laura moy. how can a federal data security standard that creates a floor provide for more consumer financial security, while at the same time providing certainty to industries that would need to implement such a standard across all 50 states? >> congressman, thank you for your question. for certain sectors, not including financial services and health care and a couple others, they don't have standards currently, other than in the 13 states or so where they have them. so by congress creating a floor or a ceiling, but we hope a high standard that is for the whole country, you will lift the game and the expectations and the legal responsibilities for those sectors in those places that don't have a standard currently. and again, this is migrated to international proportions. and i think if the members of this committee knew that russia or china or semi-state agents

were about to compromise the payment system, the electrical grid, you wouldn't say let's kick it to the states. let's let them handle it. i don't think you would do that. whatever you do will be helpful, even if directionally. it will be better than what we have now for the sectors that don't have any standard in those states. >> miss moy? >> right, so i would say a couple of things. one is that consumers are protected right now by the federal trade commission section five authority, and the ftc is enforcing that. as we've heard, they've enforced over 50 cases since 2001. and consumers in the other 47 are, you know -- 47 states and three jurisdictions are protected by breach notification laws. so there are protections existing for consumers. i think setting a floor and not a ceiling, as i've mentioned before, there is a clear pattern in terms of what's covered, even by the disparate state laws. so as a practical matter, most companies that have to comply with the laws of multiple states

are just complying with the strongest standard, and are mostly okay. the other states, including -- in fact, many states have a provision that allows an entity to notify some of the -- some consumers who have been affected by a breach under the standard of another state. but i would add on that if we are going to have a federal preemptive standard, as i've said before, it has to be a high one and has to provide flexibility, and not only in terms of what the security standard is, but in terms of what information is covered by the bill. that's a critical element that i think we might be missing here. >> thank you for your response. my second question is addressed to mr. jason oxman and mr. brian dodge. given the ever-increasing sophistication and sheer number of cyber-attacks on our financial institutions and markets do you think a catastrophic attack which can have severe repercussions on the financial system as a whole is

imminent, and what can the federal government do to help prevent such an attack or prepare to respond to such an attack? >> thank you for the question, congressman. the possibility of such an attack is always on the minds of the payments companies that eta represents. and preparation for those attacks is, of course something that is always included in all the operational plans of the companies that we represent. our sincere hope is that something like that never happens. we do recognize the important role the payments infrastructure plays in powering commerce in this country and protecting our customers be they merchants or consumers is always top of mind. we are focused and prepared for that. it is our sincere hope that nothing like that comes to pass. >> thank you. >> in terms of your question about what congress can do, i think the focus on data security to avoid such a catastrophic

event is incredibly important. we believe that the way that you get yourself to a stronger environment is layers of security. and congress can help with that by doing as the house did last month, passing information sharing legislation. but also as we're talking about today, providing clear and strong guidance for businesses on how they should maintain their systems to ensure cybersecurity. and then providing the flexibility for businesses and for regulators to adapt to that threat over time. there's no doubt that the threat is increasing, the level of sophistication is growing fast, and we need to be able to stay involved. the last point is, we need to look to where our greatest vulnerabilities are. the greatest vulnerability now is the merchant community. the cards that we accept at point of sale. the weakest technology -- security technology enabled in the world today. when we move to chip technology without the pin like has been instituted in the rest of the industrialized world, we will still have the lowest level of

security in the world, and fraud will continue to flow toward us. >> thank you. my time has expired. i yield back, mr. chairman. >> time of the gentleman has expired. the chair recognizes the gentleman from south carolina, mr. mulvaney. >> thank you mr. chairman, and thank you to everyone on the panel for helping us try to do something we don't do enough, try and collect information, which is what i'm trying to do. i'm not here to beat anybody up. i have an honest-to-goodness question. i think it's directed to mr. pawlenty and mr. dodge. i welcome everybody to chime in, okay. say that mr. capilano steals my credit card which is possible because he's that kind of guy even though he's not here yet. he goes to the -- he goes to my local gas station or his local gas station, slides it in there, happens to -- maybe he knows my zip code. and buys the gasoline with my stolen credit card. i catch it when my statement comes in next week or get an e-mail, which i think is a service my bank provides which i

enjoy. i catch it, call the bank and say someone stole my credit card and used it to buy gas in massachusetts. they say, okay, we'll take it off your bill. who eats that loss? the retailer, the bank, who eats the loss for the gasoline bought with a stolen credit card? >> first i would say if a pin was required, the fraud would have never occurred in the first place. >> okay. >> you wouldn't have that. secondly, there's a difference between data breach, fraud repayment, and traditional fraud repayment. >> okay. >> there would be based on the contracts that the retailer signed with the card networks, there would be an evaluation of where was the weakest link in the system. so if it was a stolen card, it was reused, then it would probably -- i don't know the answer. that's how it would go. it is determined by -- >> whoa, whoa. is -- >> but on -- in many cases,

almost all cases, an element of fraud was charged back to the retailers. >> mr. pawlenty? >> initially somebody has to give the cash back if it's a debit transaction or value. >> again, i'm -- >> it's the issue -- >> the credit transaction. >> it's the issuing bank and they sort it out afterwards as to who pays what. in terms of who eats most of it initially in our view over the long term of the discussion, it's the banks. >> here's why i ask the question, guys. and -- i have my banker friends come in and tell you, look, we have to do something because we eat all of this loss. last week, i had some convenience store people come and say, look, we have to do something because we eat all of this loss. are both of them eating a little bit of the loss? is that what comes down to? i see some nodding their head, usually a good sign. >> i included in my testimony a schedule of repayment that shows the fees and structure of the

contracts that obligate merchants to repay in the wake of a breach. those are re-issuance costs, costs to re-issue cards, and fraud, fraud associated with the breach. every day on every transaction processed, the merchant pays a fee, an interchange fee, swipe fee. an element is for -- whether fraud happens or not, they prepay every day. how that's divided up by the banks is a great question for them. but we know we pay it on every single transaction. >> i got it. >> congressman, if i could -- >> please, yes. >> the hypothetical you asked has a simple answer. that is the card issuer is responsible for that fraud. a lost and stolen fraud you described is never the responsibility of the merchant. since your card was stolen out of your pocket and hadn't reported it stolen, when the card was used and transaction authorized by the bank at the gas station, the issuing bank has responsibility. you don't, and the merchant doesn't. >> thank you. i think that leads to my next question. does the analysis change -- i think i've got it now -- for a stolen card, capilano steals my credit card, i get it -- he

would do that, too. what if the card is counterfeit? is it any different if someone gets it from target, gets my information from target, create a counterfeit card and use it, is the outcome different? is the distribution -- who bears the loss different? mr. oxman? >> as it stands, the analysis is exactly the same in the case of a counterfeit card. the issuer would have responsibility for that. the merchant would not. the migration to emv chips that we've been talking so much about this morning actually change that calculus. and the responsibility for the fraud after october of this year will actually fall on the party to the transaction whether it's the merchant side or issuing side that has deployed the lesser form of security. not to get too complicated, but if that card that you're talking about has been counterfeited and it was a chip card and the issuer has issued chip cards but the merchant hasn't installed chip readers, then the merchant will have responsibility for that fraud. that's a change to the current system which is the issuer takes responsibility. >> then finally, if i can have

the indulgence of the the chairman for 15 more seconds, the third example of fraud is the online fraud. there's no card present, we're online buying airplane tickets. who bears the risk of loss on that one? >> merchant 100%. 100%, the merchant. it's subject to the fraud cost. >> gentlemen, thank you very much. i appreciate the information. >> time of the gentleman has expired. chair recognizes the gentleman from missouri, mr. clay. the ranking member of our financial institution subcommittee. >> thank you, mr. chairman, and i'm wanting to note that i am so glad to be back in this refurbished hearing room. let me ask, you know at the end of your testimony that not a single company has been found to be compliant at the time of their breach. but in many cases firms that have been breached were at one point pci compliant.

how does your compliance framework lend itself if at all to ongoing monitoring of pci compliance, what role does the pci play in monitoring compliance? >> thank you for that question. yes. 99.9% of the compromises were preventable and covered by the standard. and if you think about our standard, what we're advocating is a move away from compliance to a risk-based approach. and we are advocating vigilance and we are advocating vigilance

and we're advocating discipline and being methodical in close adherence to the standard. security is a 24-by-7 responsibility. it's not a matter of compliance, what we see happens is a company works diligently to bring its organization into compliance, they high five each other on thursday and friday the environment starts to deteriorate. it's about being disciplined, methodical, and paying attention to the fundamentals, sir. >> thank you for that response. mr. oxman, although chip technology is fairly new to the united states, it's been around for decades and is ubiquitous in other parts of the world. given the rapid pace of technological development, we not at the point where other types of security measures are more appropriate for use in connection with u.s. payment cards and payments in general? >> thank you for the question. you're right that the chip is a well-developed technology. the good news is the payments industry recognizes, as you've heard this morning, that the chip addresses one type of fraud that happens to be the most prevalent form of fraud here in the united states today. that's counterfeit card fraud. so the chip implementation will address that type of fraud. but as you noted, other types of security are important, as well,

which is why our industry is deploying a layered secured technology approach which includes the chipping cards. but tokenization which replaces account information with a one-time-use mathematical cryptogram that can't be reused. it secures all entry point into the payment systems. that layered approach with multiple different technologies, as you suggested, is in recognition of the fact that the chip card addresses one type of fraud, but we need to do much more. criminals are much more sophisticated. >> thank you. for anyone on the panel, how prevalent is fraud in the case of online checking? is that pretty secure, can anyone respond to that? >> online checking? >> yes. >> certainly e-commerce is an environment where there's limited security options for merchants to employ right now.

it's a frustration that e-commerce is such a big part of the economy and no strong means of security is a considerable frustration. back to your first question a moment ago, though, i want to note that jason's point about all the levels of the different layers of technology is a good one. that we need to be evolving, finding ways to make tokenization and encryption work specifically for the e-commerce environment. today there's 1.2 billion cards circulating in the united states. most of which have '60s era technology in. later this year when we see more chip cards, we'll see early 2000s technology. we need to do a better job of errors occurring. >> thank you very much for your responses. mr. chairman, i yield back. >> the chair recognizes the gentleman from north carolina, mr. pittinger. >> thank you, mr. chairman. thank you for hosting this

hearing. and thank you, each of you, for being with us today. governor pawlenty, according to the identity theft resource center, financial institutions responsible for less than 6% of breaches in 2014. some could draw the connection from this fact that the financial institutions has been subject to the graham-leach-bliley act since 1999. do you think this is fair? >> i do. i don't think there's much dispute that the financial sector has the best defense and capability and resiliency in the space. as everyone knows in the room, even financial institutions get breached. relative to other sectors, we're more advanced and get breached less. that's not a bragging point, it's about what caused that. it caused investment, caused by investment, hard work, technology. and i believe that graham-leach-bliley set a standard, and people tried to adhere to the standard.

plus, we get examined by regulators to the standard. i would say that contributed to the state of the industry's cyber-defenses in the relative good quality of it. >> thank you. yes, sir? >> congressman, i would note that the annual verizon cybersecurity report is sort of considered to be the gold standard for cyber-reporting. it found last year there were 2,100 data loss cybersecurity intrusions. of that, 277 financial institutions and 167 were retail businesses. there are 1,000 times more retailers operating in the u.s. i don't think we should have the philosophically that a single regulation can guide us to successful cybersecurity -- >> mr. dodge, let me build on that. building on the chairman's statement earlier and reference to legislation, it quotes, to develop and implement a program that ensures security and

confidentiality of sensitive information, it is appropriate to the size, scope, and sensitivity of this information. this is written to create some measure of flexibility so the standards are modified. do you think this is a good approach in terms of creating flexibilities of standards? >> so, you know, we applaud congress for looking at lots of ways to address this issue. i think what's important is that we look at the regulatory environment as it exists today and recognize that the graham-leach-bliley act was written specifically for the financial services community, and there's a very strong regulatory regime that applies to most of the rest of the business community. and that is enforced through the ftc. the ftc has moved aggressively over the last decade and established a clear and strong set of standards that businesses have to comply with. we think that is the way to go -- >> let's refer to this. it says the provision of the bill says a covered entity's information security program shall be appropriate to the size and complexity of the covered

entity, the nature and scope of activities of the covered entity, and sensitivity of the consumer's financial information to be protected. what other flexibilities do you see would be needed that would ensure that consumers are protected but not prevent adaptability for future threats? >> so the language that you cite is not dissimilar. we think businesses have to be a clear understanding of what enforcements are. and the agency as the ftc does today has the ability to evolve the interpretation of the law over time to meet new threats. and businesses of different sizes and businesses that require that they collect different kinds of data should be treated based on their size and the kind of information -- >> and this legislation seeks to do that. isn't that right? >> based on your -- what you quoted, that sounds right.

but as i've said, we believe you need to look at the regulatory environment as it exists today, and work within that. the debate here today is it how do we pass a law that could provide businesses with more clarity and the ability to evolve with the threat. i don't think that the objective should be to shoehorn a law that was written for one industry to apply to the entire business community. >> i don't think that's what this law does, according to what i read. i think it clearly states the provisions reflect the size, complexitiy, nature of scope -- it personalizes it, creates the flexibility. >> and i appreciate your focus on that because we agree with the need for flexibility. we simply are looking at the proposal in its entirety, and it's hard to separate things out without talking about how it would affect it when it's merged together. >> thank you. i yield back. >> the gentleman yields back. the chair now recognizes the gentleman from massachusetts who

did not steal mr. mulvaney's credit card in his hypothetical, mr. lynch is recognized for five minutes. >> thank you, mr. chairman. i appreciate that. i want to thank the witnesses for your testimony. on the question of federal preemption, when we talk about complete federal preemption, we're talking about a federal standard and at least as far as this legislation goes, we're talking about federal enforcement as well, that's being taken away from the attorneys general of the states. even further it looks like the notification for breach will be taken away from the fec and given to the ftc. consolidating that, as well. as well, it might involve, if i'm -- i'm not sure if i'm getting this correct. if we have a federal standard

and a retailer or a business complies with that federal standard, does that imply some type of immunity for the individual retailer if they're complying with what the feds require, is that holding them harmless from any liability? >> i'm sorry, you mean in an environment where there is -- this creates a floor and not a ceiling and states continue to have -- >> well this would be a complete obliteration. total preemption. you'll have one -- it would be a ceiling. would be a ceiling. is that implying some immunity or protection from liability for the complying company? >> yeah. a company would only then be liable as it would be held liable under the federal law. any additional obligations of

the state law that had previously existed would no longer be -- no longer be actively enforced. >> this legislation that would be problematic because, as your testimony indicated, it only recognizes financial harm. there's a trigger -- well, actually, personal -- there's a financial harm trigger. i think there's also a trigger for a very narrow set of personal information. >> actually, i'm not sure if there is -- i thought that -- i was under the impression that the financial harm trigger applies to everything. but perhaps you're right. i'll look at that -- >> if i may, congressman, the provisions of the bill of 2205 also provide for triggers related to identity theft, as well as financial harm. >> yes. although many states, as i noted in my written testimony, either have no harm trigger at all recognizing that consumers want to be notified of breach of certain classes of information and want to be able to safeguard that information regardless of whether or not it could be used for identity theft or financial harm, and -- and a clear

majority of states have either no trigger or a trigger that's broader than just financial in nature. >> one of the problems i have is that this introduces a federal standard. and it takes out the states -- massachusetts happens to have a very robust consumer protection privacy framework that i think will be harmed. we also have -- we've been blessed with attorneys general that have been very active in defending consumers. and some cases as you pointed out, i think the average case of breach in massachusetts, we had 2,400 last year. the average size was 74 consumers. that's not the type of thing that the ftc will go after in my opinion. >> that's right. that's why we think it's critically important if we want to ensure that all consumers are protected by a federal standard. it's important that we have as many people keeping an eye on

what's happening with breaches and working with companies to help develop the security standards and working with consumers to respond after their -- after the information has been breached and to watch out for potential harm that could be coming down the pike. it's important to have the involvement of the state a.g.s in all of that. >> if we did introduce -- i'm in favor of introducing a very high floor across the board that i think would subsume maybe close to 40 states. i would like to have flexibility for states that, number one, they're more flexible. congress is not known for speed at all. having the states out with the ability to provide additional protections especially in the face of the sophistication of some of these hackers is very, very important in my mind. there is incongruity in the bill. it talks about a federal

standard and then says every covered entity will be responsible for adopting a system of security protection that is commensurate with their size, their complexity -- the gentleman from north carolina brought this up in a different context. how do we deal with that where a pizza shop, coffee shop, a bank, banks were a different class. but each and every company is going to be able to right size the level of protection. but in reality, that stream of information that is breached may not be compartmentalized. >> i'm sorry, what do you mean the information may not be compartmentalized? i'm sorry. >> if they hack into your e-mail and password, that opens a whole other door of information that they can access that might not be readily evident, you know, based on where they entered the stream of information. >> right. sorry, may i respond -- >> a very brief answer.

>> sure. yeah. i would say there are log-in credentials that can be -- because people recycle passwords can be used across accounts. that's an important reason. >> thank you. time of the gentleman has expired. the chair recognizes the gentleman from california, mr. royce, the chairman of the house foreign affairs committee. >> thank you, mr. chairman. there has been a lot of discussion here about the current liability, what it looks like. i guess one of the questions is what it should look like. and if i could ask governor pawlenty, i had a question here. when a data breach occurs, how should we allocate the financial responsibility for that breach? for example, if a breach of sensitive customer information occurs at a financial institution and it's shown that the institution did not protect the customer information as graham-leach-bliley requires, do you agree that the financial institution should be responsible for the cost of the breach? >> congressman royce, yes. we believe that the entity that

was negligent or entities, plural, should be responsible for their negligence. >> okay. then governor, should the same be true of the merchant? if there's a breach with a high likelihood of harm being done to the consumer, should the merchant be responsible for the costs associated with that breach to the extent that the entity has not met minimum security requirements. >> congressman royce, absolutely. >> mr. dodge, i would ask if you agree on that point. >> i would tell you that we do agree because that is what happens today. today merchants are obligated if they have a breach by contract signed with the card networks to reimburse the banks for the fees associated with the costs. in addition to the fees they pay every day every time a transaction which is obligated to prepayment of fraud if it happens or even if it doesn't happen. fees are being paid constantly. >> the next question i was going

to ask governor pawlenty is, it's been proposed by some that consumers should receive notification of a data breach directly from the company that was breached even if they have no relationship with that company. wouldn't a simpler solution be to allow the notice to come from the company that the consumer gave financial information to directly while also allowing the company to identify where the breach occurred if it is known? it's my understanding that there is currently no law, no contractual obligation that would preclude a financial institution from identifying the institution where a data breach occurred when sending out a notification to their customer? is that your understanding, as well? >> congressman royce, yes, and of course you might imagine if there's a breach, it unfolds in the early hours and days with a great deal of uncertainty and sense of crisis around it so as people think about what they're going to say publicly and sending out notices,

particularly if it incriminates another company, you want to make sure that you're articulating that correctly and accurately for fear of liability. i think some companies don't name names in those initial notices over some of those concerns. >> you know, as we look at the cyber-attacks and see this increasingly as we talk to the europeans and asian governments, a lot of these are being conducted now by state sponsored or state-sanctioned entities. we actually, for example, see individuals traveling from a certain bureau in north korea to moscow to be trained. then we see their conduct with respect to the banking system in south korea and the attempt to implode the system in south korea with the direct attacks. what can or should be done in the view of some of the panel here to hold these countries accountable in situations like this?

how do we do that? >> to the extent this has evolved into an international dynamic and you have state sponsored or semi state-sponsored activity, the united states has to respond in kind at a level of country-to-country discussions and potential consequences. as you may know, under current law the only entity that can fire back, if you will, in cyber-space is the u.s. government. private entities cannot hack back. and so the deterrent or consequences for this potential can only come from the u.s. government. lastly, there needs to be rules of the road internationally. we have rogue states, semi rogue states acting recklessly, irresponsibly in a very concerted fashion. what you see in terms of payment disruption is relatively minor. the consumers get reimbursed. it's inconvenient, menacing, concerning, you should act on that alone. but compared to some

not-too-fanciful scenarios where the entire payment system is disrupted or another piece of critical infrastructure is disrupted, that's something you need to be thinking about. >> we've seen the iranian attempts here. have you seen that in your industry? >> we're cautious not attribute other than what's been reported publicly but it has been reported publicly. north korea was involved in an incident, an attack that was attributed to them and you've seen public reports of russia, or russian reports. >> thank you. my time has expired. >> the chair recognizes the gentleman from new york. >> thank you, mr. chairman. let me first i guess mr. oxman, let me ask you this question and i get the same line after 9/11 we talked about having all of our intelligence

agencies working closely together, et cetera. so here when you talk about preventing data breaches there's a number of entities that are concerned whether you're a device manufacturer network operator, financial constitution or app developer, seems to me that it would be important that these entities work together to develop an effective mobile data protective solutions and in your estimation is the industry working in a collaborative way all the interested parties doing that and what if anything do you think congress can do to ensure greater collaboration so we can make sure that everybody is working together to try to eliminate this huge problem? >> thank you, congressman meeks. the good news is yes, sir. they're working enormously smoothly together to deploy the things we need out in the market

to secure against these increasingly sophisticated cyberattacks. they're working through pci to deploy next generation security technology like chip technology and cards, like tokenization, and like encryption, to secure points of entry against intrusion. the industry is enormously complicated and involves a number of different players from financial institutions, merchants, consumers, device manufacturers. as we move to new technology, like mobile payments and wearables, it's going to become more complicated. but the good news is we're working very well together to deploy all of these next generation technologies because we share an interest across the ecosystem in ensuring our customers feel comfortable shopping at our stores and using electronic payments. as to the second part of your question, congressman, what can congress do? i think hr 2205 represents the

ideal vehicle for addressing of what we do need congress' help with. that is unifying a patch work of state laws that are inconsistent and incompatible with one other to address how we let consumers know when something does go wrong. criminals are sophisticated and keep acting. we need to make sure we're all on the same page when we let our customers know if something happens. that's where i think congress can be helpful. >> thank you. let me ask mr. pawlenty. i know and i believe from reading your testimony you noted that the emv chip cards have proven very effective. i've got a number of cards to switch out on, make sure you have the chip. one of the questions -- this happens with my daughters, et cetera, they're doing more and more shopping online. people not going to the store as much. they're doing shopping online. and it seems as though that

there are more frauds taking place when people are doing this shopping online. can you discuss ways in which firms are innovating to prevent customers, consumers who rely more on online shopping so we can prevent fraud in that regard. and, again, like i asked mr. oxman, ways that congress can ensure greater data breach protection as we move away from in-store purchases. it seems as the new generation is online -- my daughters won't go to stores anymore. everything's online. what we can do in that regards. >> congressman, great question. as was mentioned earlier, the chip cards will go a long way towards eliminating or greatly reducing card-present fraud for the reasons that were mentioned earlier. that's progress and good, and we applaud that and enthusiastically embrace it. as we've seen in the other emv-adopted countries, the fraud shifts to the online environment. what happens, of course, is if you make an order online, over the phone, or otherwise, you

enter your credit card number and code and expiration date, and away you go. if i have that information from you, i can make the transaction online. it's loose to put it mildly. the future of that in the near term is a technology platform called tokenization which will allow that transaction to occur with a unique set of data that connects needed data to finalize the transaction, but the personally identifiable information isn't necessarily transmitted as part. it's a token. one unique signal that goes. that's coming. it's just around the corner, and it's in market to some extent. the cost is coming down, the ubiquity -- it's becoming more ubiquitous. that will be a big part of the solution. it was invented ten years ago. there will be something else that will come next. >> the time of the gentleman has expired. the chair recognizes the gentleman from maine, mr. poliquin. >> thank you, mr. chairman.

i appreciate it very much. and thank you, all you folks, for being here today. i really appreciate it. mr. oxman, i know you and i both are from maine. probably the safest state in america. we invite all kinds of other folks to come up and enjoy our state. that being said, we are not immune to folks who are stealing our credit card, credit card numbers or using our debit cards fraudulently, what have you. we know there's a problem, the problem is across the country, even the great state of maine. that being said, one of the things that i've heard this morning that i'm delighted about is that there seems to be some common ground, a lot of common ground when it comes to the fact that there is an issue with cybersecurity. we all know it's there. you folks all agree to it. even though you're from different parts of this space, if you will. and i've also heard, if i'm not mistaken, that there's -- there's consensus that we need. instead of 48 individual laws that we have to deal with that one national standard, it would be helpful when it comes to notification.

i'd like to hear from each of you, we'll start with you, governor, if you don't mind terribly, what is on the top of your list? what else would you like to inform this committee about that would be helpful for all the players in the space to make sure our consumers in maine's second district and throughout the country are well protected with bank accounts, credit cards, what have you. what could you advise us today? you're the members on the ground. you're much closer to this problem than we could ever be. please tell us. >> that's a great question. you think about notification, it helps notify people that there was a problem and now we need to clean up the mess. that's little consolation for people who have the mess visited. it's helpful. as to standards, it will help as people raise their game. i think this entire space is going to evolve in a very interesting and probably disruptive fashion over the next ten years. things we're talking about here today in terms of technology platforms as was mentioned earlier will look very differently ten years from now.

i don't think we'll be walking around with pieces of plastic and pins. the whole thing is shifting increasingly to mobile and other ways to make payments. so i would say it's going to come from the technology sector, big changes. good changes. >> mr. dodge? >> i'm glad some attention is being paid to collaboration. i think that's an important outcrop from these catastrophies. this focus. last year, we collaborated with financial services roundtable and electronic transaction association, with a whole bunch of merchant and financial service associations to talk about the challenges. to try to find common ground. collaboration has also found its way into the information sharing, threat information sharing world where businesses can share threat information. the rising tides for -- main term, rising tides lift all ships. the ability to see a threat deflected and share with others what you saw and how you did it. really important, and we congratulate congress for passing legislation on that last

month. i think one of the thing we look toward is how do we enhance the security to the 21st century and beyond. the card security today is weak. it needs to improve. there's a half step on the calendar for later this year. it's only a half step. we need to get beyond that. we want to see congress focus on that and certainly want to see the business community that's responsible for creating those cards to focus on it, as well. >> mr. oxman? >> thank you, congressman. i'm excited about the change in technology we're seeing in our industry. i think if there were one thing for the committee to be aware of, it's that there is no need for an inquiry into the technology because the industry is working together to deploy it. you know, my first job was as a bank teller, summer after first year in college, the heart of the second district of maine. and the hot technology in the '80s was the atm machine. today consumers can buy things with a watch. it's amazing what's happening out there. i think the good news from congress' perspective, the industry is deploying technology safely, securely and reliably. we'll get it done.

>> apple pay, google, four square, these are developing much more quickly than i understand and how to pay with goods and services you buy on line through a mobile device. do you see any problems coming down the road with those types of technology, or is that where it's going to go and where it should go in your opinion? >> this technology is incredibly exciting particularly because it allows us to deploy more robust security alongside. the way to think about it is it's a new means of implementing a payment transaction. initiating that transaction, using your watch or phone instead of a plastic card. and that watch or phone or whatever device has many more security capability than the plastic cards. it's a good thing for consumers. >> unless here in this country we go down this path where we continue to work on this problem and find solutions to it, aren't we exposing consumers and families and businesses to more

cyber-risk if europe is ahead of us and other developed countries, parts of the world are ahead of us? >> may i have that question? i think technology will evolve, and we'll have good answers. particularly mobile will be the future of payments. i think what's key is this information sharing effort that's in progress now. being able to collect information, translate it so it's actionable intelligence, and that will allow us to preempt attacks from organized crime, rogue states, and state-funded actors. >> thank you all very much. appreciate it. thank you, mr. chairman. i yield my time. >> i thank the gentleman. the gentleman from georgia, mr. scott, recognized for five minutes. >> yes, governor pawlenty, i'd like for you to address this and they can chip in, as well. with the challenge for our migration of the emv chip technology in the united states basically due by october 15th,

why are u.s. consumers only now receiving the chip cards when consumers in europe and canada have had them for many years? why are we behind the eight ball? >> there's some unique history as it relates to how europe got to where it is, relating to technology. their telecommunication system, how they did batch processing, how that works relative to how we did it in the united states. i think to sum it up here, i would say the transition from what we had to what we need and where we're headed next has been -- is a very big transition. think about the millions and millions and millions of point of sale terminals that would have to be chip ready. now only about 25% of retailers can even take a chip card. they would have to flip their systems, point of sale systems, back room systems, payment networks have to do the same, the banks have to do the same. it's a massive transition. you know, would we have benefited from it being done

earlier? probably. but we are where we are, now we need to get it done as quickly as possible. this is highlighting the urgency of it. >> okay. now, since we have such a brain trust of cybersecurity before us in this distinguished panel, i want to shift for a moment. are you satisfied and how would you describe the national security threat to our country as a result of cybersecurity as a national security issue? i think it's one we really, really have to deal with. and how would you relate that particularly when we've had attacks on our cybersecurity from china, russia, from iran, from north korea, isis, al qaeda, other terrorist, now our military bases are put on

heightened terrorist attack alert at a level we haven't seen since 9/11. how -- what is it that we need to do more, and how do you address and how do you rate this threat at its present time as a national security issue? governor pawlenty or any of you? >> i'll say, congressman, i would rate it as a clear and present danger. that's why i said what i said earlier. i think for particularly folks who are on the republican side of the aisle, it's comfort -- not as comfortable to say we're just going do something uniform across the country. i think this is elevated. not just the card and processing, but many other aspects of this to a national security issue. we have known identifiable threats to critical infrastructure of this country that would impair not just the economy but the health and well-being of our citizens if

deployed to any sort of scale. so it is a clear and present national security threat that i think needs to be addressed with that kind of urgency and that kind of seriousness and that kind of weight behind it. >> and congressman scott, it is a question that is answered largely by technology. and thank you for your leadership and taking a founding role in the congressional payment technology caucus because technology companies, including many from the great state of georgia are out there deploying systems networks. and there's no question that the payments industry is focused relentlessly on this because of the security of networks and reliability of networks and systems is why consumers choose electronic payments as their preferred method of engaging in commerce. we need to make sure that remains a confident factor for consumers. >> and, mr. oxman, how ready will we be? october's right around the corner.

what are your expectations? have we set that date? have we -- is it accomplishable? >> yeah, congressman, the migration in october to the chip cards is a date that we've set as a milestone. and it's a lot of work to do. 1.2 billion cards in consumers' wallets need to be replaced. more than eight million merchants in the u.s. need to upgrade their systems in order to accept chip cards. that's going to take some time. will we be completely finished by october? the answer, frankly, is no. we won't be all done. we'll be largely there. most importantly, the industry is entirely unified in recognizing the importance of making this infrastructure upgrade. we're doing it, we're working together, merchants, financial institutions, payments companies, and consumers. we're going to get it done. >> thank you, mr. chairman. i yield back. >> i thank the gentleman.

now the gentleman from arkansas, mr. hill, is recognized for five minutes. >> thank you, mr. chairman. i thank the panel for your being with us this morning. on mrs. maloney's comments about graham-leach and the impact on banks having run a community bank for the entire history of graham-leach's existence, i do think it was flexible in the standards when it comes to examination and practice, both in scope of business and not. so i think that's something that's worked well in the financial services industry. one question i have i'd like the panel to react to, what role does liability insurance play? i know in our company we took out the coverage at the modest premium for notification coverage which was sort of what was recommended by the underwriters.

i didn't find it very compelling or particularly useful. but in a large breach, it certainly would be helpful to pay the out-of-pocket expenses. but what's happening in the liability arena on insurance coverages for entities beyond that? what standard are they setting when they come to underwrite a retailer? let's start with you, mr. dodge, about data breach. there's obviously a mathematical loss for one of your members. >> sure. i'll acknowledge i don't claim to be an expert on cybersecurity liability insurance. my exposure to it offers me a little bit of perspective. first, it's an immature market, pretty new, and rapidly evolving. i know the administration is working on ways to make that a more mature, more competitive market. retailers, many retailers are looking into, many have purchased liability insurance as it relates to cybersecurity. i don't have a number, but i suspect the number is growing by the day. and one of the challenges they all face is where exactly to price it. they don't know how much to get,

and they don't know if they're getting a great value for it. but they know that it's important to have. they're working on making sure that that improves over time. i think your point's a good one. >> also in the verizon report that's been mentioned, only about 20% of those breaches are as a result of the retail and banking industry which means 80% aren't. and we haven't heard one question about that today. just last week, i got a letter from the arkansas medical society where over 60 physicians had their identities stolen when they filed their income tax return. didn't know it until they went to hit "send" electronically to the irs and suddenly learned they already filed their return which, of course, they haven't. can you reflect on standards that we've talked about today for that other 80% that we have not -- that's not represented here today? or maybe mr. oxman, you might take that one.

>> thank you, congressman hill. and i do think that is an important issue because the harm that consumers suffer from identity theft can in some circumstances be as impactful as the harm suffered from the theft of financial data. and i think h.r. 2205 does a good job of making sure that all entities, not just retailers and financial institutions and payment companies, but all entities that have storage or access to the sensitive personal information are required to abide by the federal standards that h.r. 2205 would put in place. and i do think that's a very important component of the bill. >> anybody else want to add on that? >> well, i think the fundamentals of the pci standard are applicable across all vertical market. i also share your concern in my discussions with law enforcement that the health care systems in particular will be the next big target. protecting that data and following adherence to the pci standard would benefit those

industries, as well. >> i think it's a little, you know, odd that hipaa, we can't even have a conversation about our aunt's health with a doctor without everybody jumping through hoops. but we've obviously got health care data at risk, that's financial data. and this irs situation is financial loss. i mean, i think this is a serious matter. certainly as serious as having your one's credit card number compromised. so i'm glad to hear you say that you have comfort that the standards in this bill will help in this other 80% of the issue that we're not addressing today. thank you. mr. dodge? >> i would say, you know, we also endorse a strong, reasonable standard, one that provides businesses with a strong expectation of what government considers to be reasonable standard. we believe it should be enforced by the ftc. and we've endorsed the legislation that came out of the energy and commerce committee to do just that. we think it's important as we're addressing this issue that we first look at the regulatory

landscape, and design solutions that fit within that rather than moving regulation design from one industry, in this case the financial services industry, to the rest of the economy. >> thank you for that comment. i yield back. thank you. >> i thank the gentleman. now the gentlewoman from wisconsin, the ranking member of the policy committee, ms. moore, recognized for five minutes. >> thank you very much for that elevation. i just want to thank all of the witnesses for taking the time and being patient with us. and i can tell you that you guys almost -- and ms. moy almost answered my questions when other members were asking it. so i do want to apologize if things seem redundant. let me start with you, ms. moy. you talked about having a federal standard of floor standard. you talked about the ftc really

providing that service at this point. i guess i want your opinion or knowledge about whether or not you think the ftc is currently staffed up and resourced up enough to continue the stewardship. how much more would it cost to do it, how many more employees would we -- do you anticipate? is there necessity to create a new agency? >> so i apologize because i don't have those numbers for you. although i could do some research and try to help you answer that question. i mean, i do think the ftc is doing a pretty good job enforcing data security, specifically with the biggest cases. at the state level, the states are active in this area, as well. also enforcing sometime their own data security standard and sometimes a standard that they are drawing from there, from the authority of their general consumer protection acts, the mini ftc acts.

but -- so i think it's really important, though, to preserve the ability of what the states are doing, to preserve the ability of state a.g.s to continue to provide that important service. and -- and to set our new standards at a level that will continue to preserve protections for pieces of information that would not be covered by the legislative proposals we've seen. for example, in your own state of wisconsin, the breach notification standard would extend to dna and biometric data that's not necessarily covered by what we've seen in some legislative proposals. >> i really would like to know how much this will cost. and in keeping with that same theme, mr. mulvaney was sort of going down this road about who pays for the cost of a breach. and on october 1, 2015, there's going to be a merchant liability shift. we're at the custard stand here, and i've gotten my smartphone to

be able to swipe my card. you know, how much is this going to cost me, or do i just take risks and say i'll just take chances for a few years until i get my business up and start franchising my custard store? how much will it cost me to be compliant? >> congresswoman moore, the good news is for a small business interested in upgrading infrastructure, the costs are very low. you can get a emv chip device from square for $30. >> okay. >> if you want to go that route. or get it from a payments processor for not much more. the cost is very low for the merchant. the good news is that october liability shift date that you're talking about, if the merchant

makes that small investment in the upgrade to chip cards and if the card issuer has issued chip cards, the liability for the fraudulent card rests with the issuer. the merchant is exactly the same as today as long as they have made the investment in the infrastructure. they don't have liability for a counterfeit card transaction in that scenario. it's good news for the merchant. >> that was the answer that was escaping me this entire hearing. i mean, how much is it going to cost gwen's custard stand to do it. obviously there will be a lot of costs for atms and i guess that's a little more costly. how much will it cost to update all the atms? >> yeah, the atms and actually fuel dispensaries, so gas stations actually have an extra two years to upgrade their infrastructure because it's complicated to actually take the credit card equipment out of an atm or gas pump. they don't have to worry about upgrading infrastructure until october of 2017 for those two industries.

>> okay. my last time for governor pawlenty. i guess as the head of the financial services roundtable, i guess i'm curious about why it's taken us so long to do this. why we're behind europe and canada. and you testified we're going to stay behind. >> some of the countries that went to emv didn't have much legacy technology to begin with. they could just jump to it as first adopters. other countries have other histories like the u.k., for example, in an era where telecom was expensive. they loaded up all the transactions and processed them at the end of the day called batch processing. the ability to do real-time communication via telecom had something to do with how and when things evolved. that being said, i think the u.s. has been slow to this issue. but the fact of the matter is we

see the need, obviously everybody does, and moving as quickly as possible to implement it and for good cause -- >> mr. chairman, i realize my time has expired. i want to ask governor pawlenty, are the vikings going to be as bad as they were last season? >> did you say the packers? [ laughter ] >> the vikings? >> i think the big question is how do we get some of that custard. [ laughter ] >> the vikings are going to be better this year. >> the gentleman from florida now, mr. ross, is recognized for five minutes. >> thank you, mr. chairman, and thank you, panelists. i can only preface my remarks by thinking back to the early 1980s when i was installing computer systems, 16-bit processors in pharmacies across the eastern united states. we would use a dial-up modem to update drug prices and process data. at that time "war games" came out starring matthew broderick showing how we can hack into the intelligence computer that started an international war game. and we've evolved today to where you go to walt disney world and get a magic band that has all your data, shows disney exactly where you are, what you're

doing, what ride you want to be on, all your billing information. the evolution of technology has been a tremendous benefit to us. it's given us the path of expanding our commerce and economy tremendously. and obviously it has given opportunities to those that seek ill will against us. and that's why we're here. one of the institutions of higher education, university of south florida, rests in my district. and two years ago, they were designated by the florida legislature to be the center of cybersecurity, an academic program now they have over 100 students seeking masters in this particular arena. my question is, is there a great deal of cooperation between the private sector and the academic sector in trying to innovate ways to continue to fight cybersecurity? anybody can address that. >> i can speak up and say i know the retailers who have sought such partnerships have found welcome partnerships. last year we established something called the retail cyber-intelligence sharing center. at the core of that is a retail

isat and educational opportunities. i know that group has found great partners already in the academic community looking for ways to identify ways to bring future chief intelligence security -- security information officers through the ranks and to share information so everybody has the best skills available today. >> it seems that would be a good partnership even though that's well over 80% of our commerce in the cyber-world is through the private sector. mr. dodge, let me ask you this question because as my colleague, mr. mulvaney, was asking you about who bears the cost of a fraudulent transaction. is it between the banks and the retailers -- is there not in existence any particular either express or implied right of indemnification between the parties that would allow that to be resolved?

>> who pays after a breach and fraud is spelled out in the contract. the retailers are bound by the contracts and unwillingness to if they violate the contract, they lose the risk -- they risk losing the right to accept cards. >> there's a limited negotiation is what you're telling me in order for retail -- retailer wants to accept a mastercard, they accept the terms and negotiations without negotiation? >> it's not a negotiation. you sign the contract presented to you. >> okay. mr. oxman, one of the things we talked about, and you talked about well and in depth, is the electronic mastercard/visa chip. for some time, this has been in practice in the european markets, has it not? >> it has. >> and just recently, you know, had it not been for i guess an executive order, we would not be pursuing it as fast as we are in the united states. >> the reason it's deployed is

the following. in europe, they don't have the ability that we have here to authorize a translation online. when you swipe your card at the point of sale what happens is that transaction is transmitted through a payment network to the card issuer for a yes or no answer. when the receipt is spit out 1.4 seconds later with the yes answer, it's because the transaction was authorized and approved online. in europe, they don't have the infrastructure to do that. ed card authorized the transaction. the chip with the machine isn't going anywhere. >> it's making the decision right there? >> it's making the decision right there. that's why the chip infrastructure is necessary in europe and hasn't been -- >> now we move to protecting the database of all the private information and it's encrypting that particular transaction with a one-time identification. and then that allows anybody who captured that to have nothing? >> that's exactly right.

it takes the account number out of the equation. there's nothing to steal. >> how fast are we moving in that direction? >> very quickly. >> it's going to be the predominant barrier? >> it's being deployed across all retail segments. we have an existing infrastructure that needs to be replaced. we will get there. it's a great technology. everyone is working together to make it happen. >> one last thing. we talked about point of sale defenses today. after the data has been breached and the identity is stolen how effective are some of these companies out there that allegedly protect consumers from having their identity stolen? is that good or is it bad or is it just somebody else's opportunity?

>> i can't speak to think companies. everybody needs to be vigilant. you need to monitor yourself. i want to go back to a point you made a second ago which is about advancing the technology in cards that have been in europe for a decade. the migration that's happening in the united states is only a half step. we're not requiring the pin. the pin authenticates the card holder. we believe there's a redundancy approach that's needed in the cards. >> pin and the chip eliminated -- >> need to have it together and we are not moving to that here in the united states because of the decisions made by the card networks. >> thank you. i yield back. >> thank you. and now the gentleman from arizona is recognized for five minutes. >> thank you, mr. chairman. a little discussion, maybe a little way from the legislation that's being vetted. mr. oxman, from my listening, you seem to be the most technical on the panel. is that a fair --

>> i guess i've been voted. >> okay, can we walk through a couple mechanics? first, the philosophical box i want to work from is, if you and i wanted to design as robust a system as possible, i'm not asking practical but possible today where i still have the use of my financial instruments, my credit cards online, at the retailer in any fashion it may be. what would i be doing? when we sat through something in this regard a couple years ago we had such high hopes for the tokenization handoffs and randomization of the designs of those tokens. is it token plus? if you and i were designing a system here and making sure that as we work on the legislation that it has enough openness to

grab tomorrow's technology, what should we be doing? >> a system designed from scratch would ensure that actual information that can be tied back to you or your account cannot be intercepted. you would make sure you wouldn't transmit information that could be taken by somebody else and used in the same form. that's the real goal of all the layered security technologies that you see deployed today. it's dynamic and it makes sure that intercepting information cannot be useful. the real difference between the chip and the magnetic stripe is it generates a unique security code with each interaction. if you tried to create a counter chip, you wouldn't know the code for the next transaction so it would be useless to you. designing a system from scratch would make sure that the information was dynamic and couldn't be tied back to

anything even if it were intercepted. >> is it a blend of handoff mechanics and a biomechanic? if i'm doing online, an i.p. algorithm behind saying is this an i.p. that matches -- what am i doing to make these things work? >> that's the interesting thing about mobile payments which a lot of great technology companies are moving to deploy. >> you beat me to our last conversation. as we all move to the mobile pay and sort of catching up with the rest of the world, is it technology in my payment systems on this, is that my future of transaction security? >> it is a great future of transaction security because what that mobile device has on there is the token that we were talking about earlier. >> it could have the tokenization, my biodata with my fingerprint and it obviously has

its version of not technically an i.p. but the ability to hand over here's the device that goes with this. >> that's right. the future of technology has all of those elements. as almost as if we have an opportunity thanks to the advances in technology to devise that system from scratch. >> for everyone else on the panel, how do i incentivize that? >> the one point i would make is that jason is absolutely right. the future of payments is in mobile technology and we're going there but we're not there yet. there's 1.2 billion cards circulating in the united states and we need to make sure we're locking that down while we're moving to the next generation. i won't try to wade into the deep technological conversation but we believe this has great potential and mobile technology

and the encryption that is in place today will work for a long time. >> so you devalue the data so that it's useless in the hands of criminals and the three technologies that we've talked about today do exactly that. the point of sale, point to point encryption and tokenization. you bundle those correctly and implement it properly, the value is useless. there's no reason to break in and even if you did, you can't use it anywhere else. >> my fear is much of today's conversation was who holds the liability, who pays, and my fear, at one level that's an absurd conversation to have. we should be having the conversation of how do we build the robust technology so we don't have the problem. >> the good news is it's happening while some of the things you mentioned are a small part of the picture, the rate at which they're growing is rapid and the adoption rate particularly for young people is high. the future that you're shadowing is unfolding. >> yield back.

>> now the gentleman from indiana, the chair of the republican policy committee is recognized for five minutes. >> thank you for being here. i think we're getting close to wrapping up. i wanted to talk a little further about breach notification. i think a couple times you got close to this but i just want to make sure i better understand your position and your organization's position. you stated earlier that you wanted clarity for the business community. i know you support the one-sentence standard that was based on reasonable as found in the energy and commerce committee bill. i think if you look at section four of hr 2205, it has a process that's laid out and frankly is much clearer and more scaleable. it's based and modelled off of what banks have been doing for 16 years under graham bliely.

can you explain from your perspective why you believe 2205's clarity isn't sufficient. >> the graham leach bliely act and the legislation you're referencing were designed primarily for the financial services industry. it was passed in 2000 and enforced over the last 15 years. what we have argued is you have to look at the regulatory landscape as it is today and look at what's been done to other industries. there's been a substantial body of work done by the federal trade commission in enforcing cyber security expectations of businesses. that's established a decade worth of case law that merchants and businesses all under the authority of the ftc understand what the expectations are. >> am i hearing you say that while the energy and commerce bill has a one-sentence standard, you believe that one sentence incorporates the ftc standards? >> i do.

any business that would be forced to comply with it and most businesses today are, don't look at the sentence that would be in the legislation but they would look at what the body of work is and the requirements. >> so i'm understanding your objection, is your objection to who the regulator would be? you believe under the commerce bill it would be a different regulator? >> we think the way that the energy and commerce bill is structured and how it builds upon the work that's undertaken by the ftc today, it makes sense and we believe that's the best way to move the ball forward. >> other members of the panel, i don't know if anyone would like to comment on the clarity of the language. >> i would say while we recognize the brevity of it, to simply say, go act reasonably, that's a negligent standard. we're all under a duty to act reasonably in our daily lives and not be negligent. when you're facing a threat of this nature, to have the

congress say, hey, act reasonably, i think that's underwhelming as a standard and expectation as we enter the age of cyber battles. >> i would agree, particularly when you've got a road map that's worked for 16 years in another industry that you can lean on. i'd like to talk a little bit about how unreasonable delay works in the real world. there's talk about whether a notice should be immediate, could you put some specific time frame on when a reasonable notice would occur. could anyone on the panel comment on whether it's realistic to require a company to notify consumers within a specific set of days? >> i think the challenge of the existing state laws is different states have different requirements for what reasonableness means. obviously all of us in the industry across the payment's ecosystem and retail share an interest in making sure our customers know what happened as quickly as possible. but in some circumstances there are issues that arise.

for example, law enforcement may ask that we delay notification because they're pursuing the criminals and they don't want to interfere with the possibility of apprehension. i think that flexibility is important because there are circumstances in which what one may think is reasonable someone else may decide -- >> is that relatively unanimous on the panel? >> one of the problems with having a harm trigger and risk analysis between the discovery of the breach and notification of the consumers is that it can delay notification to the consumers. one of the reasons that many states have no trigger at all is to ensure the consumers get notification as quickly as possible. >> in my very limited time, can anybody talk about overreporting? it seems to be one of the challenges of what happens in the practical world when you have this big patch work of standards is companies go out and overreport and there's consequences to consumers of that as well. >> once again i would turn to what they're saying on this

topic which is in their conversations with consumers they are not hearing that consumers want to hear less about breach of their personal information. consumers are upset about the fact that they're hearing about so many breaches because they're upset that so many breaches are taking place. they don't want to forego the possibility of protecting themselves. >> they want to be notified when they should be notified if there's a real problem. okay, thank you very much. >> we do see in the idle manufacturing retail space dealers and others paying less attention unfortunately to recall notices because they think they get too many or they're not serious. it's something to keep an eye on. >> thank you. i'd like to thank our witnesses for their testimony today. a little three-hour exercise here. we appreciate your patience. but also i think the panel has been very informative. this is a very important issue to our country. it's a very important issue to the americans that use this system on a daily basis that we give them the confidence that

they can continue to use one of the most aggressive and progressive payment systems in the world. without objection, all members will have five legislative days within to submit additional questions for our witnesses to the chair, which will be forwarded to the witnessing for their response. i would ask the witnesses to please respond as promptly as you're able and without objection all members will have five legislative days in which to submit extraneous material to be in the record. with that this hearing is adjourned. >> thank you.

this weekend join c-span for some commencement speeches. robert mcdonald spoke at the university of utah. the head of noaa and tim scott at south carolina state. tomorrow at noon eastern on c-span. saturday each, a conversation with political cartoonists including gary trudeaux. i think it's a form -- it's a full quality control. you are being affected. good they run everything you do you must be doing something wrong. >> it shows you are still dangerous, a little bit, yes. >> or that you have touched a

sore point for that particular community. >> not all my smoking mr. butt strips made it in. when i wrote about frank sinatra, i went dark in las vegas. jerry brown same thing in california. there are regional -- the most recently, did i something about jeb bush. the dallas paper threw it out because it was too political. too political? the man is running for president. >> some of the remarks on political cartoonists. watch the event tomorrow at 8:00 p.m. eastern on on companion network c-span. for he today that sheds his blood with me shall be my brother. be he so vile, this day shall gentle his condition.

gentlemen in england now abed shall think themselves acursed that they were not here. >> one drop of blood drawn from thigh country's bossom should grieve thee more than streams of foreign gore. >> director of the folger lie larry talk about how politicians use quotes from shakespeare. >> sometimes you have to go with the music of the words. the poetic images, the sound of the rhymes and also the way in which as senator byrd did you are able to pause and linger and stop and keep going. i think he is really using the rhythms of the language, which is something that shakespeare did so brilliantly. so he can take english and can he put it into high gear at one moment and then he can slow

down. that's something that shake peer led shakespeare let u.s. do. >> sunday at 8:00 p.m. >> good night, good night, parting is such sweet sorrow. and it really is. next the findings from a war games exercise from the army and air force folk used on policy and strategy with russia. it was posted by the center for tra teethic and international studies. they talked about the considerations and finedings of the war games as well as their recommendations resulting from the exercise. this is about an hour and 45 minutes.

>> good morning. i'm delighted to present the program. talk about cooperation to competition, the future of u.s. russian relations. forcing reactive measures and re-evaluation of u.s. policy towards russia. russia has used non-linear approaches to take full advantage of u.s. and nato policy limitations.

unfortunately i was not able to participate myself as i was in moscow at a conference organized by russian ministry of defense. in the war game four key considerations for future policy and strategy. this panel presentation will present the findings from the war game and net assessment study that the scholars conducted in preparation for the exercise. views by panelist are their own should not implied the sponsoring service, u.s. army war college. i will briefly introduce our panelists today. in your materials you have the biography. directly to my right is colonel coy from the netherlands army. he's a colonel in the netherlands army and a fellow at the u.s. army war college.

lieutenant joe hilbert is just to colonel coy's right and a career army field artillery officer, has experienced supporting light airborne armored and special operations. directly to joe's right, earned phd in history from johns hopkins university. i guess we are co-alumni. baltimore? home campus. the mother -- from the mother ship. he served as staff historian for several army and joint headquarters, and directly to dr. mcnaughton's right, colonel lay, c-130 master navigator and u.s. air force weapons school graduate. he graduated from u.s. army -- u.s. air force academy -- excuse

me, christopher -- i know these mixups in the services can be a little touchy, with a bs in u.s. history and ma in u.s. diplomatic history from university of central arkansas. and finally to my far right, last and hardly least is lieutenant colonel karen brigamen, strategic intelligence officer with military intelligence experience ranging from tactical to the strategic level. so with that, let me turn the floor over to colonel coy who will introduce the program. >> thank you very much for hosting us. good morning to everybody. i'll explain a little about where we come from and why we're sitting at this table, what led to this. first of all we have five of six students from the u.s. army war college. the sixth student was already moving to his new assignment in europe so he couldn't be here. so actually five of six. we're in u.s. army war college

but in a special program called carlyle scholars program. carlyle scholars program is -- the idea behind it core curriculum in four months instead of eight to nine months, just condense it a little bit so we've got more time to do research, engagements with think tanks or state department. we've been there as well. yeah, to do more research. we want to do our own. we are really motivated to do. that's part of the program. so we started in october 2014, and i won't go to all the steps in the slide. we started 2014 to study into russia. the relationship -- europe russia, actually. it linked into several programs we were doing already at u.s. army war college. over time we had meetings with many respected experts from

think tanks, universities, dod, state department as well. those meetings were to confirm and to improve and to refine our ideas or our understanding of the russian system. so that's what we did over time. so the war game was actually a month ago. prior to that we had many meetings here in washington with think tanks to discuss our view on what we thought that the russian system was like. we used what we call operational design. it's a way to frame the environment, frame the problem and frame the approach to the system. we started with first understanding the problem, so we looked into putin's strategy, trying to figure that out. we used ways and means to define that and tensions within the system, current russian system

and fractures in the system as well. for that environment, we used visualization of russian bear with his own dna moving through a forest. controls that bear, make him move or gears that move counter to the bear. so that's what we used to frame. than we frame some approaches. those approaches are approaches on how to influence russian system. those approaches led to the war game we did in april. >> as mentioned, once we completed the process of design and collaboration with different organizations you saw on the chart, we thought it would be good to take this design and

test it, as close as we could get to random field experiment. in our case, that would be a war game. what you see on the slide in front is how we laid that out. our first problem statement when we looked at the national security strategy and a lot of other strategic documents we talk a great deal about strengthening our enduring alliance with europe. the question is then, well, given that, how should the u.s. consider its policy against russia? how should that impact it? the purpose of the event come up with policy considerations. you see the final objective, final research question, what kind of insights could we gain to inform policymakers. this was the methodology. so as mentioned we met with several different folks along the way building a net assessment.

we took those engagements and divided them into three teams. we had a russia team, a u.s. team and a white cell or control group. the way the war game would work we started in a large group plenary session, presented system, what we currently understood u.s. policy toward russia to be, then let russia and u.s. team go to breakout rooms and either refine or confirm what had just been presented, to build baseline going forward. in each case told two teams, if you're the u.s. team consider yourself members of the national security council or advisers to the president and same thing for the president putin. we brought them back in. each side had an opportunity to brief the other. then a chance for clarification, questions for clarifications from one side or the other, white cell and control group.

once they had baselined policy going into the game, we then provided what we would get with inject or scenario each side would deal with. what we found was, there was not a lot of movement from the way we designed the russian system or presented u.s. policy. we felt like we had a pretty good baseline coming in. after the plenary session a pretty good refinement. so we started with the first scenario, two teams in the breakout, russian and u.s. team. they would confirm the policy they had was still valid. if it wasn't valid, what changes do they need to make. then what was going to be their strategic approach going forward given new environment or given this scenario. they came back into the larger group, briefed each other. it was kind of a courtroom-type setting. they briefed one side of a brief, the other side of a brief and then allowed to provide a

counter argument back and forth and the white cell again would ask questions for clarification. once that turn was complete, we then issued the next inject. the russian and u.s. teams went away, the white cell go through a debriefing process. what did they hear feasible, not feasible, how did they understand what they hear. that's how we gathered the data. we repeated the process. these were the -- should say scenarios we went through with strategic state of the game we wanted to see secure, stable, prosperous europe. alliance national security strategy and our view of europe and russia that acts responsibly and honors territorial sovereignty. five scenarios, first rapid toward energy independence, suspend reality and say if we could go -- completely energy

independent from russia, what would that look like and how would both sides react. the second one probably more plausible and maybe even more urgent is expansion of ukrainian conflict. beyond the line of control if there was expansion in other regions of interest then strategic miscalculation of sorts. third move was uncontrolled nationalism, weaponization of nationalism, what happens when he loses control of that nationalism, falling off the bear, takes off on their own, how then both sides react. the fourth turn you see there, power elites turn against putin. this was not meant to be a coup of sorts. putin no longer in power, how does u.s. interpret it. power leaks, advisers, what would they advise to what is left and how to go forward with it.

the final turn getting beyond crisis less than strategic scenario as much as it was, what is each side, what do they want to see from the other, both from the russian side and from the u.s. side. in the end these were considerations after distilling data from both sides, each of the turns. these were the four key considerations we saw. the first one, compete with russia to maintain international order. it sounds counter-intuitive. we talk a lot about cooperate where we can. what we found each turn as the u.s. side would come in and look for areas of cooperation, the russian side would come in competitively. at one point we had one participant say we're in an environment where we're competitive, we should compete. compete where you must compete and cooperate where you can cooperate. while you would think order would come through cooperation, in this case the competition has to be resolved first. the second one was clearly

articulating a position toward russia, eastern europe and ukraine. when the u.s. team would come in and debrief, we often found there was a little ambiguity toward different players. another piece that needed to come out. the policy had to be clear with regard to each. the third challenge russia in the competition of ideas and influence. that was a consistent comment from the white cell, u.s. lack of good information policy or information strategy. last bullet, somewhat blinding flash of the obvious, with two elections cycles coming up, both in the u.s. and with russia in 2018, clearly that time line needs to be leveraged we felt like from president putin to maintain power. one of the comments was we need to look for what is going to be crimea 2017.

so while we don't -- by no means attempt to influence u.s. election but whatever policy is built it has to survive our own national election and be implemented by a new administration going forward and stepping into russian cycle on the russian side. with this i'll pass off to dr. jim mcnaughton, one of the observers of the u.s. team. >> thank you, joe. i had the opportunity to be a note taker setting in and listening to u.s. teams discussions over the two days of the war game. i just want to start with two general observations and look forward to questions and discussion after our introductory remarks here. my observations really on point one and point two you see on the screen here. having watched a mix of people try to come up with the u.s. policy or what the policy would be with some of these hypothetical situations, it was

very interesting to find out really they were confronting a sea change in u.s. policy. it was clear to them that something had changed in the international environment. the tough part was figuring out what to do about that. they realized that for the last two decades at least our relations with russia in general based on the concept we would encourage russia to become a normal country within european security architecture, european community and that russia would be encouraged to play by the rules and u.s. could treat them as they treat any other regional power around the world. after the seizure of crimea and when conflict erupted in eastern ukraine it become clear that set of assumptions was no longer valid.

everyone could see that sea change. hard part between players trying to formulate in this academic environment what should u.s. policy be, figure out how to compete with russia. it's very difficult to jettison those set of assumptions and long range policies the u.s. work with for many, many years. we considered alternative futures within the war game. it became clear for the next several years, the u.s. would have to be -- would have to manage strategic competition with russia rather than treat russia as another normal country in the environment. second general observations i would like to start with, it's easy to say the united states needs to articulate a position towards russia and eastern europe and ukraine. there's severe challenges we discovered.

joe is absolutely correct that the u.s. team ended up being more reactive than proactive as it struggled to balance several major sets of considerations. the united states policy is not developed simply in washington, d.c. we must take into account nato allies and other partners in the region. a great deal of consensus building and discussions before a policy can be, in fact, clearly stated by our leaders. where we have challenges to develop how policy consensus, the lack of knowledge how russia is going to respond. as we, we could send armaments, lethal equipment to ukraine. each step lacked understanding

of the russian system to where we felt comfortable if we do this, pretty sure russia will do that. that really muddied the water as well, made it difficult to achieve consensus. clearly areas everyone agreed on we really want to continue to cooperate with russia. in areas such as the discussions over the iranian nuclear program. this is something quite important for very valid reasons that we need russian cooperation to continue. how do we manage strategic competition while maintain areas of cooperation with russia. it took a lot of time. oftentimes the result is quite messy when it was time to go into the plenary session and say, okay, u.s. team, what have you come up with as far as the

policy. that was one of our great challenges. turn to our colleague, talk a little bit what he saw observing the russian team. >> thanks, jim. as alluded to i was an analyst, none of us were participants during the war game. we facilitated, observed, took notes. a unique vantage point i would dare say without predispositions, we've been doing this since october. start with a couple general comments. we can speak a little bit more fidelity, granularity from the period. on hold during two-day war game russia was able to operate with strategic flexibility, a good bit more options available.

russian team had more options, less constrained by international norms, laws, alliances. for instance, during one of the turns, armor and troops on the border, cast as defensive move, posture rather than what it was was an overtly aggressive move, which leads me to second point. russia operates with far more robust informational operations campaign. their io remarked as one participants as more less weaponized propaganda. oftentimes russia was able to spin a particular narrative that the west could not easily counter. if they did attempt to counter it takes lead time to gather facts and figures for a more truthful message. that gave again leading to the first point quite a bit more flexibility and how they reacted.

russia had no desire to expand the ukraine. over the two-day war game escalate and deescalate at will. provide a good bit of leveraging to the west rather than argue reducing economic sanctions or moving troops or forces around as they willed. again, speak a little more fidelity during q&a period with that i'll pass over to karen and offer more insights. >> i was also on the red team with chris. i have their two key things. first competitive attitude decision making u.s. and nato policies within the region. the russia team sought strategic flexibility, if you will, not through the development of clear long-term policy but instead through the creation of what they call tools. designed to seize opportunities as they arise.

the russian team saw long-term strategy as ineffective in this complex strategic environment they are operating in. why spend time developing this strategy that we may never use. let's spend efforts on tools that allow us strategic flexibility and also surprise. those tools were frozen conflicts, bilateral agreements, back door economic deals and the development of proxy forces which we've seen them use recently. as one player summed it up, russian -- one player summed up russian's intentions succinctly. we used this quote quite often. he said the russia team played to win while the u.s. played not to lose. diplomatic posturing had little impact on russian behavior throughout the game. as they tried to determine the best way to characterize

president putin, is he a long-term strategist, tactician, what is he? they decided putin was more a chess player. he studies the board and improvises as needed. hence the need for tools vice long-term strategy. the second observation was the russian team decision-making process was driven mostly by the desire to maintain power. second, the return of russian preeminence. in every discussion, decision made the desire to maintain perpetuate the system is evidence. while the team is confident that putin would be in power or as president for years to come, they always considered that position when making decisions. they didn't want to jeopardize elections. that came up in their discussions. we had this election cycle

coming up in sync with u.s. elections. let's not do anything that would put president putin at risk. finally the team made sure the population russian greatness was on the rise. putin machine was returning russia to its rightful place on the global landscape. also, of course, to undermine u.s. and nato actions in the region. with that i'll turn it back over to you. >> thank you, karen. during the war game i facilitated for team white. we could see them come back from rooms and presenting new policy or reactions. there were some and partly repeating what has already been said but some key takeaways i took from there and my team as well.

my team consisted of western and eastern european fellows. sometimes european, how you say that, look on the situation. so partly repeating, u.s. team came back. they were kind of struggling with how to deal with a situation because they were reactive and defensive. they wanted to play within the international rules. they were always waiting for the other side, what would happen and struggling with their position all the time. russians could play more savvy and cunning and more proactive and on the offensive. they would say we'll try something new and look what happens. so that was a big difference between the two sides. we all agree where it comes from. but it's just an observation. second takeaway, everybody talks about nato all the time. not everybody.

but we should have a united nato on this, have consensus. the question is when we're ever going to get that. that's 28 countries on one line. that's what we saw in the game. maybe it's more wiser to address countries and create a coalition of the willing. those willing probably depending on the subject 22, 24 of the 28 countries. that's maybe all you need. that's one of the takeaway as well from the war game looking from team white. >> really interesting exercise. we would love to know more about your net assessment, something that needs to be widely done about russia. personally over the last three

weeks, i've spent more than half of the time in various scenario exercises. four of them actually. one of them conducted by the joint force looking out to changes in human geography, engineering technology looking out to 2035, looking at implications for joint force. i see steve out there. he was there four days with me a few weeks ago. i've also spent a couple of exercises for the national intelligence council global trends publication looking out again to year 2035. last friday over at the germany marshall fund a more near-term exercise thinking about russia. and part of the fun for me is i

always get to play russia. i think some of the notes that we concur on is there's greater flexibility in the means and mechanisms, the timing in which russian can act. the timing in which a russian can act. there is -- constantly, the number one concern is regime preservation. it starts there. i think it's important to think about the ukrainian conflict today in those terms as well. there's a big domestic political aspect to them. one area there has been a lot of disagreement about looking in the near term is whether russia is looking to expand the conflict in ukraine. now i'm interested to hear that in your game russia is not. that is also my personal conclusion, but i think it's a

pretty contentious issue. and we might talk about it more. i did have an opportunity to read your report that's come out. and we will have a link and a copy of this on our website shortly. the report about what the presentation is based upon. there are a couple of things i want to raise that i'd like to hear a little bit more from you before we turn the floor over to the audience. in the executive summary you note that u.s. and russia systems are inherently competitive, especially regarding russia's near abroad, nato asia, and the arctic. i would probably contest the term "inherently competitive." we were inherently competitive during the cold war. i'm more skeptical we're inherently competitive today. i'm not sure what that means. but i think to me what the ukrainian conflict is is mainly

about if you take the russian domestic political aspect out of the picture it's the failure over the last 25 years to come to an agreed european security framework. certainly the contestation and competition in russia and abroad no question. when i look in different theaters, though i think it gets a lot more complicated. i see in some places overlapping interests. a good deal of overlapping interests and two of them would be the arctic and asia, or at least northeast asia. you can point to others as well. joe, you've pointed out, of course, that in this exercise there was the desire to maintain a certain degree of cooperation with the russians on issues that we saw extremely important. iranian nuclear program was one. where for the most part we have been wobble to walk and chew gum at the same time over the past

14, 15 months or so since the conflict began. and you could point to others. for example, the decommissioning of the declared decommissioning -- excuse me, removal from syria and declared syrian chemical weapons in the first half of 2014. the second question i had came to the point and i struggle with this question all the time. you raise the question does putin have a grand strategy. well i would argue that he certainly has strategic goals. whether that adds up to grand strategy, what's the relation between grand strategy and strategic goals, i'm not sure. does the united states have strategic goals? absolutely. do we have a grand strategy?

i wouldn't call what we publish to be a grand strategy. so if you can kind of elaborate a little on what you see as the differences. because is it often said that putin is a great tactician, which i absolutely agree with. but he's not a great strategist and on that i'm not sure i do agree with that. on a third -- and kind of related to this on the earlier point, actually, there's the -- you know it's pointed out that the united states should seek -- on page seven -- seek cooperation with russia on a range of regional and global issues. nonetheless, return to business as usual perhaps through another reset with russia is not possible in the short-term. and i guess, you know, the term "reset" of course is attached to the specific historic moment for the obama administration when they came to power in january of 2009.

but i would argue that the big clinton administration the george w. bush administration as well -- maybe not from day one -- had a strategy for -- we don't need to call it a reset but certainly a major effort to set the u.s.-russia relationship on a constructive path and to work together on many, many issues together. i don't necessarily exclude the possibility that when the next administration comes to power in january of 2017 they're going to look at the panopolyof issues about issues of national security and foreign policy and from that they are going to make

an assessment about the degree to which they want to, for lack of a better term, have a reset with russia. of course it depends what happens now between now and january 2017. i would postulate what would have to happen is the two minsk two cease fire accords would have to be judged to be not in complete violation, still be in effect, per se. from that i think we would already be -- already have seen significant efforts between europe and moscow. if i am -- if we take the point that moscow is not seeking a wider conflict in ukraine, then the tactic to me would seem to be stay below the radar of a violation of the minsk two

cease-fire cords. there is no big offensive in mare openle or any of that. with that pressure relieving sanctions in europe will grow significantly. you'll see some of that probably this summer if that condition holds. more of it at the end of the year, which is sort of the timing of the minsk two cease-fire accords and even more of it in 2016. holding together alliance unity may be considerably harder as we go along. another -- let me two other things quickly, i'm taking up too much time. but it's a -- it's quite good document, the report that you produced. you state that ukraine, this is a quote, would likely be the best place to confront russia and to send a clear message of intent, capability, and will. here i just have why.

ukraine is not a nato member. so it's the hardest, much harder place to send a clear message of intent and capability and will. i think this is at the crux of the dilemma for the obama administration as well as our european allies because we are in kind of a gray zone with ukraine. i guess i would ask you what do you mean to confront russia? what does that mean exactly? and why is it the best place? are you -- it sounds like -- i won't put words in your mouths that you are kind of operating under a domino theory process behind this that with success in ukraine then the russians move elsewhere. or he looks at the chess board

and decides what is the greatest vulnerability. i would submit there's an awfully large difference between undertaking some kind of hybrid or other military action against ukraine versus a baltic state or a nato member. i think and i hope that is a bridge too far. but let's -- i like -- i was vest interested by your point of the coalition of the willing. but that would require a very, well, i guess to what extent would it require a different rule-making framework within nato? what would that mean for nato. if we're more explicitly drawing coalitions of the willing from nato?

i think i'll stop there and give the panel some time to respond and then we'll open up for discussion with everybody. thank you. >> i think we're struggling, taking a lot of notes there, andy. that was very good. so your first question -- counting on that. in terms of inherently competitive and i think you asked the question, is it really competitive in the fact that there are other areas we are we can cooperate or we should