tv   Politics Public Policy Today  CSPAN  July 7, 2014 3:00pm-5:01pm EDT

3:00 pm
requirements as well as developing tools to utilize that the federal government will provide to do the analysis for the development of a transit asset management plan. it's critical that we have good, solid industry input into the process and develop a process and program that will address the various capacities and technical capacities of the various size agencies we'll have to implement. >> senator warren? >> mr. chairman, thank you and thank you for calling this hearing. i have questions for the next two witnesses. i'll just hold until then. >> okay. >> thank you. >> one last final question. workers rights. you know, we think about the challenges of transit systems operating systems and facing fiscal challenges in the state of good repair status. i also think about your testimony says that nationwide almost a third of facilities used by local transit agencies
3:01 pm
to house their operational staff and service their vehicles are in a marginal poor state of repair. are these facilities a threat to the health and welfare of our transit workers? >> first, i think i should be clear that we believe the systems are safe. transit is one of the safest modes of travel we have available to us in this day and age. we also believe strongly there are steps that need to be taken in order to address the safety, not just of the general public, but the employees that work for the agencies as well. there's no question, when you are dealing with an aging infrastructure and the needs required to maintain that infrastructure, employees are going to be working in hazardous conditions with moving vehicles and things of that nature that can make for an unsafe situation. but there are steps that transit agencies take and do take, and i know from my own experience, we focus closely at cta on making sure the operators have appropriate training, appropriate tools, the appropriate protocols in place
3:02 pm
to maximize the safety of employees when they engage in these type of activities. but the reality is, for as long as it's going to take to fix this problem, that will require more workers to work in environments where that could become a more dangerous situation than if it were in a state of good repair. >> thank you for your testimony. we look forward to continuing to be engaged with you as we develop the legislation the committee is considering on the transit side of map 21 authorization. we appreciate your testimony. >> thank you, mr. chairman. >> let's now hear from our three transit agencies about their work trying to maintain their systems to a state of good repair. as i call them up, i want to remind all our witnesses, their full statements will be included in the record, and we ask you to summarize your statement within five minutes or so so we can enter into a dialogue with you.
3:03 pm
the first witness is mr. joseph casey, the general manager for the southeastern pennsylvania transportation authority. septa service is important to a number of my constituents as well. i appreciate your willingness to appear before the subcommittee today. i know senator warren would like to introduce dr. beverly scott. i think this moment is a good time to do so. >> thank you very much. it's my great pleasure to introduce dr. beverly scott who is the general manager of the mbta and the administrator for mass dot rail and transit. dr. scott is responsible for managing the mbta, overseeing the commonwealth's 15 regional transit authorities and massdot's freight and passenger rail program. dr. scott has tremendous expertise in these issues, not only in massachusetts, but nationally. her career in public transportation industry spans more than three decades and
3:04 pm
includes executive and senior leadership positions with some of the nation's largest public transit systems. prior to coming to the mbta, dr. scott served as chief executive officer and general manager of the metropolitan atlanta rapid transit authority, marta, where she was the first woman to hold that position. additionally, she served as general manager and chief executive officer of the sacramento regional transit district, srdt and she served as the general manager of the rhode island public transit authority, ripta. she is recognized for her extraordinary leadership and thoughtful advocacy and advancing increased investment for effective and efficient transit infrastructure. she is a leader in her fieldtra innovator of change by president obama and the u.s. department of transportation for her long record of strong leadership and
3:05 pm
innovation in the transportation industry. we are very pleased to have you in massachusetts and very pleased to have you here today in washington. thank you. >> senator, thank you so much. >> thank you, senator warren. sounds like our system could use a doctor. finally, the third witness is mr. gary thomas who serves as the president and executive director of the dallas area rapid transit. thank you for joining us. mr. casey, we'll start with you and move down the aisle. as i said, your full statements will be included in the record. please try to summarize in five minutes or so, then we can get into back and forth. >> good morning. chairman menendez, senator warren, i want to thank you for the opportunity to testify in the federal role of bringing this nation's public transportation infrastructure to a state of good repair. i am joseph casey, general manager of the southeastern pennsylvania transportation authority, septa, located in southeastern pennsylvania.
3:06 pm
septa is the sixth largest operator in the country and the largest in pennsylvania. septa provides 1.2 million daily passenger trips which are essential in supporting the southeastern pennsylvania region. last year, americans took 10.7 billion trips on public transportation, yet at a time when ridership reaches the highest levels in 57 years, the industry continues to fall behind and the investment required to bring the transit systems to a state of good repair. according to the 2013 conditions and performance report released by the u.s. department of transportation in february, the state of good repair backlog for transit system nationwide has risen to $86 billion. this number is projected to grow by $2.5 billion per year. the report states the total spending on state of good repair from all sources must increase $8.2 billion per year to address this backlog. the funding and operational pressures related to state of good repair are particularly
3:07 pm
acute in the large urban transit systems with aging rail infrastructure. infrastructure that accounts for a majority of the state of good repair backlog. our current backlog of unmet infrastructure needs is now $5 billion, nearly three-quarters of which is concentrated in septa's ailing rail infrastructure. our challenges are not unique among large old system -- old rail systems. in northeast illinois, the investment that would be required to bring chicago's regional rail transit systems to a state of good repair would be roughly $20 billion. in georgia, the metropolitan atlanta rapid transit authority, marta, will see their backlog grow to $7 billion by 2024 without additional state of good repair investment. in map 21, congress responded to
3:08 pm
the rail state of good repair crisis by creating a new state of good repair formula grant, an increase in funding for the rail transit system to invest in the state of good repair needs. on behalf of the riders in our region, i want to thank the committee for this role and making the program a reality. since 2010, i have served as chair of an informal group of the nation's largest, oldest rail transit systems. the metropolitan rail discussion group that together carry approximately 80% of the public transportation passengers. we continue to maintain, as we have since our formation in 2007, that the long-term, predictable and growing transit program that emphasize state of good repair in the rail transit systems that enable this nation's world class economies is not only good policy, but sound policy as well. to understand the entire cost of
3:09 pm
not investing, we need to look beyond ridership and the broader benefits of public transit in our major metropolitan areas. these areas rely on public transportation to fuel the economic growth and competitiveness by connecting employees to their jobs, allowing commuters to move on less congested highways and mobility options. the nation's economy is damaged when the major metropolitan areas cease to function efficiently as gateways for the movement of goods and people between u.s. and international destinations. maintaining the infrastructure that supports metropolitan rail transit systems is an established national priority and congress must preserve the federal government's 50-year-plus commitment to public transportation and preserve the strength of mass transit in the highway trust fund. we spend too much time focusing on the cost of government
3:10 pm
infrastructure program and too little time focusing on the crippling cost of not investing in infrastructure. a short-term patch on the highway trust fund, they will not address the crucial shortfall in investment. if congress takes that approach, either for six months, a year or two years, transit systems will, again, be left without the appropriate funding or budget certainty needed to plan and execute major infrastructure rehabilitation projects. it's been more than 4 1/2 years since the last transportation bill that provided long-term investment and planning. the intervening period has been marked with uncertainty and insufficient funding growth. i urge this subcommittee and the full committee to develop a plan for a multiyear program with funding levels that increase from year to year to meet the growing needs across the country. robust and growing rail transit state of good repair and a fully funded core program that allows aging systems to sensibly
3:11 pm
accommodate ridership growth while continuing to address state of good repair needs should be the centerpieces. i want to thank you for the opportunity to testify today and i look forward to answering any questions you may have. >> thank you. dr. scott. >> chairman menendez, senator -- it's showing on. okay. chairman menendez, senator warren, it's a pleasure to have the opportunity to testify this morning. for overall context the massachusetts transportation authority called the t is the fifth largest transit provider in the united states with more than 1.3 million passenger trips per day and close to 400 million trips per year. and that's across an extensive heavy light rail, ferry and bus network. we are also the oldest public transit system in the united
3:12 pm
states with a subway system that opened in 1897, the oldest in the country, which still operates every day at peak periods and a commuter rail network that was laid out in the 1830s, among some of the first railroads in the country. a network, which remains today, a vital link for our commonwealth, our partner states throughout new england and the northeast region and the national passenger rail network along the northeast corridor. on our bus side, a critical element of our overall transit network, some of the bus facilities date back to the 20th century having been designed to serve horse-drawn omnibuses. as you would expect achieving a good state of repair is a challenge for the t. today, we estimate our backlog of state of good repair at close to $5 billion. it is a challenge that we live every day.
3:13 pm
our customers experience with us every day and our employees work to overcome every day. speaking of our transit workforce, the people infrastructure, those who plan, design, operate and maintain our systems, particularly our front line employees, it is also extremely important that workforce development at all levels is not an afterthought as we grapple with our need to achieve a state of good repair. all of this said, while we still have a long way to go and definitely need a strong federal partner, including significantly increased federal investment in our transportation infrastructure, both in our existing and well-supported new targeted transit investments under the leadership of governor patrick, we are making strides through implementation of a serious transportation reform
3:14 pm
agenda, including actions to bring transit employee health care and retirement benefits in line with other state agencies. the implementation of sustainable internal productivity and cost containment measures and the deployment of new technologies to improve the overall customer experience. on top of the transportation reform agenda, our governor proposed a way forward transportation program this year to provide much needed increased local funding for the statewide transportation, a self-help plan, if you will, including the mbta and statewide 15 regional transit authorities. this year, it was successful with the help of our legislature, the business and our communities across the commonwealth resulting in the passage of the largest bond package for transportation, as
3:15 pm
well as significant new investments in the commonwealth's history, including new state revenues dedicated to funding transportation. the first increase in over 20 years of the state gasoline tax. this increase is aligned with inflation to ensure the level of funding will keep pace over time. the reason i say these things is, as we stress this morning, the absolute criticality of a strong, federal partnership, predictability of funding and significantly increased federal funding to help to turn the tide on this. i want to make it very clear, we appreciate and we respect at the local level we need to step up and do our part as well. that's what you see on the part of our commonwealth. so, what i'll say is that we are -- things have certainly gotten much better, but we are continuing but we are definitely in a great need of continued support by the federal
3:16 pm
government. on the side of -- i want to take a little bit now, state of good repair, fix it first, common sense must happen. but, at the same time, we cannot wind up only looking at the hole, not the doughnut. we have to make new targeted investments for growth. so, for us, the most notable of those projects at the federal level is our green line expansion project, which we are moving through the new starts program at this point in time, and this project will, in fact, wind up for us, filling what has been a missing transit link, serving some of the most densely populated communities in the united states. right now, those communities of somerville, medford and cambridge are only within 20% of those communities are within distance today of a rail
3:17 pm
station. when this project and prayerfully we will, in fact, hopefully receive an ffga for this project. when that's over, we will be able to provide access for what is over 50% environmental justice communities for within 75% of those communities will be within walking distance to rail, which will significantly wind up decreasing their travel times by 65% to 75% and opening up a tremendous vista, if you will, of new job and economic development opportunities for a much needed community. so, at this point, i mean, we have done everything, asset management -- thank you federal transit administration for support. we believe we are struggling like everybody else but cutting edge in terms of asset management and moving in that direction. performance metrics, this is how we do our work. we are transparent in terms of what we consider the metrics to
3:18 pm
be in working with the public. we have also aligned what we are doing on the transportation side with critical public policies having to do with housing affordability, greening, resilience. it's not just transit for transit sake. it is about livability, overall economic competitiveness. in conclusion, as we experience record high and growing transit ridership on increasingly aging systems, reaffirming the federal commitment and partnership with a program that has both predictability and growth is essential to making real progress to turn the tide on the state of good repair backlog. this is one that states and localities cannot successfully tackle on our own. federal partnership and investment is key. with deep respect, thank you very much. >> thank you. mr. thomas.
3:19 pm
>> thank you, chairman menendez, and committee members. i appreciate the opportunity to be here. i am the president of dallas area rapid transit. we have a little different story to tell. we are not over 100 years old. as a matter of fact, we are just over 30 years old now. when the voters of north texas voted to dedicate a 1% sales tax in 1983 to create a transportation agency. today, we operate bus, light rail, commuter rail, paratransit services and hov services in the north texas region covering a 700-square-mile area, 13 cities and 2.4 million people, providing roughly 107 million trips annually. i would also like to add we operate the longest light rail system in north america. so, as you can see, we have had very rapid growth, opening the first light rail segment in 1996 now operating 85 miles. later this year, we will add an
3:20 pm
additional five miles as we go to dfw airport. we will open that 4 1/2 months early and under budget. so while our oldest segments are only 18 years old, our growth and subsequent state of good repair is closely controlled by a 20-year financial plan that we strictly adhere to. the financial plan, by policy, ensures we balance our anticipated revenues with the operational expenses, asset management and capital expansion. we are relatively young with over 15 years of asset management experience. a key component is a regularly scheduled asset control assessment that we do on an annual basis and every five years we have an outside consultant come in and see where we are and determine if there's a course of correction that needs to be made. the good news is it's a more unified approach industrywide
3:21 pm
regarding the development of transit asset management plans holding each of us accountable for managing our assets spmy. we're supportive of allowing the fta to complete their process and industry time to implement the new policies before making major policy revisions in a new transportation bill. the good news and perhaps the bad news is that we've created a large appetite for transportation choices in north texas. this, obviously, relates to where people live, where they work, and we see that happening surprisingly as some people might find in north texas every day. this appetite requires not only maintaining our existing system, but growth of the system to address the fourth largest and one of the fastest growing metropolitan regions in the country. over 73% of our capital expenditures for the next 20 years is for sgr, leaving very little for growth even though
3:22 pm
demand is very great. one of our key areas of growth is what's happening in our core area of our system. right now, we have a hub and spoke system and the hub is a single corridor through downtown dallas. because of the growth of the system and the service we provide and the growth of that service, the track conditions in the core is deteriorating faster than we initially anticipated. this means we'll start a $45 million capital program later this summer replacing over the next couple of years the rail through this core area. additionally, we are planning a core capacity set or group of projects to relieve the pressure on this existing core. therefore, we are strong advocate for the core capacity program initiated in map 21 to be preserved in the next bill. our core capacity project, as envisioned has capacity and
3:23 pm
providing future needs. a lot of the new projects go hand in hand with the core capacity as well as state of good repair projects. mr. chairman, in conclusion, in order to continue to provide transportation choices for north texas, we desperately need a long-term, fully funded transportation bill providing stability and predictability for our agency and more importantly for our customers. we applaud the six-year term and the proposed highway bill and the funding levels in the grow america legislation. i would hope this committee would consider both of those and consider the recommendation and merge these two together, resulting in a six-year fully funding bill for transit $1604 billion. of course, where public transit goes, community grows. and on behalf of our board of directors, our 3,700 employees and our millions of customers, thank you for this opportunity today.
3:24 pm
and i would look forward to answering any questions. >> thank you all for your testimony. let me first start with a couple yes or nos, if we can. d.o.t.'s conditions and performance report tells us that if recent investment levels are maintained by 2030, the nation's transit system will be facing $142 billion in deferred system preservation. i underline preservation projects. given that federal funding makes up more than a quarter of investments, it seems we have work to do. by a simple yes or no, does anyone believe the current funding levels are enough to help you achieve a good state of repair? start off with you, mr. casey? put your microphones on while doing this i would appreciate it. >> they were insufficient. >> woefully insufficient. >> no, sir.
3:25 pm
>> if federal funding remains flat, does anyone believe or is it a possibility, and i have heard, dr. scott, your temperature about the commonwealth. but does anyone believe if we remain flat, additional state and local funding alone can cover the cost of paying down the backlog. mr. casey? >> no. i will say last year the pennsylvania commonwealth passed the transportation bill. it was half of what our needs are going forward to address the state of good repair. so, no, the state actually did their share, i think, but i think the federal government needs to step up and do more. >> dr. scott? >> same, sir. not possible. >> we had a large local 1% sales tax. it's not nearly enough to do what we need to do as we move forward. >> mr. casey, your testimony states state of good repair for large urban rail systems. you noted that the average age
3:26 pm
of septa is 83 years old. 103 bridges more than 100 years old. that's a pretty challenging reality for the system. what practical impact do these needs have on your riders on a day-to-day basis? >> we were faced with shutting down a lot of the rail system prior to the transportation bill out of harrisburg. from a practical standpoint, your first issue, slow orders, slow down the track, and then you have weight restrictions and then eventually shutting down the structure. we have, with the funding we have received from the state, prior to the funding from the state, we had no bridge repairs in our capital program. now that we did get state funding, i have 18 bridges i'm addressing in the next five years. just to give you the age of some of these bridges, i'll go through. there's 18 of them.
3:27 pm
the construction was 1891, 1900, 1891, 1900, 1896, 1916, a major bridge built in 1895. it's significant because it spans 922 feet. 100 feet in the air, off the ground. i can go on and on. i have bridges here, 1876, 1854, 1834, 1834, 1906, et cetera. we have a very old system. a lot of this was built, you know, penn central, the reading railroad that went bankrupt. little has been done to rebuild these, to replace these structures. we were in dire straits. the state gave funding to help dig out of the hole. as i said, with 103 bridges over 100 years old, we can only address 18 of them.
3:28 pm
>> scott, you said something. maybe it's not about bridges but you talked about how your passengers also face the challenges. what are some of those challenges? >> same types of things. slow orders. just inability -- >> for the record for those who may read it and not know what a slow order is. >> there will be a period along the stretch of the track where simply because of the condition it could be a bridge or tunnel segment or whatever. i've got to really, instead of being able to take it at the speeds that it really could go through from its design standpoint, we have to slow it down. sometimes you're talking about taking it to a crawl of 5 to 10 miles per hour which means you can imagine what that means in terms of the commute time for our riders. so it's -- ultimately, get to the point where you have to literally close down a segment. >> let me ask you, mr. thomas,
3:29 pm
your testimony notes d.a.r.t. is considering applying to the core capacity program within the new starts account. i think there's often a perception the program is used primarily by much older, heavier rail systems. can you talk about the importance of a federal core capacity program in helping a newer light rail system like d.a.r.t. maintain a good state of repair. >> yes, sir. the program in our case, would be incredibly vital and important as we continue to expand our system. we are at a point now where if we add to our system, we can't get more trains through the single corridor that goes through the downtown area. before we can add anymore to our system, or really, as i tell a lot of folks locally, if something happens on the corridor, a fire happened not too long ago, the fire department put their hoses
3:30 pm
across the corridor. they didn't appreciate the idea of us rolling trains across the fire hose. we had to stop service during rush hour to make sure it dealt with it. the core capacity program gives us the flexibility and the capacity to do that. what we are looking at, mr. chairman, is a combination of projects, understanding that on one hand we have to provide our local match. on the other hand, the core program is limited in size right now. we are looking at how we can reduce the size of the project and maybe combine projects to deal with that capacity issue in our downtown area. currently, we are looking at replacing the rail in the downtown area because of the traffic, the amount of traffic we put through downtown. the trains have already worn through the hardened surface on the rail. so, it's eating through the rest of the steel very, very quickly. we are at a point now where we have got to replace that and
3:31 pm
maintain our sgr and at the same time figure out how to expand the system to give us flexibility and capacity through downtown that we need. so that program ends up being important to us as we move forward. >> i have a couple key questions, but i want to turn to my colleague, senator merkley. >> thank you very much, mr. chairman, and thank you to all of you. i want to ask just a limited question that's come from several of my transit districts. given your experience on the ground, i thought you might have some insight on this. this is essentially the situation where the discretionary grant has been changed to a funding formula in the bus and bus facility program under map 21. the result for a couple transit districts is they are having a great difficulty acquiring replacement buses in the fashion they did before, which means
3:32 pm
they are buying fewer, therefore not getting group bus discounts and they are keeping inefficient buses that need high levels of maintenance on routes that are a detriment to the agency. have you experienced in your own respective realms any challenge like this? i invite any of you to answer. >> i haven't, no. >> i haven't, no. >> i have not at the t, but we have 15 regional transit authorities that are smaller systems, and while we keep a good overview from the broad commonwealth level, i can tell you it is more challenging for them. >> thank you. >> from our perspective, i think it relates to the size of the agency and the wherewithal and the forward planning on the larger agencies. in many cases they can accommodate that, and the smaller agencies can't. the trickle of money doesn't buy a bus. you can't save it up that
3:33 pm
quickly. >> thank you for sharing that directly from the front line. i'm listening with interest through the questions my colleagues are answering. i'm going to pass this on. >> thank you. >> senator warren. >> thank you, mr. chairman and senator merkley. i want to ask from a different direction, and that is about the economic impact of our transportation infrastructure and the state of our transportation infrastructure. as i see it, the economy turns on transportation infrastructure. this is how people get to work. this is how businesses get their goods to market. without transportation infrastructure or a decaying transportation infrastructure, the whole economy is in trouble. dr. scott, you mentioned the green line extension. i would like, for a minute, to talk about that. this is an extension of the t that would go to one of the most densely populated areas in the
3:34 pm
country, principally to somerville, massachusetts. i was very pleased to see that the president included $100 million in his fy '15 budget to get this expansion of the t. what i would like to do is start with this question. can you talk about what the lack of basic infrastructure has done to the economy of somerville, and then we'll talk about the others. >> i will tell you what it's done is stymied it. from one standpoint, just let me talk about the jobs portion of it. it's made it much more difficult for people within the somerville area to, in fact, be able to access good employment opportunities. that's both outside as well as development within somerville. it's made it much more difficult for somerville to attract
3:35 pm
business and employment opportunities. what i can say is i always look at things are what they are. just with the knowledge that this project is coming and we are absolutely committed to this project, just look at the development that started to take place already. you go and, in fact, we were delighted that secretary fox actually took time to come through to actually see the project at north point, okay. right there where we have 2.2 million in terms of development office, a residential, a multiuse. union square, another 2 million square feet of development. this is development that absolutely would not be taking place. they are both absolutely right there where the transit is literally at the union square. the station is actually right there where the development is. then you look at what's taking place in places like max pack. so, the growth and the development that is just being
3:36 pm
catalyzed, if you will, by that green line expansion project. it's just absolutely unbelievable. >> i have walked through. >> i know. >> i've seen this. it really is terrific. i was going to ask the other half. it's expensive up front to make these investments and yet study after study shows when we do, we get enormous economic impact, we get job growth, economic development. so i want to thank you. and i want to thank you for your advocacy on behalf of the green line and your advocacy on behalf of the whole transit system. enormously valuable. >> thank you. thank you. just the american public transportation association at the gross level has done work on this. for every $1 that goes into transit, the multiplier of at least $4 comes in terms of the broader impact.
3:37 pm
not just in terms of property values and residential development and all of that, but then looking at it as well in terms of jobs creation. i have seen numbers that for every billion dollars, you are looking at 32,000 to 40,000 jobs that are created. it's not the infrastructure. it's the outcomes and the benefits that we have for people and communities. >> let me extend that over to dallas. i have been looking at the studies there as well. you know, you have gone from amazing growth. going from zero hard rail to miles and miles of a system in 30 years. i saw two recent studies by the university of north texas that estimated $4.7 billion spent between 2002 and 2013 to expand
3:38 pm
light rail in the dallas system has already generated over $7.4 billion in regional economic activity, including tens of thousands of jobs that paid in excess of $3.3 billion in salaries, wages and benefits. made the point, also in one of these studies that more than $5.3 billion in private capital transit oriented development projects have been built or under construction or planned near the d.a.r.t. light rail stations. we're over time, but, mr. chairman, if you'll indulge me for a minute. i want to give you a chance, mr. thomas, to talk about how, based on your experience, how capital investment in rail transit can stimulate economic growth and whether or not your experience
3:39 pm
in dallas can be replicated in other places around the country. >> it's been fascinating to watch, senator, what's happened in dallas. when we first started, we were focused on getting the rail on the line. obviously to move people safely, efficiently and effectively. there were other people who understood the value of that infrastructure, the value they could take advantage of, in a good way, for our community. once that started, once people started realizing, now, as we look to other areas and the expansion, it's certainly to move people. it's also the air quality opportunity as congestion mitigation opportunities and the economic development opportunities. there was a point in time when the economy got soft and we had to start talking about a delay. we literally had buses of people showing up at our board meetings to explain to us why it was not a good idea to delay the projects. in large part, it was due to not
3:40 pm
just the transportation, but the economic development that was thought about and planned. as you mentioned, the study recently completed by the university of north texas was an update of a study done previously. and that was a very, very narrowly tailored study. because it only looked at projects that were on the tax rolls. so public funded projects, the big hospital expansion, the new civic center, those weren't on that list. it is pretty incredible to see not only the projects, economic development, but the rental rates are part of that study. it shows the increase of rental rates within a quarter mile of the station. we are seeing it over and over, proving out the 4 to 1 benefits that the studies have also shown. >> thank you. thank you, mr. thomas. mr. chairman, would it be okay to ask mr. casey to weigh in from septa's perspective? >> absolutely. >> mr. casey?
3:41 pm
>> we have a very old system. in the last number of years we haven't done a lot of expansion. what we are seeing a lot of investors wanting to build facilities, whether it's homes, you know, apartment buildings, et cetera, around the stations and utilizing the benefits of transit for, you know, for their development because it makes it much more attractive. but, again, there's a lot of interest in us expanding the system. there's one in this particular project, the broad street line, one of our heaviest lines, wants to expand into the former navy yard which is attracting companies from all over the place. so there is an expansion. i want to say more and more people in philadelphia are opting or wanting to take public transit in the last 15 years. we have had a 50% growth on the regional rail system. 50%.
3:42 pm
the only thing really limiting us from further expansion is capacity. the number of vehicles we have on the regional rail has increased a little bit, but it's minor. the cars are filled up. parking, it's, you know, if i was able to invest, there's no question on my mind you would see easily a double-digit growth in the utilization of those services. >> i want to thank you all very much. thank you for your indulgence, mr. chairman. transportation infrastructure is powerfully important. but not as an end in itself. it is powerfully important because this is how we help our economy move forward. thank you, mr. chairman. >> thank you. one last set of questions for the panel. if you were sitting here instead of there, and being able to write the new transit provisions of map 21 outside of the funding issue, which we collectively
3:43 pm
agree on. is there anything that you would change or add that doesn't exist in the law today? >> as far as i'm concerned, i think we need to invest more money into the transit and whether it's -- we have issues from the older properties, but the smaller operators with buses also have issues. the pot just really has to grow. it's been insufficient for us to maintain our current system. >> what i would -- what i would stress is that we have begun to see the threads of it, but i think a focus in terms of performance and not rewarding bad behavior. i think that's important. i think connecting of the dots of state of good repair with things like the going for full funding grant agreements. i think the more we do those kind of things that are self-reinforcing. i am a person who when
3:44 pm
people say what keeps you up at night, i come back to work force. making sure there is funding, intentional funding to help in terms of the workforce development. we put less than 0.5% in terms of training and development of our people. the kinds of things that keep me up at night, and i can assure you every one of the operators here, are the issues in terms we are not going to have excellence in terms of the system without the people. i don't want to overdo this, but this is, we have 6200 employees at the t. i can tell you today, there are 800 folks who have the time and the years to be able to retire over 30% of those are in my specialized maintenance areas. when i take that number five years from now, it will become 1800 people who will have the time and years to retire. 38% of them are in my specialized area. signal, track, rail controllers,
3:45 pm
you can replace a general manager faster than we're going to be able to do that. to see some synergies between this bill and education, workforce and labor, would be absolutely unbelievable. >> mr. thomas, do you have any idea? >> yes, mr. chairman. i think it's flexibility. as we've seen this morning, each one of our cities is different. each city across the country is different. we all have different needs. we're all in different places. and so making sure that the bill going forward offers the flexibility to each of us to do what we need to do in our respective cities to grow the economy, to provide opportunities to people. i think that's critical moving forward. >> i appreciate those answers. mr. casey, let me ask you, you chair the metropolitan rail discussion group. and one of the group's principles is funding should be prioritized according to need and national importance. to what extent do current
3:46 pm
federal programs adhere to that principle, and what changes would you make in that line, if any? >> well, i think it's a recognition of the older systems. and when you look at our system and, you know, our needs, and in philadelphia with the number of bridges, and i think people are shocked to learn that we're responsible for 350 bridges, and i think those infrastructure needs are different than the -- i hate to say dallas might not have those infrastructure needs. i think those issues have to be part of the discussions. you know, one thing i didn't discuss is, you know, our substation, power substations that are, you know, dealing with, you know, 1920 technology that's out there. they have been in operation since in some cases 1920s, 1930s.
3:47 pm
and generally they are 40, 50 years past their useful life. those critical issues really need to be addressed as we go forward. and it's not just one or two of them. i mean, i have 15 of those substations that really have to be addressed at one time, and if i have a failure on that, i just can't -- there's -- i can't get the parts. if i fail, it fails and it's down for a long time. >> dr. scott, my understanding is that the mbta is working to develop an asset management plan for a number of years, well before any federal requirements were created in map 21. can you give the committee some details on how your asset management system works, and has it helped your agency better target its investments? and by any chance has the fta asked you or talked about some best practices that can be considered in new federal asset
3:48 pm
management requirements? >> absolutely. first, i do want to -- fta has been right there at the table with us from the very beginning and we were some of the first pilot programs that they really helped to fund in terms of being able to develop the databases and things of that nature. what i will tell you is that it has radically reshaped, i'll be quite candid, in terms of how we've done our capital planning. it's no longer -- i mean this is really a robust involvement on the part of all the departments. you have to be very, very clear in terms of exactly what is the need, what is it going to wind up being the benefit that comes from it. we're beginning now to particularly as we bring our maintenance management systems, we're beginning to actually move into being able to look at life cycles so that we can, in fact, actually change the method in terms of how we do procurements for some of -- you have to have the data to support doing much more in terms of life cycle procurements.
3:49 pm
no capital project comes to the table without there being a full look in terms of not only the aspects of safety and obsolescence but innovation and resilience, accessibility and also the people implications and the long-term operating implications of those investments. none of that would have happened if we had not been much more thoughtfully and intentionally looking at both the data as well as just changing our decision lens, if you will in terms of how we do resource allocation. it's a work in progress but very, very different than what we had done in prior years. >> mr. thomas, you state that d.a.r.t.'s capital program has mechanisms built in to deal with funding volatility. given years of trust fund instability, the uncertainty of the annual appropriations process on the transit new starts account and even in the
3:50 pm
past the government shutdown, how has the volatility impacted d.a.r.t.'s ability to provide reliable transit service? and how are you preparing for possible concerns as it relates to the highway trust fund? >> well, certainly as we -- as i said, the 20-year financial plan ants -- we adjust that annually. obviously we can't -- we don't know exactly what's going to happen for the next 20 years, but we have several economists that work with us to help us identify what's going to happen from a local funding perspective, and then we take a very conservative approach from the federal participate. however, if the trust fund is not funded after the end of this calendar year, it would require us to make significant cuts as we move forward.
3:51 pm
we're already in the process of looking at what that would be, what those service impacts would be, in starting to determine where that list is and to communicate what that list might look like to our -- to our constituents in north texas area. >> let me ask you all one final question. i don't know if senator warner has any others. i assume that in some shape or form you survey or deal with the ridership in their views of the operators of the system, the views they may have about potential expansion or curtailment. if i were to ask you switching my role, would your ridership support an increase in a revenue
3:52 pm
source, if it's dedicated to the transit system, what would you say? they would say? >> i would say yes. i think the bottom line our riders want to improve service, they want more frequent service, they want better facilities, and in the region, i think, you know, as happened in the state of pennsylvania, it was at least our region was almost unanimous in supporting a transportation bill. and i really think the riders and the citizens of that region would support the same. >> dr. scott? >> i absolutely believe that our public would. i think that there are two pieces to that, however. i think that, um, they will support, but they have to be very clear about what the outcomes are that are intended, and it's about much more than ridership, okay? and the other is, um, i believe -- i just think that
3:53 pm
people want accountability, okay? and so the issue, the focus in terms of performance and transparency, but absolutely tied to outcomes that they can be real clear about that they want, okay? and with a real good transparency and accountability, i believe -- and i have another one i forgot to say. that is that i -- you asked the question, i think that at the federal level, to make sure that every dollar that we do -- and you can force this, okay? is to make sure we make smart investing. for every delay, let's make sure it's a smart dollar, so everything we can do in terms of technology, we need to be looking at and in terms of resilient. this is in the capital program. the water tables are changing, don't you bring me stuff that
3:54 pm
was built for 100 years ago. so those are once again themes in terms of outcomes that you can drive at the federal level to make every investment we make smart. that also means on the research and development, we are woefully behind in this country in making investments. there have been slashes in our research and development of funding for transportation, and it is sorely, sorely needed. >> mr. thomas? >> the voters within our service area certainly have proven over the years that they are supportive of transit and dedicated funding. when they initially voted to approve a 1% sales tax in 1983 to create an organization that they at the time had no idea what it would do or what it would be capable of doing, and then subsequently have voted by large margins to allow us to issue long-term debt and other opportunities. so yes, sir, i believe so.
3:55 pm
>> let me take advantage of the one final -- i promise it will be the final -- we have a debate in the committee, as it relates to gas tax dollars, which the advocates for highway, and of course we're always going to be highways as part of our overall system, but they say a gas tax dollar shouldn't be used for a transit purpose, because, you know, it's the drivers who pay the gas tax who ultimately are funding transit systems. recently, however, we have been seeing general fund dollars to be used in this respect for funding the overall transportation bill. it seems to me as we use more general fund dollars, that argument is increasingly dissipated at the end of the day, because general fund dollars are paid by everybody. so any perspectives on that? i don't know how you deal with
3:56 pm
it in your respective states. >> well, i have two comments. the vast majority of our riders also drive automobiles, and they are paying the tax also. but the investment in transit. >> so they take the transit to, let's say, go to work, but they have the car -- >> or they drive to the parking lot and take the train coming in. but the vast majority of the people that still use benefits from transit, from a congestion standpoint, getting riders off the road, it's -- it works hand in hand. i can tell you there's not sufficient highways within philadelphia currently to handle all the automobile traffic. without transit, you know, it would be literally a parking lot. so the transit benefits everyone, everyone in the region, whether it's the people riding transit or the people on the highways. >> that would have its own economic consequence.
3:57 pm
if you end up in a parking lot, you're not getting your sales force to the sales, and not getting workers there on time. anyone else want to comment? >> i tell them, i say get out of their old thinking, all this silo, and this is a road dollar, and this is a transit dollar, we're all talking mobility and access, nothing is free, and we're all so integrated and interconnected that i just think that's totally old thinking and we just need to step it up and move it up and not disregard it, but don't get stuck in it. >> well, we may have you visit some of our colleagues. you may want to think about how you answer them in that regard. mr. thomas? >> some of our strongest partners in north texas are tex dot and north texas tollway authority. united states, as mr. casey said, it is a collaborative opportunity. >> absolutely. >> well, let me thank all of our witnesses for appearing before the
3:58 pm
committee. it's very helpful in developing a record, and some of the issues that will undoubtedly be debated among members. i think the testimony makes a powerful case for the need for strong investments to bring our transit system on to a state of good repair. i look forward to working with you and others to develop a transit title that can begin to meet neither for the next surface transportation bill. this record is going to remain open until a week from today. we would ask our witnesses, if you do receive questions, to please respond to them as expeditiously as possible. they are helpful in dealing with some of the questions that we have. with that, this hearing is adjourned.
3:59 pm
the internet content i think we would all agree should remain free from regulation. but as susan crawford has said, it's like confusing the conversation for the sidewalk. of course we want the conversation to be free and unregulated. the fcc has no place regulating content online. they have always made sure the pathways stay open. today we have a regulated phone system or the vestiges, the fcc doesn't regulate what i say when i call you, but they make sure the pathway is affordable, available, nondiscriminatory and there for everything to use. it's crucial to think about whether those platforms remain
4:00 pm
open. the internet has grown up. a teeny company can get access to the network and become in some cases like google or facebook a huge business. it's vital that that not change as the internet evolves. more opinions on the fcc's open internet policy and the flow and speed of web traffic, tonight at 8:00 eastern, on the communicators, on c-span2. we're live at the new america foundation, on nsa surveillance, and speakers will include technology experts and a privacy lawyer with google. we'll also hear from two members of congress who sit on the house, science, and space technology committee. live coverage on c-span3. this should be getting under way in just a few moments. all right. we're going to go ahead and get
4:01 pm
started, folks. hi, and welcome to new america, a nonprofit civic enterprise. dedicated to preserving foundational american values in a time of technological change. i'm kevin bankston, the policy director of the open technology institute, which is the technology and tech develop wing of new america. where we are focused on building a stronger and more open internet for stronger and more open society. i want to thank you for all coming here today and braving the heat, or for tuning in via the webcast or c-span. for today's panel events national insecurity agency, how the nsa surveillance programs undermine internet security. since the first snowden leaks, almost all the controversy around the nsa has been focused on its program to collect phone records under the usa patriot act and monitoring of internet communication under section 702 of the fisa amendments act and
4:02 pm
focused on how to -- yet the nsa has engaged in a wide variety of conduct that is in our view threatening, secretly undermining encryption tools and standards, inserting back doors into products, stockpiling vulnerabilities in commercial software that we use every day, rather than making sure those security flaws get fixed, building a vast network of spyware inserted into computers and routers around the world, including by impersonating popular sites like facebook and linkedin, even hacking into google and yahoo's private data links. finally, though, congress is starting to pay attention to how the nsa is threatening not just our privacy, but cybersecurity itself. in june last month, the house overwhelmingly voted to approve two amendments that would defund the nsa's attempts
4:03 pm
to undermine standards and insert back doors for surveillance in the communication technologies we rely on. those amendments were sponsored by zoe lofgren and alan grayson and backed by a broad bipartisan coalition. today after flying back from we're going to focus our panel on these issues. which until recently have been ignored, though they were a central focus of the own review group in december. this panel focusing on the costs to the overall internet security is a follow-up to our panel discussion earlier in the spring about the economic and foreign policy costs of the nsa programs overall, and previews the release of our paper later this month "surveillance costs, the nsa's impact on the economy, information security and internet freedom." with that. cue the representatives.
4:04 pm
>> hi, i'm congresswoman zoe lofgren. thank you for inviting me to be part of today's discussion. i regret i can't be there to talk with you about the important issue, but on june 19th, the house took a big step toward shutting the back door on unwarranted government surveillance by a massive bipartisan margin, the house agreed to an amendment that prohibits the government from searching americans' communication and data without a warrant, and from requiring that device manufacturers or service providers create back doors in their products or services for surveillance purposes. as many of you know, and action we were discussing today, when an individual or organization builds a back door to assist with electronics surveillance, they place the data security of every person in business at
4:05 pm
risk. it's simple. if a back door is created for law enforcement purposes, it's only a matter of time before a hacker exploits it. in fact, we've already seen it happen on more than one occasion. for example, in may of 2014, it was reported that a major security flaw was found in software used by law enforcement to intercept communications that allowed a hacker to listen into any call recorded by the system. fortunately, the amendment passed by the house was a worth while step forward and will make a meaningful difference, but our work is not done. this amendment in june was the first time that congress had the opportunity to debate and vote on the distinct issue of the fourth amendment and the nsa. we need to continue pushing to protect private information and data security. and we need the senate to follow suit. because when the house of representatives had the
4:06 pm
opportunity finally to vote on it, the result was overwhelming. the house stood up to the american people and for the constitution. that is something we can all celebrate. we sent a strong signal if the government wants to collect information on citizens, get a warrant. thank you for your hard work on this important issue, and i look forward to working together with each of you to keep pushing for a safer, more secure internet. >> thank you, congresswoman lofgren. next up, representative alan grayson. >> thank you for inviting me to share this panel on the nsa, and thank you for the good work that you do to protect privacy and security in america and throughout the world. listen to me, if the chinese government had proposed to put in a back door into our
4:07 pm
computers, and then paid a company $10 million to make that the standard, we would be furious. we would be angry. we would do something about it, but what about if it's our own government that does that? that's exactly what the nsa has become, the best hacker in the entire world. when they put in a weakness into the architecture of the software that everyone uses, they're making it a weakness not just for their benefit, but for anybody who comes along and knows about it. that's a crying shame. we are entitled to our privacy as human beings, many of our economic activities cannot be done unless done with some degree of security and safety. the protection that the nsa is purporting to provide to americans is actually being undermined by the nsa itself. that has to end. that is why i'm happy that many of you joined me in passing two amendments recently which represented the first substantive limits on the nsa's ability to insinuate itself into
4:08 pm
our software for improper purposes. one was our science and technology committee amendment, which said that nist no longer has to be a short-order cook for whatever the nsa tells it to do, another was a parallel amendment on the house that passed unanimously among democrats and republicans for the same purpose. these are the first steps we are taking to take back our privacy, take back our own security and freedom. i welcome your help in doing that. it's one of the greatest endeavors of modern life, to make sure we can preserve modern life against the encroachments of big brother. i'm congressman alan grayson, thanks again. >> thank you to both representatives to take the time for both messages and start a too much delayed conversation about the nsa and security, a conversation we're going to continue today. i'd like to invite the panelists
4:09 pm
to please come on up. if you're wondering what representative grayson was referring to, we're going to explain what he was talking about. >> joining me on the stage, joe hall, the chief technologist, and who i was lucky enough to get to work with. danielle kehl, and the author of our upcoming paper on the costs of the nsa programs, including the cost of security. david lieber, the privacy policy counsel for google here. bruce schneier, author, fellow at the berkman center at harvard and here at oti. among his many books and always, including one you can find outside, he's doing some of the original reporting based on the snowden documents, about the nsa's impact on security while
4:10 pm
working with "the guardian," and amy stepanovich. we're going to break up just the conversation to talk about four sets the things that the nsa has been up to. along the lines of our upcoming paper, and along the lines of the handout that those in the room might have picked up in the front. first we're going to talk about the undermining of crypto standards, second the insertion of back doors into products and services. third the nsa stockpiling of vulnerabilities in software, and fourth the range of offensive tactics that the nsa is using. after spending about an hour on those issues, we'll spend a few minutes batting cleanup, talk about in pop recommendations we missed, and then we'll turn it over for you guys for questions.
4:11 pm
to keep our communications secure, representative grayson made reference to that, as did the president's review group in its recommendation number 29, talking about the importance of encryption to ensuring the security of our communications online and the continued health of the internet economy. so i'm going to i think start with amy to explain what the heck happened? what did the nsa do? who or what is nist, and why does what they do matter? >> the nsa actually has two different -- very, very different missions. the first is signals intelligence. this is a mission that most are aware of, the mission under which they conduct all of the surveillance operations that you've been hearing about pretty much ad nauseam for the last year, the second lesser known
4:12 pm
mission is under which the nsa is supposed to be promoting security standards, encryption protocols, pretty much making sure all of your communications stay secure. it's under the information assurance mission that the nsa communicates with nist, the national institute of standards and technologies. nist deals with many, many things. they set standards across the board and so many different types of businesses, jobs, not only encryption, but one of the things they do is set encryption standards. under a law called the computer security act passed in the 1980s, they coordinate with the nsa and the nsa technologists and assurance mission on these encryption standards. however, the computer security act, which was actually very well drafted, made after a lot of collaboration between security experts and kind of the
4:13 pm
formative days of the internet was preempted by a law passed in 2002, 5 being a key date in surveillance laws, because it was post-9/11. the federal information security management act, and it was language not as fine tuned, and allows the nsa, if you look at it closely, to come in and to undermine the encryption standards in a way they weren't able to, or they probably weren't able to under the previous language. so under this law, the nist is required, absolutely required to consult with the nsa on all encryption standards. the amendment that representative grayson alluded to earlier, this is primarily an act that funds -- has not made it to the senate yet, but in that bill an amendment was added on out of committee that says
4:14 pm
that the nist is no longer required to consult with the nsa on standards. they are still able to, and this is in recognition of the fact that nsa has a lot of funding, a lot of really smart people who do this work, and they shouldn't be prevented from being able to help and assist, but they are no longer required to consult, which means that there's going to be a lot more accountability if those encryption standards get undermined. later on, as part of the defense appropriations act, a second amendment, again alluded to by representative grayson, actually is supposed to prevent any funding from being used by the nsa to undermine encryption standards. so not only if the first act passes will nist no longer be required to consult with nsa, but when they do, the nsa cannot act to make us all a little less
4:15 pm
secure. >> perhaps bruce can say wee over what nist is doing. can you talk about how the recording indicates that the nsa in fact undermined the standards that were set. >> it's surprisingly complicated. nsa does a lot of undermining of fundamental technology, we learned to intercepting cisco equipment as it's being shipped to the customer and inserting back-door chips. so undermining happens all through the process. what we are looking at here is what happens as products are being built, as standards, protocols, things that affect every example of the product. so it's encryption standards, it is implementations, it's software, and all of these have examples of the nsa going in and deliberately weakening security, of things that we use so they
4:16 pm
can eavesdrop on particular targets. we have one example of a mathematical random number generator, that was a nist standard, that was modified by the nsa to put in a back door. there's a lot of standards where this didn't happen. that's actually a very risky place to do it, because that's likely -- this actually was discovered in 2006. we didn't know who did it, we had some suspicions, and it wasn't until the snowden documents that we had more of the story. more likely you are going to see nsa back doors in places you can't actually see. so you might imagine an operating system in your computer and phone, with an encryption product and program you use that is not as good as we think it is. that would be much harder to find, much harder to pin on who did it, a lot of examples, we'll find these sorts of bugs and they look like mistakes, they could be mistakes, they could be
4:17 pm
enemy action, enemy action by the u.s. or somebody else. we don't know which programmer did what. so this very active undermining not only undermines our security, undermines our fundamental trust in the things we use to achieve security and it's very toxic. >> it would seem the standards not only undermines the standard itself, but trust in the process, whereby we achieve these standards. i'm curious if someone could speak to the issue -- we were talking about this random number generator, a code that's a part of many products used widely across the internet. can someone speak to the nsa and the role in this, the $10 million that representative grayson mentioned? >> this gets a little complicated as
4:18 pm
well, but bear with it. the subtitle of the panel is "it's complicated." >> yeah. so this law, random number generators are extremely important in encryption. in encryption, which is essentially complicated math to make things totally unreadable, you have to generate very big numbers that no one else can generate. they have to be random. if you have a flaw in a random number generator, that means somebody may be able to predict the key, may say here as the shape of the key to your house and cut that key and break into your home. the nsa apparently did this with one particular random number generator. fuls. >> it was hard to tell at first. we knew the generator had been used in a lot of popular products, not only that, but incorporated in a piece of software that other products en masse use. one of the unfortunate things
4:19 pm
that we found out, you know, with a lot of this snowden stuff, i'm glad we know it. it's very scary, but i'm better for having known it. we learned that there was a contract. rsa -- >> nsa had paid them -- you could be gracious and say the nsa was tired of configuring -- and just wanted it to be set up out of the box, but no it's the default across the whole product line, so anything that incorps would use in random number generator. now, i think, as far as i can tell, i saw a report that very few products out there in the
4:20 pm
wild, at least the ones you can measure by testing web servers, thing like that's correct don't use -- they use other sources of randomness. and so this is sort of one thing if you don't know cryptographers like bruce, you learn quickly they're some of the most paranoid people in the world, and apparently many of them have moved en masse to change the technologies they use away from ones that have this unfortunate flaw in them to ones we at least don't believe have flaws in them and have stood the test of time against a lot of people banging away at them. >> thanks, joe. i wanted to turn to david from google, and talk about what you think this activity by the nsa means from a company or user perspective. and what you think.
4:21 pm
maybe the fact that those efforts were undertaken is maybe as less surprising, but i do think it's important to take a step back from a broader context understand what the government's current view, particularly in intelligence committee's view about the users ease use of encryption. there are minimization procedures under section 2. what those procedures say is that notwithstanding a requirement to destroy wholly domestic communications, encrypted communications, whether used by u.s. persons or non-u.s. persons can be retained indefinitely at the direction and in writing by the nsa director. i think it sends an unfortunate
4:22 pm
message that the use of en -- particularly with -- that's not a positive. that's not a positive moment for users or for companies. i think it has the potential to bleed over. i don't know that users commonly distinguish necessarily between encryption and other security tools. so while end to end encryption and tools might be difficult to use and hard for ordinary users, there are other things that companies use. two-factor authentication, that's relatively easy to use and implement. if the perception is all of these tools will ultimately be undermined or exploitable, i think that creates disincentives for users not to take advantage and avail themselves of those tools. as a result with future cybersecurity incidents, there's the potential to exact greater harm than there would be if
4:23 pm
users were actually paying attention to these issues and being more cautious about how they interact with products and services. also, i'm curious, moving forward, what are the policy options, prescriptions that we have seen so far in how to deal with this issue, the nsa undermin -- nsa undermining -- >> one of the things is the key between nist and the nsa this is maintaining it statutory requirement, and that nsa taking advantage of that to undermine certain standards. that's dangerous, because the standards are used by developers in lots of commercial products. it's not like about we'll talk about it later where they pick a particular product, but it's the standards used in a sort of variety of things. also a reputation as a standard
4:24 pm
setter, which is something the united states has been a leader in for many years. so part of it is making sure there's not a requirement in our law that allows the nsa to take advantage of nist. on the other side, i think nist is a body that needs to rebuild its credibility. they have started reviewing their own policy and guidelines. they claim they didn't know what, you know, what was happening in 2006 when this compromise standard was issued. but they are now sort of looking through all these things. they're facing a trust deficit. they need to rebuild that so the u.s. can continue to be a leader in standards, so that developers and ordinary users will trust what they say. >> i saw bruce had something to say? >> the fundamental issue here that we're seeing again and again, is not that the nsa is
4:25 pm
spying on whoever the bad guy is that they want to spy on. the issue is they are deliberately weakening the security of everybody else in the world in order to make that spying easier. so when we look at solutions, the solutions are always going to be on the order of force the targeted and not do the broad attack form the broad attack is what hurts everybody. as i think representative lofgren said, once you build a weakened anything, you can't guarantee you're the only person to take advantage of it. once you do any kind of broad attack or surveillance, you suddenly start losing control over what you're doing. it's not the target, it's the fact that it's that broad. >> bruce, you also mentioned you actually wrote about, in fact i think we handed out we have your pieces about a particular policy solution to this issue, where you said to break up the nsa.
4:26 pm
can you talk about what you meant by that? >> it's along the lines of what amy talked about. the nsa has two missions in one agency. there is the attack them and the defend us. those were pretty complementary missions all through the cold war, because you saided same expertise to do both, but their stuff and our stuff were different. tapping a soviet undersea naval cable had no effect on u.s. communications. you were able to keep those two missions under one roof because they were physically separate in what they did. what's changed with the internet is that everyone uses the same stuff. you can't hack the soviet random number generator without affecting all of us. so those missions now collide. that's where the problem is. what i view as how to go forward, i think we need a much more formal breaking of the
4:27 pm
security mission, the insurance mission, which protects communications from the united states from the world, protects standards, makes us safer from all the attackers out there, from the targeted espionage mission, surveillance mission going after the bad guys. now, additionally, if we get into more complication, that espionage mission is now too complicated. it has two components as well. during the cold war it would be simple. we would spy on enemy government communications. the rules were agencies of a foreign power, we would eavesdrop. that changed after september 11th. now the surveillance is against pretty much everybody. everybody in the country. we get all of the 268 calls going in and out of bermuda not just government ones, but everyone. we get the phone call metadata of every american.
4:28 pm
these measures, the broad surveillance measures, government on population surveillance i think have a much more law enforcement like to it. but government espionage, cold war, older, that's a military mission. that's great. government on population surveillance is much more of a law enforcement mission, i think belongs in a law enforcement agency, not in the military agency. that's broadly the way i want to divide things up, to be more in line with what we imagine the rules and regulations governing these different activities should be. >> moving on as a transition to our next discussion about back doors into various products and services, i was hoping maybe joe could take us on a brief history lesson. it seems when it comes to back door in crypto, we had this debate, called the crypto wars,
4:29 pm
the government wanted a clipper chip in secure devices so the government could have lawful access to the data that was encrypted, eventually that didn't happen. could you talk a bit about that? >> sure. >> it seems like we won the crypto wars, but then the nsa kept fighting them in secret. >> encryption is a wonderful thing, but for the longest time it seemed to be entirely the purview of the u.s. military under the nsa. so one of the craziest things that happened in our history is people started to learn about it, and there were independent discoveries of fundamental cryptographic methods that had been discovered a decade before by other people working in the military, but now you had academics and other people discovering these things and realizing, geez, we're going to have a computerized network future, we might want some privacy, some confidentiality, some security, that we need --
4:30 pm
we need to have these kinds of methods outside of pure military control and in the hands of civilians. so there's this tension going on, what the administration at the time proposed was something called a clipper chip. essentially a chip that had an encryption key on it, where that key was escrowed with the government, the idea being -- actually sharded, cut into two pieces and there would be two parts of the u.s. government that would have them, and then if you were doing something bad or they suspected you were doing something bad, they would presumably get a warrant, and then be able to listen in on your encrypted conversations which would sound like gibberish, white noise, it will go with this law order, get this key, and because they had this escrow key, they could then get access to the data. i believe bruce withdraws on
4:31 pm
this, i believe, so this amazing group of experts, one of which is up here right now, wrote this extremely compelling paper that basically said, look, here are the problems technically with keeping copies of keys around in places where you think only the government can get access to them. in fact the eff, electronic frontier foundation commissioned and built a cracker for the clipper chip, i believe december maybe i'm getting things mixed up. >> it's complicated. we were able to argue this is not a good idea and it won't work. a cool book called "crypto" it talks about this back and forth war between the advocates of very complicated math, and people that thought that's only going to make the world a
4:32 pm
horrible place, because bad guys will be able to hide stuff from the u.s. government. what it turns out, we won the crypto wars not only on the key escrow front, but also on the export front, the u.s. government would not let you export very, very strong encryption technologies for many years. after a bunch of wily coders and deep thinkers essentially put a bunch of very secure crypto code on news groups, and if you don't know what it is, you may have to look it up. it may be beyond your time if you're young. when that happened there was no vision we could keep this within u.s. border. one side stopped fighting and we
4:33 pm
were happy to move on to other battles in the advocacy realm, but what seems to be happening is they decided we'll fight it in a way they'll never know it. do things like undermine the encryption technologies, intercept routers on the way to customers to put things in there, so you're not even messing with the math, but with physically soldered hardware component. it turns out they've been doing massive amounts of things. -- who knows. >> well, it seems that in the arguments when it comes to arguments against the clipper chip and for allowing export of strong crypto, there was an economic argument, the idea that if we're going to be transitioning a lot of our communication to these networks, if we want them to be used, if we want confidence in our transactions and grow that information economy, we actually need it to be secure.
4:34 pm
that is the same argument that many have been making in response to what we're learning about the nsa's insertion of back doors into a variety of software products and a variety of services. i was hoping maybe danielle could introduce us into what we've been learning in the past year about those back doors. >> sure. i think joe described the transition between this public attempt to insert a back door to all products and the nsa to have the key. when they lost the public ballots, they turned to the companies and said let's figure out a way to develop relationships, to leverage product design, to convince them to make it easier for the nsa to get access, the idea being only nsa would have access, and i think everyone can explain why that theory is not necessarily sound for security. what we have learned in the past year, the nsa spends about $250 million a year on a program
4:35 pm
called sigint enabling, this is one of a multiple of it can knowledges, they coveredly flew product design. i think the words are to shape the global technology marketplace to facilitate our types of collections. so this idea they can convince companies to make it easier for them to get access. so this is inserting back doors into encryption, into end user devices, 4g technology. the goals of this project are wide-ranging, to try to get access in as many different ways as possible. this is kind of a very, you know, private and sensitive way to get the companies on their side to let them insert back doors.
4:36 pm
it's not always with the knowledge of the companies that they're inserting back doors. joseph mentioned intercepting cisco router to insert back doors. i think this is the tip of the iceberg that the nsa wants commercial products that they might need agents to, but these are also the products that we all use every day for our communications and various different activities online, so it's the idea that they want to insert a back door only they will know about, so they can insert the information or malware or pretty much do recall whatever they want. i think that was a sign i should stop talking so. there's a law called calea,
4:37 pm
communications assistance for law enforcement acts, that later applied to broadband providers as well, to make the systems wireable. there's been discussion of expanding that to apply to other online services. can you talk about that debate and what some of the arguments were that you and others in civil society and in the security world had against that proposal? >> sure. in other words, why are back doors bad to security? >> yeah. >> up until about june 5th of last year, which is the first snowden leak was made public, the fbi had been pushing very strongly internally to the obama administration for essentially this argument they made was they were going dark. the fbi was going dark. what that means is back in the day, all they had to do is get a warrant and use telephonic wire tapping. it used to be as easy as
4:38 pm
attaching alligator clips and listening in. it got more complicated with circuit switching and packet switching, all sorts of crazy stuff. it got to the point where they passed a law, we call the wiretap law -- it's the tech wiretap laws. that said any provider of services of telephone services essentially must have a way to wiretap people. you must be able to respond to a law enforcement request to wiretap this stuff. the fbi has been saying people don't use phones as much anymore. thesis your what's app. >> i play clash of clans and talk to people via that. there's a variety of ways we communicate these days. over about two years the nibble arguing we need some sort of fix, some way to make us -- to make these things more bright, so not going dark, but getting
4:39 pm
brighter for them so they could get access to this stuff. what surfaced was essentially a proposal to wiretap all software. it basically said that the fbi could come to you as a maker of a piece of software, with something called i believe a wiretap assistance order, but you would have to see the text of the law to understand what it was, and they would say, we need to get access to this stuff, please do it. if you say, gee, the product is not designed to do that, it will take a while, they would say make sure in the future when we come to you, you can with a nobody turn on the wiretap capability for this stuff. so sort of a way of putting you on notice you needed to build a back door into your products. unfortunately for them this got leaked to the press in an absurd way, when you saw proposals, you get served with this order, you're on notice, you need to
4:40 pm
wiretap your users. if you don't do it, you'll get $10,000 a day and it will double every day, which if you do some basic math gets to like all the money in the world is like three or four weeks. to 0e89 totally ridiculous. pretty strong, but totally ridiculous. this gorgeous paper was written to called calea 2, the risks of wiretapping end points, something like that. it made a compelling argument, and i'll shut up in a sec. first was, this was a bad idea. putting back doors in products is fundamentally undermining the structure of the universe if you think about it in a physical reality sense. what i mean by that, everything you do online involves communication. to the extent you want some integrity to know it hasn't changed, you're going to be using products that use encryption or other kinds of
4:41 pm
security features. that's not going to work anymore, because they will have these back doors that no one can prove, though the random number generator may give it a run for its money. but the most compelling art is not going to work. think about the firefox or another source browsers. if they put a back door, it's easy to put that piece of code out, recompile it and turn it into executable software, or without the back door. if you can't do that in the u.s., all of the security development product electric go to the countries. these kinds of things will still be available. you can't suddenly erect a treaty. >> i'm reminded of a particular example in the telecom context where in the mid 2000s, so like
4:42 pm
the u.s., greece had systems for lawful intercept of their phone system. they eventually discovered that some unknown adversary, rumored to be the cia -- rumored -- had actually compromised the lawful intercept systems and had been using it for a long period of time to actually spy on the high echelons of the greek government, including its prime minister or president. so a good object lesson is in how these can backfire. any thoughts about the security implications of back doors? >> bit. >> bruce has written an essay on almost everything we have talked about, and they're great. >> the question is, should we compromise the security of everybody in order to access of data of a few? in order to believe that's a good idea, you have to believe
4:43 pm
that, one only you can use that compromised path. if in some way no one else can use it. the greek example is an example where that isn't the case. contingentman lofgren mentioned another example. there's lots of examples where this global compromise is used by other people that the expect to weak within security you also have to believe, and i don't think this is a good idea, the value of this path to the few outweighs the security of the many. you have to believe that. i think that security in our security, data, information is vitally important to all of us, there is a wide variety of threats out there, and security is one of the ways we protect
4:44 pm
ourselves, and what the fbi and nsa are acting is our mission trumps that, then we want access to that person so badly that none of your security matters, matters less. when we talk about harms, how the nsa harms security, this is it. they harm security, because they believe their need for access to the few trumps the need for security for everybody. i mean, that -- that story from greece was a u.s. product, and the greeks didn't even want the feature, the feature of the lawful access wasn't wanted. it was just in the code, so it happened to be there. it came with the product, wasn't turned on, someone snuck in, turned it on, used it. so here's the government having their government communications
4:45 pm
breached because of a back door they didn't even want. a back door is put in, three years from now criminals are using it. now what? i don't think this is a difficult trade-off to make. the problem is the nsa is not equipped to make it. this has to be made in public at higher levels. that's why i like seeing some of these bills being proposed that actually has congress making these decisions. at least we have a chance with them recognizing that security trumps surveillance. >> so we do have -- now, we have the president's review group, and recommendation 29. i'm nerd enough to have favorite recommendations in that report, and 29 and 30 are them. urging the u.s. government to make clear that the nsa won't mandate any product change, that the vendor doesn't have to change the product to underneath the security the lofgren
4:46 pm
amendment, again a pretty broad bipartisan, and ted cannot mandate or even request that a product vendor or service provider weaken their product to enable surveillance. that amendment was vocally supported by google among a variety of groups, but david, i was curious if you could talk about why google chose to support that. >> >> yes. >> the second was with regard to the back door i think it was an important upon the. just really quickly on the
4:47 pm
back-door search loophole, section 702 enables the intelligence community to -- prohibits the intelligence community from intentionally targeting the communications of u.s. persons or people in the u.s. what it doesn't really speak as to is what happens when the communication of u.s. persons are incidentally collected. we learned more about that from "the washington post" article that appeared yesterday, about just how extensive that collection is. i think it reinforces the importance of the amendment, because under current law, effectively the intelligence community can -- a blind eye to the fact that there's a large cache being collected, and that are being searched without the protections that the fourth amendment would normally afford. this is something i think that's been core to google's advocacy here for quite some time, that there should be an ironclad warrant for content requirement. that's something the supreme
4:48 pm
court at the very least hinted to in some of the dicta from the riley opinion a couple weeks ago. >> the searching of cell phones so we thought it was important, to weigh in and support, you know, on both the backdoor search loophole component, but also prohibit the use of funds, albeit for one year to require companies to build in these sorts of back doors. it would seem sort of -- maybe a year ago this sort of language might have seemed unnecessary, but actually it's important to restore trust that these sorts of things are not being requested, so i think it's a positive step, but i think there's obviously more to be done. again this is an appropriations bill. it was an amendment to a bill, and it's unclear whether it will ultimately survive the entire process.
4:49 pm
>> i the story in worst on sunday, i think that will get them their next pulitzer on this topic. any other comments on this issue? >> one more thing about trust. we're talking about trust and how this destroys the trust. i think it's worth talking about exactly what the trust was. they were invulnerable. we know that security is hard, vulnerabilities are everywhere. what we did trust is that these security technologies, these products would rise and fall on their own merits. that they would be what they were advertised. now that there was some government hand secretly sneaking in and twiddling with
4:50 pm
the knobs. that's the failure of truth. it's a big one. something we have to deal with. lying to me when you say this product is secure. you have been made to -- enforced to make changes. not allowed to talk about it. we know this has happened. this happened with microsoft. we know that microsoft has made some unknown changes to skype to make it easier to eavesdrop. we don't know what they are. we don't know how they were done. we know that they happened. now how is that going to play in international markets? germany recently kicked verizon out of a large contract because they didn't trust that verizon was behaving in their customers' interest. they didn't trust the nsa didn't come in and force them to do something and then lie to their customer about it. that's the betrayal. and it's a big one because we as
4:51 pm
technologists like to believe that the technology rises and falls on its own merits. >> again, the drilling back from, i think bruce alluded to it. from the broad, broad targeting of everyone to the more targeted. it isn't going to get rid of the targeted surveillance that they are trying to collect. we talked about many different ways the nsa has conducting surveillance on legitimate targets that it's been able to prove probably have foreign intelligence information. this just eliminates their ability to spy on everybody at any given time which is really what we're trying to continually do is to take it away from everybody as a target to let's look at who the real targets are. perhaps as another commentator said, makes them fish with a pole rather than a net. spinning off bruce's comment about how we don't expect our
4:52 pm
products to be perfectly secure. we just don't expect them to be insecure. software does have flaws in it. bugs, vulnerabilities. these things called zero days. what we learned in december in a great expose which some of us are starting to wonder whether it came from a source other than snowden. we learned of nsa's massive catalog of vulnerabilities in a wide variety of widely used products. hardware and software. and basically, they can pick and choose and go, oh, the target has that? here's a vulnerability for that. bruce, can you help us out with like, where did those come from? and what the heck is a ze and where can i buy one? >> software is completely complicated everywhere, and we as scientists, we as a community, we as a technologist
4:53 pm
do not know how to write and secure code. all software contains bugs and vulnerabilities. you know every month you get a dozen or so updates to your microsoft operating system. those are all closing -- fixing bugs, closing vulnerability. those vulnerabilities can be used to attack systems. remember earlier i talked about -- amy started with that. the nsa's dual missions. protection and attack. when vulnerabilities can be used for both. if you discover a vulnerability you call up microsoft and say you have this vulnerability. microsoft fixes it. we are now all safe. nobody else can use that vulnerability to attack systems. you discover that vulnerability, call up a criminal and say, look what i found. that vulnerability is now used for attack. it's being used to break into systems, steal money or passwords. we in the security community
4:54 pm
recognize the way to improve security is by continually researching, finding and fixing vulnerabilities. now the nsa can play either end. they have two missions. they can play defense. use those vulnerabilities to make things more secure or play offense, keep those vulnerabilities in their back pocket and use them to attack systems. but, remember, no targeted versus abroad, those vulnerabilities affect everyone. they are in an operating system in the internet. so now we have this question. what should the nsa do? there's been debate about this. should they hoard them to attack the bad guys? fire cyberweapons? come up with all these reasons why you might want to keep them. but by keeping them as vulnerabilities, we are now vulnerable to them or should they fix them? if you fix them, you are fixing
4:55 pm
vulnerabilities of the good guys and bad guys. that's the fundamental debate. and the question comes down to, what's more important? security or surveillance? is it the surveillance of the few that beats the security of the many or is it the other way around? >> so we've learned that the nsa has a very large catalog of these vulnerabilities it's stockpiling and using for its own offensive. the alternative is -- one of the alternatives is simply disclosing them immediately or something in between that. danielle, you've done some research on this in preparation of our paper. what have you seen out there in terms of the discussion of how should the nsa handle this? >> so i think that this is something that this comes up in the president's review group report. but it's come up many times before. and there's a really great paper about the idea of lawful
4:56 pm
hacking. and what they talk about is this, you know, this challenge of how -- what's the best and most sort of ethical way to get access to communications for lawful purposes. zero days are -- you'll always find zero days and find some kind of vulnerabilities. so the tendency and when there's this tension between the offensive and defensive capabilities might be to say, we might need all of these, which kind of ignores the fact that since you're going to keep finding security holes, you are going to just sort of continue to come up with an ever longer, ever growing list of these holes. and so what they talk about is what a responsible practice looks like where when you find a vulnerability of some kind, you disclose it immediately, unless you have a sort of very compelling and immediate need to use it. so if you are looking for something specifically at that moment and it's a sort of like
4:57 pm
high national security reason, you might be able to use that vulnerability and then later as soon as you've used it to get what you needed, then disclose it to the company so the company can patch it and all the ordinary users who are also sort of open to attack because of that can have their software or their products patched. the other thing that they point out which is very true is that software patching isn't immediate. so you can -- even when you find a vulnerability you can disclose it and continue to exploit it as a law enforcement agency for a short period of time until, you know, you sort of run out and then go and look for another way to get in. this is a very complicated issue because there's something strange about the idea at all of exploiting vulnerabilities to get access to information. it's the idea this is inevitable, it's going to happen and we need to figure out a reasonable way to deal with the problem while still recognizing there may be legitimate law enforcement or national security needs. the president's review group says the same thing. the default should be disclosure
4:58 pm
of vulnerabilities. sort of immediate and then the only, you know, for a very compelling reason, following sort of a senior interagency review process. the nsa might be able to withhold vulnerability so they can use it. what it says they should not be doing is holding on to them and accumulating their own arsenal of vulnerabilities and not letting, you know, the companies know because that means that sort of all -- general cybersecurity is weakened. so just in case the nsa might need that vulnerability at some point for some target, they have access to it. and so, i mean, it's this all or nothing approach where there's no recognition of the fact that it's actually bad for everyone's security that these holes are out there. these flaws aren't being disclosed and it's not telling the companies so they can patch it and the companies themselves are also looking for these so they can responsibly patch them. it's saying, no, no, we have this information. this came up in the debate about the vulnerabilities.
4:59 pm
did the nsa know about the vulnerability. if they did why didn't they disclose it? was because they've also been looking for ways to exploit the openssl protocol for years so they can get access to things? that is a serious -- that's a serious allegation and it's a serious challenge. of course, they talked about disclosure process that they have. they didn't really say very much about the details of it and about what constituted an extraordinary circumstance. >> so there was this story that was denied that nsa knew about heartbleed. it seems that is not true. but in response, the white house said, by the way, though, we actually do have an interagency process to decide when to disclose vulnerabilities. we've had it for years. and we are now in the midst of reviving it or revitalizing it in response to the review group's recommendations. that would seem to imply they weren't fully following it before or something.
5:00 pm
but i'm curious, what do we know about this so-called vulnerabilities equities process. >> so you touch on a lot of it. we know that the nsa has a stockpile of vulnerabilities. we know that the u.s. stockpiling vulnerabilities is one of the main drivers of the economy of vulnerabilities. it raises the price because the u.s. is willing to pay quite a bit of money for vulnerabilities it thinks it can exploit. so we have this process that they -- kind of like, oh, my god heartbleed. oh, my god, people think we knew about it. what can we do? let's dust off this really old thing that we probably haven't been using for a long time and say this is going to be the process by which we figure out if we're going to review vulnerabilities so they can be patched. it's a multilevel weigh-in process where they are looking at whether or not you're vulnerable versus their o
