tv [untitled] February 8, 2012 11:00am-11:30am EST
11:00 am
disclosure requirements and what's happening beneath the world. thank you. >> thank you. i just think that was a great example of the nation state using its intelligence services to co-opt. and by the way, it's no longer a company. >> it's out of business. >> you want to talk about a cost, there was a hack that took this company and is now out of business. >> be careful. it was a subsidiary of a public business that still exists that acts like it didn't happen. >> the contracts it had in the netherlands no longer exist. >> that's correct. >> it's an american company that actually owned it. >> that's right. and i think the point that you're on, congressman, is an important one. there are ways of -- we've been attempted to be hacked by this same group. we've watched them try that over the last 12 months. two of the people that own the yellow locks in the u.s. and abroad have been taken down relative to iran being able to
11:01 am
break in and impersonate those pieces. so it's happening every day. >> you can see how -- i thought it was important for the committee to hear that particular case because it shows how sophisticated and dangerous it can be if someone has a purpose other than criminal. i see my time is almost up so i'm going to ask two more questions and close up. i would like you to talk about, we've been through there a long time. it's been very difficult to get to a place where we have a very narrow focus on how to move to the next step. just talk about the challenges of why we think it's been difficult to even get a very narrow change in the law. and, lastly, doctor and maybe mr. dix can talk about this. you talked about hardware. there is much concern about hardware entering our system that may be malicious and very difficult for us to -- well, to understand exactly what that
11:02 am
hardware is doing in our systems. and i'm hoping you can talk about that and what we might be able to do from a regulatory and/or cautionary position on behalf of the united states government to make sure that those type of hardware systems don't enter our system and some of our hardware systems are not exposed when they leave this country to manipulation by foreign nation states. i'll leave it at that. those are two questions i hope you can answer if the chairman is kind enough to let you answer them, that would be great. >> thank you. those are hard questions. great questions. i'm glad phyllis got one of them. you know, the neutral answer is to say when you look at a new technology, it usually takes the u.s. somewhere between 20 and 50 years to figure out how to get an order, look at airplanes, steamboats, railroads, electricity, cars. we're in year 18 for the internet. so we're not doing too bad, i guess. i mean, we have a couple of years to sort this out. a little more pointed answer, we have so many old ideas they have not gone away.
11:03 am
if it was in pdd-63 which was the clinton administration policy and we're still trying it, it doesn't work. give it up. right? and the second thing is, we've had old laws that are obstacles. you, of course, are trying to fix this but if it's the electronic communications privacy act designed for dial telephones, you have serious issues here. you have business issues, privacy issues. so it's a hard problem and it will take time to work out. but the prevalence of the old things has really slowed us down and put us at risk. >> i'd like the record to reflect that mr. lewis and i agree on that last. thank you. so, so, first of all, let me touch on the hardware issue because the whole supply chain, risk management issues, last count 155 supply chain risk
11:04 am
management at issue in the government today. we need to coordinate those issues. quite frankly, organizations like ours, we invest heavily in what we call our brand integrity program because our reputation is how we grow our business. so we invest from concept to delivery in our products, in our hardware and software products. to make this short one of the things that i think this body could help with, as we sit here today and we deal with this supply chain risk management problem, the federal government still continues to buy from untrusted sources. there's a culture across the government of cost and schedule across the departments and agencies where in order to save five cents on a widget we're buying low cost, low bid, and then we end up in a gray market and we wonder why we have counterfeit or malicious products in our government's supply chain. we should be buying from trusted sources. if there's some reason why we are not going to buy from trusted sources there should be a justification that should be public and the liability should
11:05 am
accrue to whoever the acquirer is. >> can you just comment on that as well? >> i do agree some. i also add that we look at the supply chain and issue of your product integrity. we do rigorous testing on acquisition of any product. we would also believe in leveraging some of the existing standards to focus on a product integrity issue. what you want to know is did that widget you bought, is it exactly what you think you bought. that's the heart of the issue. rigorous testing and expanding some of the existing standards. >> just to make sure to clarify for the record, mr. chairman. so we are at risk if we integrate into the u.s. system non-trusted sources of product. i want to make sure i'm clear on that. >> i certainly think it increases the risk. >> thank you. >> i used to do this supply chain stuff when i was in the government, sir, on both sides of the table. and a couple points on that. first, right now it's not worth it. you know, it's so easy to hack.
11:06 am
you have to assume that our chinese and russian friends are taking the low cost approach to espionage. why should they not do it? the second one is it's very hard to push this out to a global supply chain. we're not going to be able to get out of that. so this is an exceptionally difficult issue that will probably force us to think about how we're going to work with foreign suppliers. >> correct. >> right? and there's not really a choice here. so what i do think will happen, i'll just say this real quick. >> yeah. >> right now hacking is so easy, why bother, if we ever manage to improve our defenses, they'll switch to the supply chain. >> i appreciate that. i'm -- well, here's the problem i'm like five minutes over on his time and i think members are -- >> this is a clinton we can all agree with, right here. >> the gentleman's time has long ago expired. i appreciate the patience of the committee members who haven't had a chance to ask a question yet. so we'll try and get back on schedule.
11:07 am
mr. doyle. >> thank you. thank you for putting this hearing together and to the panelists, your testimony and your answers to the questions have been very informative. i want to follow up on a line of questioning that mr. waxman had. i know in your testimony mcafee labs predicts an increase in attacks on smart phones and mobile devices in the future. it's my understanding your company had partnered with a research facility at carnegie mellon university lab which is in pittsburgh, the district i represent, about how businesses and employees handle mobile device security. apparently this study showed that lost and stolen mobile devices create some of the biggest concern for businesses, about 40% of the organizations surveyed had lost or stolen devices and half of those devices contain business critical data. further, about 50% of mobile users that were studied.
11:08 am
we found out they store their passwords and pin numbers and other numbers on their mobile devices which i am completely guilty of. i'm going to erase as soon as this hearing is over. seems to me that one way to tackle this -- one way to tackle this is to make sure that the devices that employees are using are secure in the first place so that if an employee loses them that the data remains secure or that they can -- you could remove that data from a remote source. so to follow up with what mr. waxman asked you, could you elaborate on what is being done by device manufacturers and app developers to secure their products for commercial use? >> we look at protecting them once they're received. so from what we've worked with, there are a couple of vectors on what they're doing before delivery. one is -- i'll take the application side first. when people download an application, they rarely think about is this application
11:09 am
secure. one of the biggest dangers we see is not did i catch a virus, it's did i go and purposefully download something, a great app that did something neat for me but when it actually is a pretty picture and malcode one of those instructions will get that to be a platform to start shipping back your personal information for sale on the russian underground. the app developer, some companies are very careful on their app markets and only approve or back to the trusted source, only approved apps are for sale. it's up to the user to be very careful about what you download. >> i think it starts -- we work with all of them. so from the android operating system to microsoft, the first thing we're working with each of them on is how do you identify the device itself securely and authenticate that back to your company. if you don't know it's connected to your company, you got your first issue and kind of the
11:10 am
consumerization and enterprise. the second thing becomes how do you then work with the applications that go into that phone. and each one of those ecosystems do that differently. some have sandboxing where they then can use our security or others to make sure they know who is coming in to put that there. they all three have very different testing mechanisms to test those apps in terms of that sandbox and how they communicate that back and forth. and then the third thing we're working with each of them on is how do you secure e-mail and content and communication where it's mobile, no different than we did with laptops and desktops before. >> mr. dix? >> good old u.s.-based innovation has delivered today, available in the market today, capability to lock, locate, and wipe those devices on demand. >> we're getting close to maybe having a solution to authentication. it's been the holy grail for about 20 years. just a quick story, help put
11:11 am
this in perspective. there used to be one government-approved private company in north korea. you know what they made? they made mobile phone apps. i see a pattern. >> and just another general question for the panel. do you think the fcc has any role to increase mobile device security and what should that be? >> absolutely. in fact, you look at the fcc, the critical infrastructure is there. i spent ten years at at&t and another ten putting electronics and systems into those type companies. it starts with that. you can look at the mobile networks as either good or bad. it can stop the crime i talked about today, if used correctly with technology that cannot be broken today. so i think that if you think of one governing body trying to own each of these pieces, it's folly. i think doe needs to work the private partnership and public partnership for domain, commerce
11:12 am
and treasury needs to work it, i think fcc needs to own that infrastructure around that ecosystem because to think that the attack vector that the bad guys are taking against us is one size fits all is ludicrous. >> very good. mr. chairman, thank you. >> thank you, mr. doyle. we're now go, i think you are next in order. >> thank you. this question is for the entire panel. maybe start with mr. conner. some have argued that before we entered the cyber security debate we should heed the hippocratic oath and make sure in the first place we do no harm. if there were one caution that you could offer us before legislating, what would that be? mr. conner, why don't you start? >> i think where i would start as a government is the bully pulpit, frankly. i spent a lot of my personal time and with this team and others spending a lot of time educating.
11:13 am
and i think quality is a great example that this government got right. they did quality, they just got on the bully pulpit and think quality is important. lexicon is not here, still isn't here the way it was. if someone started quality saying i'm going to get the six sigma, they would know what it meant when quality started. you heard cost of quality, i hear cost of security. we're focused on what it cost. are you focused on the total cost of security or just the cost to implement something. i would start with education in your bully pulpit. the second thing i would start on is the inability of businesses to talk to governments or to themselves because of anti-trust and the patchwork legislation in the states. i am tired of it being a one-way communication street to intelligence and nothing in return. and i understand they legally can't do it, but as the company
11:14 am
that's tasked with protecting our government and governments and enterprises and citizens, it's pretty folly to me i can only give you information, you cannot give me any. >> thank you. we'll go to mr. dix and move rapidly. >> two quick things. one is to continue to inspire and drive an environment that supports innovation and investment and be cognizant of the fact that the bad guys move fast. we need to have speed, nimbleness, and agility in our ability to respond. attempting to comply with a compliance model that takes a long time to build and implement slows us down and imposes impediments to our ability to have speed, nimbleness, and agility. >> 2007 -- >> i don't believe your microphone is on, sir. >> 2007 we had an intelligence disaster in this country that details are still classified. 2008 dod siprnet was hacked.
11:15 am
we were unable to get the opponent off for a week. 2010, google and 80 other companies get whacked, intellectual property. most of this will not report it but it will show up in chinese products in about five years. last year we saw the ability to destroy physical infrastructure using cyber attack. and we have a list at csis of major cyber events. mainly i got tired of people asking me when would we have a cyber pearl harbor. the list is up to 90. what we need now is to stop saying do no harm, we need to move out and do a coordinated defense. >> dr. lewis, so you think we definitely need legislation? >> i do. and i think there are things -- one thing that we can say now that we couldn't have said five years ago, we now have a pretty good idea of how to do this between the experts up here, some of the other places. there's agencies that have done a particularly good job. we now have a good idea of how to reduce risk and we need to
11:16 am
implement that. >> i agree that we do need legislation. the question is what is the legislation that we need. i do subscribe to the do no harm theory. i think the one thing that i would tell the committee is to understand that this is not a technology issue. it is an enterprise wide risk management issue. the problem we have is that in the cyber security world, all the incentives favor the bad guys. attacks are cheap, easy, really profitable, it's a terrific business model, defense is hard, we're following the attackers around. it's really hard to show return on investment to what you prevent. and criminal prosecution is virtually nonexistent. so i go back to the last thing i said before i finished my oral statement. understand that you are dealing with the invention of gunpowder. this is an entirely different thing. you can't just take 20th century models and plug it in here because you can pass legislation
11:17 am
that will do no harm that will take away needed resources from where they need to be. we need a creative 21st century approach and a lot of what we're seeing in the public policy world is not that. >> mr. clinton, thank you. last 12 seconds, last but not least, doctor. >> let's take this as an opportunity and unleash the power of the private sector. we built this thing. we didn't build it with security. now we understand this adversary. let us take the information we have, the data we have, the isps see all the mobile phone activity. they can see that. they can protect that. incentivize us so we can still eat when we get done doing it but make sure we build business models around building security in from the hardware up. and i think you will see this world change in a few years. >> i thank the panel for the excellent responses. i yield back. >> thank you, doctor. and we are talking about we're going to lock the doors and not let you out until you give us all the ideas we need to do
11:18 am
here. we'll let you out today, but seriously, in terms of helping us understand how to get this right, you've got a lot of them in your testimony, but if we could help -- if you could help us drill down more specifically, at least within the jurisdiction we had, we would really appreciate very specific suggestions back. we're going to go now to ms. matsui. >> i would have to say this is probably the most interesting and scary testimony i've ever heard. but i think that, quite frankly, our country doesn't realize what risks we have. and i think the things we hear about over the news are things talk about hacking but they're at a level where -- personal level that people understand. this is far beyond that. it really affects every sector of our economy, our country, the way we live. so i truly believe this education process is going to be
11:19 am
very, very important. and i also believe that people like you have to step up to talk about it in ways that the public can understand. the cyber security, everybody sort of understands it but doesn't understand it. so i think with every advance in technology we open ourselves up. and our daily lives can be impacted so much. i wanted to follow up a little bit more on the cloud-based services, businesses and governments are now going to the cloud. and what are the unique challenges facing the cloud with respect to cyber security and are we thinking ahead, knowing what we know now, about how we address these challenges? and why don't we just start over here with mr. conner? >> it's something that's getting a lot of attention from everybody. and i think a lot of people are running before they have thought it through. >> okay. >> i think it's very application
11:20 am
and business sensitive depending on what you put in the cloud, some stuff you put in the cloud that user name password sensitive that that's fine. intellectual property in the cloud you've got two issues. the security within the cloud is not the security you have in the mainframe. how you authenticate to the cloud is still a matter of how you choose to implement that. i think it's very naive. >> so are we still at a place though where we could start looking at that and incorporate, you know, how we integrate some of these things into some -- the information sharing activities. we're still okay right now but right now you talk about the cloud as a very sexy thing so people are now jumping to it. i was curious, too, also about,
11:21 am
dr. lewis, that you mentioned that government should find ways to incentivize companies and the doctor was talking about the same thing, to prevent cyber attacks. what type of incentives would be the most effective, in your opinion, and i would also like to hear from you, too. >> there's basically four kinds of incentives. there is regulation. and we're going to need some of that. not too much. and it varies from sector to sector. there are tax breaks. i mentioned this to some other -- republican task force on cyber security. they thought this was not the best year to go after that. there are subsidies, right? we might need that. and finally, there's a coordinating effect, right? someone has to lead. and you can find this as maybe a good story from the australian
11:22 am
example. if you pool the industry together and point them in the right direction, they'll come up with some really good stuff and we can find some examples in the defense department where that's worked pretty well. so regulation, tax breaks, subsidies, and that might include building something into the rate structure for some critical infrastructure, and then coordination. >> doctor, do you agree? >> not entirely. i think regulation drives a box around the technologies that you're forced to adapt. your money there, takes it away from science, innovation and, even worse, it shows the bad guy what we're not protecting. but i do favor the rest. i favor tax incentives. thing that allows a company to be creative and invest up front in cyber security because the up front investment is fun and a lot cheaper. i testified earlier a couple months ago about small businesses and incentives being needed. we don't realize but the small
11:23 am
and medium businesses make up 99% in some cases of your business fabric. if you think about where some of the newest technologies come from, not just cyber but maybe our next jet engine comes out of a start-up from a couple of bright guys out of college they're not going to invest a whole lot on cyber security when they get that huge grant but if built into that grant is extra money saying you'll get this money from the government only if you promise to secure it. we could be doing that for all levels of company. >> government does that type of role, though. and i think the part that i'm looking at is who convenes all this anyway? how do you do this so you all work together? you're right, the business sector can work together and have a solution but how do we get to the next point. >> well, i think the first thing you've got to do is make the legal obligation on we sit with ceos and my first public/private, all the ceos agreed until they went to talk to their legal counsel. guess what, then it went
11:24 am
completely dead because no one wants to go public when you've got an anti-trust issue of sharing and, second, is the minute you go public you create a standard to be sued criminally as well as civilly. and that is the reality as a government person that doesn't understand, but if your ceo class actions mean something and suits mean something. the minute i say something i now put a different standard for me to be held to. >> thank you very much. my time has run out. this is very fascinating. >> thank you. we now go to mr. latta from ohio. we look forward to your comments as well. >> thank you, mr. chairman. i appreciate it. i thank the panel for being here. for someone who did serve on the cyber security task force, it's almost like you go to your office, do i really want to turn that thing on now or not? if i can go back first, mr. conner, talking about the yellow lock you're engaged with, mr.
11:25 am
rogers, in a discussion about. you know, a lot of times they tell you if it comes up the https comes up, you're safe. are you telling me that's not true now? >> the only thing i would tell you is unless that chrome goes green, i wouldn't assume that you're safe. >> the reason i ask that, you know, we have to get this message out to our constituents and the american people. and i know a lot of folks see that little yellow lock come up and say i'm fine. i hate to say that my daughters were on some social networking and we had a problem for about four days before somebody could spend -- i don't want to say how much money, to get the thing fixed. we could go back on the computer. but, you know, i'm really very cognizant of the fact now, watch for that https come up because, again, it goes to the whole point, again, let's say you do online banking or people do certain things that we need to be able to communicate that.
11:26 am
that's one thing. if i can ask mr. dix and dr. schneck this question, you talked about the idea of creating trusted relationships online, either through authenticated e-mails, can you explain the idea of how they differ from the previous measures like spam filters and blacklisting? >> lady first. >> let's get off of that one. >> our focus on the trusted relationships with mcafee are in the bigger. we all need to work together, and we do. organizations such as bob mentioned show the government and private work together. i think we're dealing online today with a world much different than spam filter. i used to help build a spam appliance, many companies ago. what we looked at then was only the e-mail vector. now you have the web vector, firewall vector, mobile vector. again, the enemy is faster.
11:27 am
when you start looking at trusted relationships online we had at least 30 different parameters just at e-mail. there were all kinds of things and indicators in that note. now you multiply that. from our perspective and protecting against cyber security threats overall the different vectors we have over 1,000 different perimeters of trust that we look at. it's not just established relationship, it's what your behavior been lately within the last two milliseconds and the last two years. >> continue to advance the development and implementation of the national protection is a step in the right direction and that's an example where industry and government working with nist has come together to deal with this issue of identity. every one of my colleagues here has mentioned the issue of identity being a root issue and entire trust discussion we're having here today. there is an effort under way, it's collaborative, and moving
11:28 am
implementation. >> the last comment on that is the irony of this is you think of who are the most trusted identities we use. usually government issued. and i think this is one area our government needs to get out of the u.s. think and into the rest of the world think. >> let me kind of go on with this because, you know, again, when you're looking at, you know, people trusting what they're doing on the internet and banking, i don't care what it is. but you know, when we talk about trust and there was another discussion held earlier, not buying from the low cost, low bid, and you need to buy from that trusted source. how do you know, how do you know that even if you buy from somebody that's trusted that that stuff is still good without -- how do you go through, unless you're testing, you're testing constantly or -- i'll just throw that out to all of you. >> since i brought that up i'll take that first. each of us, manufacturers, have
11:29 am
a network of authorized resellers and distributors that we utilize in the distribution of our products into the marketplace. that's a place to start from. understanding who those authorized providers are. there is also a great deal of work that's going on right now through the trusted technology forum in the open group to create an accreditation process for suppliers, working collaboratively with the government again in a standards-based approach to being able to address this issue. so there is some good work going on right now but the fundamental piece of it in my mind is cultural. we're still evaluating people and departments and agencies to meet a cost schedule. it drives a certain behavior because it doesn't have security as a paramount foundation of its context. >> i see my time has expired. i yield back. >> thank you very much, dr. christensen, you are now recognized for questions. >> thank you, mr. chairman. thank you to all the panelists.