
tv   [untitled]    February 8, 2012 10:30am-11:00am EST

10:30 am
we spoke of before, is we need an independent entity that does not create the standards or practices but evaluates the standards and practices. an underwriter's laboratory for cyber security, if you will, and then organizations could choose to elect a higher or lower level of adoption based on their business plan, and their business plan would be improved because they would have access to lower liability costs and lower insurance and a better chance to get a federal contract, etcetera. so we are saying that we need a new system, not a government mandate system, but a system where there are government roles such as providing the incentives, and there are independent roles, and then responsibility for the owners and operators. now, in those sectors of the economy where the economics is already built into a regulatory model, then you can use that
10:31 am
regulatory model, you do not need a new one, you can use it. if you are dealing with the utilities, they have a fairly detailed regulatory structure. the problem that they are having is they have mandates at one level, so there has to be a correlation done on the government side, but basically we think you need an independent set of entities indicating what needs to be offered, and that can be done, and government needs to provide the incentives and industry needs to implement them. >> when you and your sister were trading packets instead of sleeping, that was when this threat was computer to computer. now, we understand it to be bigger than that, broader than that, and whole networks that can be taken down. can you describe
10:32 am
what those threats look like and what should happen there? >> absolutely. we did that over a 1200 baud modem over a phone line. >> i remember putting the phone in the coupler. >> the threat looks at an instruction that executes off the side of memory. it's where the computer grabs the next instruction, what do i do next. it's that i'm controlling my will on your machine, whether i'm telling your machine to send out a lot of traffic or adjust something that changes the settings on something that controls circuit relays. my will is being changed on your machine. i'm executing on your machine. you can buy these exploits on the net and you can unleash botnets, and it looks like a spreadsheet and you choose an
10:33 am
address to send it. and you are buying someone else's code. it's called malware. the idea is to catch the ip addresses that are spreading it across the internet, and that goes to the global threat sharing. i cannot forecast the weather without the weather from all the different states and countries. and that comes from information sharing and the ability to detect an instruction that is doing something that it should not do. that means i can run even if the enemy gets in. the enemy gets in, and the disease is in your body, but it will never hurt you. you have to let them in, because they will, and we have to be resistant to that. instead of judging every instruction, are you good or bad, just know what is good and don't let anything else run. and down at the hardware level,
10:34 am
know what should be accessed and not, and block it. >> i'm glad you are on our side. >> and mr. conner, as you were talking about zeus merging with spyeye, some of us wondered, maybe that should have gone through an fcc process and it would have never happened. okay, now we will get serious. i'll turn to my friend and colleague from florida who has brought so much to this debate. >> i want to thank each of you for your outstanding testimony. this is one of the best panels that has been assembled on a given subject matter and it's highly instructive. i cannot help but feel like it's trying to get socks on an
10:35 am
octopus, though, it's massive. i think that we all have a pretty good sense of what the threat is. i do not think that we have a clear picture of really what to do with it. there are so many agencies. there was a mention of a 1986 law that i want to hear more about. we have talked about public/private partnerships. we know that 95% of this is in the private sector and 5% in the government. where do we begin with this? what are the legal roadblocks, as any of you see them right now, that are holding us back to do what my next question would be: what is the new paradigm? if we
10:36 am
have good pieces in place, what should we keep and what do we get rid of? and to dr. schneck, do you agree with mr. clinton's notion of an underwriter's lab? that sounds interesting to me. i don't know who wants to begin with what. maybe with legal roadblocks that you know of. i think it was dr. schneck, were you the one that mentioned the 1986 law? i'm not familiar with that and what it's blocking. >> so i'm not a lawyer. >> neither am i. >> the overall premise and reason i mention that is the adversary has the ability to operate quickly because they have no roadblocks. if we can put the instructions together and the intelligence together to work as your body does. it attacks a virus that comes in, it knows that it does not belong there, it does not need a meeting to do so.
10:37 am
we need the internet to do the same thing. the machines that route the traffic need to know when something is bad. that means that we need to get data from all sides of the equation that we control. from the private sector, we need to combine it with data in the government sector. and then some of those laws actually prevent the isps from combining the data together. i do not have the answer legally to make it work while preserving the civil liberties and privacy that is crucial. but we have to find a way to put in, at the indicator level, that this is an enemy. >> would that fit in with mr. clinton's idea of an underwriter's lab, or not? >> it's different. >> does anyone tell you that you look like david gergen? i keep looking at you and saying
10:38 am
you remind me of someone. >> i agree, we are talking about kind of different things. first of all, with respect to legal issues, after he got elected, president obama had a security review, and the largest portion of that is appendix a, which is a thick document going through all the legal barriers that need to be reviewed. essentially what we have is a whole bunch of laws that were written for an analog world, and we are digital now. we need to work out the technological underbrush. some of those are regulatory and could be offered as incentives
10:39 am
to get away from burdens. some of them, for example, are duplicates. they are auditing requirements, and we are okay with that, but there should be one. there are multiple local, state, and different agencies that are involved in this, so organizations are spending time and money doing redundant things. we should strip away a whole bunch of those sorts of things. and the last thing, on where to start, i suggest that congress start by cleaning up the federal government's roles and responsibilities. and you can make progress on that while we continue to work with the public/private partnership model that we have. >> thank you, i'm out of time. thank you. >> i'll -- i'll yield to the gentleman from nebraska, mr.
10:40 am
terry. before i do so, we need to get this appendix a and get a task force. >> where do we start, mr. clinton? >> we need to start at the federal level and between government at the federal, local and state level. so, for example, i mentioned the problem that we have in the utility sector, where we have mandates that exist at one level, but funding comes at another level, and what we have to do is realize that solving some of the cyber security problem is going to cost us some money. unfortunately, when you have state and public utility commissioners, they are not wanting to increase the rate base, but we have to find a way to get a pass-through on some of these things. a good review and scrubbing of the governmental issues is one place to start. at the same time, we have a lot
10:41 am
of activity already going through the public/private partnership that can use a number of these things. mr. rogers' bill is a good example, and we need a really concentrated effort on working on these other incentive programs that are started. exactly what do we need to do with the insurance industry to be getting them to be bigger players? >> in what way? >> well, you know, i mean, private insurance is one of the most effective pro-social motivators that we have. people drive better, they give up smoking, etcetera. >> cyber insurance? >> sure. the problem that we have in insurance, a couple of problems, but one is that we don't have enough data because the data is being held. >> doesn't google have all of that? >> pardon? >> i'm sorry. >> a lot of the insurance guys -- >> you were so good at humor i tried it. >> a lot of people want to share
10:42 am
data, but that runs into anti-trust problems, to share data for rates. but if we could get them to share that, perhaps in a public/private partnership, we would get a better view of what the threat is. right now they set it at maximum. we think it would bring down insurance rates. when you bring down rates, more people will buy the insurance. when more people are buying the insurance, more insurance companies will come out, and we can use insurance to motivate better cyber security investment. >> mr. dicks, one question for you, and you can add on wherever you want. for most users it's a matter of cyber hygiene. you pulled out your soap and you wash. what can we do, and what can you do? >> so, again, as i mentioned, we
10:43 am
need a sustained national education campaign that tells the users how to protect themselves, leveraging the resources from the federal government. the irs, postal service and other agencies that interact with citizens and businesses every day would be a place to help message that, creating and leveraging a model like h1n1, where we have a plan that drives people to a place where they can get information. it would be nice if every member of congress had a link on their web page that directed people to a place to learn basic best practices, no-cost or low-cost things to do to protect themselves. another piece of blocking and tackling is to ensure operational capability that presents something like a national weather service or a cdc capability, where we know what's going on
10:44 am
the networks at all times. many of us work together through the national security telecommunications advisory committee and delivered a report in 2009 that wanted a joint, public/private, 24/7 operation to detect enemies. we ran into legal barriers. once we got in trying to integrate, the lawyers told us they could not talk to us. they could not share the information. hopefully representative rogers' bill will break down some of those barriers, but we should have the capability of getting a picture of what is going on in the network at all times. we should have a cdc type of
10:45 am
capability, and it's long overdue. >> the gentleman's time has expired. i believe that mr. waxman is next for five minutes for questions. >> thank you, mr. chairman. and anybody that wants to respond to this question: what do the growing use of smartphones and tablets represent? >> they are just small computers. they have the same vulnerabilities that the other machines have that you use. so when you think about the power that is in your hand, you now have the ability to -- it enables the enemy, if it's not secured properly. it enables an adversary to use it to get into your network. i'll simplify it a lot. people want to use the home device
10:46 am
at work, and once the -- they can launch an attack into the enterprise network because companies are letting people use the small devices. there are technologies to lock it down. we do it and do it worldwide. but you are looking at a massive explosion of the small devices. these devices leverage the cloud because they do not have the processing power that the big machine does. so you have to watch that data at rest and shared resources. your personal information is all over that phone, pictures of your friends and family, and location. if you lose it, you want to have the remote capability to destroy it. it's a wonderful device, but it has access to all the critical infrastructure, and has access to now your personal information. it brings a wonderful nuisance of fun to
10:47 am
computing, but it brings dangers for us to get out in front of, because mobility is growing. >> every now and then i talk to hackers to see what they are up to. one of them told me that the price of a tool kit to hack an ipod is about $200,000, but for other phones it's like $2,000. so it will force us to watch the big providers, the big isps. responsibility will shift away from the edge, away from the consumer, to the service provider. you don't patch your cell phone or program it, you depend. computing is becoming a service, and that will change the contours of security and change the requirements for regulation. >> with all due respect, i
10:48 am
disagree with that. if you look at metcalfe's law and what happened with apple and at&t, the value has shifted. it shifted from the carriers to the end point, and it's about identity. the threat i talked about, they're using a network, and the device is a surefire way to stop that kind of transaction today, and it is safe and it's protected and it uses digital signature through a wireless carrier network and on a mobile device with digital signature, which is probably why we try to hack the device. it costs more on an ipad or ipod. if you use that probability on that attack vector today, you will not break it. i think there are good pieces, and i think, my personal experience, the minute you think you'll stop it all in the network, the id and ip address
10:49 am
is no longer the identity. the number one thing people fake is who you are and what you are and the application of who you are, and that is the hardest thing to combat in terms of good guys versus bad guys. the threat is they have faked your identity, and no network can deal with that until they deal with the end point itself. >> i think you'll see the technologies that you are talking about will depend on the service providers ultimately. >> you mentioned in your testimony how communication networks are critical to other infrastructure networks. how does this address cyber security of communications networks? anybody want to respond to that?
10:50 am
>> well, i think in the opening remarks, a few of you mentioned going on at ntia, at fcc, that could reduce risk, right? and one of the examples we've heard about is, of course, this measure to get the internet service providers to adopt a voluntary code of conduct to deal with malware. it's a good thing to do. the fcc has an effort to promote the use of dns security, dnssec. not to get too complicated, but this is a growing vulnerability. it's relatively easy to fix. other countries have moved faster than the u.s. something we could probably do on a collaborative basis. the third thing to look at is some of the responsibilities for other activities, other protocols. this is a place where you don't want the government creating technology, right? it's not for this kind of level
10:51 am
of technology. but you do want to maybe coordinate a response. and so when you look at fcc, when you look at ntia, the dnssec, the isp efforts, some of the other measures, commerce is doing similar things. this is where you can play a big role. >> thank you. thank you, mr. chairman. >> with the committee's indulgence, we were going to ask you about australia and then we all forgot. >> oh. >> without objection, would you mind just addressing australia -- >> sure. >> yeah. >> well, phyllis talked about this as well. your isp probably has a pretty good idea of what's going on on your computer at home, right? right now they don't really do very much about it. i think bob talked about this as well, the basic hygiene thing that most people don't do. your isp has fairly good knowledge when you're running malware, when you're part of a botnet. what actions can they take to
10:52 am
stop that? and in australia, australia is not the only country that does this anymore. at one point they thought the attorney general would come in and tell the isps what to do, right? because the isps were not doing anything. this was a failure, right? and there was a tussle, a political tussle. at the end of the day the isps -- australia is a little easier because it's a smaller country. they said, how about we come up with a voluntary code of conduct that will let us deal with the malware threat. and with a little guidance and help and involvement from the attorney general and the australian police, which is roughly equivalent to some of our federal agencies, they came up with a pretty good system. it works pretty well. this will not deal with the advanced threat, but it will deal with it, you know, quickly. name the country in the world that is the biggest supplier of botnets used in cyber crime.
10:53 am
it's the united states. and it's not because we're cyber criminals, it's because we're incompetent in our defenses. the australian model changes that. we're number one. hey, great. there are some issues, and i'll do them quickly. other countries that do this: germany. what happens in germany is you have a pop-up on your screen which says, basically, we notice you're infected. call this number if you want help, right? the australians and some other countries that do this say, click here and we will clean your computer for you. a few other places that don't go public, they just intervene without your knowledge. you have a privacy issue, you've got to be careful about that. one of the things that comes up over and over again is, should we isolate infected computers? should we cut infected users off from the internet? some companies are doing this. you are putting such a burden on me that i'm going to cut you off. big issue.
10:54 am
if you look at the databases where we have data, there's an amazing drop in the rate of infection. so this works. and it would be useful if we followed the australians, the germans, the japanese, the turks. >> i'll give you two other points on australia that are, i think, relevant to this group. australia is also looking at their energy grid and, granted, their energy grid is a little different architecture than the u.s., more like ireland and others. but in the process that we're working with, they're starting with the infrastructure part and the actual production side of the energy creation, one, to lock down the authentication of employees in the system within the creation of the power, and starting there and then going to the export of that power through the grid as it extends through the different carriers all of the way to the end point in terms of that.
10:55 am
i think they were also involved with other companies here in the u.s. helping them do that. the other piece is, as they look at health care, they think that's a critical area in terms of being able to have health care cards. novel idea when you get to privacy concerns here. but as i say, you can't have privacy without security and policy. >> thank you. and thanks for the indulgence of the committee. i'm going to go to mr. -- oh, doctor, i'm sorry. go ahead, if the committee is okay with that. >> one point, if that's okay. >> yes. >> i think the example on australia is a beautiful example of this need for information sharing. i'll challenge the wording a little bit from dr. lewis, i don't think you meant it this way. the isps don't know what's going on on your computer. they're not watching your banking, they're not watching you work. they see because they own that block of addresses. they see the behavior of that block of addresses as a footprint to protect you from malware. they see that footprint.
10:56 am
like mcafee sees it reflected on things they own. from that they see where traffic has come in, ridiculously large volume in a short period of time from a certain set of machines, and they can look at those machines and say these are infected with certain code, and they can then, in the australian model, let you know. the question becomes how do they let you know. it's a great example of that use of the intelligence picture. with his work, it can work with the pretty weather picture that mr. dicks recommends. but also you have the ability of who is infected where and start looking at these incentives. how do we incentivize the public? most people with a computer don't know what it does all night while they're sleeping. if they knew, they would clean it up. it's not that hard. >> i appreciate that. and i appreciate the committee's indulgence in just trying to get more information out here. mr. rogers, thank you. >> thank you very much. i know we are short on time.
10:57 am
are you familiar with the company diginotar? >> very much so. >> attribution is difficult. can you briefly, i think it would be good for the committee to hear the story of them, a viable company went away within about a month after being hacked, and what it does quickly and what happened and why this is important as we move forward. >> if you look at the internet when it was created, the little yellow lock. everyone sees the little yellow lock on their browser and on their pc and they think they're safe. very few people know what that little yellow lock means, and it's supposed to mean the communication path is secure between you and the website that you're communicating with and who is on each end of that. the problem is, in the ssl world, which is kind of the security level of that, the identity on each side of that may or may not be who it is reported to be. we co-chaired, along with our
10:58 am
assigned, a new standard on that called extended validation, because if you go to your super bowl, even this past week, you will see people advertising, hosting, and selling that little yellow lock for $19 for your business website. the only problem is the verification of who is on the end of that is pretty lax. they just look at the server and go, that must be you. so the issue was, this one company that provides the little yellow lock, in this case predominantly in the netherlands, was breached, and it was breached from iran, just like many other security vendors have been breached. we get targeted every day from country states, our little 350-person company, with no help from the u.s. government, thank you very much, to defend that. this little company got
10:59 am
attacked, just like comodo did, just like others did, and they breached that little yellow lock that said who they were, and they began to take down the government security because that government used the little yellow lock for all its online capabilities. and the people in iran, guess what, used that little yellow lock to say they were google and other people. so anyone in iran that was googling content in that country was able to give up to the iranian government whatever they were looking at, whatever they were doing. and one government was basically shut down for at least 60 days. and unfortunately, to those of us in the security world, we found out about it through the browser forum, and actually entrust was a partner to that group, and it ended our relationship with them prior to that, and even we weren't notified. so that talks about, to your question of the legal fr
