tv Politics Public Policy Today CSPAN March 16, 2015 3:00pm-5:01pm EDT
3:00 pm
doing, is we wrote into our supplier agreements and we have 7,000 suppliers around the globe that we want them to consider the framework and all good sense of intel, that's the first step on the journey of needing to implement the framework so what probably will work with our insurers. on the topic certainly with analytics and what's materializing is the new business opportunities, we need to continue on our journey of s.t.e.m. education and increasing the capabilities in math and science. and you hear everybody say it, we're not making enough progress. we're doing our part. i know bank of america is probably doing their part, aig we're all doing our part, but as a collective, we do need to have
3:01 pm
even more dialogue and probably more partnership with the government on this. this is a serious issue and will become a competitive issue. >> is this deciding i want to be in computer science in fifth grade or fourth grade or is this something i can recover from if i'm 16 or 18 or 20? >> i think there's varying opinions on that and i welcome the other panelists' opinions on that, but what the data has suggested is that if you don't have the right math and science education k through 12 and especially through high school, if you don't go to college, if you don't have that basic math and science foundation, it's hard to recover from. you don't have to be a computer scientist but the basic analytical skill you're going to need. so, we spend a lot of our intel teach, which has been a 25-year foundational effort at intel, on
3:02 pm
teaching in the classroom, as part of our community effort, we send our own engineers out to teach k through 12 and to really teach teachers how to be better math and science teachers and also teach classes as part of their community service. and i think we just have to continue to extend and extend and really get focused. diversity is also, of course one of the big initiatives for me but we know young girls drop out in middle school from math and science. so that's the other big focus area for us. half of the workforce, we need to keep them interested in math and science. let them know they're cool jobs. they're not boring jobs you know. that kind of thing. >> one of the things i've often thought about, and this is a question for all of you, is how do we make it real at a young age for how cool these jobs are? what can you do? do i have to be the a-plus math student throughout high school
3:03 pm
you know, and have taken college math at 16 in order to be eligible? i think there's too much ambiguity about what does it take to be eligible? i also think there's not enough of a collaborative process -- we go and legislature as women to young girls but the question is can they really feel this is a fun thing as a group you know, as a seventh or eighth grader that i want to be a participant in? how do we make more of that happen so i'm not the outlier in my group doing this and i'm more the norm? >> i'm living the dream as the mother of a junior high school girl and middle school girl and elementary school. you're right. there's all the data around k through 12 education. i was also a teacher before i went to law school. that's the societal attitudes about what's cool and getting your kids into coding camps and coding class. my friend cameron who runs code
3:04 pm
dot org. trying to get it as part of our curriculum. we need intelligent people coding and creating algorithms that work for society. we need a diverse workforce, that creates a imbedded technology we'll all be living in. it starts at home. it starts at the youngest ages. it starts with letting my daughters play on the computer probably more than anybody thinks is appropriate. they say, mom, i want to be able to program this game. i want to learn how to do this? we'll be looking for coding camps this summer in the d.c. area. it's about attitudes it's about education and it's about being aware of the words you're choosing when you're talking to your young people in your house and in your schools. >> we go out and do a lot of this talking but i know way up there there's a lot of
3:05 pm
women, college students, way cooler than we are, that should be using their time as well going back into k through 12 and talking about their journey and what's happening and, you know these coding camps are really helping. by the way, stanford runs some of them. so, thank you. >> terrific. terrific. we're almost out of time. let me just raise one last question. it's a big question, though. you know what are you hearing internationally from foreign governments and regulators about cyber security? >> i just came back from a large trip india, and cyber security is a big thing. protecting the ways, the way we're talking right now. the other one is the fear of what i call the balkanization. does this increasing chauvinist.
3:06 pm
we can keep our competitive advantage in terms of the computers and payment systems and phones so on. i consider that to be a bigger issue that's floating around right now. in addition to all the facts, we have to get our act together on the rules of the road in terms of justice and law pursuing criminals where they are. that's work that needs to happen government to government, but there's this other issue percolating of international chauvinism we need to be careful of. >> i completely agree with that. i, too, just returned from -- i must have followed you guys through india and europe. i have expressed this concern. i'm very concerned. it's under the guise of data protection when i think it's an economic issue for us. >> peter, do you have a last comment? >> we operate in about 90 countries and a key part of the history of this country that was started in china 95 years ago is
3:07 pm
its ability to reduce the fear of interacting across borders. and the fear has grown in a way that i think inhibits world trade and growth. and it has to be balanced by a collaborative dialogue between governments. i think the private sector can only go so far in building bridges between societies that have really different views on privacy and the opportunities of innovation that come from a more open data society. >> brian? >> it's complex because it's obviously -- we have a tough time just in the united states. now think of all that times the number of countries times all the things. it's enhanced effort to do it. i agree there's a protectionism that has potentially other motives, but it is really real. you're starting to see it actually affect the ability for
3:08 pm
global companies to operate. you have to store your data here, use these providers use this technology you can't have it outside. if you think about a global financial system, a global delivery of any product in the world, this is actually working very much against it that i think it takes governments to operate to say, it's okay to have multinational companies. >> it also ruins the potential for the internet to be this great collaborative enabler this place people can express themselves freely and communicate across societies and cultures. the promise of the internet is a truly global way to help people all around the world create a better life for themselves and their families. >> as you could tell we could spend another 45 minutes just talking about this challenge. let's give our panel a real round of applause. thank you. thank you. that was terrific. thank you.
3:09 pm
the house returned today from a week-long district. they're working on six bills dealing with house care and they'll consider legislation on the epa's rule-making. c-span will have live coverage of the house. senate starting the work with several executive nominations. they'll vote this afternoon on moving ahead with human trafficking bill and awaiting action for loretta lynch. can you watch the senate on c-span2. senate homeland security committee is looking into why the social security administration counts some people as deceased when they're not. a woman who's been declared dead will testify along with social security inspector general who looked into the agency's record keeping. that starts at 4:00 eastern. we'll have live coverage. transportation secretary anthony fox talks about plans to improve the nation's roads and bridges and how that will improve international/u.s. trade. we'll have live coverage as he
3:10 pm
speaks at council on foreign relations at 6:00 eastern here on c-span3. tonight on the communicators, fcc on net neutrality ruling municipal broadband and subsidized broadband program lifeline. >> what i am proposing that we do is overhaul the lifeline program, make it concurrent and in sync with the information age. challenge those providers to give more to their consumers, the prices and opportunities have gone down -- have been more explosive for the rest of us. it should be for a life-line consumers. get those providers out of the certification business. that has been the number one problem we've been seeing with not so positive headlines. it is a vulnerability in the system we need to plug. >> tonight at 8 p.m. eastern on
3:11 pm
the communicators on c-span2. a look at national cyber security and n-kick with assistant secretary of cyber security of the homeland security department. this was hosted by the american bar association in washington, d.c. this is about 50 minutes. >> we're trying to throw c-span off because they focused on that one and widen the lens. you got it. thanks for braving the cold. did everybody get a copy of the blue book outside? that's your reward for coming. please be sure and get one. show your friends and neighbors, put it on your coffee table because it marks you as special
3:12 pm
you came out on the coldest day in the last 100 years. allow me for just a second to let you peek behind the aba's bureaucratic curtain. and i say that with all fondness. every year the standing committee is reviewed by a group of folks at the aba. they look at the topics such as programs publications outreach things the community has done in the legal community. holly, of course, puts our reports together. every year we receive top reviews. in preparation for this year's review, we were looking at our previous year and what we had done. what our speakers spoke on at these breakfast events, our annual review, that sort of thing. we noticed something very, very interesting. that is this all of our programs all of our publications, all of our legal community outreach mirrored the current legal issues of the day. and that is what set us apart from all the other aba
3:13 pm
committees. i know that could be shocking. we are both timely and relevant to the national security discussion. in keeping with that tradition, we have a unique format. first of all, we have a tag team. dr. andy ozment and donald sutherland they both work for suzanne spalding, alumni of our committee. please tell her we say hello. they will talk about their office's challenges opportunities and priorities in the cyber security world. you have their very very impressive bios so i won't take up precious time reading them to you. i will note that yes, they do work for dhs. we'll have donations at the end to help pay their salaries at the end of the week. let me welcome them to our breakfast and please join me in welcoming dr. ozment and mr. sutherland.
3:14 pm
>> well, good morning. thank you, jim, for the introduction. holly, for arranging all this. holly always does such a great job pulling off these events and we enjoy working with her. if i can just give you a tiny bit more introduction. i'm the associate general counsel at the department of homeland security. i'm the associate general counsel for national protection programs directorate. andy is my client. so, we're having some attorney/client discussion here this morning. it's privileged. >> it's privileged so please don't tell anybody about the conversation we're about to have. originally i reached out to holly and harvey and jim and talked about the idea of doing a briefing on some of the new legislation and the new legislative proposals the new executive order we knew was about to come. they said great let's do that.
3:15 pm
the more i thought about it the more i thought, well, this is a great way to put an audience to sleep. is to have a lawyer talking about the mechanics of new legislation. so, andy agreed to come with me. we get to do a tag team. i'm the play-by-play commentator and he gets to do the color commentary. he gets to tell you what all these laws mean new authorities mean and daily operations. >> absolutely. >> so, i was trying to think of a good comparison. you look like a sports talk radio crowd out there, don't you? this -- we're like mike and mike on the radio. well, no -- he's mike and i'm -- well, andy's not a big sports fan, so i'll have to explain that. mike and mike is -- mike is the brains and mike is the brawn. one is the arm chair fan and the other was an actual football player.
3:16 pm
>> excellent. >> i don't know how that works with us actually but you're the actual practitioner and i'm the straight man. >> i think i just got called the brawn and not the brain, so i'm going to take that back. >> well i had the opportunity now. we hope this will be a discussion back and forth and it will be very interactive for you and good opportunity for you to discuss with us later. we'll start by giving you a broad sense of why this is an important time for us to be talking to you. this is a significant moment for dhs in the cyber security field. in late december the congress passed and the president signed several new pieces of legislation to provide dhs and others with new authorities in the cyber security arena. then just a few weeks later in early january, the president sent a new legislative package to the congress on cyber security again, several of which
3:17 pm
strengthened dhs's role and address some other issues as well. the president then came to our work site and gave a speech about cyber security issues from our work site, which was a great experience for our workforce. of course, the white house cyber security summit was last week. our secretary was very involved with that, a number of the rest of our leadership. and then at the summit, the president released a new executive order on information sharing we'll talk about in a bit that talked about strength of dhs's role. this is a significant moment for us. andy, you want to expand on that at all? >> i'll highlight it. cyber and dhs was a long time in startup mode. when dhs first started it pulled together agencies from across government but they had -- they were existing agencies, so you had something to draw upon as you started dhs. cyber was really new for dhs. you know didn't pull upon an
3:18 pm
existing historic agency with great back bench of capability. so, we've been in this surge mode of creating something since the inception of dhs. what i would say the last few months recognized we've come into our own in the last few years. we have a level of capability now that we have extraordinary demand from our customers. and i would say that our customers are three-fold in cyber security. the federal civilian government agencies, state, local, tribal, territorial and the private sector. what we've seen is a few years ago you have to used to go out and really sell people on what we could do for them. now they're beating down the door. i think we've seen that recognized by the president coming to speak at our organization. by the congress formalizing our roles and responsibilities and by the executive actions that have come lately, really giving us even more work to do. i think it's a recognition that the reward for good work is more work.
3:19 pm
and we're definitely in that position right now. >> i think there are some great opportunities for dhs, but my client is recognizing there are responsibilities associated with the new opportunities and i think it's great that we have such a capable team led by assistant secretary ozment on this. we thought we would give you a sense of what dhs's unique contribution, what we see dhs's unique contribution is in this field. of course, many organizations in government and outside that have an important role to play. we were just talking at breakfast about the national association of attorney generals and their role. there are so many players. we thought -- andy and i thought we would emphasize three particular areas where dhs plays a unique contribution. the first is that dhs is a strong record of imbedding privacy and civil liberties into its programs. dhs had the first statutorily
3:20 pm
created office for civil rights and civil liberties and chief privacy officer. when the department first started, the homeland security act incorporated a number of interesting endeavors, firsts. one of them was to create these two civil libertarian positions that reported directly to the secretary. many of you may know i was the first officer for civil rights and civil liberties at the department. i started the first day with the chief privacy officer, conner kelly is now the president for center for democracy and technology. i remember those first days we started the first days in orientation and started looking at each other, what do we make of all this now? we had offices next to one another and shared an assistant and tried to figure out where to go with all of this. that perspective has really
3:21 pm
helped me as i've come back and really been so pleased to see that it didn't just stay on an org chart but these commitments to civil liberties and privacy have been incorporated into the daily life of national protection and program director and others in the department. the commitment to privacy has been written into strategy. it's been written into operational level and daily, tactically, the folks who work with andy are trained in privacy protection and how to get pii out of material they've got to push along before it is pushed along. so, it was very gratifying to me to see that the concept that started with has really begun to take hold within dhs in these regards. i don't know if you want to comment at all on privacy and civil liberties distinctive. >> what i would add is from a cyber security perspective, privacy is strategic. and i say that both as a
3:22 pm
citizen, who is concerned about privacy in my own life obviously, but also as cyber security practitioner where i recognize and i think most people in this field to effectively secure cyberspace we need the trust of the people we're working to secure. if we don't build in strong privacy and civil liberty protections and ideally enhancements then we're going to succeed as cyber security practitioners. i think that's a critical point of strength for the department. as dan said, we have two strong organizations intentionally to draw upon. we've really institutionalized privacy and civil liberties into the processes. i agree that's a core strength for us. >> the second of our distinctives is dhs's expertise in private/public partnerships.
3:23 pm
one scholar i read recently said the development of public/private partnerships is the single most important field in homeland. that's a distinctive we have and very important in cyber security field, isn't it, andy? >> absolutely. when i came on board in my organization, i really made explicit something that had been implicit which is within nppd the part of dhs where we work, we are a customer service organization. we don't have any competing interests other than helping those three customers i mentioned before become more secure. and so public/private partnerships are one of our core avenues for doing that. we've been given the job of making the private sector more secure. that's a pretty big job. you don't do it by reaching out and touching companies one at a time. you have to do it through a structure that scales and through an ability to reach a
3:24 pm
partner with a few core organizations and have them reach out themselves to cover the rest of the united states. that's really what the public/private partnership means for us. >> the third distinctive i'll touch on is that dhs provides a civilian, nonlaw enforcement interface with the private sector and public on these issues. that's a really critical part of i think, the cyber security environment. you want to elaborate some? >> we should be clear. dhs obviously has key law enforcement organizations that are part of it. secret service homeland security but within nppd and our cyber security role cyber security and communication, is not law enforcement and we're not intelligence. that goes back to customer service ethos. my only motivation is to help get the bad guys off their
3:25 pm
networks and get the company back on their feet again. i'm not trying to prosecute anybody. i'm not trying to gather intelligence. now, those are important actions for the government to take. if i'm on site helping a company, i will encourage them every day to help bring in law enforcement to help prosecute. but if the company isn't comfortable with that they can still help get help from me. i think that's key. that we don't have other competing roles. >> that's a broad overview of the three distinctive areas dhs brings to this field. we thought we would talk you through three recent pieces of legislation, executive order and legislative proposals. we'll run them through one at a time. i'll describe kind of the technical aspects of the piece of legislation and andy will have the fun part and describe what it actually means and what it means for his priorities in his organization, his daily operations and that kind of thing, all right? so the first is in december the
3:26 pm
president signed the national cyber security protection act of 2014. let me describe it quickly. it establishes in law the national cyber security and communications integration center, or the n-kick. if have you been to the n-kick raise your hand. some people, good. it codifies the n-kick as a central player in the federal government's information sharing about cyber security risks with the private sector. and codifies the n-kick as an entity that provides cyber security technical assistance and incident response capabilities to the private sector. every time i talk about the n-kick and particularly this piece of legislation i realize we really need to describe the n-kick first. maybe you could do that and then i'll talk about what the legislation did. what is the n-kick? >> so, you're an organization and you need to secure yourself. you're a company, a government
3:27 pm
agency and what does it mean to have cyber security? we talk to a lot of folks who are just wrapping their heads around this concept. what we tell them is it's actually not that complicated. as an organization, you need to do three things to secure yourself. the first is implement best practices. and that gets you almost two-thirds of the way home. strong i.t. management and implementing best cyber security practices and those in the cyber security framework, that's a core part of what you're doing. that takes care of sort of the noise. you get 80% of the threats you just solved by doing that. then you have the more sophisticated bad guys. the nation state adversaries the organized crime that are particularly capable and maybe they're really after your organization. so, you've implemented best practices. you've raised the bar pretty high. now you do information sharing. the theory of information sharing is this. it's nothing particularly complicated but right now, the bad guys can try the same attack against 1,000 companies.
3:28 pm
and if they're not picky you know, they'll hit ten of those companies successfully. and that's enough for them. actually, right now, they can probably hit you know, 200 out of 1,000 they try to be successful. the cost for them is extraordinarily low and they have a really high return on investment. the idea of information sharing is they try 1,000 companies. the first one they succeed in breaking into, learn something. in fact, maybe even the first one that just successfully defends against them learns something, says be on the lookout for this activity shares that. the other 999 companies receive the information and are able to protect themselves. suddenly, the cost of the bad guy is reversed. what used to be a really scaleable thing, they could keep trying at no cost and just keep trying until they succeeded. has been inverted. where every time they try, somebody's likely to learn what they do, share that information now, inoculate everybody else and so suddenly trying itself has cost for the bad guys. that's what information sharing does for us.
3:29 pm
that's part two. first part is best practices. second part is information sharing. third part is incident response because ultimately this is about risk management. and risk management almost inevitably means there will be risk that is not -- that is accepted and there will be intrusions, for example, that happen. you have to be prepared for when that happens and you have to be able to respond effectively. how does the n-kick help organizations with this? it's not the part of the organization that focuses most on promulgating best practices. it's more on the operational side. i would say they help prevent incidents by information sharing and then they respond to incidents once they happen. in the prevent incidents by information sharing, we send out analytic reports every day all day. these provide a little more high-level context. a threat actor is going after this sector and this is what it looks like when they attack or try to intrude upon you. we also send out cyber threat indicators. this is tactical, granular information. if you get an e-mail from this
3:30 pm
e-mail address, it's a phishing e-mail, they're trying to break into your organization. so, block this e-mail address. or this i.p. address is sending malicious traffic. be alert if you get information from this internet protocol address. now, that's preventing intrusions through information sharing. as i mentioned before sometimes incidents are going to happen. we also with the n-kick help respond to incidents. at the most basic level, a government agency could reach out and say, hey, we found this tool on our network a bad guy left this tool. tell us what it did and we'll break it down and analyze it and say, hey, this is what this tool does. so you the victim can figure out what happened on your network. we can then take the information about the tool and, again, share it out to our partners. or a company can say or a government agency can say, you know, we've got bad guys on networks, we need help.
3:31 pm
operating picture for what's happening on the ground. and all of this activity generates information and we take that information and share it back out. so it's virtuous cycle. the more people ask for our help, the more we're able to help the individual company and also derive information we can push out so other companies, other government agencies can secure themselves. what i will tell you for those that haven't been there, it happens in a flashy cool looking room. we have all these screens on the wall showing all this stuff
3:32 pm
happening across the world on the internet. and it's really a fun place to go look. a lot of serious work gets done there but it is a cool looking room. so, i highly recommend you take the opportunity for a tour if that presents itself. >> let me give the nuts and bolts of the legislation and it will develop andy a little more. first thing is the composition of the n-kick. under the new law, the center is authorized to have representatives on the floor from federal agencies. primarily those that are leads from different sectors, energy treasury or the like. it's authorized to have law enforcement there which is an important part of the n-kick. state, local tribal, territorial governments are there, authorized by law and are there. and the private sector which includes both owners and operators. but also information sharing and analysis organizations. organizations that group together sectors and represent
3:33 pm
sectors there on the floor. so, the -- by statute now the n-kick is authorized to have this multidisciplinary eclectic group of people all interacting together. it's interesting to have in statute that these people are authorized to be there and work together. those of you who are lawyers appreciate the legal issues we've dealt with over the years. it's now in statute. do you want to expand on composition? >> not at all. >> the n-kick by statute now authorized, charged with being an interface for cyber security information sharing, provided shared situational and information sharing related to cyber security risks and incidents across the federal government. so the act provides the authority for the n-kick to provide upon request technical assistance to those who need it and incident response
3:34 pm
capabilities or those in the private sector, that could include attribution, mitigation or remediation. you've referenced some of that. there are fly-away teams we reference within the n-kick and authorized by statute to do that work. anything else you want to add there? >> other than -- the only thing i want to add is, you will particularly appreciate why this is helpful to us. now, i have found that most general counsels are happy-go-lucky people willing to let things fly. whatever happens, happens. maybe not. general counsels are usually there to help manage risks for their organization. and they see a lot of risks in bringing in an outside organization to help them out. and so having in statute our responsibility to send for example, a fly away team to help a company out isn't going to eliminate the risk a general counsel sees but it does a lot to mitigate their concerns. when we have incident at critical infrastructure company where we think it's critical we
3:35 pm
help them out and every minute matters, the fact that a general counsel can see that we're authorized in statute to take this kind of action helps speed the process along. this is a process where minutes and hours. it's one example of where a positive authorization is really valuable for us. >> of course i have to defend the lawyers. andy's not a lawyer so he's going to criticize our profession, but i will defend the lawyers. i think what andy has just said is absolutely right but also i think approaching cios and those in the information side with this organization, we can help you. who are you? where does this come from? well, now it is laid out in statute directly. in previous years, the n-kick has operated and it's operated under the broad authorities of the homeland security act. it's -- we have had the authority to operate the n-kick but it was under the broad authority of the homeland security act. it required a complicated, look
3:36 pm
at this, now flip three pages and here's this and here's this and here's the presidential directive. and that takes -- it takes precious time away from what should be focused on the response. so, the congress decided, we're going to put this in statute. we're going to clearly establish what its authorities are. we're going to eliminate that issue of time. i want to really echo what andy said, as an operational level as attorneys this will be extremely helpful. we've really been talking about the private sector mostly, we've been talking about the private sector. let's look at the second piece of legislation, which really talks about the dotgov environment. i know fisma is everyone's favorite topic. it's a great way to start off a riveting discussion of fisma. those of you who don't recognize sarcasm there. but it is really helpful.
3:37 pm
federal information security modernization act of 2014 grounds in statute dhs's role to administer cyber security policies and practices within the federal civilian executive branch. many of you know that the -- that fisma has been around for many years and it has primarily produced paper reports that agencies submit through omb to the congress on their information security practices. and that is an outdated system. and the -- so the fisma act of 2014 really brings us into 2014 and establishes dhs's role. andy, what are some of the implications of the fisma modernization act. >> you make a fisma joke to a group of ceos and they're on the floor laughing. i don't understand which crowd. we think fisma is a great source
3:38 pm
of jokes. technologists are known for our rich and normal sense of humor. so, fisma really lays the groundwork for how the government manages its i.t. risks. and that makes it critically important. i think the combination of fisma and some other acts passed this congress really recognize how the world has changed and we're moving from a world where i.t. happened at the very edges of the organization, out at the most outer edges of a department or agency, to a world where, to manage your i.t. effectively, there has to be some level of centralization and governance. whether a department cio has to have cognizance of what is happening in their department. to the government level where dhs can play that role across departments and agencies hand in hand with omb, understanding how agencies are secure, where
3:39 pm
they need to make improvements, giving them that feedback. and really holding agencies accountable with omb for whether or not they're effectively managing their cyber risks. the fisma modernization act the federal information security modernization act, i think is what it stands for, gives us the tools we need to do that. so, it's really two-fold in my mind. first, is it establishes and clarifies dhs's role as that governmentwide for the civilian government, measure and motivator of cyber security for departments and agencies. and then the second thing it does, it helps us move away from this thick binder compliance approach to cyber security to an approach where we gather -- we use computers to measure how secure computers are. and that's really where we need to be. when you have millions of computers in the federal government, going around with a clipboard is not the way. you have to use computers to, in fact assess how secure they are. one of the things we got out of
3:40 pm
fisma is in fact the positive authorization to do continuous diagnostics and mitigation, which is our program for helping departments and agencies automatically measure how healthy their computers are. they get a tool where they have a dashboard that gives them the status of their own environment. we get a tool where we have a roll-up dashboard across federal departments and agencies where we can help them understand how they stand next to each other. whether one department is particularly lagging whether one department is doing a really great job and we have lessons we can take from that department and share with other departments. so, this is really a profoundly important tool for us. >> just as general counsels from private companies have questions, who is this organization that's going to come in and look at our networks and work with us, agencies have counsel who also ask that question. you have -- you have capability of input on our network? where does this come from?
3:41 pm
now it's laid out in statute that dhs can work with omb to work with the technologies onto other agencies. i think that will be enormously helpful on a daily way. the act makes clear the continuing strong role for omb in these issues. omb and dhs enjoy a very strong relationship here and the statute solidifies that in terms of the -- working together. you want to reference that at all? >> no i think that's really a great point. ultimately, if you've been in the federal government you recognize that departments and agencies are most likely to listen to budgets. and so omb has the budgetary hammer that departments and agencies are responsive to. we at dhs will never have that. we look to omb, you know, essentially to be the bad cop and we're the good cop. that's a more pleasant role for me to be in here.
3:42 pm
i think that's a really valuable role. in working together, you know we are helping agencies secure themselves and they are ultimately saying, look this is what's acceptable and not acceptable. >> all right. third area we wanted to talk about, just talk about very briefly, is developing the cyber workforce. this is obviously a major issue. how do we develop people who know how to do this kind of work long term? so the border patrol agent reform pay act of 2014 actually includes language that addresses the cyber workforce. i wanted to ask andy, how many more border patrol agents you expect to now have deployed in the nccic, but that could be taking us in the wrong directions. just happens to be within that statute. it gives -- within that statute there's a provision that gives dhs similar authorities to the defense department in terms of setting pay scale and centers for cyber professionals. do you want to comment on the cyber workforce development at all? >> all i'll say is maybe we're
3:43 pm
patrolling the borders of cyberspace? i cannot overstate how important this is. we literally lose people every day who are willing to come to dhs and work long hours in the luxurious government office environments we provide them flickering fluorescent lights and somewhat dingy carpets. but they're willing to do it because they believe in the mission. ultimately, after a few years, they look around and they say, oh, my goodness, i could make literally six times the salary in the private sector. you know, is one year of work in the private sector worth six years of work in the government for me? and we lose them. now, some of that we just have to recognize. we are never going to have the normal government lifetime career employee in the cyber field of dhs. so we're not building ourselves to work that way. we recognize that we'll always have people going back and forth to the private sector and that's healthy. at the same time we have to
3:44 pm
have the best talent. and when the pay differential is so incredibly vast as it is right now, and, you know it's a wonderful compliment to us that the private sector is poaching our employees left and right, but it's not sustainable for us so this is really important for us. >> fourth area, friday, the president signed a new executive order. we wanted to address that. a new executive order on the idea of information sharing. and it's designed to try to encourage more sharing of information between the private sector and the government. the executive order builds on the foundation of the nccic legislation that i talked about previously. we need to have the private sector willing to share that type of information so that's what the executive order is going about, trying to tackle. it encourages the development of private/public sectors.
3:45 pm
every company can't have an office here to lobby the hill. you group together. from that grouping you approach the hill or others here. the same thing happens -- or needs to happen in information sharing. this executive order tries to encourage the strong development of associations that will allow this type of information sharing. they are called information sharing analysis organizations. which i think so we're pronouncing as isaos. >> information sharing analysis organizations that people -- that groups organizations, companies, can group together and then approach the federal government. there are a number of isoas -- i mispronounced it. >> not the most delicate sounding names. >> so, there are a number of these already. under the executive order, the president is directing dhs to enter into an agreement with a nongovernmental organization to identify a common set of
3:46 pm
voluntary standards or guidelines that will deal with the creation and functioning of these organizations. essentially, this nongovernmental organization will establish standards for private associations. and this will -- the thinking is develop and deepen the development of these private sector information sharing organizations. do you want to comment on that? >> absolutely. so, i mentioned before that there's no way that the government is going to be able to help every company in america secure itself. you know we view ourselves as an enabler. we're trying to help companies understand what best practices are, implement them share information and effectively respond to incidents. those three things i talked about. we have some extraordinarily successful information sharing and analysis organizations right now. they're sector based and they have been doing a great job of protecting their members against
3:47 pm
cyber threats. we need more. we need every company in america that has the capability and interest to have an isao available to them and that matches their needs. so what this executive order tries to accomplish is it solves two problems we were hearing repeatedly from the private sector. one is there were organizations, firms, coming to us and saying, look, we want to be part of an information sharing organization, but we don't fit in any of the sectors where we already have these isaos. they were called isacs. that's a traditional sector model. they said, look, we're a law firm and there's no real sector critical infrastructure sector, for law firms but we face cyber threats. what isac do we join? why is there not an organization for us? why does it have to be on these 16 critical infrastructures? that was one of our first realizations. look, trust comes in all shapes and sizes. our job as the government is to
3:48 pm
encourage the creation of these trust groups help them share information with each other and then help them, if they're interested and willing, share information with the government so we can connect them and that an intrusion over here an attempted intrusion over here quickly shares the information that helps everybody inoculate themselves. we need to work with organizations beyond just these sector-based isacs which have been successful and will thrive under these regimes but we need to accept other organizations. geographic based organizations. some folks have come together in different cities. they're asking us, why wouldn't we recognize them? we frankly said, you're right why shouldn't we recognize you? we should. that's one thing this executive order does. it says look, we'll work with you. you decide what shape you want to take, we'll work with you. the second problem we're trying to solve here are companies would come to us and say, we understand information sharing is important. there is not an organization that currently fits us so we're
3:49 pm
going to form an organization. let's do it. okay, what do we do? we said, well, you know, here's the kinds of things an isao does. let's connect you with some more of the effective existing isaos and then it's kind of all on you. you have to do all the work. sorry, we're here for advice and to help, but ultimately we don't have a system set up to help you build a new organization. and we kept getting a lot of companies coming to us saying, look, we're ready to do it. we want to build an organization. don't make us reinvent this wheel every time. again, that was exactly the right thing. and so we said, okay we're going to help you come up with best practices that delineate what an effective isao is. so, when you want to start a group, you don't have to start from scratch invent a theory and come up with it on your own. we'll work with a private sector, a nongovernmental organization, to run a standards process to come up with a set of
3:50 pm
best practices for isaos. that's going to take some time obviously, because we want it to be a consultative process. that's the kind of process that led to the development of the cyber security framework, which is a really successful way of promulgating best practices and hoping this will promulgate how you set up an information sharing analysis organization and lead to organizations successfully serving their members. >> so the last thing we want to talk about is the president's information sharing legislation proposal. this, we could have spent the entire hour on. we're going to spend two minutes and just give the wave tops and then turn over for questions. the administration's 2015 legislative proposal sent to congress in january is on information sharing. there were a number of other cyber security related legislative proposals, we won't
3:51 pm
touch upon. the relevant for us is talking about information sharing. information with the nccic. and it does that through providing targeted liability protection for companies that share that information with the nccic specifically the proposed language would state no civil or criminal cause of action would show or be maintained in any federal or state court against any entity for the voluntary disclosure to the nccic or a private information sharing and analysis organization of cyber threat indicator. you can have information. no federal entity may use a cyber threat indicator received pursuant to this act as evidence in a regulatory enforcement action. against an entity that disclosed
3:52 pm
that information. some targeted protection. we could spend literally an hour on this. we're just going to give you the wave tops of it. what this adds to the landscape we've been describing. >> first, dan, i think you called me the brawny earlier. but now the long winded one. companies share information now. that's awesome. that's great. we have formal agreements with over 110 significant sophisticated companies and isaos, they share information with us everyday. the information at large. but it's too hard. and we need more companies to share. this legislation will accomplish that. i think there are a few key aspects to it. one is that it's narrowly tailored. a lot of the proposals on
3:53 pm
information legislation have foundered because they're so broad. they try to eat the apple at once. but we think it's the right bite and do an enormous amount of good for our national security. so what does it mean to be narrowly tailored? cyber threat indicators. now, your sharing an indicator doesn't mean that you are breached. a company defending itself successfully will learn about indicators all day every day. they'll see attempted intrusions, they'll block them and they'll say, that one was a little different. let me share the key information on so that others can protect themselves. so sharing an indicator does not mean that a company is having to come forward and say hey, somebody broke in. i think that's a really key distinction. it helps the company be less nervous about sharing, but also frankly, it's the information we need. this is the information that network defenders use all day every day to defend themselves. so it's the right information. at the least sort of concern for the company. second, it's not incident information.
3:54 pm
as i just said if you have an incident, you need to call in law enforcement, that falls outside the scope of this legislation. if you have a law enforcement investigation, that's a much more rich and deep interaction with the government than just sharing a threat indicator is. and so that's one reason why the legislation is very clear to say that existing relationships, whether with law enforcement or otherwise are not touched by this legislation. it's really only focused on those cyber threat indicators. and that i think, also gives comfort to those who are concerned about privacy and civil liberties. it will help network defenders defend themselves and lower that bar so that companies are more comfortable sharing. >> all right. well, we have thrown a lot out. i think we have maybe ten minutes or so for some questions or jim, i don't know if you want to moderate that but here we go. open to you for questions.
3:55 pm
>> sort of bridge the generational gap. i found the last half hour or so not only fascinating interesting, but also understandable. thank you. i hope c-span producers can move this to some other time than 3:00 in the morning because i think a lot of people would be interested in this presentation. we do have time for a couple of questions. i know we're into billable hours for some of you. use your imagination. i'm sure you can bill a client for this time too. first hand up please? second hand. identify yourself and your question. >> david from politico. andy could you talk about what will happen to cyber security in dhs should the shutdown actually occur? there's been some very vague statements. i'm kind of assuming that most of the operational personnel are essential personnel, and so they would remain on the job. is that accurate? what about other programs like
3:56 pm
cdm? could you talk a little bit about what happened in problematic versus acquisition? >> i am gravely concerned about the impacts on our cybersecurity efforts if there's a shutdown at dhs. roughly half of our personnel left last time. were furloughed as a result of the shutdown. it would be, i assume similar numbers this time. what does that mean day-to-day? so the people, the standing watch 24/7 on that nccic watch floor will continue to work there. what i will say though is that a number of contracts could be disruptive that provide the support staff that help those folks. there would be less timely analysis. you send us a file of malicious software, we'll have fewer people available, fewer resources available to disassemble it and figure out what happened. we'll be less timely in our information sharing and you'll essentially see a slowdown in the operations that need to be
3:57 pm
happening in seconds. and that's a real concern. for our programs, like continuous diagnostics and mitigation, it enables to know the health of their networks. that would grind to a halt during the shutdown. so we're currently working right now with departments and agencies to select those sensors. that would not happen at all during a shutdown. we also run a program called einstein and we're rolling out einstein 3 which is think about it as a guard house in a fence around the government. and the guard house checks the traffic going into the government and stops malicious traffic. stops attacks. so it literally blocks attacks and intrusions against the government. we plan to roll that out over the next few weeks. moving our coverage of the government from 20% to almost half of the government covered. that rollout would be delayed. there would be no action taken on it during a shutdown.
3:58 pm
you might say, well, this government hasn't had this protection in place for a while. what is a few extra months hurt? i'll say, well honestly, we suffer attacks and intrusions every day in the government. and you never know which attack is going to take the critical piece of data and give it to a foreign nation state. so the fact that we will go unprotected for the portion of the government we could otherwise protect for our next year, day, week, month, months is of grave concern to me. >> are you referring specifically to -- >> i am. >> i want to ask a similar question. [ inaudible ] a tremendous amount of information that relates to clients we try to protect. what group do they fall in? where does that come in or does it? >> we have talked here to this
3:59 pm
committee about that issue. we need to continue talking about that issue. it's not just law firms. i think of accounting firms as well. you know even, firms are an aggregator. isao. keep messing up the pronunciation. that's a project we're talking about with you. but currently, law firms don't fit in one of these particular sectors, which is what andy is referencing. you want to take it from there a little bit? >> law firms are a target of the most sophisticated adversaries. nation states, organized crime, you name it. i ask each and every one of you
4:00 pm
ask what your firm is doing to protect its data and the data of your clients because you are very much a target. >> please join me in thanking mike and mike for a terrific presentation. [ applause ] >> under the joint regulations, has no value whatsoever. thank you so much. >> thank you. >> that concludes our breakfast program. thank you. >> terrific. >> to you live now, senate of homeland security committee. social security administration has judy rivers listed as deceased but she's to testify before the agency that she is alive. also, we'll hear from the inspector general of the social security administration on the
4:01 pm
4:03 pm
at the homeland security committee, hearing from people on efforts to make sure that the records at the social security administration are correct. we'll be hearing from judy rivers. we saw her just a moment ago. she's been listed as deceased. she's going to be talking about her efforts to convince social security, the agency, that she is alive. we'll be hearing from the inspector general on the latest report that he's put together on some of these errors and social security records. >> this hearing will come to order. first of all, i want to welcome all of our witnesses here.
4:04 pm
appreciate your thoughtful testimony. the hearing is called the title is examining federal improper payments and errors in the death master file. in particular, we have a very interesting witness who has certainly been the victim of inaccuracies in our death master file and miss judy rivers from logan, alabama. when i read your testimony, i would really recommend everybody reading the full testimony, it's quite the story. but i was struck by you said washington, d.c. is the capital of unintended consequences. we'll be seeing that here today. but what i would like to say that we're going to start off with miss rivers testifying and then offer every senator. we'll move on with the rest of the panel. we're time constrained but we
4:05 pm
want to hear miss rivers' story. a powerful testament of unintended consequences but i've got a written statement which i'll enter the record without objection and what i'd like to do is turn it to our ranking member, senator tom carper, who has been doing work on this particular issue for i won't say how many but you've certainly been dedicated to try to correct the problem of improper payments in the federal government. so i think you probably have a few words to say and i'll turn it over to you. >> thank you very much mr. chairman. and to the witnesses for joining us today. as some of you know, the work i've done on the improper payments, i've done with tom coburn, whose birthday was just this weekend. he's retired. and i know he is here in spirit with us because he hears a lot about the money we're leaving on the table. said, banks, that's where the money is. that's where the money is. there's a whole ton of it as we
4:06 pm
know. while our fiscal situation is improving, we've still got a big budget deficit, about one-third of what it was maybe five or six years ago. it's too much. in debt of $18 trillion. many times, the agencies are struggling with tight budgets and facing sequestration. can't afford making $125 billion in improper payments like we apparently made last fiscal year. this improper estimate represents almost $19 billion increase over the previous year. $19 billion increase over the previous year after going down from number of years and increase of $19 billion. these payments come from several problems more than 20 agencies, problems from medicare and medicaid and the department of defense. if we want to improve americans' impression for how we care for the money, we need to sharpen our pencils stop need to make avoidable mistakes that lead to
4:07 pm
wasteful spending. congress has taken steps to help agencies to address this challenge. our improper payments first addressed to the house in 2002. the improper payments act required proper payments made each year. 2010, dr. coburn and i followed up with the improper payments recovery act to expand requirement for agencies to identify, to prevent, and to recover the improper payments. 2012, senator susan collins went further with the improper payments elimination and recovery and improvement act building off a good administration and do not pay program, designed to screen all federal payments and order double check basic eligibility requirements. simply put do not pay allows a government agency to check whether someone should be paid before the government pays them. i think that's common sense.
4:08 pm
and how all of these legislative issues are working or are not working and what additional measures we should consider. we'll all spend some time discussing the specific payments to people actually deceased. for example, the office of personnel management inspector general reported just four years ago that some $600 million in improper payments made to federal retirees found to have died over the previous five years ago. such problems are not unique, the use by federal agencies of data on individuals who have died will help curb hundreds of millions or maybe billions of dollars in improper payments. i'm actively working with our chairman and administrative colleagues on this committee to reintroduce legislation from the last congressional session to tackle the very frustrating problem of improper payments to dead people. unfortunately, we have more work ahead. last week, the social security
4:09 pm
inspector general released a report stating that 6.5 million people have active social security numbers, who based on social security's own records would be more than 112 years old. i think in maybe our country, we've had just a handful of people actually live that long. now, we're told it could 6.5 million. they're out there, maybe not. a few records reviewed by inspector general seemed to show living individuals born before the civil war. in the real world, public records show only 35 people worldwide are 112 or older. we'll hear today from the social security administration about reference to ensure active information about who's alive or dead and what should be extremely concerning is inaccurate death data may lead to improper payments by many other agencies across the government and also creates
4:10 pm
greater vulnerability for fraud and identity theft. more from today's witnesses. i want to make it clear my view that the administration deserves a lot of credit for many of the initiatives to curb waste and fraud. controller of the office will soon describe that we need to do more and got to use every tool available to put our fiscal house back in order and give the respect they deserve. it's the right thing to do on behalf of the taxpayers of the country who entrust us with hard earned money. i think of the preamble of the constitution. in order to form a more perfect union, in this area, may be any area but we should strive for perfection because everything we do, we know we can do better. in that spirit, i look forward to work with the administration, the chairman our colleague on this committee and outside this committee to make real progress this year on reducing improper payments. thank you so much. >> thank you, senator carper. it is the tradition of this committee that we swear in witnesses. so if you all stand and raise your right hand.
4:11 pm
do you swear the testimony you give before the committee will be the whole truth all the truth and nothing but the truth so help you god? [ all ] >> i do. >> first witness is judy rivers. private citizen from logan, alabama. she's twice been mistakenly listed as deceased by the federal government. today she will tell her story and the financial impact errors in the death master file on taxpayers and miss rivers, i have to again commend you for being willing to go public with your trials and tribulations and hopefully your story can help prevent this from happening to other americans. so we look forward to your testimony. >> thank you. >> would you turn on your microphone, ma'am? thank you so much. >> there you go. i was told to do that. now, first of all, good afternoon, chairman johnson. ranking member carper, pardon me, and distinguished members of
4:12 pm
this committee. thank you for inviting me to speak about my experiences with the death master file. my name is judy rivers and i've twice been listed on the death master file. the first incidence occurred in 2001 and it was actually fairly painless because, first of all, i had no idea that it had actually happened. i had a couple of identity theft situations. someone forced money through my bank, but i had never heard of the death master file and we got those cleared up and then just continued on. the second occurrence happened during one of the last worst periods of my life. i had just spent 17 months taking care of two terminally ill parents and i think i was probably at one of the lowest points in my life at the time. so this situation did not help anything. i could never have imagined i
4:13 pm
would reach the point of hopelessness, financial destitution, loss of reputation and credibility unable to find a job an apartment, a student loan or even buy a cell phone. without a social security number, you can do nothing in the united states. suspected as an identity thief, became a way of life for me. during the last five years, every hr person that i have interviewed with police who have pulled me over for perhaps going a little too fast the first thing they do is go through your records, put you through a file, and when you come up as deceased or that the insurance actually, they don't know if it belongs to you or not, then a lot of questions start. and it becomes extremely uncomfortable. i would like to make it clear that all the problems that i've had during the past five years
4:14 pm
are not only as a direct result of the death master file. however, the death master file has been like a propagating under all my problems. the death master file situation and the fact i did not have an identity made everything worse. it started when i was providing full-time care to my parents, as i said. when my parents passed away, their home was sold and i had to relocate very very quickly. and my entire life since the age of 17, i have supported myself put myself through school, i have never not had a job, not worked, owned my own firm for 30-something years and really have been very blessed in that area. so when i start looking for a job and an apartment and i'm not able to get one, it's like, wait a minute, what's going on here? everywhere i searched,
4:15 pm
everywhere i applied, i was turned down. finally, i had to leave my parents' home quickly so they contacted an old friend and asked if i could borrow a spare room for a few weeks. that few weeks turned into three months. unfortunately, his landlord asked me to leave at that point because i was not on the lease. so i again went apartment searching, again the question of my validity my credibility and the fact that my social security number did not check out. i was unable to find an apartment anywhere. after searching for a period of three weeks and with no choice, and with something that i thought really only happened on television, quite frankly, i had to move into my car. i did some research on the internet. got some basic information on how to do that. and the best places to park, such as a truck stop for protection. so my two puppies and i lived in my car for three and a half months. during that entire time, i was
4:16 pm
constantly searching for a room, for an apartment. i kept going out further in the areas of alabama such as logan in order to find someone that probably didn't check that closely, but was still unsuccessful. my situation improved after i ran into an old friend named mary kate. mary kate had a business building and the top of it she converted into an apartment. and knowing my parents very well and being sympathetic to my situation, she offered the apartment to me. i was in the apartment two hours later after the approval. it was huge it was empty, and i felt like i was living in a castle at the moment. no bed, no chair. no sofa, no nothing because all of my furniture was still in
4:17 pm
dallas where i was living when my parents became ill. so she even brought me a few houseware items and i was one very happy person. during that period of time, while i lived there i continued my search for a job. i continued my search for a student loan. i had reviewed what was available on the internet and decided that i needed to increase my skills, particularly in the area of project management. so i applied to over 20 online schools and three physical schools for a student loan in order to take the courses and get my certification. everyone turned me down. the information that i received when i asked why i was being turned down always included comments such as your information cannot be verified. your social security number did not match. or we can't find your records.
4:18 pm
finally, becoming concerned, i went to my local ssa office and asked them to check my records to see if i was in the files and if everything was fine. they did a very fast check said no, your records are all in order. everything is fine and yeah, you are alive. and i said, well, could there be a mistake in the past? and i was informed at that time that we can't check the past. if had been listed at some time when the new files are created on a weekly basis and sent out, your name would have been removed and we don't retain those. so there was really no way for them to tell me if i had been listed or hadn't been listed, but since everything was in order, it was fine and i thought that i was fine. my situation at that point went from bad to worse. the apartment building that i had lived in and this was approximately a year and a half later, a fire code made it necessary for me to leave. as an office building, it only
4:19 pm
had one entrance and exit which was unacceptable in the walker county area at that time. again went on an apartment search. no luck so unfortunately, one more time, i had to move back into the car, again. it was beginning to become a habit. the next thing that happened to me in march of 2010, i was involved in a car accident. a lady hit me rear ended me while i was sitting at a red light. i didn't feel anything hear anything. i woke up in the hospital a few days later and was told that i had seven vertebrae that were in pretty bad shape. they also kept asking me all of these questions and there was a lot of confusion about my insurance, whether i owned the car that i was in, whether i really was who i said i was.
4:20 pm
so i called an attorney turned everything over to the legal firm, and said whatever's happening, please get me out of this. i went home, excuse me when i say home i meant the car. i went back to the car. start researching the dmf and frankly, try to find anyone that can help me. during that time, just for your information, i contacted the internal revenue service the social security administration, fcra, everyone that i could think of and every name that came up in my searches for any information or any help. no agency could offer me any help. the first person that i spoke to that offered me any type of insight was pam dixon and nina olson were both a great help to me in providing the information and what to do.
4:21 pm
nothing to do no apartment, still no job, still unable to find any kind of job. a couple at my church found out my situation and offered me a camper they had on their property in which to live. i graciously and humbly accepted the invitation and said, i'll only be here for a few months and then i'll be out of your hair. well, actually, i'm still there. the good thing out of it is in fact, that these people have become very close to me. they're very close to parents taken me into their family and i've really enjoyed knowing them. i will tell you that living in a camper and especially with two puppies is not a lot of fun, but i had to do that. the only work i've actually been able to obtain is work such as cleaning houses and care giving. and very candidly coming from an executive position with a
4:22 pm
six-figure income, not something you like to do when you have to do it. one of the problems with the dmf really, frankly, it's a bad database that paves the way for billions of dollars of identity theft, tax fraud, health care fraud, medical theft for both the living and the deceased, and the united states government. it seldom goes away when it hits you as in my experience. the problem is when you get one area cleared up such as one credit reporting agency or one banking institution or a report, the problem is someone calls them for a report and when they're on the phone and i've listened to this happen, they say, well, you know, this woman has applied for 23 credit cards in a period of four years. no one needs that many credit cards. she can't be honest. so then you're right back on the death list again. and nothing goes forward.
4:23 pm
so it's just a matter of every time you get one spot solved it pops up somewhere else. you get one school to approve a loan, two weeks later you get a notice because they have contacted other people and they have denied the loan. so from a standpoint of trying to handle the entire situation, i really at this time have not figured out a way to control the traffic. and i would like to say this. i had contacted all three cras the major ones the banking financial institutions that provide information. only one company in a period of three years ever responded to me. they didn't answer a phone call. they didn't answer a letter. so i had no idea of what was going on and where. finally, i contacted mr. ron pearlhopes who started the dmf.
4:24 pm
ron and his brother, robert, made several conference calls with me. they checked their databases and they told me that i had been listed in january of 2001. and finally checked systems contacted me sending me a letter saying yes, they reported me as deceased and the information they received was directly from the social security administration and that i was listed as dead in 2008. they did not provide the month, however. so i found out where the information was coming from, but i didn't find any way to stop it even though i have been removed from the death master file. so what i am hoping and what i don't understand is that just in the research i've done i've seen over 20 hearings in the senate and in congress on the death master file. so far i've seen nothing come out of any of these hearings.
4:25 pm
what i am hoping is that you agree to program to first of all, provide help for victims, because we've got nowhere to go. secondarily, that you will either stop distributing the database or find a way to toss it out, start over again, rebuild it and do it correctly and have a zero mistake. and thank you for having me here. i appreciate it. and please, do something for the government and do something for the victims. >> thank you, miss rivers. very powerful testimony and obviously, that is the goal of this committee hearing is to try to work towards solutions so this doesn't happen to another american. my question is, so you've been removed from the death master file. was that prompted by your action, do you know when that occurred or have you just found out that it just happened?
4:26 pm
>> actually and you'll find this a bit funny, i only found out that it happened in the last couple of weeks. i was actually listed on the death master file in 2008. check systems, the one person that answered my letter sent me a letter that was dated august 22nd. the reality is i was still sending them correspondence in october and further. but in this letter, it stated that they have reported me as deceased upon information received from the social security administration and that i had died in 2008. >> but again, there wasn't a process you were working with the social security administration where you fill out some forms, and you knew that your name was removed from the death master file? >> yes, sir. >> you did go through that process? >> several times. >> but you only just found out that you've been removed? >> yes sir. i had the letter, but unfortunately, since the letter
4:27 pm
said "send us all your information and we will do an investigation," i actually missed the part that they said "we did report you as deceased in, they didn't tell me" based on the information of social security, you died in 2008. and then asked me to send them information and they would do an investigation. >> okay. well, we'll ask some of those questions of our other witnesses. and again, i would encourage everybody to read miss rivers' full testimony. it's a powerful story. senator carper? >> thank you so much for joining us. i apologize for what you've had to go through. somebody needs to, and i just want to apologize. on the lighter note, i asked a friend of mine once, tell me about this death master file. what is it? he said to me, with tongue in cheek, it's a file in which you
4:28 pm
don't want your name to appear because if it does, you're dead. as it turns out, not always. not always. you're living proof that it doesn't always happen that way. if you had to go through this all over knowing what you know now, what would you do differently and what specifically would you suggest we do? we have constituent services team in the states and help people with a wide variety of problems. we're called every day and one of the issues we deal a lot with is social security. and if you've been in delaware you call my office congressman john carney, we've been all over this on your behalf. so keep that in mind what would you do differently having heard your testimony? >> right at this moment i really, other than flying up to washington and sitting in the social security administration's office until i found some answers, i don't know what i
4:29 pm
would have done differently. having been in the marketing and communications and business development area for 35 years when i found out what was happening, i sit down and created a marketing plan for myself. and i'm very thorough in that area. letter campaign to companies all over the united states. i contacted everyone in the system that i could think of. searched for companies and i found that one thing is if i had experienced a major identity theft right at the beginning i would have been much better off because at that point i would have been alerted, i could have filed a police report and somebody would have started investigating. but at the point where i was no identity theft, very candidly no one really took it seriously and no one believed me. >> the second half of my question is what should we do differently? we serve you and the people of
4:30 pm
all 50 states, what should we do differently? >> regarding the dmf totally? >> just to make sure this doesn't happen to other people in the country given what you've learned. >> as i've mentioned, i think the database needs to be cleansed thoroughly. i think an agency should be put in charge of it that can actually control it. also, i think the sources from which the information is obtained should be clarified. i think very strong regulations should be placed on the agency that are distributing this information because one of the regulations is "verify the information before it's used." i was listed twice. no one ever contacted me. and of all the people i talked to, no one has ever contacted them. the first thing that i would do immediately is i would develop a complete communications program for people, both living people that have been listed as mistakenly and additional, for
4:31 pm
families that have been deceased and the deceased person has been used for tax fraud, identity theft, draining the bank account, et cetera. these people have nowhere to go either. and they hurt just as badly as i do. but there is not one web site, there is not one place to call. there is no one that knows anything. i visited 18 separate social security offices. out of those 18 only 12 knew what the death master file was. so even within the social security system, the word is not getting through. these people need to be trained to provide information. >> senator lankford, one question? >> just a point of interest for me how did you prove you're alive? what documents did you have to bring and the final shift on it when you finally had the opportunity to be able to explain it? this is really me, i'm still alive. what were you asked to show to
4:32 pm
verify that? >> social security administration asked for your birth certificate, if you have it driver's license with photographic id, they would like to have copies of invoices or correspondence either at your place of business or your home. copies of check stubs, everything you would have to identify you as you and prove that it is you. and they're very thorough going through that material and additionally, all of the same material i included in every package i sent out to every company that i contacted. >> okay. thank you. >> senator peters one question? >> chairman quite compelling testimony, miss rivers. i also feel bad for you and apologize that you've gone through all of this. we've got to get to the bottom of this. this is not the first time i've heard of this case. we actually had a case in
4:33 pm
michigan earlier this year with a marine who was listed as dead twice and lost veterans benefits and had the treasury department close his account, a whole host of difficulties. unfortunately, there are others in this situation, not just yourself. the question as far as the timeline, you mentioned in your testimony that in 2008 is where you learned that you were listed as dead, but you also mentioned that you went to the social security administration and they told you everything was okay, not to worry. where was that in the sequence of events and when did the record actually get clear or is it something that constantly you get constantly put back on the list? if you could clarify for me, that would be helpful. >> let me step back and do clarify one thing. i didn't learn that i was deceased in 2008. 2008 was when the problem started happening but i was not aware really what was causing them. that's what caused me to go to the social security office. the actual first time that i found out that i had been listed
4:34 pm
as deceased was when, after my accident, the insurance company settled. i went to a new bank and opened an account. and they were happy to open an account, take my money. when i went back three days later to open a savings account, they ran me through the system. the bank manager came over and ran me through the system and said, we can't help you today. and i said why not? and she said "because information we have reported you as deceased" and i demanded to know who is reporting the information and also where it is coming from. and supposedly what day i died. they absolutely refused to tell me anything. by laws and under fcra, i thought i was entitled to that information, however, the bank refused to give it to me and later when i found out check systems was the one that provided that information they've still refused to provide me with anything.
4:35 pm
so april of 2010 was when i actually found out i was on the death master file. >> is that when you went to the social security administration? >> again, i had already been several times. >> and you'd gone and told you repeatedly you were okay? >> each time. >> but it was clear you were not okay. you were being given inaccurate information even though you were going into the office. >> correct. >> very good. thank you. >> again, miss rivers thank you for your testimony. i think every member of this committee offers an apology and certainly, our commitment that we're going to work with the people in the agencies to try and create law, create legislation that will prevent this from happening to other americans. so thank you again for your testimony and you're dismissed. thank you. >> thanks. >> our next witness will be sean brune and he joins us today from the social security administration where he serves as a senior advisor for audit in
4:36 pm
the office of budget finance quality management. mr. brune? >> thank you, members of the committee. thank you for inviting me to discuss steps for integrity of federal payments. i am sean brune at the social security administration. my remarks will focus on our collection of death information its accuracy and how we share it with other agents. we collect death information for beneficiaries who have died and pay benefits to survivors. each year we post about 2.8 million death reports. primarily, from family members, funeral homes, and states. this information serves us well, preventing around $50 million in improper payments each month. over the years we have significantly improved our death information collection process and this information is highly
4:37 pm
accurate. of the millions of reports we've received annually, less than one-half of 1% are subsequently corrected. still, we continually strive to improve the accuracy of our records. since 2002, we have worked with states to increase the use of electronic death registration or edr. edr automatically eliminates the death reporting process by enabling states to recognize the name and social security number of a deceased individual against their records before they issue a death certificate or transmit a report of death to us. thus, death information reported through edr is the most accurate possible thing. currently, 37 states, the city of new york and the district of columbia provide death reports to us through edr. we're also currently carrying out a major multi-year redesign of our death information system to make it more efficient and
4:38 pm
reliable. accurate information is important, not only for the administration of our programs but because we share the information with other agencies and with the public. as a result of a lawsuit brought against us under the freedom of information act, we must share death information we collect and maintain from non-state sources. we do so by distributing information through the department of commerce. in sharing this public file subscribers are informed and have been informed for many years that ssa does not have a death record for all persons, that we cannot guarantee the veracity of the file, and that the absence of a particular person is not proof that that person is alive. the department of commerce is authorized to share non-state death information on an immediate basis with entities that have a legitimate purpose or fraud for such information. however, the bipartisan budget act of 2013 the public may only
4:39 pm
access non-state death information that is at least three years old. congress put this restriction into place to ensure that fraudsters could not use a deceased person's personally identifiable information to seek fraudulent tax refund. we are limited in our ability to share state death information, specifically, under the social security act, we may share state death information with the agencies administering federally funded benefits. thus, we share all of our death information, including state records with the centers for medicare and medicaid services, the department of defense and internal revenue service and others. treasury do not pay portal is an important part of the administration to allow federal agencies to carry out a review of available databases with relevant information on eligibility before they release federal funds.
4:40 pm
however, under current law, we cannot provide state death information to the department of treasury for purposes of do not pay. to remedy this, the fiscal year 2016 president's budget includes a legislative proposal that would authorize us to share all of the death information we maintain with do not pay. we know that s 614 cosponsored by chairman johnson and recently considered by this committee also aims to address this gap. we would be happy to provide technical assistance to this committee on its bill. we would also ask congress to support the department of health and human services request for funding to increase participation in edr. because death reports collected through edr are highly accurate we believe that universal adoption of edr would be the single most effective step in ensuring our death records are of the highest quality.
4:41 pm
additionally, i would hope that you will support the robust package of proposals that would help detect, prevent, and recover improper payments included in the president's fiscal year of 2016 budget proposal. finally, i would like to recognize the work of our office of inspector general. most recently in an audit in which they looked at death information in decades' old records. we're pleased to report they found no fraud in that program or any other federal program. we've agreed with the 28 of the 30 recommendations the oig made in this area over the past few years. as i explained in my written statement, these recommendations have led to enhancements in our systems. thank you for the opportunity to appear before you today to discuss this very important issue. i would be happy to answer any questions you may have. >> mr. brune, our next witness is patrick o'carroll jr. inspector since 2004.
4:42 pm
and mr. o'carroll also served as 26 years of service for the united states secret service. mr. o'carroll? >> good afternoon, chairman johnson. ranking member carper and members of the committee. thank you for the invitation to participate in this discussion. my office investigates hundreds of cases of social security number misuse every year. but recently, one incident stood out from the rest. a man who opened two bank accounts with social security numbers belonged to people born in 1886 and 1893. we can safely assume people today would be 129 and 122 years of age are deceased. however, according to ssa's database of social security number holders these people are alive. living in the sense that ssa does not have dates of death for either person or number holder records. our auditors followed up and found these two records were anything but unique.
4:43 pm
we recently reported that 6.5 million people whose social security records indicate they're over 112 years old do not have a date of death on the social security number record. without a date of death on the ssa's database, these people do not appear on the agency's death master file. i should note, none of these are improperly receiving social security benefits and overpayments are not occurring, but these inaccuracies create a significant void in ssa's death data that is available to the public. we've recommended that ssa update the records and dissolve the discrepancies we've outlined in our report. it is relevant to improper payments because benefit paying agencies like hhs and irs and other public and private entities use the death master file to ensure payment accuracy. they know the elimination improvement act of 2012 included
4:44 pm
a do not pay provision which requires federal agencies to review list of deceased or ineligible individuals before making payments. the death master file is one of those lists. to identify and prevent its own and other agencies' improper payments, ssa must collect and maintain accurate death records. it is equally important to ensure living individuals are not listed as deceased in ssa's records. there are less than 1,000 cases each month which a living individual is mistakenly put on the death master file. ssa said it quickly moves to correct it. the agency not found past data misuse, however, we remain concerned because these errors can lead to premature benefit termination and social security underpayments and cause financial hardship and distress to those affected. i've addressed in my written statement recent actions that limit personal information on
4:45 pm
ssa's death records and would delay the public release of death data through the death master file. we believe these actions could mitigate some of the issues i just mentioned. ssa must accurately process the death reports it receives to determine a payments to deceased beneficiaries and avoid overpayments. in several audits, we've estimated ssa paid billions of dollars to beneficiaries after their deaths. based on our work and recommendations, ssa now matches and cooperates with record holders each month and exchanges data to identify deceased beneficiaries based on enrollment but not usage of medicare. these allow to process information, recover overpayments and refer deceased payee fraud to our office. last year, we investigated over 600 people for deceased payee fraud. these are cases of individuals
4:46 pm
who conceal someone's death to legally collect someone's social security benefits. criminal convictions of about 150 people and $55 million in recoveries, restitutions, and projected savings. in one example, a woman collected her mother's social security and federal service benefits for 35 years after her mother died. ssa identified this case through the medicare non-utilization project and referred it to us to investigate. pled guilty to government death and sent to 18 months of house arrest. she was ordered to repay about $350,000 to the ssa and opm. this is a high investigative priority, cases of deceased payee fraud can lead to significant government recoveries and federal prosecution efforts help deter others from committing this crime. i want to outline the outstanding work that garnered
4:47 pm
national media attention. we're pleased about the discussion of these issues but i speak for my entire staff when i say we don't do this work to make news headlines. we do this work and continue to make sure the ssa programs and to promote this will be our sole mission. we will continue to work with ssa and committee to address the issues discussed today. thank you again for the invitation to testify and i'll be happy to answer any questions. >> thank you, mr. o'carroll. our next witness is mr. david maynard, the current comptroller of the office of management and budget. held various positions from 1971 to 2003. continues in private sector before rejoining the federal service. mr. maynard? >> thank you, chairman johnson. ranking member carper and distinguished members of the committee for inviting me today to discuss the federal government's ongoing efforts to prevent, to reduce and recapture
4:48 pm
opportunity payments. i appreciate the opportunity to provide update on this important topic. our progress with the congress in important support of the ig community over the years has been vital to our efforts. addressing improper payments is an essential component of this payment's effort to eliminate waste, fraud and abuse. when the president took office in 2009, the improper payment rate was 5.2%, an all-time high. since then, the administration working together with the congress has made progress by strengthening the accountability and transparency through annual reviews by inspector generals and expanded requirements for a high priority program such as reporting supplemental measures and on paymentaccuracy.gov. as a result of this effort in
4:49 pm
2014, we had a rate of 3.53%. during fiscal year 14, we experienced an improper payment rate increase in major programs including medicare, fee for service, earned income tax credit and medicaid. and unemployment insurance. over the same period other major programs experienced improper payment rate decreases, including medicaid part c, supplemental nutrition and assistance program, and public housing, rental assistance. as in that these changes resulted in a government-wide improper payment rate of.02% or 105 billion. recovered roughly $20 billion through payment recapture audits and other methods in 2014. while progress has been made over the years the time has come for a more aggressive strategy to reduce levels of improper payments than we are currently seeing.
4:50 pm
that is why the administration has proposed to make a significant investment in activities to ensure that taxpayer dollars are spent correctly. over the years, the administration has worked with the congress on legislation regarding this topic, and these laws have provided agencies with new tools and techniques to prevent, reduce and recover improper payments. the president's fy '16 budget provides the opportunity to build on this congressional support and activities to reduce improper payments. there is compelling evidence that resources can significantly decrease the rate of improper payments and recoup many times their initial investment. examples of proposals in the fy '16 budget include a robust package of medicaid and medicare
4:51 pm
program integrity proposals strategic investments in the irs. a robust package of social security program integrity proposals, a proposal to expand the department of labor's initiative to conduct reemployment and eligibility assessments and reemployment services and improving further the accuracy of the master file by sharing across multiple agencies. in addition. and this began long before we knew what the improper payment rate was going to be for the fiscal year. the office of management of budget issued an appendix to circular controls entitled requirements for effective estimation and remediation of improper payments. agencies were instructed to reexamine improper payment strategies on a number of fronts government wide. these new guidelines were issued in october of 2014 and provide strategies for agencies and
4:52 pm
inspector generals to key on improper payments. in addition to these government wide initiatives on february 26th of 2015 the director of omb sent letters to agency heads for four organizations, dol, hhs ssa and treasury that have the largest priority programs. this direction requires the early implementation of the appendix requirements that i just mentioned by april 30th of this year. the direction further requires that each agency conduct the following analysis and corrective action plan for each program in question. two, review new categories for reporting improper payments, and three, provide analysis linking the agency efforts and establishing internal controls to the internal controls that they have for improper payments.
4:53 pm
under this administration, we have focused on the increased use of technology and sharing data to address improper payments. the effective use of data analytics provides insight into the methods and improving the performance and decision making capability. examples of agencies currently using data analytics to prevent improper payments -- ool's integrity center for excellence. improper payments remains a high priority to this administration progress has been made much more remains to be done, and we need your help. we look forward to working with the congress to pass the president's 16 budget, and we expect additional progress as we execute against our new improper payments guide in this fiscal year. thank you for giving me the opportunity to testify, and i look forward to your questions. >> thank you.
4:54 pm
our next witness is ms. barry davis, she's the director of financial management government accountability office. >> members of the committee. thank you for the opportunity to be here today to discuss improper payments and the use of death data to prevent payments to deceased individuals. in fiscal year 2014, federal agencies estimated that improper payments totaled $124.7 billion. this represents a significant increase of almost $19 billion from the fiscal year 2013 estimate. the increase can be attributed to primarily increased error rates in three major programs. medicare fee for service, medicaid and the earned income tax credit. these three programs accounted for about 65% of the 2014 estimate. nevertheless, improper payments are a government wide problem. the 124.7 billion estimate was
4:55 pm
attributable to 124 programs across 22 agencies. 12 programs had estimates exceeding $1 billion. one large program temporary assistance to needy families without more than $16 billion did not report an estimate citing statutory limitations. in the -- >> say that again please? >> 10 without more than $16 billion did not report an estimate citing statutory limitations in the financial report of the united states government for 2014, gao reported improper payments because the federal government is unable to determine the full extent to which improper payments occur. and reasonably assure that appropriate actions are taken to reduce them. inspectors general are required to report annually on their agency's compliance with criteria. in december 2014 we reported that ten agencies did not comply
4:56 pm
with all of the criteria for 2013, as reported by their inspectors general. the two most common areas of noncompliance were publishing and meeting improper payment reduction targets and reporting error rates below 10%. there are a number of strategies that agencies can employ to reduce improper payments including analyzing the root causes of improper payments in order to design and implement effective preventative controls. one major root cause for improper payments is insufficient documentation. for example, hhs reported this as a primary root cause for home health claims and its fee for service program. another driver for many programs, such as the earned income tax credit program. agency's inability or failure to verify eligibility requirements including recipient income or the number of dependents. >> one example is to address underlying root causes.
4:57 pm
the do not pay initiative is a web based centralized data matching 16s that allows agencies to review databases. to determine payment eligibility prior to making payments. ssa is uniquely positioned to collect and manage death data to help prevent improper payments at the federal level. ssa maintains two sets of death data. its full death file contains data from many sources, such as funeral directors, family members, other federal agencies and states. the death master file, which is available to the public is a subset of the full file, because it does not contain death data from states. while reviewing death data can be a useful tool for agencies, there are opportunities for ssa to improve the accuracy of the data. ssa's procedures for checking, verifying and maintaining death
4:58 pm
reports could result in untimely or erroneous death data. we reported in november 2013 that ssa did not independently verify death reports for all social security beneficiaries or any nonbeneficiaries before including them in death records. when data is not verified, this can result in other federal benefit paying agencies, using this data to make improper payments, in our november 2013 report, we identified several types of errors with ssa's death data. we found instances of records where the date of death preceded the date of birth. and ranges of age between 115 and 195 years of age. we recommended they investigate the errors, ways to address them and the feasibility and cost effectiveness of doing so.
4:59 pm
we recommended that ssa develop and publicize guidance to more systematically determine access eligibility, and better inform agencies as to when they might be eligible for access to more complete death data. because death data can be a useful tool continuing efforts are needed to help minimize the risk posed by inaccurate and incomplete death data and ensure that agencies receive appropriate access to the data. as a final point we would like to emphasize that with delays from major programs expected to increase, it is critical that actions are taken to reduce improper payments. there is considerable opportunities for agencies auditors and other members of the accountability community to work together with congress in ensuring that taxpayer dollars are adequately safeguarded and used for their intended purposes.
5:00 pm
chairman johnson, this completes my prepared statement. i along with my colleague, who does work on the death master file are happy to answer any questions. >> thank you, i was going to point out that mr. bertoni has joined the panel. he may assist in answering questions. i'll start with questions from before brune. did you take a look at the case to see what the current status is? >> the news media did not share the case with us beforehand. i did know that miss rivers was testifying today, i did not look at the specifics of her case, i think it would be unwise to discuss that in an open forum. i would be happy to answer questions. >> how many people are you aware of in miss rivers' position? >> fewer