
tv   [untitled]    February 8, 2012 10:00am-10:30am EST

10:00 am
from our witnesses. thank you for being here today to share the information that you have in your testimony, and we are going to start with mr. bill conner, who is the president and chief executive officer of entrust. mr. conner, we look forward to your comments. >> morning. it's a privilege and honor to spend a morning here with you out of the cyber warfare game to discuss and educate what is happening below the screen. i'd like to focus my early comments on the arms race on one particular vector of security, and it's called man in the browser. that vector of security is probably the leading cyber stealer in the world today. it's been around a while and it has been impacting small and medium business.
10:01 am
specifically, it's known as zeus. it's commonly now combined with spy eye. for those of you who do not know, it was the original man in the browser and went by the name spy eye. their tools and technology were next generation. in 2010, behind the scenes, as law enforcement began to attack it, the man took his money and ran. now you can buy it off the internet and buy it with 24/7 support. no longer do you have to create
10:02 am
the code. now you can buy it. how does it work? it's complicated. you cannot find it with the traditional software that you have on your desktop, whether it's the anti-virus; it's cloaked and it's targeted at small/medium business, because it's for money. it targets a business that probably does not have the technology or banking understanding with its suppliers that know how to work with it. i am a small business and go online to my financial institution. i try to move $10,000 to a supplier; i have an agreement with my bank to have bill pay. i type it in and the bank sees
10:03 am
it, but before they see it, this software wakes up and changes the dollar amount from $10,000 to $100,000, and what the bank sees is $100,000 going to six people. and the bank says it's on your ip address and your location and i'll send it back because i want a one time pass code, 30-year-old technology that we are applying to the digital world. it sends it back to the controller of your business and says, please confirm by putting your pass code in that will expire in 30 seconds that you authorize that transaction. that software wakes up and converts it back to $10,000 and six payers back to one and you type in your pass code and send
10:04 am
it back and guess what, that $100,000 is now gone from the bank and the bank loses it and that feeds it back to organized crime in the world. unlike the personal side where i'm protected by fdic, my friends, you are protected by nothing as a small/medium business. the contract you have written, if you look around this wonderful country of ours, there's no clear case law; there's case law on both sides of this, because the bank said i did nothing. we had cases overturned even though the business did four transactions in the last year and 20 transactions happened in six hours totaling $2 million, and that is what is happening. the technology exists to deal with it today and the banks know about it.
10:05 am
our belief is straightforward. much like wauquality, there wasn't a lexicon to deal with this; we need one. we need to do it over time. that is why education is critical. the second thing you must do is have public private partnership. i can tell you the legislative laws around this do not work for anybody and you have to break public/private at different levels, from intelligence to the people like me who try to secure the u.s. government and others, to energy grids where the department of energy works with those types of organizations. and finally we must take a unified effort in public and private to defend this, because it's an arms race and it's a pace as we mentioned earlier. thank you. >> thank you, excellent testimony. i think we will have to recess so we can all go deal with our campaign accounts and
10:06 am
we will be back in about an hour. we really appreciate and look forward to getting into questions with you and exploring it further. we will go to mr. robert dicks, who is with juniper networks, which i believe is from your district? >> proudly. >> thank you. we are delighted to have you here; thanks for coming the distance to share your information with us. >> good morning, thank you for inviting me to testify about cyber security. our company is a publicly held company located in sunnyvale, california. our networks are embedded in all manner of the nation's infrastructure, including power plants and water systems and transportation networks, to name a
10:07 am
few. networks have shown to be resilient, but the risk continues to grow and change and our efforts must be sustained. we are working every day to protect against cyber threats through industry collaboration and partnerships with government. let me share just a few examples. in 2007, a group of private companies came together to address the development of software products. a group of companies set aside their competitive interest to deliver a series of written deliverables that are available to the public at large. they addressed the need for global response by forming the
10:08 am
internet group for the advancement of security on the internet. the competing companies routinely share information in an effort to mitigate abnormal network activity globally, because the cause is greater than any one company. across the 18 sectors, we have organizations such as information sharing and analysis centers, since 1988 working on operational issues, and we have sector coordinating councils that sprang out of the protection plan. the cross sector coordinating council has been working with the federal senior leadership to advance the mission of cyber security. in fact, we are working with the administration on the implementation for national preparedness and the update of
10:09 am
hspd 7, regarding cyber security. mr. chairman, the number of users connecting to the internet and network will continue to grow. global internet traffic is increasing at 40% to 50% a year and expected to grow to 40 billion users in 2014. the growth in social media is rapidly changing the workplace and how we communicate. for example, an average of 10,000 tweets on sunday evening during the super bowl. this is the essence of technology: it lets us do what we could never have imagined, and that includes those with bad motives. it has changed the banking and sharing of personal information. and so this discussion must be a
10:10 am
discussion on economics. there are two sides. if we focus on technology and technology development, we are likely to miss the technology and solution adoption. the market is delivering information at an unprecedented pace in history, but adoption of available solutions has not kept pace and should be a topic of further examination and discussion. many low cost solutions are available to improve any user's protection profile, and accordingly there are things we can do together. it is reported that some -- % of the vulnerabilities are the result of no cyber security. this is basic blocking and tackling. it makes it more costly for the bad guys to do harm. when our nation was confronted with the threat of the h1n1
10:11 am
virus, we mobilized to tell people how to lower their risk of infection. and we have the same opportunity to educate the public on how to protect themselves. we must move beyond thinking of the challenges of today to think about the risk profile of tomorrow. today's cyber attacks are more complex and difficult to detect and target classes of users, even specific users, gaining access to valuable data and causing harm. with the commitment to working together in a collaborative manner, the united states will lead the effort to secure the critical infrastructure. on behalf of my company, i thank you for the opportunity to testify before you this morning. the threat is real and the
10:12 am
vulnerabilities are many and the time to act is now. the american people are counting on us to get this right and we look forward to the -- to working together on this problem. >> thank you. we go to dr. james lewis. doctor lewis, thank you for being with us. we look forward to your testimony as well. >> i would like to thank you for the opportunity to testify. one thing that military and intelligence experts would agree on is that the cyber security problem is getting worse, not better. there's evidence that what we are doing is not working. most experts believe that we will not change our laws and policies until there's a crisis; i hope they are wrong. we recognize the growing
10:13 am
dependence of our economy on cyber space, and it was testified last week how iran is eagerly developing cyber attack tools. and fbi director mueller testified that the threat we have comes from terrorism but it will come from cyber attacks. this is spreading from small advanced nations to other groups. there's disagreement on when hackers will disrupt critical services in the united states, but some estimates are in the next couple of years. cyber attacks have damaged national security and american competitiveness. i was trying to think what i could say that was different and i remembered i had some of the
10:14 am
first meetings in the clinton administration on commercializing the internet. we thought it would be used for e commerce; we did not expect a premier vehicle for attack. we thought if we made tools and information available, if we freed up encryption, people would voluntarily protect themselves. we were wrong. we made the same mistakes when it came to infrastructure protection. the cyber protection varies and usually it's not enough. there's a limit on governments and companies cooperating and sharing information;
10:15 am
in any case we need a coordinated defense. we finally did not expect to face world class opponents, as you heard from some of the earlier testimony, even mid-range with access to world class tools. we underestimated threats and legal obstacles, and i would like to point out that congressman rogers' bill would be useful if we could get it passed in removing some of the legal obstacles that hamper our ability to provide an effective defense. the big telecom companies are pretty good at securing themselves but the other sectors are in bad shape. some people say regulation is burdensome, but if we do not protect ourselves we guarantee attack. regulation does not damage
10:16 am
innovation. partnership and cooperation must be more than an exchange of slogans. australia has a good model, we heard about that, where the government encouraged internet security providers to have a code of conduct to deal with malware, and finding the ways to use dnssec. it's a fundamental rule set, the addressing framework for the internet. we identified problems with it 20 years ago and identified fixes for it six years ago, and this is an approach that, if we could get people to move faster, would be wonderful. sharing classified information is another way to do real cooperation. there are opportunities to improve cyber security, but
10:17 am
taking advantage of them requires a new approach. we all realize the scope of the problem and everyone wants to do stuff. hearings like this provide an opportunity to find that new approach that will serve national security. i thank the committee for the opportunity and look forward to your questions. >> thank you, we will have a few for you, especially on the australia model. we will go to mr. larry clinton, chief executive officer of internet alliance. we look forward to your comments. >> morning mr. chairman and members of the committee. there's been a change in the cyber picture in the last 24 months. the main concerns are not hackers and kids in the basement; cyber attacks have grown sophisticated using what is referred to as the advanced
10:18 am
persistent threat, apt. they are pros, highly organized and well funded and often state supported expert attackers that use sets of attacking methods, both technology and personal. they target a system, and if they do, they will breach it. conventional defenses do not work against the apt; they are evading all anti-virus, intrusion detection and best practices, remaining inside the target's network while the target believes they have been removed. it means we need to modernize our idea of what cyber defense is. traditional approaches, including federal regulation, will not solve the problem because they will be reactive and not stay ahead of the problem. worse, businesses will be trying to build efforts in house to
10:19 am
meet the demand instead of dealing with the security. our biggest problems are not technology; they are economic. independent research has consistently shown that the single biggest barrier to combating the threat is cost. president obama's cyber abuse study showed that the tools exist in the marketplace but are not being used because of cost. to reach an acceptable, not ideal, acceptable level of security in infrastructure would require a 91% increase in spending. the private sector has been responsive to combatting the threat. average spending is $67 million a year with government, including -- we have never had an instance of serious breakdown, similar to what we have seen in
10:20 am
the environmental arena. this success is due in large part to the flexibility generated by the current system that relies on voluntary partnerships where an industry can manage the system best and use their knowledge to respond rapidly in a fashion they believe can best protect the system. nevertheless, there's a great deal that congress can do and the commerce committee can do to improve our cyber security right now. first of all, we need to get the government's house in order. the gao and doe inspector general have seen systemic problems in managing cyber space and that needs to be addressed immediately. we need to provide the right mix of regulation. electric utilities, water, transportation: the current structure can be used to motivate and fund needed cyber
10:21 am
advancements. for industries where the economics are not inherent to a regulatory structure, adding one will make us less secure, impeding the putting in place of security. we need to spur greater security and investment, and a good example is rogers' bill that passed the committee a couple weeks ago, which used liability reforms to stimulate sharing. that is one of the many things that needs to be released to help the situation. we need demonstrated security improvements and greater use of private insurance, streamlined permitting and licensing. this incentive based approach was spelled out in 2008 and was endorsed by president obama in the policy review in 2009, and by the multiple trade association
10:22 am
and civil liberty security paper in 2010 and the house task force in 2011. a great deal of work needs to be done to see how they can be used, but in the meantime, reform and rogers' information sharing bill should be done, and passing that package of cyber security reforms would be a historic and politically achievable goal. ladies and gentlemen of the commerce committee, you are dealing with the invention of gun powder; mandating thicker armor will not work. deeper moats did not stop the attackers. we need a different approach, a creative approach that engages the private sector with government, not have the government control what the private sector does. we look
10:23 am
forward to working with you. >> mr. clinton, we appreciate your testimony. next our final witness is phyllis schneck, executive of mcafee. we look forward to your comments. >> good morning chairman walden and other members of the subcommittee. thank you for your interest in cyber security. my testimony will focus on four areas: the communications unique role in cyber security, policy recommendations to enable greater cross sector cyber -- my father is one of the first in super computing in the country, and taught me how to write code, and i know how to exploit code,
10:24 am
but i am passionate about protecting that. outside of our company, i ran the fbi program and grew the program from 2000 to 33,000 and today chair the national board of -- has companies with the fbi under the same roof and other organizations in government. a bit about my company: we are based in santa clara; we protect businesses and individuals and government all over the world from security attacks. we enjoy driving the innovation that goes directly to the hardware. the buck stops at the
10:25 am
hardware; the attackers can get in several ways, but when the hardware knows not to follow an attack direction, then we have the attacker. there are two kinds of companies and agencies around the world: those that know they are owned and those that don't. we are looking at the mass movement of money, markets and jobs between countries and companies and the threat destruction. they have no legal boundaries or policy boundaries and in many cases they have plenty of money. they have no obstacles to execute on our infrastructure, which leads us to the role of the internet service providers. in the days when i sent my packets between my sister's and mine, there was nothing there but one address and another, but now we have a series of routes
10:26 am
and the enemy has used our great cyber infrastructures that we built around the world as a mass executive transport system for malware, but it is delivered to the grid. isps can play a key role in cyber security. they are doing it, but they have challenges. one thing they can do is detect the malware, and imagine if our network fabric was smart enough to not route bad traffic and only good traffic and demand more secure technologies from the market. demand that they are armed to not let malware run. as we said earlier, it's up to every system to be hardened and every company and user to harden
10:27 am
their enterprise. the challenge of the isp today? you have the stored communications act. it prevents sharing information outside the telecom, so imagine, we cannot make that rule because we cannot combine our information together. secondly, it costs a lot of money. clean bandwidth costs money and users are not willing to pay that money. first and foremost we can put threat intelligence together and build a global map of where the enemy is at any time. we see a risk profile in every address on the internet; other companies and governments do that. if we can share, we can make a global picture and prevent it from running. keep the enemy out. so for the policy recommendations, we support the recommendations in representative thornberry's
10:28 am
work and sharing tax reforms and tax credits and enabling the government to finally facilitate the good information sharing to put that information together, to not only provide liability protections, protections for privacy and civil liberties, but to balance out the advance that the adversary had over us to now, so we can feed it to the fabric and have it grow and feed us the information in return. we have to work on this legal and policy framework for global information sharing, and thank you very much for requesting our views on these issues. i look forward to answering any questions. >> impressive testimony. thank you, thanks for all the work that you do to try to keep us secure. we will go into our question phase and i wonder, mr. clinton, you talked about incentives and
10:29 am
were fairly specific. can you dive down deeper into what that means? >> certainly, sir. thank you. we are supportive of the approach that was articulated in the house task force report that a menu of incentives needs to be presented, because different industries are attracted by different things. the banking industry may be buying an insurance incentive and the utilities perhaps by getting rid of the outdated regulation that is based in an analog form. you need a set of incentives and on the other hand, you need agreement on what needs to be p