
Politics Public Policy Today, CSPAN, August 6, 2014 1:00pm-3:01pm EDT

1:00 pm
>> the backlog occurred over a period of time for a couple of reasons. one, that the old system that was being used called r.a.m.p. its functionality was not sufficient, and they pulled the plug on the program. so then a backlog, you know, began to grow. additionally, i think, over time, as the federal protective service changed the nature of its work force from a police officer force to an integrated force of inspectors that had a lot of different duties, that this particular responsibility of doing the assessment, which fell on them, and which many were not trained for, took up an increasing amount of time. they had other duties as well including managing contract guards and contract guard contracts and other things. and so they fell behind, quite frankly. >> it's not part of an annual review? it seems like it ought to be done annually to make sure that assessment is up to date all the time.
1:01 pm
>> it should be done on a level three and level four building every three years. as i mentioned, it's simply not occurring at this point in time. >> all right. my time is expired. i yield back. thank you, chairman. >> thank you. the chair recognizes miss norton. >> thank you very much. i appreciate the hearing. there are chronic problems at fps. i would like to look at the difference between fps officers and contract guards, so we understand who is guarding these buildings. on page 2 of your testimony, you describe the law enforcement authority of fps officers, specifically police powers, including enforcing federal laws and regulations, carrying firearms, et cetera. then, of course, on page 5 of your testimony you distinguish these officers from the contract guards.
1:02 pm
who -- this is very important, i think, to just lay right here on the record, it is in your testimony. the psos rely on private person laws such as citizens arrest laws. so that means that they can do no more than i can do in a federal building. i mean, isn't that technically correct? >> yes, ma'am. they are governed by state law as to the extent of their authority. >> all right. i see. were the nebraska avenue contract guards replaced by federal protective service officers? >> no, ma'am, they were not. >> what is at nebraska avenue? >> contract protective security officers.
1:03 pm
>> what was the difference? what was the change? >> i'm sorry. >> what was the change at that nebraska avenue? >> oh, the change was in the oversight of the contract. fps was oversighting the contract. we had core responsibilities. contract officer representative responsibilities, day-to-day oversight, how the contract is executed. >> fps is supervising or has oversight over these guards at the department of homeland security at nebraska avenue? >> we were. that has been -- that particular responsibility has been now moved to the office of security. >> that is unique, then, only at the department of homeland security does that arrangement -- >> only at the nebraska avenue complex. we still retain that responsibility at hundreds of dhs facilities around the country. >> so i want to ask you to tell us why -- i think we have to ask the department.
1:04 pm
i think it's pretty apparent why. they obviously felt they had to be made more secure, and they went to professional security authorities. now when fps guards who guard all the rest of the buildings and the federal employees and the visitors, if someone comes into one of the facilities and has a gun, with or without a gun, and decides not to go through the magnetometer, can a contract guard pursue that person? >> yes, ma'am. they can be detained. at that point, they call the fps megacenter who dispatch either an fps inspector or local authorities. >> i asked that because there have been instances reported where contract guards stood by. not when someone had a gun,
1:05 pm
but when there was a disturbance saying they could not leave their post. >> every day, ma'am, we have contract guards who are engaged and responding to disturbances, especially at social security offices. i mean, we have literally hundreds of them that happen every year. so contract guards -- >> the contract guard is not pinned on the post? he can go anywhere in the facility where there may be a disturbance. he can pursue someone with a gun even though he doesn't have a gun. >> i'm not sure that i understand your question. >> someone comes through -- >> right. and -- remember what you're there for is for surprises, not for the average person coming through. someone comes through with a gun. >> yes, ma'am. >> i'm trying to find out whether the contract guard who has no gun, can pursue that person? what he must do. >> yes, ma'am. our contract guards are armed. if they see the individual --
1:06 pm
>> all of them are armed. >> they are armed, yes, ma'am. >> is there a central curriculum for how they're trained? >> yes, ma'am. >> who provides that curriculum? >> we do. we lay out the -- we lay out the requirements for the training, and we are currently in development of a national training -- national program for training that we will work to employ. >> my time is up. i yield back for the moment. >> thank you. we'll begin our second round of questioning and i'll go with a question to mr. patterson. clearly fps doesn't have enough federal law enforcement officers to respond to all federal buildings in a timely manner. you have to rely on contract guards as your first line of defense. you noted in your testimony that the authority of contract guards to use deadly force comes from state and local laws, and in most cases, they do not have the authority to pursue subjects.
1:07 pm
in order to address the threat posed by active shooters, would it be helpful for fps to have the authority to delegate some federal law enforcement authorities to contract guards? do other agencies have this ability and how does it work in those cases? >> yes. if we look across the spectrum of the authority, look at tsa, that's a federalized force. if you look at the u.s. marshals service, they have the authority to deputize, which gives them extensive power to direct their workforce in just about any direction they want. then you have the department of energy who has a guard force protecting nuclear plants and other facilities where they have some limited law enforcement authorities that allow them to arrest and do the things they need to be done on an immediate basis.
1:08 pm
what we would seek would be to streamline our pso authority structure, and what that means to give us the opportunity when we needed to increase the authority of the pso, we can. for instance, during hurricane sandy, our response to hurricane sandy, we were being requested to provide extensive support to the citizens -- to the folks in new york and our facilities in new york. our vendor quickly ran out of resources to provide to that situation, to that event. we then began to query our other vendors to see if they could help with that response. what we found was we had to go through the state of new york approval process, which took quite a bit of time.
1:09 pm
if we had the authority to just more or less empower them at the federal level to go in to do that, then we could have done it more quickly in response. so it would help improve -- it could help improve the pso training. now we could directly provide focus training on the areas we want them to respond in. it was also with the fps mission readiness. yes, sir, anything of that nature would be of help. >> fps does not have many law enforcement personnel. fps relies on state and local law enforcement to be the first responders to the federal facility in the event of an emergency. do these state and local law enforcement personnel have all the authorities and tools they need to respond to an incident at a federal facility, and do you have agreements in place with the relevant state and local authorities to ensure that they respond accordingly? >> from time to time, sir, we do have a problem. if there is an impromptu
1:10 pm
demonstration, especially in our smaller cities and towns, if there's an impromptu demonstration or national security event that may take place, we may ask the local law enforcement folks to assist us. in some instances, their response is we can't respond, we would love to respond to you, but we don't want to be held liable for anything. this is a federal event, and we don't have that authority. so if we were able to provide that authority and say, listen, you are now acting on behalf of the federal government, that would clearly give them some relief, if you will, on their willingness to help us. >> there have been some concerns about fps's staffing levels for some time. in fact, language carried in the appropriations bills have required a minimum staffing level. you only have 1,300 employees, but we understand that up to 40 of those employees may have been reassigned to functions outside
1:11 pm
of fps. is that correct? and how many fps employees have been assigned outside of fps and why? >> yes, sir. well, when we left i.c.e. and came to nppd, we lacked the infrastructure for things like human resources and logistics and those things. so clearly we had to come up with some staffing levels for that. and that's what we have contributed to. that's the benefit that we derive when we contribute assets as they help us in creating our infrastructure, if you will. >> mr. goldstein, given the number of outstanding work items at fps, can fps afford to assign its employees to other parts of the department? >> it's probably not a question i can directly answer because we
1:12 pm
haven't looked at where they are assigned and what the rationale for those assignments are, but it's clear that fps still struggles with trying to get the basic job done that we have talked about here this morning in terms of risk assessments and in terms of contract guard oversight and things you have brought up, sir. so i do think that's something you need to look at routinely. >> the chair now recognizes ranking member carson. >> thank you. mr. goldstein, are you aware of any off-the-shelf technology that would effectively allow fps to digitize their oversight of contract guard certifications and trainings? and do you believe this technology would allow fps to improve oversight immediately? >> we haven't looked specifically at it, but in the course of our work, we have been told by many people that there are off-the-shelf products that could readily do this job and fps does not have to reinvent the
1:13 pm
wheel. >> director patterson, you know, sir, federal law requires that fps have just over a thousand law enforcement officers. how many law enforcement officers does fps actually need to meet its mission, and has fps prepared a report that indicates, based on an activity based cost model for human capital, that fps needs significantly more law enforcement officers, and what might that number be just generally? >> yes, we have looked at that. given the circumstances of today when we did the assessment, it's about 1,300 law enforcement that would give us the proper leveling, if you will, for the commitment that you have today. as that commitment grows, that figure will change. >> thank you, thank you, mr. chairman, i yield back. >> the chair now recognizes ms. norton. >> thank you, mr. chairman. i want to pursue that 1,300 figure.
1:14 pm
how many fps officers are there and how many contract guards are there? >> yes, ma'am. today we have a thousand sworn law enforcement fps officers and the contract guard force fluctuates depending upon the requirements. today they are about 13,000. >> have budget cuts or the sequester had any effect upon contract guards or fps officers? has there been a reduction in personnel in the last two years? >> there has not been a reduction of the fps staff, but there was -- sequestration did have an impact on the contract guard force in that when buildings closed, there was no requirement for contract guards, as such, we did not have. >> most buildings closed.
1:15 pm
those that didn't close -- let me ask you this. were fps officers put on furloughs? >> no, ma'am. no fps personnel were put on furlough. >> and contract guards were affected when buildings closed but otherwise they were on duty? >> yes, ma'am. >> i would like to ask you, mr. goldstein, about the supervision. you talked about a cookie cutter approach or no cross cutting agency approach to security but agency by agency security. now these agencies each have committees. these committees, of course, consist of personnel who are no more than the people who work in the building and none of them have any security background training or knowledge.
1:16 pm
is that not the case? >> yes, ma'am, that's correct. >> but they have some significant responsibility for security in buildings. would you describe the role of these lay people in security? >> yes, ma'am, we have done some work that's a couple years old now. it takes a look at the committees and explains that the individuals who make up those committees, as you said, rather tend to be the tenants of the building. and the tenant that has the largest footprint in the building typically chairs that committee. i have gone to and my staff has gone to a number of committee meetings over the years, and they do tend to be made up of lay people. they tend to be, for instance, perhaps the administrative assistant or office manager for a specific agency. people like that. it tends to be frankly a
1:17 pm
delegated job that many people don't really want. >> so what is it that they have to do with security? >> they are responsible for taking the information provided them by the federal protective service in making decisions. about what kind of countermeasures they will put in place. and going back to their home agencies to get the necessary funds for doing this. as you know, a process that could take a number of years. >> and of course, through what expertise can they recommend changes in security and get the funds for that? >> they rely on the expertise generally provided by the fps as well as they may call on their
1:18 pm
own security people from their agencies or departments to assist them. but the problem, as we've described it, is you have the security of federal buildings essentially being decided by a lot of lay people over a very long period of time, when countermeasures need to be put in place fairly rapidly. >> mr. chairman, i think one of the most -- one of the -- i believe these security committees or agency committees have -- are central points of vulnerability. someone who represents the agency and he says for example, take the department of transportation. i know this only by chance. the department of transportation is close to this very capitol. if you go to the department of transportation, you have to get someone in the department of
1:19 pm
transportation to come down. even if you have a badge from the united states congress. if you're a member of the public, you can come into the capitol. you can use our cafeteria. the department of transportation is a beautiful new building. a new cafeteria. we haven't figured out a way for the public that paid to come in if they have a kid to use the lavatory. can't get into that building. that has everything to do with the committees. do you believe these committees are appropriate as the decision makers on how much security is needed for a specific building, so you can have vast differences between the capitol and the department of transportation, for example? >> the interagency security committee recently put out some draft standards, which is going to hopefully better professionalize these committees.
1:20 pm
but we have long had concerns that this kind of -- i call it a three-legged stool. gsa has some responsibility, fps has responsibility and the individual security committees have some responsibility, but that may not be appropriate today as a way to direct and oversee the security of federal property. >> this is, i think, an important issue for this agency to secure. nobody is in charge if there are three possible people in charge. and i submit that these agency committees are really in charge of security in buildings. not the fps and not the contract guards. thank you very much. >> the chair now recognizes former chair of the transportation committee, mr. mica. >> thank you for holding this important hearing, making certain that our federal facilities are secure.
1:21 pm
important responsibility. a couple of questions. first of all, mr. patterson, still remain and one of the most devastating attacks i can recall is the devastating bombing in oklahoma. i think more than likely, that was a domestic terrorist attack, but international terrorist act received the use of bombs, the boston bombing. we're probably overdue for another hit, because you can get a lot of explosives and create explosive devices fairly easily
1:22 pm
as we have seen. how often are you briefed on intelligence and can you tell the committee who is your -- who you are getting your intelligence information from and how often are you meeting with those folks? >> yes, sir, i can. within the federal protective service, we are really beginning to build a very structured intelligence apparatus, intelligence gathering apparatus. >> but again, there are agencies that do that. >> i'm just saying how we collect it, sir. what we do is we have our folks who are assigned to the joint terrorism task force with the fbi. >> so you're getting most of your intelligence from the joint task force of the fbi? >> no, sir, we're getting it from a variety of resources. i'll start at the lower level at the fusion centers, from the state fusion centers. >> from states?
1:23 pm
>> yes, sir. >> how often do you meet with them? >> our folks meet with them every day. >> okay. federal? >> federal from the fbi and from the defense department, from all of the federal intelligence and analysis at the department of homeland security. >> how often do they meet? >> we talk to them every day. >> and how is that information -- the bulk of your people are contract people, 15,000. how is that information delegated? you don't get to every one of the 15,000, but someone in the chain has to be made aware that a certain threat or risk is occurring and make people aware of what we're looking for. >> yes, sir. what we do is immediately once we receive a threat, that information is packaged so we can communicate that. depending on the threat, it may
1:24 pm
be classified. if it's classified, we have to figure out how to get it down to the lowest level. >> you have a thousand leos? >> yes, sir. >> are they at each location? is there someone at each location? >> no, sir. >> but there's someone who can get the information? >> yes, sir. we can get those to our folks as well as -- >> how often are some warnings put out? daily, weekly, monthly, periodically, sporadically? >> it just depends. >> it would be good if you could give us the chain of command, who you might meet with and when, just for the record. i'd like to see it as part of the record, if you could. and how you meet with them. i think most of what's happened we still have and there's usually local law enforcement
1:25 pm
who are at the final scene. but again, the deficit in intelligence information is what's going to do us in. that's what i want to know for the history of the committee. i see you have a mass of dogs, how many dogs? for explosive detection? >> i think it's about 74 to date. >> i thought you had thousands. >> no, sir. >> is that contract dogs? >> no. >> you don't? >> no. >> i don't see a lot of explosive detection devices at some of these check points in the federal buildings. i see the metal detectors. the biggest threat right now is explosives. >> yes, sir. >> but i don't see a lot of them. do you have a lot of them out there? >> not explosive detection devices. >> i think you're missing the boat there. i think that's where our threat is. finally, we're a little over.
1:26 pm
i guess we let others over a little. but you have a thousand leos. do they participate in live fire testing, training? >> yes, sir. >> do you use simulation? >> we don't do simulation. >> i want a report back, i want to know why you're not using simulation. it's more cost effective. you can train them to the highest levels possible. we use it for our military. none of your guys are in combat. i haven't seen a lot of firing of weapons on the scene. our military are on the scene in combat and a good portion of their training now comes from simulation. you are behind the times. i want a report back to the committee and to me on your proposal to use simulation for training those leos and stop using all the expensive, costly live fire ammunition.
1:27 pm
>> may i ask -- can i clarify, sir? are we talking about simulations? >> using simulation training, weapons training, situation training. >> we do have weapons training where we do simulating training, but we don't use simunitions. that's where the officer will have devices that are strapped to him. when another officer fires a weapon, it will tell whether there was a hit or not. we do simulate training. >> i want to see exactly what you have. give us a full report and i want to introduce you to people in simulation training and introduce you to military, very cost effective and save you a lot of those expensive bullets. yield back the balance. >> the chairman now recognizes you, sir.
1:28 pm
>> we have had a lot of discussion on resources and management by the fps. you guys are also responsible for managing related equipment such as security cameras. is that correct? >> yes, sir. >> the way i understand it is there's indications that there's some cameras that may not be working and also no mechanism to track and maintain these cameras. is that correct? >> no, sir, we track and maintain our cameras. we are developing a more robust system to do that more effectively. actually, every time we go out and conduct a security facility assessment, we are tracking that. when our inspectors go out and visit their facilities, they are also looking and inspecting cameras. >> what type of expense has fps acquired or incurred by these cameras, installation, the purchasing and install of them? >> those are all paid for by the
1:29 pm
fsc, the building, the participants -- the folks who occupy the facility. >> so what percentage of the cameras do you guys go out and check? i say this because i have several companies, on my phone right now i have an app where i can hit and check in on all my companies because of the security cameras that we have around there. it's an unbelievable asset when utilized correctly. it's also a huge personal expense our company has had to take on. but the cameras are worthless if they are not being tracked, if they are not being watched, and the percentage of those isn't 10%, it's not 5%, but it's 100% of them. they are all installed for a purpose. what percentage does fps look at? >> when you say --
1:30 pm
>> when you're tracking, looking at them, maintaining them, making sure they are even working, what percentage of that? you're saying when you visit the facility. >> no, sir. we're about the business of ensuring all the cameras work. when they don't work, we move forward to work with the security facility committee to either fix the cameras or replace the cameras. >> what i'm trying to get to is are you actively seeking these? >> yes. we want to ensure that the cameras are working. you're correct, the security is less effective if the cameras are not working. >> mr. goldstein, what about with jo and the cameras that you guys have? >> we have taken a look at some of the cameras over time that fps has. we have done work and shown a
1:31 pm
number of facilities have not had adequate cameras and fps wasn't able to determine when crimes were committed, who committed those crimes, perhaps, when things were taken out of the building. we also know of a number of instances where other tenants, particularly the courts, have become quite frustrated because they did not feel that maintenance of the cameras was sufficient and they took over those responsibilities and paid for them themselves. i continue to hear anecdotally, we have not done a comprehensive report, so it's not generalizable, but we do hear anecdotes about frustrations with keeping these cameras working and modernized. >> mr. goldstein, you're saying the same thing this committee has heard, too. mr. patterson, that's what i was trying to get at, the frustration behind it. we have technology out there and it's not being utilized.
1:32 pm
the tenants, these buildings, the ones that are depending on these cameras, that's supposed to have a layer of security. instead it's become a layer of frustration. and there is a better way to do things. i would be curious if you guys could, or if you use, take a look at it. see if there's a better practice. just the way we're doing it, just spot-checking it, going through it. you heard from mr. goldstein, the committee has heard the same thing, there is a layer of frustration that's taking place. >> yes, sir. and i recognize there is a layer of frustration. i have spent a lot of time talking to the clerk of the courts, irs, security. >> a lot of people are giving lip service. >> i'm not giving lip service.
1:33 pm
i'm ensuring when folks are dissatisfied or unhappy with the service that people are happy. respectfully, i'm not giving lip service. >> i hope next time we visit, we can see a plan that's laid out. >> yes, sir. >> i would like to think we could improve on this. thank you, sir. i appreciate you giving me the extra time. >> thank you. one final round of questions. mr. patterson, the law enforcement authority for the fps lies in the public buildings act. it's our understanding that this authority has been redelegated to other entities such as the chief security office, fema, i.c.e., federal law enforcement training center. why is this law enforcement authority being delegated and -- across dhs, and isn't this fps's responsibility? didn't this delegation of authority create the unity of command problem at the
1:34 pm
headquarters that dhs cited as the reason for removing fps as the security lead at the headquarters? >> sir, i don't have an answer for you. i don't know why the different agencies or different elements have been granted that authority. i don't have an answer. >> thank you for your time and cooperation. thank you. we'll now call our second panel.
1:35 pm
>> on your second panel, mr. david wright, president of afge local 918, and the general counsel of the national association of security companies. i ask unanimous consent the witnesses' full statements be included in the record. without objection, so ordered. since your written testimony has been made a part of the record, the subcommittee would request that you limit your oral testimony to five minutes. mr. wright, you may proceed. >> thank you, mr. chairman. members of the committee, i am president of afge local 918 which represents the employees nationwide. i'm also an inspector with the federal protective service since 1986. federal employees and facilities are very vulnerable to attack from both criminal and terrorist threats.
1:36 pm
are they as secure as they should be? they are not. is that security as effective as this congressional office building? definitely not. solutions include accountability for fps leadership, pushing staff to the field, effective on site security and effective tools for risk assessment and recruiting. regarding the culture of accountability, in 2010 and 2013 gao reported problems with guard screener training and certification requirements. there's no excuse for these failures. three years later they should have been fixed. responsible managers should have been held accountable. however, obviously lost in the broad brush of reports, these are not organization-wide failures. in several of 11 regions almost everything seems to go well. guards receive fps training, untrained guards are not used for screening, firearms qualification is monitored and guards are trained on active shooter scenarios.
1:37 pm
in these regions, they trust fps to fail. for these fps employees simply refuse to fail. fps appeared to treat these failures as a structural issue to be solved by reorganization. this resulted in an unclear direction funneled through an extra layer of management who either ignored or missed problems. dhs, aided by your oversight, should remove the extra layer and fire or demote managers who failed to accomplish critical tasks or uphold the fps code of conduct. building security is not a tee ball game to build self-esteem. it's serious business with serious consequences. regarding the shift of staff to where service is delivered, the federal law enforcement officers who deliver incident response, arrest offenders, and deliver assessments and guard monitoring are short staffed and struggle to get it all done.
1:38 pm
allocation of 68% of total staff to field law enforcement is not indicative of a lean, agile and high-performing organization. an organization with less than 1,400 employees that has eight senior executives, 39 gs-15s and 138 gs-14s, with over half of these assigned to headquarters, is top heavy. the remedy is, congress should establish a ceiling for ses, limit gs-15s at headquarters to 125% of the number assigned to the regions, and mandate reduction at headquarters to 1.5% of total fte. also allow fps to use building specific charges for fte when officers are dedicated to the facilities, and restore the minimum law enforcement staff to its 2007 equivalent of 1,150. regarding effective on site security services, unlike the senate and house office
1:39 pm
buildings where the on site forces are comprised of federal police officers, gsa facilities rely on contract guards for this function. fps guard contracts do not use economies of scale to reduce hourly cost. the size of the fps procurement staff has doubled, but it now takes 400 days to implement a new contract. our remedy, take action to direct the use of federal police officers for large multi-tenant facilities that are open to the public and provide direction to efficiently consolidate guard contracts within the same state or contiguous areas. also mandate a reasonable procurement staffing model and mandate cost effective procurement options such as potential use of gsa. regarding effective tools for recruiting and risk assessment, fps currently uses an interim risk tool called m.i.s.t. the
1:40 pm
gao found it wasn't compliant with government standards and available tools that do. the remedy is to mandate fps -- mandate fps expeditiously acquire and field a compliant risk tool. regarding retention and recruiting, when applicants for federal law enforcement look at fps, one of the questions is, are we covered by law enforcement retirement? when told we are not covered by law enforcement retirement, the best and the brightest start looking elsewhere. at the national law enforcement memorial, where the names of u.s. law enforcement officers who have died in the line of duty are inscribed, we recognize the supreme sacrifice of those heroes. among the names inscribed at the memorial are six officers of the federal protective service who died in the line of duty. should any other officer die in the line of duty, their name will be added to that list. if we live and die as law enforcement officers, congress should recognize that service --
1:41 pm
that service by allowing us to retire as one. thank you for the opportunity to testify at this important hearing. dedicated officers at fps and employees in federal facilities await your expeditious action on these serious matters. >> thank you for your testimony. you may proceed. >> thank you, chairman. chairman, ranking member carson, i am executive director and general counsel for nasco, the national association of security companies. it's the nation's largest trade association, whose member companies employ more than 300,000 security officers across the nation servicing commercial and governmental clients. since its founding in 1972, we have worked with legislatures and officials at every level of government to put in place higher standards for private companies and private security officers. member companies provide security officers to numerous
1:42 pm
federal agencies, including the majority of the protective security officers, or psos, under fps. not counting the military services, there are approximately 35,000 contract security officers across the federal government. and the use of contract security is an effective and cost efficient countermeasure for safeguarding federal facilities, employees and visitors. over the past several years, the gao has identified challenges fps faces in its mission to keep federal facilities secure, including issues related to the pso program. nasco has been working with fps, congress, gao and gsa to address these issues. while the pace of progress on some issues may not be as fast as gao would like, progress is being made. and since the appointment of director patterson in 2010, the depth of dialogue and breadth of cooperation between fps and its security contractors has been unparalleled. there's no doubt director
1:43 pm
patterson and others at fps are committed to improving the program, and we are currently working together on a variety of initiatives to improve the pso program. to address deficiencies in fps's capability to provide crucial x-ray and magnetometer training to psos, fps launched a pilot program that is training and certifying security contractor instructors to provide the training. also, this training has recently been revamped and expanded by fps. in the area of active shooter training, we have met several times with fps to discuss fps's development of new active shooter training for psos, an effort which is definitely on the fast track at fps. and fps is wisely looking at what other agencies are doing with their active shooter training for the contract security officers they utilize. we are also working with fps on pso
1:44 pm
lesson plans and revisions, as recommended by isc and gao, of having all pso training instructors certified. in other program areas, there is a revision of the manual called the smart book. it governs and instructs psos on how to act, and not following the smart book would be considered a contract violation. there's a new chapter on active shooter response. there's better language on the issue of authority and, most importantly, by design the format of the smart book will allow for making revisions as needed. fps is also undertaking a comprehensive review of pso post orders and seeking ways to improve its management of pso training and certification data. for this latter effort, we strongly recommend that fps explore commercially available technologies and work closely with its security contractors, who have to provide and upload the data. one area that continues to present challenges is the
1:45 pm
pso's authority to act and liability for acting in preventing or responding to an extreme situation such as an active shooter. on this issue, congress should consider providing statutory authority to authorize psos to make arrests on federal property. such arrest authority is already provided to contract security officers at other federal agencies. there are other elements of the federal facility security process not related to psos that need to be addressed. take, for example, as has already been discussed today, the decision to implement specific security counter-measures for a facility. in gsa owned or leased buildings, fps is responsible for conducting the facility's security assessment and recommending counter-measures. but the decision to implement those recommendations is solely up to the facility security committee, which is made up of representatives from the facility's tenant agencies. however, as gao has found,
1:46 pm
quote, tenant agency representatives to the fsc generally do not have any security knowledge or experience but are expected to make security decisions for their respective agencies. and with tightened budgets putting pressure on tenant agencies to accept more risk, it calls into question whether they are making informed risk-based decisions. counter-measures deemed necessary for security should not be rejected because of either a lack of understanding or an unwillingness to fund them. in the last congress, nasco supported training for fsc members and challenging decisions not to implement counter-measures. in closing, we look forward to continuing to work together to find ways to support fps's mission to render federal property safe and secure for federal officers, employees and individuals in a safe and effective manner. >> thank you for your testimony.
1:47 pm
i'll begin the first round of questions. if there are any additional questions following the first round, we'll have additional rounds as needed. mr. wright, you highlight in your testimony challenges with the staffing and the number of law enforcement officers. you point out 67 law enforcement officers are assigned to headquarters. do you know if they were assigned to fps headquarters or other parts of dhs? >> those 67 are assigned to fps headquarters. the point being, those individuals do not respond to law enforcement calls for service on a daily basis. in my mind, they don't meet the definition of field law enforcement staff. >> you mentioned the delegation of law enforcement authority at buildings to entities outside of fps and the duplication of security services at other agencies. can you explain, and how does
1:48 pm
this duplication impact the security of federal facilities and the chain of command? >> of course, most recently was the issue -- >> can you pull the mic a little closer to you or something? >> yes. most recently, the issue with the nac, in which security staff took control of nac security. recently, in past years, immigration and customs enforcement has stood up their own security unit. they use hr-1315 as their authority, and they assess their i.c.e. buildings across the u.s. it's duplicative in nature. fps conducts those surveys and so does i.c.e.
1:49 pm
that's probably the most recent example besides the nac. >> you highlight in your testimony differences between how fps oversees and manages its contract guards as compared to other agencies. for example, you highlight the u.s. marshals. what do those agencies do differently in terms of the authority and training they provide to their guards? >> excuse me, the major difference is that with their contract security officers they have authorized them to make -- be able to make arrests on the federal properties where they are employed. this is statutory authority granted to doe through an act of congress. that is something that we'd like to see considered by congress for the psos at fps. in addition, though, sir, there would also be additional training that would be required with that additional authority. >> mr. wright, have you looked
1:50 pm
at how private contractors have been used to provide security at doe, the u.s. marshals service and even at dod to identify how fps can better utilize and improve security at federal buildings? >> of the three agencies that you cite, dod, doe and the marshals service, i work most closely with the u.s. marshals service, so i can cite experience there. the contract security officers in these federal courthouses are all hired as former law enforcement. they've all been through some sort of law enforcement academy. and i'm unsure -- they are deputized by the u.s. marshals, who have that authority. they are an effective force in the u.s. courthouses. and it's, i think, that ability to be deputized by the marshals that's most important.
1:51 pm
>> you mentioned that most of the federal agencies that use contract security officers contract with security companies to provide training. can you provide us with some examples of what other agencies are doing in that regard, and how that can be applicable to fps? >> sure. like, for instance, doe. they require that the contract security companies that they contract with provide all the training for the contract security officers there. the training is very comprehensive. it involves weapons training. it involves use of intermediate force. basic training. and all of that training. and at many of the agencies, the training that's provided to contract security officers is done by instructors who are certified, and also they are responsible for 100% of the training. a big issue at fps is that, for
1:52 pm
some reason, fps has held back the authority to provide the x-ray magnetometer training. and because of personnel resource issues, as mr. goldstein pointed out, sometimes that x-ray magnetometer training is not provided to the psos. >> thank you. the chair now recognizes ranking member carson for his questions. >> thank you, mr. chairman. mr. wright, what is fps' relationship with the facility security committees from the union's perspective, and do you believe that the committees generally rely on fps' expertise when evaluating recommendations for countermeasures? >> as an inspector, i've worked with differing facility security committees across the government. firstly, it's a matter of how seriously the agencies take that facility security committee.
1:53 pm
if it's a smaller property with fewer agencies, even less budget, they don't tend to take those facility security committee recommendations seriously. we are -- fps is the expert at the table, for the most part. as you go up in the size of buildings, you have more tenants, more agency heads. these committees tend to, like any other, in some cases undesirable, task, become a collateral duty. my experience is that when it becomes a collateral duty, or especially when agency funding is not available for security, then the recommendations don't make it through. no matter what an inspector
1:54 pm
says, these issues, these countermeasures are not going to be funded. and that's the primary problem with facility security committees: no agency is funded for security countermeasures. >> how often are members of your association fined or penalized for not having proper documentation for their contract guards? and also, to your knowledge, sir, has any contract guard company working with fps been debarred for not fulfilling their contractual duties? >> in terms of the information on the rate or the amount of times that contractors have been fined for not having officers who have their training and certifications, i don't have that information. but nasco, we fully believe that
1:55 pm
in those situations proper action should be taken. i think that contractors, they have to pay back for the hours they're provided. then there is also monetary fines. and then also it should affect their performance rating for potential future contracts. we have no problems with fps being able to enforce the provisions of the contract against contractors. but i think an issue is who has the right data. one company has data, then it's got to provide it to fps. and fps's management system is very problematic. but definitely, if there are psos being put on post who don't have the training and certifications, in violation of the contract, that company should be held in violation of the contract and punished. >> thank you, sir. lastly, mr. wright, how does the lack of recognition of fps
1:56 pm
officers affect recruitment and morale of officers? clearly it has an impact, but is it substantial enough that we need to look more deeply into this? >> it affects it in the sense that, sometimes you have law enforcement officers past the age of the mandatory retirement of 57 years old. you tend to have officers that stick around perhaps a lot longer than they should, for their own safety and for the public's safety. >> sure. thank you, mr. chairman. i yield back my time. >> mr. wright, what is the kind of protocol to respond to an active shooter in a federal building where an fps officer may not be on the scene? can you walk us through the role of the contract guard in that
1:57 pm
scenario? >> contract guards are limited by their post orders, which are basically prescribed by their private contract. the contracts spell out what the guards -- what services will be provided. that is translated to what the facility needs and goes into the post orders. generally, guards do not leave their post. guards are responsible for maintaining that post, locking doors, letting the tenants out and letting the good guys in to come to pursue the active shooter. but generally, these guards will not leave the post.
1:58 pm
and as per post orders and basically per contract, which is also tied to state and locality issues with their authority. >> so in a scenario where an active shooter may be on another floor and begins shooting, the guard doesn't leave his post? there's no authority that that guard would have to do anything other than to wait for help? >> correct. technically the guard should not leave that post. in some federal buildings you do have a rover, which is not tied to a post. but those are few and far between. what's going to happen when it happens? we have a lot of good security officers in the field. i think, just like any law
1:59 pm
enforcement officers, individuals are going to do what they have to do. and then you face the consequences of what comes after. >> mr. amitay, you highlight in your testimony the steps fps has taken to improve post orders for the guards at federal facilities. are those orders clear on what is expected and what the authorities are of the contract officers? >> they're getting better at providing that. one thing that we've emphasized is that post orders need to be facility-specific and they need to be tailored to the building. but they do -- in industry's view, they are trying to provide better instructions and guidance to the psos, and that includes now this recent issuance of a new pso manual.
2:00 pm
i'd just like to respond or just comment on that last question. i would note that in 2010 there were three active shooter incidents involving federal facilities. one was at the holocaust museum, one was at the pentagon and one was at a federal courthouse. in all three incidents an active shooter came in and had a gun and started shooting at the personnel, security personnel, on duty. in all three incidents the active shooter was neutralized. in two of those incidents the security personnel were contract security officers. in one of the incidents it was a law enforcement officer. so the psos, they do have the guidance and instructions to engage an active shooter and protect self and third parties. and that goes to the issue of the state law and the state powers. and under most state licensing laws, an armed security officer
2:01 pm
definitely has the authority to use his weapon to neutralize an active shooter. >> the chair recognizes ranking member carson. >> thank you, chairman. my last question. mr. amitay, in your testimony you indicate that members of your association use off-the-shelf technology to effectively manage their contract guards' training and certifications. have you shared this technology with fps? if so, when? and have they indicated that they would use this technology? if not, why not? >> that's a great question. i was actually talking with the pso program manager the other day about this issue when i read in previous testimony about how fps is working with the science and technology division to prototype a guard tracking system, for lack of a better terminology, when those systems are commercially available. now, i think some of the difficulty is in terms of the
2:02 pm
layers of security that fps would need to put on its security officer certification and tracking data management system. but the bottom line is that whatever system they use, it's going to have to interface with the systems that are being used by the contract security companies. and there are, as mr. goldstein said, there are commercially available technologies, and fps might be able to use elements of those technologies on their side. but without a doubt, that is a big problem, and i think it can be solved because there's no reason why there can't be a database management system that both the security contractors and fps can access and upload data to. the idea that security contractors are sending in paper forms, and then fps is manually uploading that, just seems an anachronism. >> thank you, sir.
2:03 pm
mr. chairman, i yield back. >> recognize the gentleman from pennsylvania, mr. perry. >> thank you, mr. chairman. so it's my understanding that the federal protective service has four alarm monitoring facilities, or mega centers, that monitor federal government security alarm accounts. one in maryland, one in michigan, pennsylvania and coll. the centers also have the law enforcement function of dispatching federal protective service officers on emergency calls. has your agency ever done an analysis on what the overall operational cost is to maintain the four facilities, including staffing, and whether it would actually be more cost-effective for the taxpayer to move the alarm monitoring function to a commercial monitoring center? >> we haven't looked into that. but alarm monitoring is not an inherently governmental function. so i think that is something that someone could look at.
2:04 pm
that goes, though, to the issue of response. when the pso sees something or there is a problem, they should always contact the mega center unless there is an fps law enforcement officer on line. but in terms of the management and operation of those mega centers, whether it can be privatized, we have not looked at that. >> would that be something you would seek to do from a cost savings standpoint? is there a concern that there would be a breach in security or a diminution of security by doing such a thing? >> i think in this type of situation, where the fps mega centers act more in a management function for fps over the contract security officer force, i think that maybe fps would want to retain control of that management function. but that's just something that we've never looked at.
2:05 pm
>> thank you, mr. chairman. i yield back. >> thank you. thank you for your testimony. your comments have been helpful to today's discussion. if there are no further questions, i would ask unanimous consent that the record of today's hearing remain open until such time as our witnesses have provided answers to any questions that may be submitted to them in writing, and unanimous consent that the record remain open for 15 days for any additional comments and information submitted by members or witnesses to be included in the record of today's hearing. without objection, so ordered. i'd like to thank our witnesses again for their testimony today. i'm very concerned about what we have learned today. the fps is directly responsible for protecting 1.4 million workers and visitors at federal facilities. we know by experience that federal facilities are targets.
2:06 pm
gao has documented numerous security shortfalls over the years, and their recommendations remain largely incomplete. yet, rather than focus the department's efforts on addressing these problems and enhancing fps, we learn the department has removed fps from its lead security role at dhs' headquarters. we learned dhs has re-assigned fps' resources and staff for other purposes outside of protecting buildings, stretching already-thin resources even thinner. and we learned dhs has taken law enforcement authorities for protecting federal buildings and delegated some of them to department security officers, to fema, to immigration and customs enforcement, and the federal law enforcement training center. unfortunately, this looks a little like what we saw happen to fema. when fema was moved to dhs, dhs
2:07 pm
dispersed its authorities and responsibilities throughout the department, creating real confusion as to who was in charge of responding to a disaster. and we saw the results of that in the poor response to hurricane katrina. i hope that this is not what is happening here. but when i look at this may 1st memo, it says there is no clear unity of command at the nac. this is very disconcerting. frankly, i wonder if we had the correct witnesses here from dhs, because it seems decisions are being made about fps from somewhere else in the department, and it's not clear by whom. i expect we'll have a number of follow-up questions as we assess what we have heard today. if no other members have anything to add, the subcommittee stands adjourned.
2:08 pm
today's the final day of the u.s.-africa summit that's been taking place this week here in washington, d.c. president obama will hold a closing news conference this afternoon at 5:00 eastern. we'll have that live on our companion network, c-span. and yesterday the president announced that the u.s. government will invest $33 billion in africa's economy aimed at boosting financial ties with the continent. on our facebook page today, we've been asking you, is private investment in africa better than government aid? sheila says -- investing will expect a rate of return, which
2:09 pm
is far better than just giving money away. annette weighs in -- stop all foreign aid until the u.s. has secure borders and everyone here illegally is returned to their designated country. then help others. we invite you to share your thoughts at facebook.com/cspan. tonight, the netroots nation conference from earlier in the year in detroit, including the discussion on the super pac ready for hillary, which recently announced $2.5 million in donations over a three-month period. here's a preview. >> one of the things that's really unique about this organization is that, you know, we're not so -- it would be presumptuous to think that ready for hillary could dictate what hillary's message is going to be. this is not a campaign. it is focused on building a
2:10 pm
grassroots army and building grassroots infrastructure. so for every time that hillary goes out and gives a speech about recent things that have happened, voter suppression, we're really echoing that, making sure that our e-mail list knows the key points that she's hit on and giving people opportunities to really join in the efforts that she's promoting. and then also really just using her as a force of personality. so a lot of the imagery that you see on the facebook page and on the e-mail list and other social network channels are things that we've done a lot of testing on and seen that people really respond to, because she is an inspiring figure. >> that was a preview of tonight's airing of the netroots nation conference. watch the entire thing beginning at 8:00 p.m. eastern on c-span. here on c-span3 we continue our look back at the events of the summer of 1974 and president nixon's last weeks in office.
2:11 pm
tonight, part of the house judiciary committee's day-long debate over article 2, which charged president nixon with abuse of power. also a conversation with a former director of the richard nixon presidential library and museum. he explains why the abuse of power charge was at the heart of the impeachment proceedings and how the committee's vote continues to shape our understanding of presidential power. that's all tonight beginning at 8:00 eastern here on c-span3. while congress is in recess this month, c-span's prime time programming continues at 8:00 p.m. eastern on friday with the western conservative summit in denver. saturday, robert gates, condoleezza rice, and madeleine albright on the situation in ukraine. and sunday on q&a, ronald reagan biographer edmund morris. with live coverage of the u.s. house on c-span and the senate on c-span2, here on
2:12 pm
c-span3 we complement that coverage by showing you the most relevant public hearings and events. six unique series: the civil war's 150th anniversary, visiting battlefields and key events. american artifacts, touring museums and historic sites to discover what artifacts reveal about america's past. history bookshelf, with the best known american history writers. the presidency, looking at the policies and legacies of our nation's commanders in chief. lectures in history, with top college professors delving into america's past. and educational films from the 1930s to the '70s. c-span3, created by the cable tv industry and funded by your local cable or satellite provider. watch us in hd, like us on facebook and follow us on twitter. representatives from google and yahoo! recently testified before a senate committee on
2:13 pm
efforts to protect consumer data and security from third party ads and malware. the federal trade commission's privacy and identity protection associate director also testified. senator carl levin serves as the chairman and john mccain serves as the ranking member. for almost a year the permanent subcommittee on investigations has been investigating hidden hazards to consumers' data privacy and security that result from online advertising. our subcommittee operates in a very bipartisan way, and our practices and our rules provide that the ranking minority member may initiate an inquiry, and our tradition is for both sides of the aisle to work on investigations together, and our staffs work very, very closely
2:14 pm
together. this investigation was initiated and led by senator mccain. so i'd like to call on him to give his opening statement first, after which i'll add a few additional remarks. but first, i'd like to commend senator mccain for his leadership and his staff for their anything
2:15 pm
2:16 pm
but still has his computer infected with malware delivered through an advertisement. at the same time, online advertising has become an instrument -- instrumental part of how consumer companies reach consumers. in 2003, online advertising revenue reached a record-high of $42.8 billion surpassing for the first time revenue from broadcast television advertising which was almost $3 billion less. with the continuing boom in mobile devices, online advertising will become even more lucrative in years to come. in this hearing we'll outline hazards consumers face through online advertisements, how cyber criminals have defeated the security efforts of the online advertising industry, and what
2:17 pm
improvements could be made to ensure that consumers are protected online and the internet remains a safe, flourishing engine for economic growth. make no mistake, the hazards to consumers from malware in online advertising are something even a tech savvy consumer can't avoid. it is not a matter of simply avoiding shady websites or not clicking on advertisements that look suspicious. for example, in february of this year, an engineer at a security firm discovered that advertisements on youtube served by google's ad network delivered malware to visitors' computers. in that case the user didn't need to click on any ads. just going to youtube and watching a video was enough to infect the user's computer with a virus. that virus was designed to break into consumers' online bank accounts and transfer funds to cyber criminals. a similar attack on yahoo! in december 2013 also did not require a user to click an
2:18 pm
advertisement to have his computer compromised. a consumer whose bank account was compromised by the youtube ad attack has little recourse under the law as it currently stands. of course, if an affected consumer managed to track down the cyber criminal who placed the virus, he, or relevant law enforcement agencies, could take legal action against that wrongdoer. but cyber criminals today are normally part of sophisticated professional criminal enterprises, often overseas. tracking them down is exceedingly difficult, even for professional security specialists. a consumer has essentially no chance whatsoever of recovering funds from cyber criminals. how can it be that cyber criminals can sneak malware into advertisements under the noses of the most technologically advanced companies in the world? cyber criminals employ clever tricks to avoid the current security procedures used by the online advertising industry. one of these key security procedures is scanning, essentially having a tester
2:19 pm
visit a website to see if a virus downloads to the test computer. just as normal online advertisers can target their advertisements to run only in specific locations, cyber criminals can also target by location to avoid scanning. for example, if a cyber criminal knows that the facilities responsible for scanning ads are clustered around certain cities, they can target the malicious advertisement to run in other areas so that the scanners will not see it. cyber criminals have used even simpler techniques to bypass security. when law enforcement raided the hideout of a russian cyber criminal network, they found calendars marked extensively with u.s. federal holidays and three-day weekends. these cyber criminals were not planning fourth of july picnics. they were planning to launch malware attacks when the networks would be at their lowest. this past holiday season, on
2:20 pm
friday, december 17th, 2013, two days after christmas and four days before new year's eve, cyber criminals hacked into yahoo!'s ad network and began delivering malware infected advertisements to consumers' computers. the malware seized control of the user's computer and used it to generate bitcoins, a digital currency that requires a large amount of computer power to create. independent security firms estimate that around 27,000 computers were infected through this one malware-laden advertisement. there have been countless attacks on consumers online. one major vulnerability in online advertising is that the advertisers themselves are not under the direct control of online advertising companies like yahoo! and google. these companies choose not to directly control the advertisements themselves because sending out all of those image or video files would be
2:21 pm
more expensive. instead, online advertising companies have the advertiser himself deliver the ad directly to the consumer. while it's cheaper for the companies in the online advertising industry to operate in this way, it can create greater hazards for consumers. malicious advertisers can use their control over advertisements to switch out legitimate ads and put in malware instead. the tech companies who run the online advertising industry frequently do not know when such a switch occurs until after the ad is served. because those companies don't control the advertisement, their quality control processes are frequently purely reactive, often finding problems after they arise instead of before. as the online advertising industry grows more and more complicated, a single online advertisement for an individual consumer routinely goes through five or six companies before ultimately reaching the consumer's computer.
2:22 pm
that fact makes it easier for the various companies in the chain to disclaim responsibility when things go awry. one instance where that issue was apparent was the attack on major league baseball's website in june 2012. in that case the malicious ad appeared to be for luxury watches and was displayed as a banner at the top of the mlb webpage. that ad was shown to 300,000 consumers before being taken down. in the aftermath of that attack, it was still unclear what entity was responsible for delivery of the malware. one security analyst noted at the time that, "the lack of transparency in multiple indirect relationships in online advertising made assigning responsibility for the attack virtually impossible." one way to get an idea of how complicated the online advertising world and online data collection can be is to take a look at what happens when a consumer actually visits a website where advertisements are served by third party ad companies. when a user visits a website,
2:23 pm
that website instantaneously contacts an online advertising company to provide an advertisement. that ad company, in turn, contacts other internet companies who help collect and analyze data on the user for purposes of targeting advertisements to him. each company can, in turn, contact other companies that profit from identifying users and analyzing those users' online activities. ultimately, hundreds of third parties can be contacted resulting from a consumer visiting just a single website. using special software called disconnect, the subcommittee was able to detect how many third party sites were contacted when a user visits particular websites. these contacts are represented in a chart. in this first example -- we'll go to video. we see what happens when a user visits the website of an ordinary business that does not
2:24 pm
depend heavily on advertising revenues. in this case, our example is td bank, a company whose website provides online banking services for its existing customers, and more importantly, not to generate income from people visiting the site. for that reason, it does not need to derive a large amount of revenue from online traffic and advertisements. it's very difficult to see, but a few third parties were contacted. by contrast, when a consumer visits a website that depends much more heavily on revenue from advertising based on the number of people who visit their website, the number of third parties can be enormously higher. for example, do we have a technical -- this video shows
2:25 pm
what happens when a consumer visits tmz.com, a celebrity gossip website. just to make that point even more clear, here are td bank and tmz side by side. finally, another problem in the current online advertising industry is the lack of meaningful standards for security. the two primary regulators of online advertising are the federal trade commission and self-regulatory groups like the digital advertising alliance and network advertising initiative. the self-regulatory groups have not been active in generating
2:26 pm
effective guidance or clear standards for online advertising security. on the government's side, the ftc has brought a number of enforcement actions against companies involved in online advertising for "deceptive practices" pursuant to their authority under section 5 of the ftc act. these cases all involve some specific misrepresentation made by a company rather than a failure to adhere to any standards. i will just summarize by saying, on the question of consumer privacy, there are some guidelines on how much data can be generated on internet users and how that data can be used. but these approaches, including verbose privacy notices, "do not track" efforts and notice and choice procedures have only been partially effective. a new approach to preventing abuses of consumer data and privacy may be necessary. a few years ago senator kerry and i introduced the commercial
2:27 pm
privacy bill of rights. while updates will be necessary, it provides a framework for how to think about these issues moving forward. one that includes basic rights and expectations consumers should have when it comes to the collection, use and dissemination of their personal private information online, and specifically prohibited practices, a clarified role for the ftc in enforcement and a safe harbor for those companies that choose to take effective steps to further consumer security and privacy. that legislation also envisions a role for industry, self-regulators and stakeholders to engage with the ftc to come up with best practices and effective solutions. consumers deserve to be equipped with the information necessary to understand the risks and to make informed decisions in connection with their online activities. today, one thing is clear -- as things currently stand, the consumer is the one party involved in online advertising
2:28 pm
who is simultaneously both least capable of taking effective security precautions and forced to bear the vast majority of the cost when security fails. for the future such a model is not tenable. there can be no doubt that online advertising has played an indispensable role in making innovation profitable on the internet. but the value that online advertising adds to the internet should not come at the expense of the consumer. i want to thank the chairman for working with me on this important hearing and the witnesses appearing before the subcommittee. i thank you, mr. chairman. >> thank you so much, senator mccain. today's hearing is about the third parties that operate behind the scenes as consumers use the internet. in particular, the subcommittee's report outlines the enormous complexity of the online advertising ecosystem, simply displaying ads that
2:29 pm
consumers see as they browse the internet can trigger interactions with a chain of other companies and each link in that chain is a potential weak point that can be used to invade privacy or host malware that can inflict damage. we've seen a very dramatic example in the visuals that senator mccain presented to us. as well as is outlined in the report. those weak links can be exploited -- although consumers have done nothing other than visit a mainstream website. the subcommittee's report and senator mccain's opening statement also highlight the hundreds of third parties that may have access to a consumer's browser information with every webpage that they visit. according to a recent white house report, more than 500 million photos are uploaded by consumers to the internet each day, along with more than 200 hours of video every minute. however, the volume of
2:30 pm
information that people create about themselves pales in comparison to the amount of digital information continually created about them. according to some estimates, nearly a zettabyte, or 1 trillion gigabytes, are transferred on the internet annually. that's a billion trillion bytes of data. against that backdrop, today's hearing will explore what we should be doing to protect people against the emerging threats to their security and their privacy as consumers. the report finds that the industry's self-regulatory efforts are not doing enough to protect consumer privacy and safety. furthermore, we need to give the federal trade commission the tools that it needs to protect consumers who are using the internet. finally as consumers use the internet, profiles are being created based on what they read, what movies they watch, what
2:31 pm
music they listen to, on and on and on. consumers need more effective choices as to what information generated by their activities on the internet is shared and sold to others. i want to thank all of today's witnesses for their cooperation with the investigation. i'll now call our first panel of witnesses for this morning's hearing. alex stamos, the chief information security officer of yahoo! inc., in sunnyvale, california. george salem, the senior product manager of google, inc. in mountain view, california. and craig spiezle, executive director, founder and president of online trust alliance in washington, d.c. we appreciate all of you being with us this morning. we look forward to your testimony pursuant to our rules,
2:32 pm
all witnesses who testify before this subcommittee are required to be sworn. so i would ask each of you to please stand and raise your right hand. do you swear that the testimony that you'll give to this subcommittee will be the truth, the whole truth, and nothing but the truth, so help you god? we'll be using a timing system. about a minute before the red light comes on, you're going to see lights change from green to yellow giving you an opportunity to conclude your remarks. your written testimony will be printed in the record in its entirety. we would appreciate your limiting your oral testimony to no more than ten minutes. mr. stamos, you will go first, followed by mr. salem, and then mr. spiezle. then after we've heard all of the testimony, we'll turn to questions. mr. stamos, please proceed.
2:33 pm
again, our thanks. >> good morning. chairman levin, ranking member mccain and distinguished members of the subcommittee, thank you for convening this hearing and for inviting me to testify today about security issues related to online advertising. i appreciate the opportunity to share my thoughts and to discuss the user-first approach to security we take at yahoo!. i respectfully request that my full written testimony be submitted for the record. >> it will be. >> thank you, sir. my name is alex stamos, yahoo!'s vice president of information security and chief information security officer. i joined yahoo! in march. prior to that i served as the chief technology officer of artemis internet. i have spent my career building and improving secure trustworthy systems and i am very proud to be working on security at yahoo!. yahoo! is a global technology company that provides personalized products and services including search, advertising, content and communications in more than 45 languages, in 60 countries. as a pioneer of the worldwide web, we enjoy some of the
2:34 pm
longest lasting customer relationships on the web. it is because we never take these relationships for granted that 800 million users each month trust yahoo! to provide them with internet services across mobile and web. there are a few key areas i'd like to emphasize today. first, our users matter to us. building and maintaining user trust through secure products is a critical focus, and by default all of our products need to be secure for all of our users around the globe. second, achieving security online is a constantly evolving challenge that we tackle head-on. third, malware is an important issue that's a top priority at yahoo!. it is important to address the entire malware ecosystem and fight it in each phase of its life cycle. fourth, yahoo! fights for user security on many fronts. we partner with other companies to protect the spread of
2:35 pm
malware. we have led the industry in combating spam and phishing. we continuously improve our product security with the help of the wider research and security communities and we are the largest media publisher to enable encryption for our users across the world. i'd like to thank the subcommittee for your focus on malware and the threat it poses to consumers. internet advertising security and the fight against malware is a top priority for yahoo!. we have built a highly sophisticated ad quality pipeline to weed out advertising that does not meet our content, privacy or security standards. this january we became aware of malware distributed on yahoo! sites. we immediately took action to remove the malware, vetted how malicious creative copy bypassed our controls and fixed the vulnerabilities we found. the malware impacted users on microsoft windows. it was mostly targeted at european ip addresses. users on macs, mobile devices and users with up to date versions of java were not
2:36 pm
affected. the malware ecosystem is expansive and complex. a large part of the problem is vulnerabilities that allow an attacker to take control of user devices, such as in internet explorer, or tricking users into installing software they believe is legitimate. we always strive to defeat those who would compromise our customers' security. this means we regularly improve our system including continuously diversifying the set of technologies and testing systems to better emulate different user behaviors. every ad running on yahoo! sites and on our ad network is inspected using this system both when it is created and regularly afterwards. our systems prohibit advertisements that look like operating system messages because these ads often tout
2:37 pm
false offers or try to trick users into downloading and installing malicious or unnecessary software. preventing deceptive advertising once required extensive human intervention which meant slower response times and inconsistent enforcement. although no system is perfect we now use sophisticated machine learning and image recognition algorithms so that we can detect and respond immediately. we are also the driving force behind the safe frame standard. that mechanism allows ads to properly display on a webpage without exposing a user's private information to the advertiser or network. thanks to growing adoption, safe frame enhances privacy not only in driving a marketplace of thousands of publishers on yahoo! but on the internet. we promote transparency, quality and safety. we are members of the interactive advertising bureau's
2:38 pm
ads integrity task force and we also participate in groups dedicated to preventing the spread of malware. the anti-phishing working group. underground economy forum. separation security trust forum. while preventing the placement of malicious advertisements is essential, it is only one part of a larger battle. we fight the monetization phase to find ways to validate the authenticity of e-mail. spam is one of the most effective ways malicious actors make money and yahoo! leads the fight to eradicate this source of income. spammers send billions of messages a day that pretend to be from a friend, family member or business associate.
2:39 pm
these e-mails are much more likely to bypass spam filters as they appear to be from trusted contacts. spoofed e-mails can be used to trick users into giving up user names and passwords, generally known as phishing. here is how yahoo! is helping the internet industry tackle these issues. yahoo! was the original author of domainkeys identified mail, a mechanism that lets recipients verify the origin of an e-mail. now the standard protects billions of e-mails between thousands of domains. building upon that success, yahoo! led a coalition of internet companies, financial institutions and anti-spam groups that created the domain-based message authentication, reporting and conformance standard. that standard provides domains a way to tell the rest of the internet what security mechanisms to expect on e-mail and what action a sender would like to take on spoofed messages. yahoo! published a strict reject policy. in essence we asked the rest of the internet to drop messages
2:40 pm
that inaccurately claimed to be from yahoo.com users. we hope that every major e-mail provider will follow our lead and implement this common sense protection against spoofed e-mail. it has reduced spam by over 90%. yahoo! also incentivizes sharing to ensure our users' data is secure. yahoo! operates one of the most progressive bug bounty programs on the internet, encouraging security researchers to report possible flaws in our systems to us via a secure web portal. there we engage researchers and discuss their findings. if the bug turns out to be real we swiftly fix it and reward the reporter with up to $15,000. at an age where security bugs are auctioned off and often used maliciously, we believe it is critical we and other companies
2:41 pm
create an ecosystem where security experts are rewarded for not exploiting our vulnerabilities. in january we made encrypted browsing the default for yahoo! mail and as of march domestic and international traffic moving between yahoo!'s data centers has been fully encrypted. our ongoing goal is to create a secure encrypted experience for all of our users no matter what device or from what country. security online is not and never will be an end state. it is a constantly evolving global challenge that our industry is tackling head-on. threats that stem from the ad pipeline or elsewhere are not unique to any one online company or ad network. while criminals pose real threats we are strongly dedicated to staying ahead of them. yahoo! fights for user security on multiple fronts. we partner with multiple companies to protect and prevent the spread of malware via advertising, we pioneered the safety
2:42 pm
standards, led the industry in combating spam and phishing. we are the largest media publisher to enable encryption for our users across the world. yahoo! will continue to innovate how we protect our users. we will continue to fight cyber criminals who target us and our users and we will continue to view user trust and security as our top priorities. thank you very much for the opportunity to testify. i look forward to answering any questions you may have. >> thank you very much. mr. salem. >> chairman levin, ranking member mccain and members of the subcommittee, thank you for the opportunity to testify on google's efforts to combat malware on the web. i lead the engineering team that fights the delivery of malware through advertising. ensuring our users' safety and security is one of our main priorities. we have a team of 400 full-time security experts working round-the-clock to keep our users safe. one of the biggest threats
2:43 pm
consumers face on the web is malware that can control computers or software programs. malware allows malicious actors to make money off innocent victims in various ways. it may even lead to identity theft, atop the list of consumer complaints at the ftc for 14 years in a row. advertising has played a tremendous role in the evolution of the web, bringing more products, tools, information to consumers, often free of charge. it has allowed the web economy to flourish. in the last quarter internet ad revenue surged to $21.1 billion. the ad supported internet ecosystem employs a total of 5.1 million americans. malware undermines the user's faith in the ecosystem. our incentive is to keep our online performance safe for everyone or customers will not continue to use our products. this is why we will be providing the strongest protections against harmful and malicious content online.
2:44 pm
our approach to fighting malware is two-pronged. prevent and disable. the first piece is prevention. one of the best ways to protect users from malware is by preventing them from accessing infected sites all together. this is why we developed a tool called safe browsing. it checks any page a user visits against a list of known bad sites. malicious sites are clearly identified in google's search results. we were the first major search engine to provide such a warning for search results back in 2006. today over a billion people use safe browsing. safe browsing is the default for users on google chrome and apple safari browsers which helps protect tens of millions of users. when a user attempts to navigate to one of these malicious sites they get a clear warning advising them to click away. we provide a public interface for anyone to plug in and review identified malware. we provide alerts to web masters
2:45 pm
who may not be aware of malicious software. a second piece of our effort is disabling bad ads. we have always prohibited malware in our ads. we proactively scan millions of ads a day to disable any we find have malware. in 2013 we disabled more than 350 million ads. our systems are constantly evolving to keep up with those bad actors. while we may be proactive we are relatively quiet about our technology. malware advertisers constantly seek ways to disrupt our efforts. these efforts are a team endeavor. we collaborate closely with others in the internet community. ten years ago we issued a set of software principles, a broad evolving set of guidelines available online around software
2:46 pm
installation, disclosure to users and advertiser behavior. a non-profit offers resources to website owners, security experts and ordinary users. we own and support free websites like virustotal.com and anti-malwareadvertising.com to provide best practices on this topic. we are in constant communication with other economy players notifying each of us about new malware attacks and new trends. just this month we along with facebook, twitter, aol and yahoo! co-founded trustinads.org, on how to avoid online scams. another huge piece is consumer education. a great first place to visit are websites like google's software safety center. always use up to date anti-virus software and make sure your
2:47 pm
browsers are also up to date. if you suspect you may be infected, use a reputable product to get rid of malware. we can always use more help in generating awareness among consumers. malware is a complex problem but we are tackling it head-on with community partnerships. if we all work together to stamp them out, we can make the web a safer place. thank you. >> thank you. >> good morning, chairman levin. ranking member mccain and members of the committee. good morning and thank you for the opportunity to testify before you today. my name is craig spiezle, executive director and president of online trust alliance. ota is a 501c3 non-profit with a mission to empower users with control of their data and privacy while promoting innovation and vitality of the internet. i'm testifying here today to provide context to the escalating privacy and security threats to consumers which result in malicious and fraudulent advertising known as
2:48 pm
malvertising. as outlined in exhibit a, incidents increased over 200% over this last year to 209,000 incidents which generated over 12.4 billion malicious ad impressions. the impact on consumers is significant. as referenced, yahoo! experienced an incident resulting in over 300 malicious impressions, of which 27,000 unsuspecting users were compromised. or 9%. for them the infection rate was 100%. as noted, this is not an isolated case. cyber criminals have successfully inserted malicious ads on a range of sites, including google, microsoft, facebook, the "wall street journal," "new york times," major league baseball, and others. the threats are significant. as referenced, the majority and an increasing number are drive-by downloads, which increased 190% this past year, and a drive-by
2:49 pm
code is one where a user who simply visits a site is infected, with no interaction or click required. this threat is not new. malvertising was first identified over seven years ago but little progress has been made to attack this threat. the impact ranges from capturing personal information to turning a device into a bot where a cyber criminal can take over a device and use it in many cases to do -- execute a distributed denial of service attack against a bank, government agency or other organization. just as damaging is the deployment of ransomware which encrypts a user's hard drive demanding payment to get unlocked. a user's personal data, photos, health records can be destroyed and stolen in just seconds. in the absence of secure online advertising, the integrity of the entire internet is at risk. not unlike pollution in the industrial age, in the absence of regulatory oversight and
2:50 pm
meaningful self-regulation, these threats continue to grow. for reference, the development of coal mining and the use of steam power generated from coal is century. jobs were created and profits soared but the environment felt the impact of the industrialization in the form of air and water pollution. today we are at a similar crossroads which are undermining the integrity and trust of the internet. so how does malvertising occur? go to exhibit b. thank you. the most common tactic is a cyber criminal going directly to an ad network, selecting the target audience and paying for an ad campaign. in the absence of reputation checks or threat reporting, once detected and shut down by one network the cyber criminal waterfalls or goes to another network to repeat the exploit over and over.
2:51 pm
on the left you see the different tactics of how it is inserted and, again, it is important to note in this diagram the consumers are bearing the brunt of it. also quality brands and websites, their images are being tarnished as well. the impact of the threats is increasing significantly. criminals are becoming experts in targeting and timing, taking advantage of the powerful tools and data available to internet advertisers. they have become what's known as data driven marketers with precision to reach vulnerable segments of the society as well as high net worth target audiences. they have been able to choose the day and time of the exploits and the type of device to exploit. in the absence of meaningful policy and traffic quality controls, organizers recognize malvertising as the exploit of choice, often remaining undetected for days. recognizing the threats, in 2007
2:52 pm
double click established a mailing list which remains one of the primary methods of data sharing. in 2010 ota established the advertising content integrity group focused on security and fraud prevention best practices. this group of diverse stakeholders leveraged a proven model of threat mitigation and published several white papers including risk evaluation and remediation guidelines. the efforts are a small but first step to combat malvertising, reflecting input from leaders including google, microsoft, paypal, twitter and others. as you heard before, last june, stopbadware, funded by google and others, launched the ad integrity alliance. this january the initiative disbanded due to the members', quote, desire to focus on aggressively defending practices to policy makers and regulatory
2:53 pm
bodies. in the wake of the group's demise, recently trust in ads was formed last week. according to the site its, quote, focus is public policy and raising awareness of the threats and how to report them, unquote. it's important to note that unfortunately no amount of consumer education can help when a user visits a trusted website that is infected with malvertising. consumers cannot discern good versus malicious ads or how the device was compromised. focusing on education after the fact is like an auto industry telling accident victims who to call after an accident from a previously known manufacturing defect instead of building security features in the cars they sell and profit from. other industry efforts have focused on click-fraud, fraudulent activities which attempt to generate revenue by manipulating ad impressions. it is focused on operational
2:54 pm
issues facing the industry. while the efforts are important, please do not be confused. click fraud isn't related to malvertising or any impact that's harmful to consumers. so what is needed? ota proposes addressing five important areas -- prevention, detection, notification, data sharing, and remediation. such a framework must be the foundation of an enforceable code of conduct or possible legislation. in parallel, operational technical solutions must be explored. i envision a day where publishers would only allow ads from networks that vouch for the authenticity of the ad, and where browsers would only render such ads signed and verified from trusted sources. it is recognized that such a model would require systemic changes but would increase accountability and protect the long-term vitality of online advertising and most importantly, consumers. in summary, as a wired society
2:55 pm
we are dependent on trustworthy online services. as observed in almost every area of the nation's infrastructure we need to recognize that fraudulent businesses, cyber criminals and state sponsored actors will continue to exploit our systems. for some, malvertising is a black swan event. rarely seen but known to exist. for others, it still remains as the elephant in the room nobody wants to acknowledge or report on. today companies have no obligation or incentive to disclose their role or knowledge of an event, leaving consumers vulnerable and unprotected for months or years during which untold amounts of damage can occur. failure to address the threats suggests the need for legislation not unlike state data breach laws requiring mandatory notification, data sharing and remediation to consumers that have been harmed. as learned from the target breach it is the responsibility of companies and executives to
2:56 pm
implement safeguards and to heed warnings of the community. i suggest the same standards should apply for the ad industry. we must work together to openly disclose immediate vulnerabilities, even at the expense of short-term profits. it is important to recognize there is no absolute defense against a determined cyber criminal. in parallel, ota proposes incentives to companies who demonstrate that they have adopted such best practices and comply with codes of conduct. they should be afforded protection from regulatory oversight and frivolous lawsuits. perceived anti-trust issues and privacy issues, which are continually cited as a reason for not sharing data, must be resolved to aid in the realtime fraud detection and forensics that's required. trust is the foundation of every communication we receive, every website we visit, and every transaction we make and every ad we respond to. now is the time for collaboration moving from protective silos of information
2:57 pm
to multistakeholder solutions combatting cyber crime. thank you and i look forward to your questions. >> thank you very much. senator mccain. >> thank you very much, mr. chairman. i thank the witnesses. if you put the chart back up about the increase in malvertising. would the witnesses agree that the problem is getting worse rather than better? would you agree, mr. salem? >> [ inaudible ]. >> could you put your microphone closer, please? >> thank you. >> that would help. >> i don't agree that the problem is getting better. one thing -- >> is it getting worse? >> thank you. i don't believe it is getting worse. >> you don't believe that chart then? >> i have not seen that chart. i saw it from the report. our indication where we -- >> so you're saying the chart is inaccurate? >> that's not the information that i have, sir. >> i see. maybe you can provide the
2:58 pm
committee with the information you have. mr. stamos. >> sir, our data has been steady on the kinds of attempts we've seen coming inbound. >> would you agree probably the worst attacks come from overseas, specifically russia? >> we see attacks from all around. it's usually very difficult to accurately -- >> so you have no accurate data as to where it comes from? that's good. >> we have accurate data as to -- >> where does it come from? >> we see these kinds of attempts from all around the world. you're right. we see a lot from eastern europe and the former russian republic. >> well, thank you for that. mr. salem? >> yes. we also see a lot of the malware itself will come from servers also in russia and also -- >> so this is an international issue as well as a domestic issue, i would argue.
2:59 pm
suppose some individual is the victim of malware. mr. stamos, does yahoo! have any responsibility for that? >> we absolutely take responsibility for user safety which is why we do the work we do. >> so someone loses their bank account, you reimburse them? >> senator, i have always believed the person who is responsible for committing a crime is the criminal. it's our responsibility -- >> even though it's using you as a vehicle to commit the crime? >> senator, we work hard to fight these criminals. >> is that person liable? are you liable for reimbursement for a loss of that individual who used -- that your services were the vehicle for that? >> senator, we believe that the criminals are liable for their actions. >> i see. and you being the vehicle for it, you have no liability. sort of like the automobile that has a problem with it.
3:00 pm
maker of the automobile is not responsible because they're the person who sold it, right? >> no, senator. i don't think that's a correct analogy. >> i see. >> we work vigorously to protect users. every single user is important to us. if a criminal commits a crime we do everything we can to investigate, figure out how they were able to do it and defeat them next time. >> you have no liability whatsoever? >> senator, that's a legal question. i'm not a lawyer. i'm here to talk about the security side. >> i'm asking a common sense -- i'm not asking -- >> i think we have a responsibility to users and we take the responsibility extremely seriously. >> thank you. mr. spiezle, you have the five recommendations that you make. in prevention you say stakeholders who fail to adopt reasonablet
