
tv   Politics Public Policy Today  CSPAN  August 6, 2014 3:00pm-5:01pm EDT

3:00 pm
maker of the automobile is not responsible because they're person who sold it right? >> no, senator. i don't think that's a correct analogy. >> i see. >> we work vigorously to protect users. every single user is important to us. if a criminal commits a crime we do everything we can to investigate, figure out how they are able to do it and defeat them next time. >> you have no liability whatsoever? >> senator, that's a legal question. i'm not a lawyer. i'm here to talk about security side. >> i'm asking a common sense -- i'm not asking -- >> i think we have a responsibility to users and we take the responsibility extremely seriously. >> thank you. mr. spiezle, you have the five recommendations that you make. in prevention you say stakeholders who fail to adopt reasonable best practices and
3:01 pm
controls should bear the liability, and publishers should reject their ads. are stakeholders adopting reasonable best practices and controls, in your view? >> today that information does not suggest they are doing that. one of the challenges is reluctance to share information among each other. it is isolated now. again, are recognizing that there is no perfect security in the absence of taking reasonable steps to protect the infrastructure and consumers from harm they should be responsible. >> how many americans do you think know that this problem exists? >> this information has been kept very quiet. it's been suppressed over years. the executives of some trade organizations have denied it exists publicly. >> we just saw an example of that disputing the malvertising facts. where did you get them since
3:02 pm
they don't share your view? >> we are fortunate. there are many players in the industry that see this as a major issue. this week we had a dozen companies come asking for legislation in the eco-system saying they recognize that the absence of this, that the business is marginalized and they need help. the data comes from multiple sources. it comes from the threat intelligence community, ad networks willing to share this information anonymously. they don't want to be public because of the pressure from the industries and the trade organizations. we try to normalize it. i would suggest this data underreports it by at least 100%. we do not know and the lack of willingness to share data is impeding that problem today. >> mr. stamos and mr. salem, do you have the same best practices standard between your two organizations? >> senator, we use about the
3:03 pm
same technologies and tests. >> do you have the same best standards practices? >> i believe so so, yes. >> you wouldn't know. >> we work with our ad partners to trade notes and share a lot of the same technologies. >> i have to also add that we actually do communicate. we do discuss different issues that come up. different malvertising trends. >> do you need liability protection to work more closely together? >> we work very closely together. i don't see -- >> why don't you have the same best practices standards? >> we are different organizations, different corporations. >> but you are facing the same problem, mr. salem. >> yes. we communicate about the threats. >> i'm glad you communicate. i'm asking if you will adopt the same best practices standards. >> senator, i believe we already do adopt the same practices but we have diverse implementations which is an important part of security is to have diversity of
3:04 pm
ways to combat a single threat. >> senator, if i may add, the ota has convened several multistakeholder workshops offering chatham house rules to facilitate data sharing. unfortunately on the response has been addressed internally. we have asked google multiple times, yahoo! the other companies to come to the table. again, the answer has been it's not a problem, it's not one we see we need to address. >> i will go a step further. the chairman and president of interactive advertising bureau in september of 2010 publicly stood up and said malvertising is not a problem. it only exists because security vendors want it to be a problem. >> well, then i guess we get back. stamos, do you agree it is a problem? >> i absolutely agree that this is a problem but we need to keep in context when you look at a graph like that we have to put it next to the malware problem which the numbers are much larger.
3:05 pm
there are three parts to it. there is the authors create malware which is about creating safe software. there is distribution of which advertising is the part we are responsible for but is a tiny sliver of the distribution problem of malware. then there is the financial side. from our perspective, we focus a lot on preventing ourselves from being part of the distribution problem but then we fight the entire lifecycle. in the end there is no perfect protection in each of the places. we need to decrease the financial incentives for criminals to attempt to do this in the first place. >> how do you do that? >> in the software side, the companies that make the software try to make it harder for malware to be created. in distribution side we build the analysis systems to make it harder for them to mix up. >> i will look forward to your data on malvertising since clearly that indicates you've got a lot of work to do. even though it may be a, quote,
3:06 pm
tiny sliver, i'm not sure that's of comfort to someone who has their bank account wiped out. maybe to you, but it's not to them. >> excuse me, senator. every single user is important. >> well, obviously you are downgrading the importance of this issue when you say it is a tiny sliver, if there is some 200,000 -- >> that's correct. 209,000 identified unique incidents that occurred that were documented. >> i would say that sliver is a pretty big sliver, mr. stamos. thank you. >> thank you very much, senator mccain. let me ask you, mr. stamos, we have testimony here from mr. spiezle on behalf of the online trust alliance that says that ideally we'll have solutions where publishers would only allow ads from networks who vouch for the authenticity of the ads they serve, and web browsers will render only such ads signed and
3:07 pm
verified from trusted sources. it is recognized that such a model would require systemic changes yet they would increase accountability, protect the long-term vitality of online advertising and most importantly the consumers. would you support those kind of systemic changes, mr. stamos? >> thank you, senator. as to the authenticity issue for ad networks, i can only speak to how yahoo! does this. >> no, not how they do it. but would you support what mr. spiezle is recommending? >> so we definitely support the cryptography side. currently technology doesn't exist to sign an ad all the way through but to move to encryption we have moved a great deal of the ad networks in the world to supporting encryption end to end which is what's supported in browsers now. >> is there a reason we can't require that ads before they are put on be verified that they come from trusted sources? is there a reason you can't do that?
3:08 pm
>> right now the browser technology doesn't exist. >> does it exist, mr. spiezle? >> the browser technology doesn't exist. i think we're talking about a combination of operational best practices and technical. it is a complex eco-system with as senator mccain stated with multiple intermediaries. this is a desired state. if we can't vouch for who the advertiser is we shouldn't accept the ads in the first place. that's the first part. that's in the preventative side. but that's operational. >> can it be done? >> pardon me? >> can it be done? >> i believe it is. >> is it done now? >> yes, we have agreements with the ad networks we work with to have them pass information through. if we find they are problematic they we -- >> do they verify? they put on ad? >> i'm not sure. not sure what each network does. >> mr. salem, do you? >> our ad networks are verified, but they can have advertisers
3:09 pm
they have direct relationships with. we do not know what the relationships are. >> but the people that you have relationships with verify the credibility of their advertisers? >> they have a vetting process themselves. i'm not exactly sure. i will say that many of the advertisements come from criminals that pretend to be legitimate companies. even if you said we'll vet them, we have seen problems with sears.com, crosspen.com. they may produce ads with companies that appear, create, they're real. they appear to be real. the vetting process appears to be perfect, but the criminals have made specific companies that look real. >> let me ask mr. spiezle a question what happen can be done now practically that is not yet being done by companies like google and yahoo!? >> to help address the specific threat we held a four-day workshop. in october we published what we call a risk evaluation
3:10 pm
framework which i have you here and referenced in my testimony that provides a check list on the onboarding of verifying who the reputation is. this was an example of an operational step. we received -- >> has that step been taken by yahoo! and google for instance? >> we make them available. >> have they been taken? those specific steps. >> i don't know. >> i'm not sure what mr. spiezle's steps he's talking about. >> if you had gone to the meeting, you would have known. how come you didn't go to the meeting? >> we are part of a lot of groups working on the problem. >> let me change to a different part of the testimony here. companies today have little incentive, mr. spiezle's testimony, to disclose their knowledge of a security event leaving consumers vulnerable and unprotected during which damage can occur. the suggestion is there be
3:11 pm
legislation adopted. similar to state data breach laws that require mandatory notification, data sharing and remediation to those who have been harmed. do you support a mandatory notification requirement, mr. stamos? >> this is more complicated than breach notification. in the situation you're talking about malvertising. there is often not a direct relationship with the user. there would be no information to know how to notify them. also in a situation where malvertising is caught early before it has an impact -- >> let me get mr. spiezle's response to that. >> in the context of notification, i agree, it is an incident occurring. obviously, depending upon that most data -- >> let's talk about regulatory authorities. any reason you shouldn't be required to notify regulatory authorities?
3:12 pm
>> this is a -- mr. chairman, this is an every day we stop malvertising. i think it comes down to details that you talk about an incident. we are talking about two or three incidents today over a multi-year period when, you know, as google pointed out we are talking about finding 10,000 sites a day. they are finding -- >> breaches or attempted breaches? >> 10,000 a day he was talking about i believe are sites that host malware. and so -- >> how many breaches a day? >> mr. chairman, it's important for us to use the right terminology here. >> mr. spiezle, please use the right terminology. >> so i think -- i think the breach is not perhaps the context that i was thinking about. it is a confirmed malvertising incident where a network or a site is observed and documented, malicious ads go through the site and properties and infrastructure. that's what we are referring to. >> okay.
3:13 pm
>> mandatory notification to the regulator? >> in the absence of that that's why there is not good data which makes it harder to go back and find out who is the actual perpetrator. >> putting aside the argument for it, which sounds sensible to me any reason you can't do that? >> i have to get back to you on that. we have to see the details of what you call a malvertising incident and report looks like. >> mr. salem. >> i would be careful about making a commitment like that. one thing we try to do is within a community discuss the issues and make sure it isn't public. as soon as you make things public you are talking about -- >> talking about a regulator. >> that would be a public document. we would rather not make some of this information public so the criminals find out how we're detecting them and how we're basically -- >> everything you tell a regulator isn't necessarily public. you can have proprietary information and other information not made public. putting aside that, any reason
3:14 pm
you can't notify the regulator? >> no reason. >> would you get back to us after you study what that recommendation is, mr. stamos? yahoo!'s privacy policy indicates that you do provide information to partners of certain personal information so that yahoo! can communicate with consumers about offers from yahoo! and the marketing partners. then you say the companies you deal with, the partners do not have any independent right to share the information. is the sharing of the information prohibited? >> mr. chairman, while privacy and security are intertwined we have a dedicated privacy team. to get into those details -- >> do you know offhand? >> i do not, sir.
3:15 pm
>> there is a great emphasis here on education. here's the problem. the business partners of yahoo! and you provide a list on your website of the third party partners, there's over 150 companies that do advertising work alone. you note in the privacy policy that the companies may be placing cookies or web bugs on our computers as we browse. i don't know. how can consumers possibly educate themselves about each of the third parties? there are 150 of them with names like data zoo, deltran, diligent, companies totally unknown to people outside of this room probably. do you think it's feasible, mr. stamos -- this is my last question -- for consumers to evaluate the security policies and privacy policies of each of
3:16 pm
150 entities? is that a practical suggestion? >> that's an excellent question, senator. we are not expecting consumers to make the decisions one on one. that's why we provide privacy options for users and work with folks like the d.a.a. to provide decision-making authority for consumers across multiple partners. i believe that's where we have to go to have the choices up in one place. >> but you're suggesting they educate themselves about each of the partners of yours? >> i am not suggesting that. i'm sorry, i'm not familiar with the language you are referring to. >> thank you. senator johnson? >> thank you, mr. chairman. i would like to start out quoting a couple phrases here to underscore my feeling on this. i think as the chairman said this has enormous complexity. i think the ranking member said online internet advertising plays an indispensable role.
3:17 pm
those are powerful statements in terms of what we are trying to do here. the internet is a marvel. it's created economic activity. certainly improved lives. we need to understand how enormously complex the situation is and it's not easy. the analogy i would use because we are talking about criminal activity and who will be held liable for it. i mean the analogy i use, let's say you have a criminal that even though you have safeguards in a taxicab, the criminal defeats that, takes over the cab and kills somebody. is the cab company to be held liable for that criminal activity? i think that's a more accurate analogy that we're talking about here. the purpose of the hearing is what can government potentially do to help. i think i know who yahoo! is, google is, i think i know how you obtain revenue and make money. i'm not sure about ota and a couple of things surprised me in
3:18 pm
terms of the comments you have made. let me first ask you, mr. spiezle. who are you? where do you get your funding? how do you obtain revenue? >> thank you for the opportunity to provide clarity. the ota, online trust alliance, was founded in 2003-2004 as a working group to address and bring forward the anti-spam standards yahoo! referenced in original testimony through a collaborative effort. in recognizing -- >> who funded that effort? it takes money to do that. who funded it? >> the effort was through companies like symantec, microsoft, paypal, lots of companies that came together, cisco. >> do you get funding that way? do you get funding in other ways? >> our funding comes from multiples. we are a 501-c-3. not a trade organization. we have a diverse group of sponsors and contributors as well as grants from dhs and others.
3:19 pm
so again, we -- our mission is very clear. we support advertising. but our most important part is improving consumer trust and the vitality of the internet. >> here is what set off bells and whistles in my head. i'm not sure i heard you say it but the chairman said you talked about the fact that yahoo! and google have little incentive to do what? >> the point -- >> is that accurate? what do they have little incentive to do? >> in the context of the question, if i can clarify, it's incentive data sharing. it's an industry issue that we have been trying to get people to work on together. the incentive is data sharing. >> do you deny that google and yahoo! have an enormous free market incentive to make sure this criminal activity doesn't occur on their networks? >> i think as dominant market players there's a responsibility in how the lack of data sharing and how it's marginalized in the
3:20 pm
ecosystem and -- >> no, answer the question. doesn't yahoo! and google have enormous financial incentives to try and police this and prevent malvertising and malware? >> malvertising is a small percent of the overall ad industry. to add the operational friction and to change it is a major change in how they operate today. >> you're still not answering the question. >> i don't think there is -- >> you don't think yahoo! or google have an enormous financial incentive to police this and prevent it? >> i think they do. whether they are -- >> okay. here's the point. what can government do better than what these private companies can do? i have sat through hearing after hearing, for example, just this week we talked about the defense department who has been unable to get audit ready in 15 to 20 years. so my point is, is there a role the government
3:21 pm
can play that's constructive -- hear me out -- that doesn't actually do more harm than good? as i have been investigating this, i've been involved in the commerce committee hearing, the first -- the first step we need to take in terms of cybersecurity is information sharing. and the only way we'll get information sharing is to provide liability protection. i want to ask all three of you, is that pretty much the first thing the government has to do? we have to enact some type of information sharing piece of legislation that provides liability so you will actually share information? mr. stamos? >> thank you, senator. we're in support of information sharing with strong privacy protections for users. we are happy to work on the details, yes. >> do you think it's the first step? >> i think it is an important step. i think something government can do now is work on disrupting the financial side of the cyber criminal networks. >> you are talking about enforcement? going after the criminals and enforcing and penalizing the criminals?
3:22 pm
>> yes. penalizing criminals and also just making it hard for them to make money. a lot of the guys are selling products, taking credit cards, cashing checks. so even if we can't arrest them because they are under jurisdiction where it's impossible we can make it difficult for them to profit off targeting americans. >> does that require more regulation of the banking industry? i mean some targeted actions there? >> i'm not a lawyer, i don't think -- it's already illegal. it's a focus issue. >> mr. salem, again, what can government do? what's the first step? >> you mentioned looking at being allowed information. to be clear, my team is the one that does the anti-malware advertising and we are happy to speak to our colleagues openly about the different threats and what we can do about it. we actually currently do talk openly. and you know some of the other threats that we have
3:23 pm
spoken about trust in ads.org where you have scams basically in tech support industry. these were terrible for consumers. some had malware installed in the computers under the guise of giving a credit card number to people in ina helping them with their computer. we are happy to discuss -- >> that's between companies. what about information sharing with the government so the government can disseminate the information to other people in the industry you maybe don't have a partnership with? the other thing i want to get to is some sort of federal preemption and data breach. we have a data breach standard so you're not having to deal with 50 or more, potentially hundreds of thousands of jurisdiction. is that important? is that something the government can do to be constructive as opposed to hampering activities? >> yes, it would. >> here is my concern. we enact legislation with the best of intentions that actually makes it more difficult. takes your eye off the ball of solving the problem as opposed
3:24 pm
to complying with regulations that, i'm sorry, are written by people that aren't even close to as agile, flexible and knowledgeable as your companies. >> you know currently today, you know, we have able to, you know, do our scanning, look for bad ads, look for sites and protect consumers, users, talk to other folks in the industry currently about the malvertising trends. right now we do -- we do not feel like we have problems or there is anything encumbering with us with the communication for malvertising. >> part of my concern about the answers you are are providing here in the hearing is you don't want to alarm consumers. i don't want to put words in your mouth, but i'm concerned that this is a small slice. this is a big problem. right? i want you to answer the question i asked mr. spiezle about the enormous incentives you have.
3:25 pm
you mentioned, i think in your testimony, a top priority is users matter, user trust, user security is top priority. i think that makes common sense. i will give you the opportunity to underscore the point. >> for google, user privacy, user security is number one. i mean honestly we are an internet business. our users are one click away from going to the competition, one click away from doing something else. we have to prove to them that we take this seriously, that when they click on any ad it is a safe ad and when we deal with third party advertisers they are vetted partners as well. >> yes, senator, we have a huge incentive to maintain user trust. the biggest sites are yahoo! ads run on are yahoo! sites. to maintain those 800 million people around the world we have to maintain the trust of our users and live up to the responsibility. >> i come from a manufacturing background. we have gone through iso certification which, when i
3:26 pm
first got into it, i thought it was a good deal for consultants to do iso certification. going through the process i became a believer that this is helpful in terms of providing not only my company the tools to get products under control but to communicate to customers and suppliers that we have the processes under control across a host of different parts of the standard. from my standpoint that certification process would make sense for this particular -- talking about security standards and advertising. is that something yahoo! google would support? some kind of third party certification process that gives consumers the comfort that standards are in place? >> thank you, senator. i think we would support self-regulation to set guidelines. from the actual technical standards this is something we innovate on every day. we have to be careful not to get too prescriptive to where we are living up to a rule and not
3:27 pm
doing what we need to. >> that's why i'm talking about a private sector alternative. i want to make sure it is cooperative, not somebody who is set up in business and is hostile to some of the actors in the room. you need a cooperative, flexible, fast moving. these standards have to change, what, daily? >> yes. >> literally, what are we talking about in terms of the level of flexibility we need to have a hope -- and all we can do is minimize this, right? probably? the criminal will be one step ahead every time. you have to change the standards and what we need to do on an ongoing basis, correct? >> correct. we need to evolve and be as nimble as possible to make sure we are a step ahead of the criminals. >> i'm out of time. >> the standards that were addressed earlier that industry came together to address spam and deceptive e-mail dmarc, dkim and spf, they are technologies
3:28 pm
that can be employed. i would say there could be standards developed that could help increase a trustworthiness in advertising. >> thank you. >> senator mccaskill. >> thank you. mr. spiezle, do you know what percentage of the malware incidents occurred through advertising? i think this is your chart, correct? >> yes. this is a chart -- >> what percentage of malware incidents are attributable to advertising in the year 2013? >> i don't have that specific data. >> how can you not have the data if you know how many display malvertising there was? wouldn't you know the context of the number? >> no. this is very specific to documented cases where malicious ads were documented and observed. we are not looking at click fraud, not looking at search ad or fraudulent ad. >> why not? >> because this is the area that's coming through the pipeline. the critical infrastructure impacting us today through malicious advertising where consumers do not have the
3:29 pm
ability to protect themselves. >> if i have malware on my computer, it doesn't matter where it came from. i'm trying to get at the problem here. this is one small piece of it. do you know mr. stamos and mr. salem? is it salem? >> salem. >> what percentage are attributable to advertising? >> we do not know that information. >> does anybody know it? >> we do know the classic way that a consumer gets malware is visiting a site. not the advertisement on the site. that's the classic way where criminals -- >> that's what i'm trying to get at. how much is site-specific versus ad specific? >> the numbers we see from other sources on the number of malware infections are in the tens or hundreds of millions. that's the context in which i put hundreds of thousands here. >> okay. we are talking about less than 1%? >> it's hard to know, senator, exactly where each malware infection comes from. i don't think it's unlikely that it is less than 1%. >> okay. you know, in the commerce committee some of the people in
3:30 pm
this room have heard me say this before. part of the problem here is that consumers were not brought along early in the process to understand the importance of being educated and understanding that what they are getting for free is coming at a price of advertising. >> right. >> i don't think you'd argue that we would have a much different internet if it were not for -- in fact the backbone, the foundational backbone of the internet as we know it and the explosion of economic activity and jobs is all around behavioral marketing, correct? >> all about advertising. which is great. advertising supports services that society and businesses get today. >> consumers hear how unfair it is that their data is -- that furniture when they have been shopping for outdoor furniture, they're not making the connection that's why their internet content is free. they don't get that connection.
3:31 pm
that's all on you. you have not informed them appropriately about the bargain they are striking. and perhaps what the most helpful in this regard is to figure out what the cost would be. if we were to remove -- if we were to clamp down on government the kind of advertising and the prevalence of advertising on the internet and ability to market on the internet by knowing what people are interested in as opposed to like we know somebody who watches oprah maybe would -- they might want to run an ad for slimfast on oprah. that's what happens in advertising. you try to target your audience based on what they are looking at. you know, does anybody know what this would cost for people to have an e-mail or have a search capability they have if this were not for advertising? has anyone tried to quantify
3:32 pm
that so consumers would understand the bargain they are getting? >> senator mccain's number in his opening statement, he talked about the overall eco system being worth $43 billion so that would be the overall cost. >> what is the one thing the government is supposed to do in this space? i think it's catch criminals, right. >> yes. >> why aren't we catching more of these criminals? how much time is your organization spending on the failure of government both nationally, domestically, federally and local and internationally, the failure we've had going after -- and i know it's hard because we're talking about ip addresses that disappear in less than that. >> thank you for the question. it is clearly a problem of epidemic proportions, one of the biggest challenges in cybersecurity best practices is data sharing. it's not just data sharing to government. we have to remove barriers cited
3:33 pm
by the organizations in this room, antitrust of sharing this data within each other. that's the first part. in the absence of that we can't peel back the onion, working with the fbi and secret service, this is a very difficult problem to go back to and get -- >> you're saying that the government's failure is because google and yahoo! and their colleagues are not sharing information with law enforcement? >> i'm saying it's a general failure of the industry sharing data among ourselves and with law enforcement of when these incidents are occurring. it's a difficult problem. i between underscore, they are being victimized. i certainly recognize that issue that's hurting their businesses. but we have to put in place the measures to protect and prevent it and also to detect it. when we detect it, we can notify. in the absence of data, we can't notify the either parties to bring down the ads as quick as possible or to look at the
3:34 pm
methodology to prevent it from recurring. >> let's try to drill down on that a little bit. mr. stamos and mr. salem, are you all trying to work in a cooperative and moment by moment fashion with law enforcement? >> yes, senator, we have dedicated e-crime team we're in the process of beefing up that when we see an incident where we believe there's enough information, we refer that information to law enforcement, we work with them throughout the investigation. and we've had some success in the disruption of several cyber criminal networks. there's an international component that makes arrest difficult. i would like more information on that. i would like to understand why we are not having more robust success in the law enforcement space since your companies are being victimized and consumers are being victimized by
3:35 pm
criminals. >> i can give you a few anecdotes that might help. google constantly being asked for information by law enforcement to give information about cybercriminals and we do that. the few times we've actually approached law enforcement and said we have exact ip addresses, we know exactly where the servers are, they are in the united states, one of the things we're asked to give is show us the fraud and show who was fraudulent, the amount of damages, we don't have that information. that is something where overall we've actually had problems approaching law enforcement to take action. >> for the record would you provide an example of that for us? >> i can do that offline, yes. >> can you give -- one of the things, i think, there's a stress for you all and that is that informing consumers as clear and boldly as many of us believe you should inform them, because a lot of this
3:36 pm
can be prevented by consumers as you well know. if you understand the eco system of the internet and the concept of cookies and if you understand what your browser's actually doing. if you understand the power of a click, you can avoid a great deal of danger. but i'm sure some of the stress for your companies is that the more you warn consumers, the more they are going to be afraid to robustly participate in the internet in terms of accessing ads and doing the things that generate a lot of income for the overall eco structure. how can you balance this better? i know it's better than it was when i started harping on this several years ago about informing consumers but the secret about their power, about the individual user's power, i have a great deal of power on this thing. but i got to be honest with you, the only reason i know it because i have an amazing staff that helps me understand
3:37 pm
how i can access that power. the average consumer doesn't have a clue. it seems to me the organizations that fund you ought to be more worried about, how the consumer becomes more empowered in this environment. it's the only real way. >> if i can respond, i clearly agree consumers have a shared responsibility to make sure that they are updating their computers and patching their systems and practicing safe computing practices, absolutely. getting back to -- i remain going to a trusted site they know of and type it in, they don't click on a link, all of things we tell them not to do and go to a trusted site is unexpectedly gives an exploit never exposed before, we have a shared information across all of stakeholders here, consumers and networks and publishers alike here. that's why we're having this discussion today. >> my final question, is your
3:38 pm
organization, i know that a lot of security i'm guessing if i was a company selling security projects, i would want to invest in you. i would want to make contributions to you. i'm assuming a lot of your contributors are in fact the people who make security products for the internet. >> to the contrary, 50% of funding comes from companies like web md, twitter, websites and web properties depending on consumers to trust services. >> do you provide the services to workshops you provide, are they free of cost or is part of your income that you actually need the revenue -- >> our training workshops are on a cost recovery basis and we hold some throughout the u.s. as well in a range of subjects. >> you don't get any revenue stream -- >> they are designed to cover operating costs of the programs. >> thank you. senator portman. >> thank you, mr. chairman. thank you for holding this hearing. the chart tells it all.
3:39 pm
we've seen a dramatic increase in malvertising. it's appropriate we're talking about it and i agree with what senator johnson has said that internet has thrived without the heavy-handed government and we want to make sure that continues, critical to our economy. earlier we talked about a lot of solutions, and i don't understand enough about the problem to understand the solutions to be frank. but verification standards seems to make sense. you talk about information sharing protocols and talk about liability protections needed to make that work well. i know you aren't lawyers but we'd like more information on that, if you can give it to us for the record. the ad networks themselves, accountable measures makes a lot of sense. we talk some about enforcement and we'll ask about that in a second. enforcement requires the information, which is important to get at what you talked about in terms of the financial
3:40 pm
incentives in the system now. i have a question to kind of backup so i understand this problem better. mr. salem, you're with google, kind of a big company and you scan 100% of the ads that enter into your advertising network? is that true? >> we scan 100% of the ads eventually, not every ad is necessarily scanned unless it's hosted by google. >> unless it's what? >> hosted by google. we have third parties and google ads as well. all of the ads that are google are scanned before served. a few of the third party -- >> let's focus on the ads that are google hosted. >> yes. >> if you are scanning all of those ads, then how did the malvertising that ended up on youtube this year circumvent the scanning process? it was a major issue. everybody was aware of it. how did that happen? >> it happen because ads can go bad.
3:41 pm
there are a lot of third party components to ads and java script calls and tracking or analytics that happens with an ad. when we scan an ad, the ad looks great. we continually scan ads based on risk, how often they're shown. these ads went bad before we had a chance to rescan them. >> the vulnerability was you didn't have a continuous ability to analyze that ad and it went bad. so what are you doing to address that vulnerability? >> what we have done is we looked at our risk profile on these ads and lowered it for many of them, scanning more often for these. >> and are you scanning often enough to avoid what happened with the youtube malware happening again? >> we believe so. we scan all of the ads we host and rescan them quite a bit. we have hundreds and thousands of ads we take down
3:42 pm
continuously. some are based on websites go bad or the ad themselves. >> your prepared testimony focuses on preventing disabling malware, both are necessary, i get that. when prevention fails, as it did with this incident what can consumers do to protect themselves from harm inflicted by harm's on google's ad network? >> so just on the incident itself, i wouldn't call it huge. the website itself was on our safe browsing list. users that use chrome and safari were covered by this. also, the specifics were for an unpatched version of internet explorer. this is telling you, these are users that got the malware or exposed. we don't even know how many of them actually downloaded the malware. >> you don't know what the damage was but it wasn't huge? >> we know the potential. when we look at what is the potential when the ad goes bad and look at the last scan, we consider all of that potentially
3:43 pm
bad advertising. but that shows us that what can protect a user is knowledge that they need to use anti-virus software and need to update browsers and operating systems. that in general is best practices not even just for malvertising but malware in general. >> let me ask you a question to both of you mr. stamos and mr. salem, about consumers because you talk about how they need more information. what can be done to inform people that they have been infected so that they know it, without tipping off the cyber criminals involved? isn't that one area where for consumers as senator johnson was talking about consumers are going to be key to this, it's impossible for people to know how to react if they don't know they've been infected. how are you going to let consumers know that? >> thank you, senator. as the gentleman from google
3:44 pm
said, the cyber criminals are choosing users to attack based on criteria that aren't ours and servers that aren't ours. we don't have the exact list of users or ip addresses which were attacked nor do we have a direct relationship so direct notification is a difficult issue. that's why we do general notification we post on our blog and we had discussion through the press of what happened and then we have a safety and security website we refer users back to to give tips on how they can patch their system and what free anti-virus tools. check whether or not that piece of malware was installed. >> mr. spiezle, any thoughts on that? >> i agree. it's very hard knowing where that ad ran and who it was. there are obviously anti-virus software, the comments of consumers and get notifications from there. there has been a related effort led through the fcc and the process with isp best
3:45 pm
practices where they detect abnormal behavior coming from an ip address of a residential computer. there's progress in that front, not related to the ad specific but when a device appears to have been compromised and how do you notify. the framework i identify today and outline is built on that framework of prevention, detection, notification. there are parallel efforts and i raise that because this is an issue that needs us to move out of the silo of one industry and look what other segments are doing to solve the problems, similar problems. >> in the subcommittee's report it seems to me what senator levin's team is saying, is that you guys don't have incentive you would otherwise have because consumers don't know that the malvertising came from you. how do you respond to that? i think if you don't know to attribute to a particular ad
3:46 pm
network, there might be a disincentive to address it, otherwise there would be a much greater incentive if they knew this came from my yahoo! account, the advertising they got on yahoo!. what's your response to that? >> i can say something and clear up misconception. just because you visited a site and got an ad from google, we don't necessarily know who you are. as far as even being able to let people know, oh, this ad was served to you and potentially had malware, we don't know who you are, it is all anonymous and done on purpose that way. that's one of the reasons why someone can't target you specifically with an ad. they can target your gender or age group based on profiling but that's about it. we don't necessarily know who you are. that's not even possible. >> mr. stamos. >> as to the motivation, this kind of incident happens and it has an impact on our reputation
3:47 pm
and that trust is absolutely the bedrock of our business. so maintaining user trust is essential which is why we have a security team and trust and safety team and we're working on this issue 24/7. >> but you can't tell your customers that they got attacked. >> we can't tell advertising customers. as mr. salem said, we don't have that information. we can't directly tie bob smith looked at this specific advertisement. >> and if they could have that connection to a particular ad, wouldn't that make for more effective regime and you would be in a position to respond or the ad networks would? >> i believe that would be a significant privacy issue. we're talking about here for us to track individuals looking at. >> something i found really interesting in looking through the material sent in advance, some cyber criminals carry out attacks on weekends and holidays because they figure your guard is down. is your guard down on weekends
3:48 pm
and holidays? >> absolutely not, senator, thank you for the question. the systems that do this are automated systems and you're guilty until proven innocent. we scan immediately on upload, before an ad is seen and scan repeatedly afterwards. if anything strange, that ad gets immediately pulled and people get paged and security team works 24/7. >> consumers shouldn't -- if you're worried on weekends and holidays. >> absolutely not. >> glad to hear that. i guess one question i also had was the trustinads.com group that you all support. mr. spiezle, but maybe you can tell us, what can we expect from them? in the near future to address the malware problem? how can consumers get information. >> i can't speak to the organization. we have reached out to them. i can only respond to the website, it's about educating policymakers and notifying consumers what to do when they've been harmed.
3:49 pm
so the site speaks for itself. i look forward to finding more information for them as well. >> you think it's going to be effective? >> yes, it has been effective. we've recently just released our study on the tech support vertical and basically one of things we're noticing was when google started clamping down on this terrible scam, they started to go to other sites. what we did was we reached out to colleagues to make sure we stopped this to happening for everybody. >> mr. stamos? >> i totally agree. trust in ads is focused on deceptive advertising in the fraud. one of the reasons it's been put together a single place where you can report the advertisements to make sure to all of the companies involved to take them down and ban the advertisers. >> thank you, sir. >> thank you very much. we thank our participants in this panel very much for your testimony. it's been extremely helpful. we'll move on to our second panel. >> mr. chairman, it's a little disturbing when mr. salem and
3:50 pm
mr. stamos dispute facts. ronald reagan used to say facts are stubborn things. i also am not -- i'm a bit disturbed by sort of it's also of it's somebody else's problem in the testimony today, and it heightens my motivation to both reinvigorate legislation that we tried before, but also try to make google and yahoo understand this is a much bigger problem than the testimony -- their testimony indicates they think it is today, and it's a bit disappointing, thank you, mr. chairman? >> just two quick questions? >> we have three votes or four votes in five minutes. >> some basic questions? >> okay. >> i just want to ask yahoo and google, the technical limitations scanning, how many scans are you doing?
3:51 pm
what percentage of that, you know, if you wanted complete coverage? what are we talking about? are you able to scan 1%? 100%? >> we scan all ads with 100%. >> but you're rescanning and rescanning. what would be complete coverage versus what percent are you -- do you understand -- is it an impossible question to answer? >> i think that one -- >> could you give it a try for the report? would that be all right? >> the other thing is how many people in your organization are devoted to cybersecurity number of people? i want to ask the government how many they have available. >> as to the last question we scan every single ad, we scan them multiple times based on different risk metrics. as for the number of people, i would say across the different teams, we have over 100 people working on security, trust and safety. >> mr. salem, do you want to give an answer to the number of people quickly? >> sure, google has 400 people
3:52 pm
working specifically on security. we have over 1,000 when it comes out to all of our ad policies and making sure the ads are compliant. >> again we thank the panel. you all are very helpful. i want to thank senator mccain for bringing us to this point. i happen to very much agree with his comments and with this -- the thrust of this report. it's manesha mithal? >> it's mythal. social director of didsh and federal trade commission in washington, and mr. lou mastria, is the managing director of the digital advertising alliance in new york. we appreciate you both being
3:53 pm
here this morning and we look forward to your testimony. i think you know the rules of the subcommittee, that all who testify here need to be sworn. we would ask you both to please stand and raise your right hand. do you swear the testimony you're about to give will be the truth, the whole truth, and nothing but the truth, so help you god? we're going to get as far as we can in the testimony before the votes starts and we'll have to work around and the testimony and the questions, i'm afraid. let's try to do this in eight minutes each, if you could, and we'll put the statements in the record. ms. mithal, please start. >> thank you senator, chairman levin, ranking member mccain and members of the subcommittee. i'm from the federal trade commission. i appreciate the opportunity to present the commission's testimony on consumer protection issues. i also thank the subcommittee for its report that it issued yesterday, which highlights
3:54 pm
online threats to consumers. we look forward to working with you on these important issues. the commission is primarily a civil law enforcement agency charged with enforcing section 5 of the ftc act, which prohibits unfair or deceptive practices. we're committed to using this authority to protect consumers in the online marketplace. for example, we've used section 5 to take several actions against online ad networks. we also educate consumers and businesses about the online environment and encourage industry self-regulation. in my oral statement i'll discuss our enforcement in three areas -- privacy, malware and data security. first, we realize to priefer sell we brought many cases against online ad networks for example -- it december according to our complaint, what they didn't tell consumers is that the opt-out lasted only ten days.
3:55 pm
our order requires chitika to tell the truth in the future, provide effective opt-out and destroy the data they collected while the opt-out was ineffective. for a littledly -- safari browsers. google placed tracking cookies and gave them a choice to opt out of these cookies. google's opt-out instructions that safari users didn't need to do anything, because the default setting would automatically ensure that consumers would be opted out. despite the instructions, in many cases we allege that google circumvented safari's default settings and placed cookies on the computer. though we can't get civil penalties generally, we were able to get civil penalties in this case, because we alleged that google violated a prior order. the second area i'd like to highlight is malware. it can cause a range of
3:56 pm
problems, to slow performance to keystroke loggers. this is why several cases have been caught -- without their knowledge. one of these cases against innovative marketing alleged that malware was placed through online ads. we have also made consumer education a priority. about basic computer security. we've created a number of articles, videos and games that describe the threats and explain how to avoid and detect it. finally, while going after the purveyors of malware is important, it's critical that ad networks and other companies take reasonable steps to ensure they're not inadvertently allowing users to place -- to ensure they are not showing ads containing
3:57 pm
malware. in the private sector in order to prevent hackers and purveyors of mal -- we've entered into 53 settlements with online and off-line businesses that we charge with failing to reasonably protect consumers' personal information. the cases include -- and more recently fandango and snapchat. there's no one size fits all, that the commission doesn't require perfect security and the mere fact that a breach has occurred doesn't mean a company has violated the law. they apply equally to ad networks. rather, the commission would look to whether the ad network took reasonable steps to prevent third parties from using online ads to deliver malware.
3:58 pm
in closing the commission shares this committee's concerns. consumer privacy, malware and data security. we encourage several additional steps to protect consumers in this area, including more widespread consumer education, continued industry self-regulation, and the enactment of a strong federal data security and breach identification law that would give the commission the authority to seek civil penalties for violation. thank you. i'll be happy to answer any questions. >> chairman levin, ranking member mccain, members of the subcommittee. good morning and thank you for the opportunity to speak at this important hearing. my name is lou mastria. i'm the executive director of companies have every interest to protect the privacy of consumers data, and i am pleased to report to the committee on the continued success of the daa's
3:59 pm
self-regulatory performance. for transparency and control of web viewing data. all of this backed by a growing code of enforceable conduct. the d.a.a. is a cross-industry nonprofit organization founded by the leading advertising and marketing trade associations. these include the association of national advertisers, the american association of advertising agencies, the direct marketing association, the interactive advertising bureau, the american advertising federation, and the network advertising initiative. these organizations came together in 2008 to develop the self-regulatory principles which were then extended in 2011 to cover the collection of the use of web viewing data for purposes beyond advertising. more recently the daa provided guidance for the collection of data in and around mobile
4:00 pm
environments. in 2012, the obama administration publicly praised the daa as a model of success for enforceable codes of conduct recognizing the program as, quote an example of the value of industry leadership as a critical part of privacy protection going forward, close quote. more recently, commissioner ohlhausen was quoted as calling the daa one of the great success stories in the privacy space. the daa administers and promotes these responsible and xre to provide independence accountability for the d.a.a., the counsel operate collaborative accountability mechanisms independent of the d.a.a. to date there have been more than 30 publicly announced compliance action through the daa program. we believe the daa is a model example of how interested
4:01 pm
stakeholders can collaborate to provide meaningful and pragmatic solutions to complex privacy issues, especially in areas highly dynamic and evolving as online advertising. the internet is a tremendous engine of economic growth, as was mentioned earlier, supporting the employment of more than 5 million americans, and contributing more than $500 billion or 3% of gdp. a major part of that includes the data-driven marketing economy which touches every state and contributes nearly 700,000 jobs as of 2012. advertising fuels this powerful economic engine. in 2013, internet advertising revenues reached $43 billion. because of advertising, consumers access a wealth of online resources at low or no cost. revenue from online advertising that consumers value, such as online newspapers, blogs, social networks sites, mobile applications, e-mail and phone
4:02 pm
services. these advertising supported resources truly have transformed all of our daily lives. interest-based advertising is essential to the online advertising model. interest-based advertising is delivered based on consumers' preferences or inferences inferred from data about online activities. research shows that advertisers pay several times more for relevant ads, and as a result this generates greater revenue to support free content. consumers also engage more actively with relevant ads. interest-based ads are vital as well. they can stretch the marketing budgets to reach likely consumers. third-party ad technologies allow small content providers to to large advertisers, thereby increasing revenue. preserving an advertising ecosystem that meets the needs of both small and large businesses, and at the same time provides
4:03 pm
consumers ways to address their privacy expectations is a reason why so many companies have publicly committed to the daa principles. the daa provides consumers choice with respect to collection and use of web-viewing data. and continue to innovate. among other things, the daa principles call for enhanced notice outside of the privacy policy, so that consumers can be made aware of the companies with which they interact while on the net, provision of a choice mechanism, giving consumers choice, not companies. education and strong enforcement mechanisms. together these principles increase consumers trust and confidence in how information is gathered online and how it is used to deliver advertisements based on their interests. the daa's multisite principles, one of our three codes of conduct sets forth clear prohibitions against certain practices, including the use of web viewing data for eligibility
4:04 pm
purposes, such as employment, credit, health care treatment and insurance. the daa has developed a universal icon to give consumers transparency and control with respect to interest-based data. the icon provides consumers with notice that information about their online interests are being gathered to customize the web ads they see. clicking on the icon takes consumers to a centralized choice tool. the icon is currently served more than a trillion times each month globally, web sites, digital properties and tools covered by the program. this achievement represents an unprecedented level of industry cooperation and adoption. currently on a desktop version of the daa choice program, more than 115 third-party platforms participate. it offers consumers a one-click option to opt out from
4:05 pm
all participating platforms. consumers are directed to the daa choice page not only from the icon in and around ads, but also from other forms of website disclosures. over 3 million unique visitors have exercised choice via our choice page. we are also committed to consumers education. the daa launched an educational at your ad choices.com to provide easy to understand messaging, explaining the choice is available, the meaning of the icon and the benefits derived from online advertising. more than 15 million unique users have visited this site. to prepare for the introduction of a daa mobile choice app. for the mobile environments, which we will release later this year we have also recently released guidance how the icon should appear to ensure a consistent user experience in that environment as well. a key feature of the daa self-regulatory program is
4:06 pm
independent accountability. all of the principles are backed by robust enforcements, administered by the council of better business bureaus and direct marketing association. 33 public compliance actions have been announced in the past 2 1/2 years, and have khaled both daa participants and nonparticipants alike. we have an obligation to report noncompliance when it happens and cannot be remedied. the daa has championed consumer control that advocates -- and supports the ability of companies to responsibly deliver services desired by consumers. we appreciate the opportunity to be here today. we believe that we have a successful model, and can continue to evolve in this area. >> i just have a couple questions, because we obviously have an important vote going on. you saw the previous --
4:07 pm
>> yes. >> do you believe that that's an accurate depiction of maladvertising? >> i do. frankly no matter the number, i believe it's a problem, a serious problem and we're committed to using all of our tools at our disposal. >> why do you think the guys would say that it's not accurate? >> i don't know, senator. >> we haven't done our own research, but i have no reason to doubt the statistics. even if it happens to one person, it's a significant problem. it seems that consumers are being harmed, whether it be a, quote, sliver, as are the witnesses testified. or whether it's a widespread on the increase. >> i don't know, but according to the slide, it looks like it is. >> the person, the consumer that's harmed, has no place to
4:08 pm
go for help or compensation. do you agree with that? >> i do. i think -- off the top of my head, i would say three things, things like updating browsers, patching software, having an antivirus, antimalware software on their computers second more robust industry self-regulation. i was heartened to see the announcement last month, and third is the enforcement. >> it seems to me there should be -- standards of behavior, standards of scanning, standards to do everything they can to prevent the consumer being harmed, and then if they don't employ those practices, they
4:09 pm
should be held responsible. does that make sense? >> it does, and currently we have the authority to take action against unfair practices. if a practice causes consumers injury that's not outweighed by the benefits of competition and not reasonably be avoidable, that could be considered a section 5. we have brought over 50 cases against companies that have failed to do that. so that's a tool we can do that -- >> are you familiar with the legislation that senator kerry and i introduced back in 2011? >> i am familiar with it, and i appreciate your leadership. >> would you do me a favor and look at that again, and if you believe that we need additional legislative tools for you, to look at it, review it, give us recommendations as to how you think it should be best shaped to protect the consumers and address this issue? do you believe it would be helpful if you did have
4:10 pm
legislation? >> absolutely. in particular, in the data security area, currently we don't have fining authority, so we have advocated for data security legislation that would give us the authority to seek civil penalties. >> all right. i would appreciate it if you would review what we had proposed. i would do everything in my power to see if senator levin could get engaged. he's pretty important in some areas. >> i'm not a tough sell in this area, i want you to know. >> thank you. >> i do -- i'm glad you made reference to the question about whether we need additional strong federal policy. your written testimony says the commission kins by par san call and breach notification law. is that still the position of the commission?
4:11 pm
>> mr. mastria, have you taken a look at the possible legislation that senator mccain made reference to? >> i am generally familiar with it, but as a self-regulatory body, we do not weigh in on legislation. we leave that to our founding trade associations to do that. >> all right. >> i'm going to try to finish. if not, i'll be right back. >> the association has it requires its members to publish
4:12 pm
the names of parties that do data collection for -- or their website and to link to privacy disclosures. is that correct? >> we do require notice and transparency. >> do you remember your members to that do data collection? >> we do require -- they identify on that website which of the not members of your association? >> so if you go to our choice tool, all of those folks participate with the daa, either directly or indirectly. surge are affiliated with us.
4:13 pm
>> not necessarily members? >> we're not a membership organization. companies have to certify that they abide by our standards. >> everybody on that website is affiliated? >> yes. there's a provision in there, aboutads.info, and they can see a list of every participating -- >> it is a list of all participants affiliated with the daa that to work to be intermediaries in the --. >> and they can opt out? >> there's an opt-out button that effectively opts out everybody. >> it prevents consumers from receiving targeted ads based on existing cookies. is that correct? >> it is based on cookie
4:14 pm
technology, yes. the companies still have the ability to collect future data about you as you travel the internet? is that a yes? >> so in some cases yes, but there are prohibitions against the collection of certain data for interest-based advertising. in terms of what is allowed, they can continue to collect future information. >> i can only speak to what our program covers. >> it does not prohibit the collection of future information. is that correct? >> it does for interest-based
4:15 pm
advertising, but not necessarily if something else is going on? >> in other words if you opt out, they can no longer -- >> that's right. >> do they have to delete the data that they have already collected on you? >> based on the opt out retention policy, they're allowed to keep it as long as there is a business need. >> they're not required to eliminate -- is that correct? >> but they cannot use it for interest-based ads. if a consumer clears out all
4:16 pm
cookies on his internet. then because this is a cookie-based opt-out unless an interest-based advertiser sees that cookie on the person's computer, they can send a interest-based ad. am i stating it correctly? >> the clearing of cookies is an issue. in 2012, we enabled a suite of browser plug-ins that soft an issue. >> numbs the opt-out will still function? >> that's right. that's right. >> so the consumer does not have to continually worry about opting out. once they opt out that will continue to be effective? >> it effectively creates a hardened cookie, the way we
4:17 pm
jargon-ly talk about it. >> that's helpful. thank you. have you considered an opt-in approach versus an opt-out approach? >> there are -- which our codes actually do require opt-in. >> how about the interest-based ads? >> generally speaking, they work on, as described earlier, there may be an audience that's more interested in outdoor furniture versus -- >> no, i understand. >> have you considered -- no, the opt-out model seems to work especially when you put consumers in control. >> how about asking if you would prefer an opt-in or opt-out
4:18 pm
model? >> we don't ask those questions. we do have consumers whether they -- >> but your members, your associates ask a whole lot of questions. >> i'm sorry, who? >> the people who you say are not members or associated with you. they ask a lot of questions. >> is there any reason why you can't ask consumers that? your members could not do that? >> think the reality is we give them -- for data that's generally anonymous. >> there are opt-in procedures. >> i'm not talking about that. i'm talking about the kind of data that is now -- there's only an opt-out provision.
4:19 pm
>> it is based on a choice. >> the choice is opt out of everything or opt out of individual approaches. i'm saying why not give the consumer an opportunity to either opt in or what they currently have, which is to opt out percent or opt out specifically? >> consumer can, as you noted earlier decide to clear their cookies and reset all the opt-outs. >> i guess you're not going to answer my question. >> i apologize, senator, but as i said earlier -- >> you don't think the question is clear. >> no, we don't take a position on policy. we simply run the program as it's effectuated. >> don't you have a code? >> yes, we have actually three. >> why not part of the code, make it part of the code to give
4:20 pm
consumers that option. >> we do. >> no, the option i've just described. >> that's not part of the code. the code is based -- >> why not change the code to give people that option, give people more choices. everyone says you want to give consumers choices. i'm just adding an important choice so you're not bombarded, you don't have to go to try to understand the privacy policies of 150 different companies none of which privacy policies are even comprehensible. we're not going to put you in that position. we can opt out on everything, you can opt out individually on those advertising companies if you can figure it out. why not a third option, an opt-in option to opt in on the time of special interests the reality is we don't force people
4:21 pm
to look at privacy policies. >> why not your honor your members to give people that option. that's all i'm saying. >> that's not part of the program. >> okay. ms. mythal, would you give us any suggestion relative to the additional authority which you would like? in addition to commenting on the legislation. >> would you give us -- or soliciting recommendations from you as to any legislation that you would recommend to promote greater privacy, greater choice in terms of the internet and advertising on the internet? would you do that? >> sure, senator. i -- >> no, no, i don't mean right now. i mean for the report, because i've got to go vote. hey, thank you both. it's been a useful hearing. we really appreciate.
4:22 pm
thanks for coming. we stand adjourned. today is the final day of the u.s. africa summit that's been taking place this week here in washington, d.c. we'll have that live on c-span. aimed at boosting financial ties. on our facebook page, better than government aid. brian writes -- stop investing in other countries. michelle sell -- i don't think aid should ever be on the table. i think economic and political
4:23 pm
partnerships, both public and private are the answer. we invite you to share user thoughts at facebook/c-span. later tonight, including a discuss on the super-pac ready for hillary, which recently announced 2.5 million in donations over a three-month period. here's a preview. >> one of the things that's unique about this organization is it would be presumptuous to think that it could dictate what hillary's message could be. so for every time, you know, that hillary goes out and gives a speech about, you know, recent things that have happened in voter suppression we're really
4:24 pm
echoing that, making sure the e-mail list knows the key points and giving people opportunities to join in the efforts that she's promoting, and then also really just using her as a force of personality. so a lot of the imagery. are things we have done a lot of testing on. she is, you know, an inspiring figure. that's a preview. watch the entire thing beginning at 8:00 p.m. eastern. we continue our look back at the events of the summer of 1974, and president nixon's last weeks in office. tonight part of the house judiciary committee's day-long debate, which charged president nixon with abuse of power.
4:25 pm
also a comfort -- he explains why the abuse of power charge was at the heart of the impeachment proceedings, and ah it continues to -- that's all tonight beginning at 8:00 eastern here on c-span3. this weekend friday night, watergate 40 years later with a cbs special record and president nixon's address to the nation. saturday at noon eastern, a live call in program. sunday night at 8 on our series, the presidency, gerald ford becomes the 38th president of the united states, this weekend on c-span3's american history tv. the head of the national
4:26 pm
institute of health told a lot of funding is hurting effort. xofg patient care, american competitiveness, and other subjects. >> welcome welcome to the first of what will be a number of round tables of the a collaborative bipartisan effort that aims to celebration the pace of cures and medical breakthroughs in the united states. as we messagesed last week, as part of this bipartisan initiative. we will spent the next number of months to review the first arc of delivery development and
4:27 pm
delivery process to determine what steps that we need to take as a nation we cannot do it alone. for sure. we need the support of and ideas from those of you here today, or certainly watching online. we're going to hold roundtables in washington, perhaps around the country as well, as we hold hearings, and we'll solicit feedback from experts in interested parties throughout the country, with a lot of white papers and a lot of questions. we need a lot of answers, and we need to listen. no idea is too big, no idea is too small. the only way to accomplish or goal is if we work together to enjoy this conversation. we hope to hear from you during that process. you can e-mail your ideas to
4:28 pm
cures@mail.house.gov. today we're going to continue or process of soliciting ideas by hosting the first they are dr. francis collins. dr. janet woodcock, for devices and radiological health. dean of the university of michigan med school. dr. joe gray. dr. andrew, president of the is a mare tan health initiative and chairman of the project fda at the manhattan institute.
4:29 pm
dr. peter uber-. dr. ellen siegle, chair and founder of friends of cancer research. and jonathan lev, chairman of the deerfield institute. thanks for being with us today. i'd like to get know cochair to say a few words and then wee introduce eric cantor. i will say in advance steny hoyer planned to be here today and he had a very last-minute conflict, but in essen we had the number two republican and the number two democrat on board in terms of what we are trying to do to show bipartisan forward march. with that, diana.
4:30 pm
it's still fred. >> thank you, i'm happy to partner with you. the 21st century cures initiative has agreed potential to possibly imbalance biomel research and innovation in this country. the understand than the leader in this field for decades, but now we can either work together to improve health in medicine, or we can fall behind. to really dig into how we can more effectively and efficiently tackle the complex -- as fred noted, research and innovation runs on a sort of cycle. discovery, development and delivery. it's in those areas that we want to focus our attention and seek input of leaders like the distinguished leaders who are in our inaugural panel today.
4:31 pm
we've had already seen tremendous interest and the attendance today shows the interest. the questions were focusing on will be key to beginning our work towards possible solutions. first, we need to take a look at the current state of biomedical research and innovation in the u.s. what are the drivers? what are the barriers? where is the u.s. leading? and where are we concerned if we are falling significantly behind? second, how does it translate to improving patient care and outcomes and better health and medicine? we know that there are pockets of fantastic progress and promising research being conducted every day across the country. what types of patients are benefiting? where can we focus our attention to reach more patients? third, are there other countries we can learn from?
4:32 pm
as both fred and i said, the u.s. may be in danger of falling behind. what strategy and resources are the other countries employs? and finally are there concrete viable actions that we can take to advance biomedical research and innovation in the u.s.? does the nih need more tools to better harness the research? or how can we help -- and/or how can we help the fda modernize the drug approval process to take advantage of the cyclical nature of research and innovation that we mentioned -- discovery, development and delivery. all of these are important questions but they're also hard questions. i think everybody in the room and particularly on this panel today is up for the challenge. i know we can be productive. i look forward to the discussion, and i'm grateful to fred and everybody else from the committee who is here today for joining us in this effort, as
4:33 pm
well as the experts who are taking their time. thank you very much. >> i want to first acknowledge the leadership that they are demonstrating here in bringing us together in a bipartisan way focused on all of what -- so thank you -- thank you for the commitment some of you for decades allocating resources, and then affecting good policy to promote what i hope will become common parlance. i know that all of us are about making sure there's access to treatment.
4:34 pm
i know it hits the nail on the head -- we've got to get better at making it faster for us to get to cures and making cures of a more reality. good treatment is just not enough. source thank you for the emphasis here. i think it will be a tremendous story of accomplishment for this congress. if nothing else, this congress should be known for making the right choices and setting the right priorities cures, treatment for a better life i think you wantly is a win, win. i know dr. collins, you and i
4:35 pm
have had many discussions on this issue, and there are i think all of us here -- in terms of research what can we do to do more? sometimes first is starting to make the right choices, and then setting about how we're going to do more. i congratulate you on this. i would just ask, and i know it is inherent in the nature of the members bipartisan to think outside the box. all of us can sit here and talk about breaking down the barriers, you know, spending $ -- taking ten years, spending a billion to develop a drug and bring it to market is unacceptable. and so how do we think outside the box? yes, it's improving fda
4:36 pm
processes, yes it's making choices like the first steps that we took with the gabriela miller kids first research act. that's demonstrative of tough choices. yes, in the scheme of things, $123 million is not the $30 billion we've got to go and protect and grow within nih, but it's a step. it's demonstrating we're willing to make tough choices setting priorities. i really commend the initiative. and again, thank you all, the esteemed panel that's assembled here. we appreciate your work, honor your presence and look forward to the outcome of results.
4:37 pm
>> i -- i'm going to ask henry waxman to say a few minutes. i want to introduce some of the members that have been here. 6 kathy moreries rogers. from texas, it's -- from florida a member of the committee as well. >> thank you, mr. chairman.
4:38 pm
i think it's important to figure out a way -- and we spend an enormous amount of money and are able to produce products that are life-saving. we've got to encourage more development of medicines, but we have to make them affordable. we don't do anybody a favor if we have a drug that cannot be bought or that the health care system cannot pay for. as we think about new product, new drugs, new therapies, we must evaluate them to see if we're adding more to helping the american people and mankind. or whether we're just layering on new efforts that will cost a lot more, but may not add to the therapy that people are so desperate to have.
4:39 pm
thinking outside the box is evidence from this kind of meeting, and this is interesting. i've never seen anything like it in the time i've been in congress, and i will look forward to this group figuring out recommendations i assume to the committee, if it's necessary, we all want to work with you, and it's worth while to hear from people in a setting. i don't know if we can make -- but anytime we can exchange ideas, it's all for the good. >> congressman waxman is just uncomfortable, being to my right, but it is very good to be here. we're going to show our system at its best.
4:40 pm
and with the auspices of mr. pallone, mr. waxman, two of the experts on the democratic side. our system really does work over the next however many months, the country is going to see america's political system and medical system at its best. as we work together to decide how to take things out of the laboratory into everyday life. some of you i know very well. some of you i work professional. professionally. chairman upton is an honest broker, and he is absolutely making this a top priority, and you're going to see real result. the american people will see real results. i commend you, mr. chairman and mr. gett. i look forward to having the
4:41 pm
dialogues, and ultimately as mr. waxman said, coming up with common-sense solutions for cures that make america and the world a better place. >> when we sent out the invites, to spur some thoughts. one, what is the state of biomedical innovation two, what does it mean three how does the u.s. compare to other countries, and how do we make sure to foster innovation.
4:42 pm
and as we know keep more jobs in the u.s. what -- whether it's in this country or someplace else. . i know that, you know, for some of you, you've been as i sat down with many of you over the last couple weeks. hopefully the idea's element of that brain has been working. aches then we'rer we're ragly going to have a discussion. feel free to use the mikes, and let's go at it. welcome. thank you for being here again.
4:43 pm
it's amazing to sit here around this roundtable, and see so many members i thought to myself that i when mr. waxman said he's never seen anybody like this, i knew this was a unique moment. and much credit for convening us in what i hope will be a series of conversations. certainly from nih's perspective. and biomed research is a steady predictable trajectory of support. we have not seen that over the last ten years, we've lost more than 20% of our purchasing
4:44 pm
power. that has put the system under enormous stress. it has cost jobs ubs because we support about 438,000 jobs and those have been trimmed ruffle of this, but maybe most importantly and most worrisome for the future, it has caused a great pall to fall over the enthusiasm of young investigatoring who is or future. knees to have the confident there is going to be a path for them. we're not lacking in that talent, we're not lacking in their ideas. but we are in fact in a situation paradoxically enough where this remarkable scientific is a distinct mismatch with the ability of investigators to take risks that we in -- it is also
4:45 pm
perhaps i think year ---y know if you saw just today an the estimate is the return was 140 to 1 in terms of what it taught us about women's health. and to save lives and reduce costs. in terms of where we're going, the innovation opportunities, we are an extremely energized by the kinds of technology that are possible, wishing to have that unleashed.
4:46 pm
that are placed into a particular arrange, that you can basically study human kidney function derived from an individual in a reproduceable way. we are in fact trying everything we can to try to use this crunch as a motivator for creative solutions, working with industry, chairman upton you have commented on which brings together the science. and alzheimer's and rheumatoid arthritis and lupus, working in other ways to try to cut down that ten-year period. and we are, i think pretty
4:47 pm
bullish about the potential. just going along with what leader cantor said, i think it's fair to say we are just as excited about curing things as you could imagine. we want to cure alzheimer's, we want to secure cancer, and all of those are potential within reach, but the current system frankly isn't working. nih wasn't really broken ten years ago, but ten years of loss of purchasing power have started to break it. if we have the chance in this kind of conversation to recognize this is not something that is spending, this is an investment, an investment that pays rewards for human health, for the economy, for everything that in fact the government does well, recent analysis by economists indicating that make the most important entrepreneur in the american system is the federal government, yet we november allowed that entry pre
4:48 pm
neuroto be what it could. bottom line, if we could have the confidence for a stable trajectory, that would mean the world to an enterprise which is currently flagging. i don't know if you saw describing a typical situation of a brilliant young scientist in michigan who is at the top of his field post-doc in david ginsburg's lab who should be fought over by ten institutions in the u.s. to find this next creative faculty position, and he's going to china where he will find himself surrounded by incredible resources, as china continues to increase its support for medical research by 20% a year while we have been decreasing ours steadily over the last five years. we can fix this, but it will take the full power of all of
4:49 pm
you and the recognition this needs to be not an afterthought, but a real priority, we are at risk of losing something which has been one of the america's greatest stories. thanks. >> so i have privilege as dean -- so i have the privilege of serving as dean at the university of michigan medical school, and actually being involved in all aspects from training of the future scientists and physicians to discovery, to application in patient care. so seeing that whole ecosystem. what francis mentioned as to the angst that is instilled by lack of reliability funding levels for nih is absolutely true.
4:50 pm
however there are other things that congress could do that would be helpful. the regulatory been overlaid on our faculty and staff over the last several years are ever-growing. these are unfunded mandates. very basic things like depending upon what institute you're dealing with. what branch of government you're dealing with. there are different conflict of interest regulations. this is an administrative burden that has no value added so asking congress to help come up with a uniform approach would be very helpful. similarly, as we look to move our discoveries into
4:51 pm
commercialization, we find that there are gaps in the ecosystem. basic researchers can discover mechanisms. we can come up with targets. we can develop medicines and develop devices. but then it requires a large number of other individuals, partners with industry, partners with government, in order to move that forward, because we don't have all that expertise in the university. and unfortunately, those partnerships are sometimes difficult to develop because of regulatory burden. at a very basic level, it would be helpful if in the fda there would be a checklist. our faculty as they move devices forward have found a lot of cooperation from members of the fda that are really trying to help them do their job.
4:52 pm
but at least at the initial stages what we've had to develop are navigators. because the complexities of interacting with these agencies are such that our faculty have to be educated. and there are ways to partner with government in a different way to facilitate that interaction. i think it would be very helpful if congress could help move governmental agencies forward so there's uniform conflict of interest. there are ways to access the regulatory bureaus in a systematic way that's more transparent. >> i'm janet woodcock. the center of drugs at fda. if you step back and i'll talk about pharmaceuticals in
4:53 pm
particular not some of the other innovations. if you step back and look at the whole ecosystem there's some major barriers that academics and developers alike, face when they try to go from a discovery that they make an in a laboratory to an actual product that's given to patients. in order of, perhaps, ability to deal with this, i think number one, the clinical trial system that we have is not a system. in fact, what is done right now is for every product and they get it at clinical trial, that takes about a year to get a clinical trial together. then they do the clinical trial and shut i it down and if it's successful maybe they'll start another one. they have to do ten different agreements with ten different universities. material transfer and blah, blah, blah and it takes years. and exhausting for investigators. much paperwork. and often, many lawyers. what we're starting to do and
4:54 pm
maybe ellen may talk about this but we're starting to look at clinical trial networks to turn the paradigm on its head. a clinical trial network that's funded and when you get inventions that clinical trial network tests the invention, right away, basically and you have multiple, multiple drugs like diagnostics and it can all be -- diagnostics. and the product, from an academic or company is given to the network, they evaluate it so there's some distance between the evaluators and the inventors. and you get to do head-to-head comparisons in this network because you're testing multiple products as well as the approved therapies at the same time so that could be an advance. groups that have done that like
4:55 pm
cystic fibrosis, that's why they succeeded in getting the products on to the market because they have the patients ready and they have genotype. and i'm very interested in the drug manufacturing. there's a lot of innovation in drug manufacturing. we're having a big meeting in a few weeks about this. right now we have drug shortages that are afflicting the hospitals across this country. we are buying many of our drugs from other countries. and if something would happen, won't be able to get the drugs anymore. hostilities, natural disaster, whatever. and thirdly, that's another thing faced by developers. they have to continue to try to scale up their manufacturing and it's very much like the clinical trial system. very outdated.
4:56 pm
very cumbersome. there's now the technologies available to do these continuous manufacturing and make things that could be made in the united states. they wouldn't have to be all over the place. it's environmentally friendly and it's the wave of the future and how drugs should be made. where they're needed. so i think that's another area. and then under the critical path initiative, andy knows a lot about this, there's a whole lot of translational research that needs to be done on biomarkers and many other things that would really aid in getting the products from that -- the person in the laboratory through and into the clinic. and through the clinical development. that's another thing that really should be worked on as a tremendous opportunity. >> mr. chairman, hi, once again, i thank you for your leadership
4:57 pm
and leadership of all of you in bringing this together and tell you what a great pleasure it is to be back in this hearing room again. there have been a couple of words that have been placed before you such as ecosystem and francis alluded to risk. it's, i think, important to keep in mind that this process of discovery, development and delivery, is now a very cyclical one and it lends itself to tremendous opportunities with regard to acceleration of that process if we pay attention to the issues of what does accelerate it, namely, the investment of intellectual capital as well as financial capital. francis has already alluded to some of the risks that are now associated with that investment. there are also the risks that have been raised with regard to the regulatory components of this and even on the other end of the spectrum risks that
4:58 pm
relate to rewards namely reimbursement and the challenges that are coming from that. so as congress takes a holistic view of the ecosystem and looks at policy changes one, the general themes will be to look as those initiatives that will reduce the risk within this system. and that will promote and enable a greater participation and investment and accelerating cycle. one of those particular things that needs to be addressed is the transfer of data across this cycle. and the opportunity for greater data sharing and greater data integration. there are data challenges on the front end. as we see the transfer of data from investigators to developers. and the challenges of even data sharing among developers as they now need to create integrative products such as the combination of dyiiagnostics and therapeuti
4:59 pm
and problems on the other end as janet alluded to the need to look into the clinical trial designs and the way we look at data as it relates to the delivery of these new inventions. so you've put in place an important process that will enable us over the next months to step back and take a look at all of the components of the ecosystem that need attention and reduce the risk that is currently growing and slowing down the process. >> thank you very much for inviting us to be part of this. it's an honor and a privilege. i came out of graduate school and worked for the congressional office of technology assessment and i think, you described this as unusual it certainly i think was the norm for a long time to come together and talk about these critical issues. so in terms of answering the
5:00 pm
question of what can congress do, i think you're doing part of the work, which is putting a spotlight on research, science and innovation as a national treasure and as a national priority. if you're prioritizing the research system i certainly follow suit with what dr. collins articulated in terms of the resource issue. i don't think you can escape the responsibilities of congress to make sure these agencies are adequately funded. united for medical research is a group that came together around the issue of the nih and the alliance for a stronger fda is a group that i've had the privilege of serving as past president of. this is a group of all of the different stakeholders coming together to say the appropriate dollars that go to the fda are extremely valuable and they're not enough. i think that prioritizing the infrastructure has to happen. it's a critical necessity


Uploaded by TV Archive on