much are you going to pay for it and that is a question that needs to be resolved.

>> thank you so much mr. chairman. i want to go back and they mentioned they think they rolled out the wrong way i want to clarify that for the record we are currently at 3.4. by 2020 we will be at 50 billion devices. that is the magnitude of the vulnerability because we are seeing it across our entire economy from so many arenas to virtual space and professor kevin fu, i want to come to you and mention hospitals in the medical device components because in the area that i represent this type of healthcare and work that is done

in the medical field. when you look at the security, you look at the information share in the vulnerability that you mentioned in the testimony going back on pages five and six they involve physical manipulation of the world that could easily lead to harm and then you go on to say a number expressed concern about the devices. so talk about the mitigation strategies and what you see with these devices. what considerations must be given to the healthcare technology and the medical devices and how should we go about addressing that?

>> i don't think i will be able to get a satisfying answer because if you were to be a fly on the wall in the board room on the hospitals were discussing the topic of the assurance of the clinical operations being continuous, at the moment they don't have a plan. it's more we need to get a plan. what can we do and it's some of the security officers saying the problem is we don't know what devices we have and we don't have a good inventory. we get a lot of contraband coming in, but typically it is they clinician to an important network that it is a music player that is simply providing comfort and they don't realize the safety security risk because they are not baked into the devices so the risk is more

about having the assets coming into a very safety critical arena. they are aware of the data to china. this is the kind of thing that consumers are unaware if you take a device like that and you have the concerns that it does t into an environment such as a hospital or medical facility with patient information and things of that nature, these

malicious actors are out there with the vulnerability of these devices and you have some of the concerns that were going to manifest themselves, so how do we make sure that the consumers and users are alerted t the usee vulnerabilities in the software and in the devices when they purchased them so that if they get something like this, they know to get rid of it. >> i would say the biggest benefit another reason they can get compromised so quickly is because they all look the same so the device manufacturer that always the same kind of the users are not configuring the operating system at all. it's having the ability to auto patch into the device can call

home and get a software update. >> the vice chair of the committee yield back and recognizes the gentleman from new jersey. some people may dismiss it as only a few websites going down for a few hours. >> let's talk about the world moving into the internet becoming something. talking about the computers and

phones it's the same better in the devices. while the software and engineering is the same, the fundamental difference between your spreadsheet crashes your car crashes and you lose your life. the computer and software is the same but the effects are you night and day difference. i have a thermostat i can control from my phone and if someone hacks into it, in the middle of winter they conversed by pipes and that is property damage and different from a few websites going down which i agree. it annoyed some people for a while. it didn't hurt anybody.

..

six >> >> but it will not be borne

by the person who bought that but by all of us so it is incumbent on all of us to secure the infrastructure and that is the solution is very similar in conception the technology is very different. >> i have almost question he seemed to believe that regulation of some kind maybe part of the solution by have heard other arguments that regulation of devices connected to the internet will constrain innovation. day would agree quick. >> yes. it will. in the world and dangerous things you cannot just one build it because it did hit somebody's house he may not care of me being drawn but from medical devices that may be that internet era of fun and games is over

because now it is dangerous their actual robots. satellite killer robot sitting there mistaken should be regulated. so this will constrain innovation and so this is what we do know when innovation can cause catastrophic risk is shutting down all the power plants and all the cars it makes a possible police and these are real risks. >> the gentleman yield back. now to the gentleman from new jersey. >> good morning to the distinguished and panel. i do agree this is one of

the more interesting panels so i would like to concentrate on three of them. use a security needs to rebuild than to the security not added don so can you expand when that might occur and talk about the security problems that is a poorly implemented product and in the early design of these devices they can never succeed so that is why you

have to build the end. if you have a residual risk to hand off to the consumer there are some sweet spots we can try to mitigate the risk it is extremely hard. >> how low we did that initially quite. >> but it is all about understanding those risks which risks to except which mitigate or to pass on. >> can that be done through the consumer market or from governmental control? we have mandated air bags and seat belts to be built into the automobile

initially not just added so will this require that governmental mandate correct. >> a do believe long-term it will be a mandate only because my experience working with industry that all had the authority to do the right thing because it don't have the drivers, so just to cite an example from the medical world talk about safety of over-the-counter drugs whiff the poisonings in chicago from cyanide we have the scene that moment with iot but we know that it is there. >> whiff her of observations come to take some comfort millions of and secure devices are small faction of

what the market would resemble in 2020. .com and this is just that the beginning. >> that is correct and to have that security ecosystem and we can fix it we should not give up hope and. >> do have a rough estimate how many are in and 20/20 s index of between 20 and 50 billion a think is a reasonable estimate. >> number seven of the observations there are tens of thousands and cybersecurity jobs in this country but those are insufficient to train a

large number in the workforce the level needed this area. what do the great universities need to do in this regard and also with level of community college greg. >> to play a very important role as redevelop the skills that. actually 209,000 over 1 million unfilled positions globally. but universities need to shift and adapt. right now we're overrun with the students. and then with those positions for cybersecurity and then be wonder why nobody supplies.

and with uh distinguished panel thank you very much. the gentleman from california estimates this is great stuff happening with 2 million of the iot devices may handle the 150,000 were used and the attack. for fr they still capable to carry out new attacks comics gimmickry have taken that as a whole but yet is still a 1.6 million strong. >> and real physical devices quick.

>> botnet is that they're doing attack that the operators can generate any protocol of any application that they want from those machines to direct the attacks of a very specific nature to their target. pdf. >> the saving grace is nobody can afford those 1.7 million notes. so of those adversary to see the power into following similar nature. >> so so to incentivize social security so what types of incentives do believe would be effective with the risks that you have outlined by.

>> all comes down to accountability whether economic or liability. there is no benefit. and then to answer with the yes or no. and with those irt devices. >> and the alternative. and with those devices with the additional specific requirements.

>> so with a wide range of products and then to apply different standards to those devices. >> that allows people to apply specific requirements of which shows devices operate. >> but they do different things. and then with those devices with porous security is pretty clear that this a solution not have a problem. such to extend on that of the abet. if so consumers would

increase the quality of life don't trust it is safe it doesn't take too many more horror stories before they go back to their ways. so to enable innovation in the short term you may see a short-term problem begins you're interrupting the product life cycle but it is actually producing new innovation with car safety regulation. >> you also mention to incorporate of cryptography? >> and there are some cases of medical devices for

instance cryptography does draw more power and can reduce the of battery but in the general case that is probably the right insert to avoid that. >> i yield back. >> this has been informative to me. with the of memorandums like botnet or terabytes but it is interesting in that as going to let him finish his thought but when we write the regulations to address this that we cannot be too

prescriptive and i certainly understand that with the agency's. that we have to be careful in a lot of other areas and then go further. and then to be more specific and to find the right balance. and to be interested is computer science technology there is that thought. >> many of these industries are trying desperately to hire experts. i found one they tended to quit fairly often and at the

career fair you will see a line out the door and for eddy's other industries it is very difficult not only because of those insufficient workers to be trained it appropriate security but because the competition is so great. >> says they say go to work with the general logic? >> that is why they pursue that. and then outside of that district but my refrigerator will send tweets.

>> with your testimony and then to be reinforced many times. so talk to us about vulnerability is and how they are shared. and with those vulnerability is in the consumer world that is a coordinating agency working in concert with d.h. us to collect information and then provide to manufacturers. the other pathway is the rewards between researchers and the company's and the other that is disturbingly popular the before there is of a chance and to evaluate to that report is true. >> talking about that they

will look at the least secure devices one is the general level of security in the recent attacks prompted any conversation you are aware of? to a casino good news even in my own home icy devices in any one on the internet could just break in. i have no good news on the security built-in. >> i yield back. >> the chair recognizes the gentleman from new mexico for five minutes. >> thanks for holding this important hearing for the ranking member. this is an important discussion of cyberattacks

with digital and physical space with the proliferation of cyberattacks all across the country man and to be called out by the national security teams. pertaining to the development of iot with the robust and infrastructure of america, we also know there is more dynamic networks to results from that. currently looking at ways from all devices to monitor protect have to address the issues of dynamics to joining in closely monitor to detect and respond to malicious behavior. talk about the importance of

us moving in that direction with the national laboratories whether in a secure or open space? >> so talk about how to do this type of security well this you have to know your assets that is what you are referring to an second those that matched the specific risk in the third one that we forget is to continuously monitor the effectiveness to deploy the security prospect today may not work at all. beers while i am little skeptical of those that claim and no the networks as a fact most hospitals refuse to look at the security

because they're afraid of radiation therapy devices but they have actually read booted the security product if you're in a facility with nuclear materials i would be very skeptical of the claim of how well they have survived. >> is there a benefit working with these assets? >> i think there could be a benefit with safety critical issues but there is quite a bit of expertise of the imbedded security. however bayberry interdisciplinary problem coming up in my reports they often tell me we don't have the in-house expert with that situation where any try to help you find a partner.

>> as more infrastructure is bought online from inception to delivery what we can do to secure through the internet of things operating systems to secure the protocols. >> so this is part of the problem so that the left talks about lettuce surreptitiously to send copies of your text messages to china on the plus side it was cheaper but we are worried about switching equipment that comes from

china that there could be a hardware switch and these are very complicated questions. anyplace in the stack we could cause an insecurity lots of people are working on this but it is an extreme worrisome issue so this is an american device made in china and many others are meeting countries that may not be as friendly to us as we would like. and while hopefully will detect these things right now there is an edge it is easier to hide the vulnerability than it is to detective. the nsa uses that to spy on

the enemy so there is some good but by and large it is dangerous. >> we need to submit a question relating to the of hardware than we can expect that conversation. >> your time has expired recognize the donald and from texas. >> i have to a mitt last item lost a little sleep preparing for this hearing because we've focused on a september 21st on the strike with over 600 gigabytes per second and then one month later the

same bad actor because after nine years in the navy that the senior staff in four terms of the house i know the biggest threat to our security and prosperity is cyberattacks and cybersecurity but what bothers me the most execution is from the football field here are the defenders that is exactly what they did but yet they have the success 600 gigabit

per second and so in this environment we have to be proactive our government has to be proactive. the people would shake their heads and smile but somehow we have to come together and the love your term meant to elaborate to run for congress and win her should we help out the american economy?

>> thank you. first the built-in not bolted don has been used for many years but i would say to get out in front of a problem to be proactive we have not even done what i consider the five were talking to my students have to do the pre-lab to get firsthand information. that is right get my firsthand information. to pick up for story after horror story. i cannot really that to you begin to have not seen the people that i talk to you we need to go to the university to see with the struggles are happening.

i believe will probably start thinking to have that built-in is economically and know what that would resemble could be more financial incentives? is about corporate liability i don't know the answer of the mechanism but we need to have more congressional visits. >> how do these healthy organization help with cyberattacks? >> i believe that i intrigue entirely whether business buying or consumer buying technology we have the right

incentives whether economic regulation i completely agree with that mindset. i do think there is the significant number with regards to each of those ideals with convenience and use of health and safety. >> very quickly how to approach this from the federal government role. >> and now with the speed of technology they used to be the laws could lead technology and now it is reversed so we have to figure out the regulatory structure that we cannot focus on technology or rely on that because that is the very end.

it is basic and not sophisticated. >> i yield back the balance of my time. >> in the chair now recognizes for five minutes. >> having spent nearly 30 years of my professional career in over technology of what to get more into what we are talking about particularly with the connected devices. but as i understand it, these have been around almost as long as the internet. they have certainly gotten worse over last few years but we know how to defend

them using the technology like the ip packet inspection can you tell us a bit more about those techniques what they had then successful greg. >> every three years we encounter the evolution of the capability. been to have the global internet of the adversaries of the new capability to direct that the capability. so the community has been fairly proactive to investigate what those bad guys are doing to make sure

that capabilities are built into the platform and by redirecting traffic and scrubbing it. what scares us about iot attacks is that typical botnet is in the tens of thousands one of the devices the of the network capability in that we're taking with great notice and with the majority of the defensive techniques targets the way the traditional attacks with amplification?

and regardless of what of traffic looks like woburn to have the upper and lower control so that technology is geared of that control parameter but that big issue is the scale of to comment that dictum -- victim. >> so to get to the heart of the matter be coz from what we have been told this botnet does not use that is an accurate quick. >> correct to have any protocol.

>> so instead of the botnet is bought out of these individuals connected devices and there are millions of them out there that are so numerous that spoofing is a necessary? from those connected devices to make if you want to send a large amount of traffic but with a device like this you don't need that. >> when we were talking about a defensive techniques looking at amplification if you begin to allude to the house those techniques like that package inspection

workout effective friday quick. >> i say probably more effective so the overall capability is more capable but again i will go back to the scale that a lot of that technology is built with the hundreds of thousands of inspections as opposed to the millions. >> but it is safe to say we have a lot of work to do to handle this new threat. >> i yield back. >> i am understand that a brand name devices are

generally safer, it claimed to put on low and manufacturers with the attack that happened and october? >> with specific regards the vast majority from other countries that they have not contemplated that idea to be is in the fashion some were mortified to wrap their heads around cybersecurity because they have every belief consumers would continue to purchase their product spinet this is directed to all of you so water some ways hard red and software manufacturers can band together quite.

>> but together we interdisciplinary. function follows form with the educational system and they don't actually have the education it is very important to educate people in a way to bring the hardware and software together for to be skilled and trained to solve these problems that is something i would do personally with hardware and software

because that cannot be abstract away any more. >> it is challenged. >> thought it is a challenge because the company's that made the deep puerto rico got a tip because they put it in their device say so that to another company then you have a chain so banding together rebury difficult and now giving the reason it is hard. i don't have a good answer.

>> that is why we put him last. >> i would say i greet with cheap iot the focus primarily is on the specific set of applications they get the base line operating system and don't know how all interconnects together. but the emerging iot to be interconnected to be more disciplined with those disciplines together as / zero as to achieve that hire security standards so it is

a long way to go. >> with those cyberattacks and with the same services. >> presumably, yes but because of what was targeted and then to launch an attack.

in net to what extent quick. >> is the entry point to take over the army of the agents but in my testimony i show the medical devices. and through other iot even that we rely on passwords that all is a problem. >> my time is expired high-yield back. >> the chair recognizes the gentleman for questions. >> >> >> with the internet of

things devices dr. it appears one of those reoccurring problems as the and secure operating systems that is easier to infect with the target with the denial of services. have you seen industry react to these issues with the more stabilizing systems or are there other impediments to the switch quick. >> i have seen down but like most there is a wide distribution. i still seek windows xp that is decades old and a water treatment facility in michigan controlling water pumps for the city. windows expertise in is

susceptible to already mideast malware doesn't take anyone much time to cause a problem it is all about the economics blake linear accelerators multimillion-dollar machines certainly one of hospital buys a device that would get a new operating system because it comes with the system but most have capital equipment costs they don't want to have to apply the new mri every tenures issued last 20 or 30 that is why you will still see windows 95 or windows 98 been in hospitals because we say we really want to have the operating system to keep secure they say by a whole new machine. so there was the unwritten assumption the software is maintained but the health

care community felt it should have been kept secure and maintain the from the manufacturing standpoint it was not. >> so those in the act over attack were situated overseas but how'd we protect ourselves from those outside the u.s.? >> i will comment briefly. i think the important thing about computer security is not to put yourself in the secure environment but tolerate the insecure environment we will never have networks that our full of rainbows the network will always be high style we just

need to make sure it can tolerate that malicious traffic however attacks are extremely hard to defend against it is where we are these prepared. >> two things. u.s. regulation especially through the major markets can cause a new environment because companies will not make too devices. it is one device to sell that so we can make a difference like we can with the so many other industries but the doctor is correct ricans never assume that it isn't going to be a combination of the devices to make them more secure which means it is more minority to build the infrastructure controls and it will always be that.

>> i have one more question. >> we have a fundamental belief for those that are based on reputation and the more that they can win collaborate together how much better prepared we will we been. >> one of the biggest concerns of denial of service from hospitals we already know they are targets so the question is how can hospital's best protect themselves from their current threats to prioritize the health care sector question mike and short-term there isn't a lot of mitigating solutions. the best thing that i can

recommend is the inventory of medical devices talking yesterday in the deep just report hospitals don't even know what they are running in their facility in the manufacturers don't know. if they knew we could better understand the risks. >> i yield back. with. >> the chair recognizes for five minutes. >> i will follow-up to displayed more what is your concern that is the device used in the hospital but the hospitals are not aware of what is on those devices and what mechanism should be have for the asa hospital systems are fully aware of what is in their hospital quick. >> right. so to frame the context they

want to make sure that they have operations of the clinical work load so the problem is when you don't know what your assets are hardy project that? if you don't know what ports are open, the manufacturers are not providing enough information so loss bottles staff can do their job to ensure their facilities so to provide that bill of materials was software comes on the device will not completely solve the problem but will help you cannot do step number two until you have stepped number-one before you can effectively control the security mitigation controls. >> that has life sending a - - saving ending implications so what factors are you most concerned

about? of that sector integration that the system is not known ? >> water gas or electric how people laugh and say we don't have security but we will not be laughing when the lights go out to cement looking at sectors is more about interaction. if you ask somebody if they vulnerability one of the web camera can affect twitter people would say no and be answer if this could mitigate the attack and we're not sure. it is the emergent properties that causes those will abilities if you focus

on the sector you're missing the big picture there of computers whether wheels or propellers and they affect each other on the same internet so wait urge you to think illicitly. there are sectors that our more vulnerable or critical but the cause of that comes from. >> so what you're thoughts but if hacking back or some other should be permissible? >> i know this is a fairly large debate within my industry. we have these conversations and other regular basis in free know where a particular exposure exists we can write software to patch that to get the malware of the

system we are better protecting the consumers as a whole. and i think that is a fairly dark road to go down that it is an excuse to provide those right incentives in a potentially has impact that the author writing this offer is a necessarily aware of putting that broad set of devices out be. i see your more of a the consequence and bend the right incentives. >> going back to the question of whether or not we have the appropriate safeguards in place, to moderate 9,000 job openings right now and what are their programs or the degree programs are the certifications that should be offered we are not

offering one at the institutions are training programs is there a degree necessary or do we have to have different types of certifications? >> all of the above especially indebted cyber security is a discipline. and that the community college and graduate studies in for your and with the master's program for the already skilled workers who are experts at designing cars but how do build security into the thinking are there enough opportunities for them to come back to get the training. also the pipeline. with engineering and and to tap the new resources and demographics we need to do much more outreach to

high-school with those kids to encourage them to go into these fields especially women and minorities were. >> i yield back. >> five minutes. >> thanks for being here to elaborate on these issues. is it accurate to categorize these attacks is the international issue greg. >> absolutely. the device manufacturers were for the majority of the locations was foreign. most of what we talk about today would not have a direct significant impact in the october 21st attacks. >> are there any other countries that are focused on these issues right now?

>> yes. there are a number of countries that are very progressive cybersecurity with great britain as an example of the cybersecurity work to the telecommunications sector if you're going to be offering telecommunications services that you have to be certified. >> do you see any type of consensus pdf? >> what recommendations would you give to congress to help the conversation correct. >> i will go back to my original point that i do believe we could get some pressure focused in this

area to have that buying in investment patterns that by setting the standards the domestic and international groups coming to set the standards to force those buying behaviors of consumers that is a major step forward. >> allotted reports are indicating the number of connected devices we heard between 20 and 50 billion devices but what should they think about and general regarding several security or what does that take away? >> i think an innovation is progressing faster than what tends to happen if you go on that biorhythm of lack of unforeseen consequences.

our ability to adapt and respond is what keeps the infrastructure protected so i think i average they have to manage different servers tubal condos products of what they are purchasing then there is a significant consequence sewed to focus on to make sure the market controls are placed with an ever structure is a significant and adaptable win for us. >> with the issue of the default passwords can you elaborate off quite. >> that is intrinsically and insecure one -- any password

system would encourage unwise behavior there are some technologies out there that is called to factor authentication with the mobile phone in addition to a password but at the heart of it we need to figure out other ways and i will encourage the a other witnesses but i feel we really need to retire passwords and kill those soft because they are bringing down the most sensitive systems. >> there's always a role for passwords with low security devices only the sandinista be secure for a short period of time but in general they have outlived their usefulness but with a code that comes your phone one or secure this with my finger print there are many other

systems that give more robust authentication and that would go along way with a lot of the systems to help secure that talking about the different ways to break into things of your vulnerability is the way you are excluded also bad user practice of i could get rid of those or reduce one that would go along way. >> i about of time. >> the chair recognizes a follow-up question. >> this is a little philosophical. you mentioned the tax are easier on this complex system so take that complexity opens up new folder abilities but they build complexity to defend

themselves so is there something we can learn from this quake. >> over the past decade there is a lot of research to move that biological metaphor the security there are some lessons in biological systems that will sacrifice the individual to save the species. one. . .