tv Public Affairs Events CSPAN November 23, 2016 2:00pm-4:01pm EST
2:00 pm
we recognize that if you are a company operating in certain geographies, you are going to be paying possibly small but you will be paying some kind of inappropriate payments. we recognize that. we recognize that companies have rogue employees who don't follow company policy. even when there is a strong company policy, it may still be the case that somebody in the company does something that is off the reservation. that happens all the time. i did work in this area when i was in private practice, and i know that it's impossible for a big global company to make sure all of its employees are following the law at all times. so there isn't any threshold. i think if i were a company and i were thinking about whether i wanted to self report, i think about a couple things. i would think about, was anyone -- let's say it's a u.s. company. was anyone in the u.s. involved in this? if somebody in the u.s. was involved in this, if somebody high in the company was involved in this, if somebody even high in a foreign jurisdiction was
2:01 pm
involved in this, the higher you go the more likely it is that somebody else is going to tell us about whatever happened. i don't like to tell people self-report unless you think you are going to get caught. but there certainly is an element of that. so if you have a serious problem and we get reports from whistle blowers, competitors that didn't get the bid because they didn't pay the bribe. the chances of us finding out -- and we have added to our fcpa resources in terms of fbi resources and prosecutor resources. we're working now with prosecutors and police agencies all over the world. i mentioned the case with brazil and saudi arabia. we gave evidence to the indonesian authorities who prosecuted the corrupt indonesian public officials. so we are all talking to each other and we're sharing information. so if you got something that is a significant issue, you should
2:02 pm
seriously think about telling us about it and trying to get credit under the pilot program. we don't want to hear about the bribe paid on the dock in argentina to get your package to leapfrog the other packages. we don't want to hear about the gift to the chinese government official that he was given a big box of cigars on chinese new year. we don't need to hear about those things. we don't want to hear about those things. we also don't want to hear about things when you don't really have a sense of what exactly happened. we want you to tell us soon enough but we don't expect you to tell us as soon as you get the hotline call or as soon as you start your investigation because in my own practice experience, a lot of the allegations turn out to be unfounded or turn out to be something else or turn out to be what somebody thought happened that didn't actually happen. so there is no threshold. i think if you're worried about it and it's a serious thing, i think you should tell us about it. because the risk of us finding out is greater and the
2:03 pm
consequences to you if you don't and we find out are fairly significant. >> can i ask a follow-up? one of the things that happens in private practice, as you know, is that a client can call you. they've got an allegation. they want you to help. i often call it what kind of alligator do you have by the tail? you don't yet know. but you've got this pilot program out there that's giving you a carrot to rush in so that you get all the benefits of it. and i'm happy to address and be asked what i think the benefits are and what they're not. but the question for defense counsel, in advising the company, is that the company needs to take enough steps to figure out what type of issues. and just like you said just now, you don't want to hear
2:04 pm
everything. so it's a real judgement call. how far down the path you go, especially if you don't know if there's going to be a whistle-blower who will get to you before we decide to come to you and you're going down that path of taking investigative steps. you're constantly weighing the possibilities that the government could find out before you take those steps. and so like my threshold question, i take it you all also do not have a definitive view as to what point in time a company needs to come in. that you do expect us to take some steps and if you could enlighten us and i know this is one of my concerns about the program. the program is only as good as the individuals who implement it. and so i know that this question is really your perspective.
2:05 pm
but at what point, what down that path of investigative steps are you thinking a company better get in? or do you think we should come in immediately? i'm assuming that last question is no. >> i think it depends, which is a typical lawyer answer which you will all give for the rest of your careers. if somebody comes in and they say that the ceo or an example that came from an actual case we have a department in this company whose reason is to keep track of the bribes. and we have paid bribes to the tune of hundreds and hundreds of millions of dollars. >> you know what kind of alligator that is. >> you don't need to know more than that. you may want to make sure that somebody is not crazy in making something up.
2:06 pm
if there is a shred of truth on that, you want to do that. somebody says you get anonymous hotline complaint that we've been paying bribes in china to get business from the following five state owned enterprises and we paid even with some level of specificity, you're going to want to look at that and see whether that's true, whether the real -- you even had deals with the state enterprises and whether you paid money and whether the people who are supposedly involved in it actually even worked on the deals. you're going to want to kick the tires on the allegations. we don't expect you to come running into us. but when you have a good reason to think it's true and serious, that's when under the pilot program we would expect you, if you want to get the benefits of the pilot program, that's when we would expect you to raise a flag with us. >> what do you say about the challenge that this program is largely designed to assist corporations and individuals may be left out there and not
2:07 pm
getting the benefit of it and then they end up, perhaps, bearing the responsibility when there was enormous benefit to the corporation? i guess the benefit would be given back. but how do you address that concern? >> so i think part of the purpose of the pilot program is to encourage -- i know karen has in her files in her firm probably 50 fcpa investigations that doj doesn't know about. that she's done full, complete investigations. she knows what money was paid to what government entities or individuals. she knows who paid it. she knows who in the company is responsible. she's not telling us. we want that information because we want to be able to make cases against those individuals. but we don't have that evidence. part of the idea of the program is to give the company an incentive to come in and tell us something and give them some carrot to do that.
2:08 pm
obviously, we don't -- just coming in on the pilot program doesn't mean you're getting a declination. you may well have to -- you won't have to plead guilty but you'll have to get a deferred prosecution agreement or some other agreement. you may have to get a monitor. the pilot program has a lot of different things that can happen. the idea is to get that information that we know is out there about culpable individuals so that we can make the cases against the culpable individuals. companies can't go to jail, obviously. individuals can. as i said earlier, i think the biggest deterrent to wrongdoing is to prosecute individuals. so that is part of the goal. we have whistleblowers who come forward in these cases and other cases. they may have been in the thick of the wrongdoing. if they come forward and tell us
2:09 pm
things we often don't prosecute them. we sometimes don't insist they be held criminally accountable. it's designed to get at the information in karen's files. >> does that put pressure on the companies then to in effect make a judgement about culpability even if there could be differences of perspective on an issue and good faith differences? >> are you asking me? >> i was asking karen. from your practice. >> i was actually going to address somewhat of that. and plus some. obviously, i'm not going to comment about any files that i have. >> any of the 50 files. >> i think this is actually where there's a rub. with the yates memo
2:10 pm
re-emphasizing and put in place a process about going after individuals and then, of course, the pilot program where we're seeing in the letters, a reference in the letters that the companies must cooperate against the individuals. and, you know, the rub is that if a company and certainly by now corporations out there in america know that you have to have an effective compliance program. i would say that at least my experience is that most companies have very strong robust programs. and so if a company is, in fact does -- comes to their attention that there is an allegation of wrongdoing involved in -- amongst their employees or an employee, a rogue employee, the company is set up to handle that. from an hr perspective. and to remediate, you know, to investigate it and remediate it.
2:11 pm
the question is, is the company obligated to tell the department of justice so that they can now go after that individual criminally? of course the department hopes that would happen. that's where the carrot is and the department has the hammer of coming after the company, if it can, for that employee's conduct. so i think that, you know, one of the benefits to the pilot program is that it does encourage companies to come in and as leslie said on significant matters, matters that it, too, has determined to be significant, to cooperate and to enhance through remediation that presumably they, too, are making in the form of punishment, possibly termination and that sort of thing. and at the same time, making
2:12 pm
sure that it does not get dragged in and get indicted and hence lose the value and especially if it is publicly traded is the shareholders that will lose that value. i think that companies may, in fact, find that it is important for themselves as a corporation to go and disclose even though it has remediated and taken care of its -- those individuals. but not every time do i think that it's necessary to go into disclose when the company has taken the remediation steps that need to be taken. what sometimes happens -- here is a criticism of what has historically happened and what i believe the pilot program is trying to address. and i don't think it's been around long enough to see if it's actually working in this regard is that often when a company went into
2:13 pm
disclose and disclose this incident or this scheme or this group of people engaged in x, y, z, often because this is a conference room practice, the prosecutor across the table from you will say thanks for that. you know, go off and investigate. come back. we'll deal with. but i also want you to look at blah, blah, blah, and it becomes a sprawling investigation. the pilot program -- i know every time she takes notes because she wants an answer. i'm going to give the answer right now. the pilot program has a time limit or self imposed, we're going to try to get this done quickly. leslie and the chief of fraud and others have been very vocal about not wanting to boil the ocean. and that is something i do think is a very worthy effort and goal for the department. because that will scare off companies and has scared off
2:14 pm
many companies from coming in and disclosing, believing that we may have to disclose profits and pay fines and we may have to pay millions of dollars in legal fees to investigate ourselves way beyond the problem and not because there's issues out there but because the department wants us to. >> so i think that first everyone should know to the extent that you don't already, very few companies have a legal obligation to report things like an fcpa violation to the u.s. government. the only companies who may have an obligation are defense contractors who in certain circumstances might have to report a violation of the law if it relates to one of their contracts. and companies that are already under some kind of disposition with u.s. government, like a deferred prosecution agreement that they agree going forward if something bad happens during the term of the agreement, that they will report it. they have to report that.
2:15 pm
other companies don't have an obligation to report to doj violations of the fcpa. they may have obligations to other regulators for other violations. but they don't have that obligation for us. on the issue of the type of investigation that we expect, i've seen over the years a lot of companies that did way too broad investigations. and in my experience, that wasn't the result of what doj told them to do. doj may say person x who paid bribes in indonesia is also the country manager in malaysia. did you look in malaysia? but they're not going to say if you have a bribe in china, you better look at the entire world. but i've seen companies do that. i've seen -- there's one company that i'm thinking of that had a kind of a one off situation in china. and they did an investigation of the entire world. similar situation of a company in russia. did the entire world. they may have good internal business reasons why they want to do that.
2:16 pm
but we are not going to be the ones telling them to do that. >> i do think that is a change. there have been times that it's been the idea of the line attorneys to go out and look at other locations. and that's in years past. i do think that the effort and the stated objective to really be more surgical helps companies in making the decision to disclose. because it's not going to be so fearful if, in fact, not only you say it as chief of the criminal division and the chief of fraud and the chief of the fcpa unit, but it's pushed all the way down to the line attorneys and the u.s. attorneys' offices throughout the country that you should not be boiling the ocean and you should stay surgical on the issues that are at hand.
2:17 pm
>> there are some cases that you do have to boil the ocean but those are few and far between. >> can we shift the focus a little bit now to something you addressed, miss caldwell, and that is the relationship with other states around the world? we have a couple major treaties, the oecd convention, we have the u.n. convention dealing with anti-corruption. what is the relationship again between these treaties and the department's enforcement of the fcpa? >> we work very closely with -- we're a member of the oecd working group on bribery. we go to all the meetings. we participate very closely with them. we brainstorm with them and other member countries. we also work with the countries involved in the u.n., the u.n. effort. we have informal relationships in addition to treaties with countries all over the world. we have information sharing. the fcpa area has really helped us across the board in the
2:18 pm
criminal division because the relationships that we formed with law enforcement and with regulators in a lot of other countries have really helped us investigate a lot of other kinds of cases. a really important example that we see every day is cyber crime. the relationships that we developed in the fcpa space have translated into relationships with cyber investigators and cyber crime. to me, cyber crime is the thing that keeps me up at night as the aag of the criminal division. it's the scariest thing out there. it pervades everything. so the relationships have really helped. we have formal relationships through the treaties and then we have a lot of informal relationships, prosecutor to prosecutor, agent to agent that have really helped us expand. and the other thing is that i think our example in the fcpa space has led a lot of other countries to take anti-corruption more seriously and to bring their own actions.
2:19 pm
they prosecuted a corrupt official. >> if i could just follow up on a couple of questions in that regard. as defense counsel representing a company who may have an issue in another country, one of the questions that is always considered in whether you go in to disclose is, is the government going to find out about it. is the u.s. government going to find out about this issue? let's say in this hypothetical in this other country your client's sub does have a local investigation going on into the very issue. could you tell us -- i know that
2:20 pm
even your predecessors emphasized collaboration with other governments. is there a lot more and is it continuing to grow that prosecutors are actually picking up the phone and calling each other? does it in fact happen that a prosecutor in another country will pick up a phone and call into doj and say we've got this issue with one of your u.s. companies? >> yes, that happens and probably more frequently it happens that law enforcement in one country will call us or we will call them. that happened in a case we have recently done involving government officials of a venezuelan oil company that were taking bribes. we recently prosecuted several individuals in connection with that case. i think it's probably pretty rare these days when there's a really big fcpa case that it's not multijurisdictional and
2:21 pm
we're not working with or speaking to and reaching out to foreign officials. yes. that's just going to keep getting more and more pervasive. >> are there certain countries where the relationship between our prosecutors and their prosecutors are pretty tight, where there's a lot of back and forth? >> yes. many of the european countries, but also some countries you might not expect such as indonesia. we do a lot of back and forth with switzerland notwithstanding switzerland's reputation of not wanting to work with other countries. we do a lot of work with the uk, with the netherlands, a lot of work with scandinavian countries. there are certain countries we don't really do work with, for example, russia, china. although i have to say china very recently has started being much more proactive internally in anti-corruption cases and taking them much more seriously.
2:22 pm
we have a matter right now that involves cooperation with china which is pretty, pretty new. we'll see how that goes. >> in the same vein, i think i recall because i think attorney general eric holder announced it in a speech before that there have been meetings with the prosecutors from various countries that have come together to share strategies, techniques, that sort of thing. are those meetings still happening? >> yes, in fact they happen all the time. i would be surprised if there's not someone from the money laundering section sitting in another country. one good example is the fifa investigation, the world soccer governing body. that's something that's involved countries from all across the world. a lot of collaboration, a lot of discussion among prosecutors and investigators. another thing that we try to do
2:23 pm
is when we're doing something where there are multiple jurisdictions involved we try to make it where the company has one big resolution so they're not paying us 100% of the penalty and switzerland 100% of the penalty. and the sec 100% of the penalty. we try to make it like a pie. we try to make the pie the right size and divide up the pie. we can't always control that, but we try to control that. in fact, the people we have the most trouble controlling that with are u.s. state regulators. >> as a defense counsel, when we're trying to assess disclosure, obviously we're assessing the government may find out about it and we're in another country trying to figure out are those local authorities going to learn about it, are they going to pick up the bat phone and call doj or is the press going to find out about it. i know u.s. prosecutors look at
2:24 pm
the newspapers and figure out where to serve subpoenas. i remember that when i was in the eastern district in new york. in fact, i might have learned it from you when you were my chief. are you using a mechanism at department of justice to monitor foreign newspapers? >> yes. we follow foreign reporting just as we follow u.s. reporting. we recently learned about a really cool app that somebody has at the geneva airport. the app monitors the tails of private jets that land at the geneva airport. it identifies the owner of the tail, looking at the tail it identifies the owner. we learned one of our targets, who is the current vice president of equatorial guinea -- i tell you this because this is all public knowledge. we have seized a lot of his
2:25 pm
assets, including one of my favorite cases, united states versus one michael jackson bad tour glove. he was collecting michael jackson memorabilia. one of the things he had was the little white glove. anyway, his plane landed in geneva last week. and it was there for about an hour and then it left. we know about that because of this app that somebody created. the app records the tail number and it says dictator from name of that country landed in geneva. dictator departed geneva. >> oh, my goodness. >> geneva is lovely, but you usually go for more than an hour. >> in that vein, in the law faculty we offer a course on anti-money laundering. for the next generation of lawyers learning these tools, i don't think the app is in the game yet. that's a wonderful revelation. can i ask you, are there situations where you
2:26 pm
would simply defer to a foreign prosecution? say they have the resources. it appears there's a lot of activity that occurred in the foreign country. we trust them to get this right, but to be vigorous and fair in their prosecution and therefore not allocate our resources that way? >> yes, we do. we do that all the time. the key to that is vigorous and fair. we may not have confidence anything is going to happen in the other country. we also don't want companies to forum shop to go to a country that doesn't have strong anti-corruption enforcement and try to use that as a shield against us doing something when we have a stake in what was done in the underlying criminal conduct. we defer all the time. for example, the individuals were being prosecuted by saudi arabia and brazil. there was no reason for us to also try to prosecute those individuals. in another case we resolved the
2:27 pm
case with the netherlands. we did part of the case. they did part of the case. so we do that all the time. >> great. i have been reading in the press just concerns about the enforcement not just in the fcpa but in other areas of u.s. laws abroad and the perception that perhaps the united states is delving too far into foreign legal systems. this could be hurting business activity in a profound way, the notion that the united states has now become the world police. how do you address that allegation? >> so we don't have time to be the world police. we really only focus on things that affect us. one example where we were accused of being the world police, the department was negotiating a resolution with a french bank. bnpp was very vocal to the degree of taking out newspaper
2:28 pm
articles and having president hollande trying to raise the issue with president obama about the fact we were prosecuting the bank and targeting french companies. in fact, there's been some french legislation proposed to try to thwart us from doing that. germany may think we're doing the same thing with germany. the volkswagen case, it's an ongoing investigation. i won't say more than what has been in the press. vw sent cars to the united states knowing that they violated our environmental laws, lied about it, and put those cars out on the road, hundreds of thousands of cars. should we be prosecuting that? should we be looking at that? bnpp was dealing with iranian and sudanese clients. they had a very large business line dealing with countries sanctioned by the united states. they were dealing with those countries not outside our borders, but using our banking system and using our banks.
2:29 pm
they had internal compliance memos where the compliance people would write e-mails which we had saying this violates u.s. sanctions law. this is illegal. they sought opinions from two u.s. law firms. is this illegal? the law firms said yes and they kept doing it. they decided it was more important to get the money from the business than to follow what they viewed as a political u.s. law, the sanctions regime. so i think that we try to keep our focus on cases where it does affect our system. we don't want our system to be used to evade sanctions. we don't want our system to be used for dirty money, as a haven for dirty money. we don't want our companies to be disadvantaged when other companies are paying bribes all over the world. i don't think we're out there prosecuting things we barely have jurisdiction over. we're really trying to focus on the things that we have a real interest in. >> i'll say from a defense perspective that the jurisdictional question is one
2:30 pm
that you really need to stay focused on whenever you are asked to assist a company in looking into an allegation of wrongdoing. because if there's conduct abroad, no u.s. folks involved, very little touch to the u.s., if any, it has been my experience and also my understanding from others that that kind of argument really in today's fcpa group really can resonate and it should for the reasons leslie has just said. the department of justice should not be the global police, but it is -- especially when you're doing an internal investigation, it can be very, very tedious in terms of finding evidence that there's no jurisdiction.
2:31 pm
it can be very difficult because you're basically trying to prove the negative. but i encourage folks who are in this practice to -- from the very beginning to really focus on the jurisdiction or lack thereof because it can make a huge difference in the end result. >> great. thank you. we have about 25 minutes and have ample time for questions from the floor. i have additional questions as well, but i see we have students from around the world who are here. we have i know members of the press that are here and of course members of government agencies and from private law firms. if you have a question, please raise your hand and she'll get the microphone to you. if you could introduce yourself, we would appreciate that. >> we weren't shy, so don't be shy.
2:32 pm
>> i'm with a publication called global investigations review. are you able to talk more about the cooperation you were talking about with the china case in terms of what type of case is it? could you talk a little bit more about what that cooperation involves? >> i can't talk about specific cases because they're ongoing, but we have cooperation with china in a corruption case. we have cooperation with china in an intellectual property case. and we have some cooperation with china in a cyber case. it's spotty. it's early. it's too soon to say whether this is a brave new world where we're going to be working hand in hand with china on a lot of things. the chinese economy is a huge economy as is ours, and we have a lot of mutual interests in protecting intellectual property
2:33 pm
and preventing bribery. we are starting to do a little bit of work with the chinese. >> it's also been my experience that the chinese government has become more aggressive in enforcing its own laws. i was on the planning committee for, but the aba hosted its first white collar conference in conjunction with the bar in china and this was last fall, last november in shanghai. a number of prosecutors and judges and defense bar from china were there, and there was a lot of talk about how aggressive not only is the government now but how they expect to continue to grow, which i do think that means there's going to be more collaboration with the u.s. authorities. and given how the u.s. economy and u.s. companies are going there and are there, i certainly think it's prudent as the member of the defense bar to be
2:34 pm
counseling clients to make sure you have very good compliance programs in operation, this includes ratcheting up issues at headquarters so they can get addressed. i've seen situations where raids can happen and headquarters necessarily doesn't know about it for a while. >> karen, are you talking in the context of international companies in china? >> yes. >> so doing business around the world? >> yes. >> i have a question about the chinese. >> introduce yourself, please, matt. please introduce yourself, where you are from. >> my name is matt. i'm from china and i'm an international law student here. my question is regarding the cooperation between america and
2:35 pm
chinese about corporations. especially the fcpa. i know now that chinese governments have become more and more aggressive attacking corruption issues, but on the other hand so many people talking about the chinese government attacking anti-corruption. the campaign is to attack another part of chinese government, some government officials with different opinions. it is obvious the government started several years ago. why do you possibly review the corruption information to you? especially under fcpa.
2:36 pm
how do you evaluate whether you should charge those corporations? do you take a holistic view? do you take some political consideration? >> in corruption cases generally, we often see other countries accusing people of corruption. sometimes the people who live in the united states are accused of corruption in the country where they came from and we have to see whether we get -- for example, there might be a prosecution of that person in the other country and the country may be seeking extradition for that person to be sent back to china -- china is a bad example, but a country where we have a lot of extraditions going back and forth. we have to figure out whether and i will use mexico as an example. we have a lot of extradition with mexico. we have to figure out if this is a political case or is this a real criminal case before we extradite the person to face
2:37 pm
charges. we definitely kick the tires when we hear the allegation that a person is corrupt. we have seen an evolution in china from nonenforcement to anti-corruption to arbitrary enforcement of anti-corruption to i think we're seeing now a more even handed, still not perfect, but more even handed enforcement of anti-corruption. i'm not an expert on china or its anti-corruption efforts, but i think part of the reason we're seeing that is china realizes if it wants to be a leader in the global economy, it has to be more transparent and less corrupt. >> very interesting because it does raise the issue of having skills in your office to deal with political issues and understanding the politics in a country too. yes, sir. >> this is a follow up on the last question. china is a country that people are tortured in detention,
2:38 pm
particularly sometimes political opponents. they have trials that are bogus. it's a very -- obviously from a u.s. perspective, it's a very flawed justice system. how do you make sure if you're sharing information with chinese authorities on corruption investigations that it's not going to end up being used for types of activities that would frankly violate u.s. standards or just be really embarrassing for the u.s.? >> so i don't know that we've had an example where -- if we have, i don't know about it. an example where we've shared information with china or another country and they've used that information to persecute somebody or torture somebody in this corporate context. and i think that we don't -- our relationships with our foreign counterparts, investigative counterparts and law enforcement
2:39 pm
counterparts, tend to grow in baby steps. it has to be a matter of trust. i'll give you an example from just a few years ago. we had a very contentious relationship and lack of trust relationship with of all entities the u.k. regulators. we were fighting with u.k. regulators. we didn't trust them. they didn't trust us. and we've gradually because we've worked on a bunch of cases with the u.k. developed a really good working relationship with the u.k. to the point where we're considering embedding one of our prosecutors in one of the u.k. law enforcement agencies to sort of help those relationships. with these other countries that we don't have a longstanding relationship, we have to develop the trust and the confidence that whatever enforcement action they might take is a real one, an appropriate one, and a fair one. we're not interested in feeding political dissidence to china and other countries.
2:40 pm
so that they can be abused inappropriately. we're cognizant of that. we really want to understand what's going to happen and what the system is before we provide evidence that could be used in a trial to another country, including even the u.k. >> can i follow up with a question? karen, is this an issue in your day-to-day practice? nothing specific, but the kind of political ramifications that were raised from the question. >> i certainly think that companies establishing and operating their compliance programs in dealing with allegations of wrongdoing and then making the kind of disclosure decisions that we were talking about earlier all need to factor in those issues. the issues that are swirling around that particular country and enforcement climate.
2:41 pm
>> right. >> i want to move off of china a little bit and go back to the transparency you were talking about. the recent settlement papers have all included the guidelines calculation when it comes to penalty, which i think a lot of people appreciate that aspect of transparency. but what i have noticed a lack of is a discussion of how the number that represents the proceeds of the crime has been arrived at and same thing when it comes to calculating disgorgement. i was wondering if you could talk a little bit about how that number gets calculated and arrived at. >> speaking like a lawyer, it varies from case to case, but i think the disgorgement amount is usually the profit. if you pay a bribe to get a $2 million contract and your profit on that contract is $1 million, you have to disgorge that $1 million.
2:42 pm
there are criminal fines and penalties which are in addition to whatever you made off the contract and those depend on a variety of factors. how pervasive was the crime, who was involved, was the company a recidivist. there are a lot of factors that are considered and it is very case specific. so when we reference the guidelines, we should be referencing whatever application notes of the guidelines we considered, which we may not say the third time the -- we probably would say that, but we probably wouldn't say this went up to the ceo level, but we'll reference the notes. if you want to go look them up, you can see what exactly those are referring to. we're trying to be as transparent as we can without putting every single fact in and making the documents too unwieldy. >> can i make a comment about the transparency point that's set forth in the documents? earlier, i said i had some concerns with the pilot program
2:43 pm
and the detail that's in some of these letters causes me to have concern from the perspective of it may actually deter some companies from wanting to disclose if in fact they think their arm is going to get twisted by the department of justice to agree to the publication of that letter. i know that there's been already talk in the defense bar and within corporate america as to does the department require you to agree, is it part of the settlement discussions, even if they say you don't have to agree is it expected and are you going to feel pressure. as a result, i do think that that type of transparency that is public could be a deterrent
2:44 pm
because you necessarily would not see all of that detail in a public document, especially if say, for example, you're a privately held company and you otherwise wouldn't have any sec type disclosure. so one thing that i would encourage the department of justice to consider doing -- and i'll ask leslie on the spot if anyone is thinking about this, and that is obviously transparency when you're negotiating a settlement is very important for the lawyer across the table from you to have a robust and truthful and transparent conversation on how they arrive at these numbers so you get a fair settlement. that is very important and very good. to then take it the next step and put it out into the public so that the rest of the world can see it, i see some good to that if in fact you're not twisting the arm of a company to do it.
2:45 pm
it obviously tells the rest of us how doj has arrived at something. but if there's undue pressure, what i would encourage the department of justice to do is do it on a no name basis. publish the detail. publish the information as to the outcome, but don't give the information about what company is at issue. that would still serve the purpose of being informative and also could attract the disclosures the department is seeking. >> so i think we've had this conversation within the department about how much detail should be included under the pilot program if there's a declination. i think the cases you're talking about we had declinations with two private companies. normally when we do fcpa cases, most are public companies and most are with the sec.
2:46 pm
in most cases where we declined, the sec will file an action. it will be an action in which the company will probably neither admit nor deny liability. that is a public document. when the department gets disgorgement from a company, it's because -- this was the case with the two companies recently -- they're not subject to the jurisdiction of the sec. but we feel very strongly under the pilot program we can't let them keep the profits that they got through an admitted bribery, but we don't want to have secret disgorgement arrangements with companies.
2:47 pm
the world doesn't know they entered into a disgorgement agreement. karen being a very skilled defense lawyer wants to have full transparency of what the result is likely to be, but doesn't want anyone else to know about it or at least that her client had the result, which is what i would do too if i were in her shoes. from our perspective, a big benefit of the pilot program is we can put out there in detail less than if we had entered into a deferred prosecution agreement but still enough detail to show a crime was committed and that bribes were paid and that businesses won as a result of those bribes and that notwithstanding the fact this company violated the fcpa by paying bribes because they did everything they were supposed to do under the pilot program, they are going to get a benefit. they can decide whether they want to participate in that program. they can decide it's not worth it to them to have their name out there in a two or two and a
2:48 pm
half page letter as opposed to a long detailed agreement, but from our perspective it's very important to be transparent not just with the companies, but with the public about what we're doing and why we're disgorging money from the company. in the wake of those two recent resolutions, we have gotten quite a number of calls from companies because we laid out the fact in one instance there was $500,000 in bribes paid. we gave a declination. that, i think, has resonated with a lot of companies. oh, i didn't think we would get a declination if we had 500,000 in bribes. we think it's a good thing. i understand why companies wouldn't necessarily want it. the benefits of the pilot program are worth the relatively mild pain of that. i think you really have to compare it to what you would normally get in an sec resolution if the sec were involved in the case.
2:49 pm
>> leslie, are you saying it is in fact a requirement that a company must -- do you even ask for the consent? >> our position is the resolutions should be public. if the company is going to be required to disgorge, we don't want that to be something that's done in secret. we want that to be done in public. we feel that -- we hear all these different voices. we hear people saying all you're doing is extorting money. there are companies that are willing to pay money if we would just keep quiet and go away. that's not how we want to operate. we want to show a basis of why this company is paying this money, a bribe was paid, the law was violated, but the company did everything we asked them to do under the pilot program and now they're getting a benefit. world, here's what we're doing and why. we think it is really important they be public. i don't know that we've ever -- i don't know enough about the dynamic in those two cases that
2:50 pm
we demanded they do it against their objection because we think it is appropriate. >> as was just said, from a defense counsel perspective, what's going to happen then is what happens anytime you're negotiating a deferred prosecution agreement, is that you're going to be debating the language. the declination letter is turning into something between what we used to get in a declination when there wasn't disgorgement because the one thing the pilot program has brought to the table is there has to be disgorgement between private companies. previously you could get a declination without that. you get a short, sweet letter. never be made public. now we've got the pilot program that's given us something between that, what it used to be like and the non-pros and
2:51 pm
deferred pros where you now have a letter that is, in fact, going to be made public that has language about the conduct. and it's important as to defense counsel that you, because this is what you do whether it's the s.e.c. or doj, the non-pros, is that you try to really address how the language is going to read because the impact it can have on your brand, it can have a tremendous impact on your company, whether you're publicly held or not. so it's -- it is, you know, something that companies, when companies are trying to evaluate whether to voluntarily disclose, participate in the pilot program or not, you know, these are factors that they should consider and would consider. >> great. >> hi. i'm dan. i'm a law student here at gw and my question is about disgorgement and if there was a
2:52 pm
violation of the fcpa and then there was a profit and the company has paid taxes to the government on that profit. how are those taxes factored into the disgorgement and what's the rationale behind that? >> so, sadly, most companies don't pay taxes on income that they earn overseas or they pay very little taxes, but we would not take that into account. we would require disgorgement of the entire profit, but i honestly have never seen that scenario because most companies operating overseas don't pay taxes, certainly not taxes attributable directly to that transaction. >> i'm ben and i'm coming from -- the question i have related to disgorgement as well as the pilot program is that to what extent can we assume that the real historical declinations that always were a sweet and
2:53 pm
short letter nowadays will pretty much be cases where there is very little evidence of an actual bribe, and the reason i say that is because it seems to me that if you hear about a case and the company, let's say, refuses to participate in the pilot program and refuses to disgorge, you will not allow them to have a short letter or a declination anymore. i'm trying to see the line. >> so i think we still do declinations in cases where for whatever reason we can't prove our case. so we may conclude a bribe was paid but we lack jurisdiction, so we may decline prosecution for that reason. we may think that the circumstances were very suspicious, but we can't -- we couldn't prove a bribe at the end of the day. so we might issue a declination, and those would be short declinations. the kind you were talking about. it's only when we conclude that the company has violated the
2:54 pm
fcpa and they're reaping the benefits of the pilot program that we feel that we need to -- if we conclude that they have violated the fcpa and they should disgorge. for example, if we don't have jurisdiction, we're not going to be asking for disgorgement. if we don't think that we could prove there was actually a bribe as opposed to money went missing and we don't really know where it went, it could be corrupt employees embezzling, we're not going to ask for disgorgement, but when we think we can prove there was bribery and we're going to decline prosecution because the company did everything we asked in the program, we think it's very important for us to lay out that there was a crime and that because of the company's conduct and the way they addressed the problem, we're going to decline prosecution but they're going to give back their profits. >> we have time for one more question. >> thank you. i'm mark. i'm a reporter. i have a question for you about
2:55 pm
restitution. at the last big conference of the uncapped countries, a number of countries put forward a resolution in essence asking that the developed countries make available part of the proceeds in fcpa cases, and in particular i believe some of those countries wanted to be able to participate in settlements as they're being negotiated. has that issue come to the fore in the department, and what is the department's view on that? thank you. >> so i haven't heard that exact issue in the fcpa context. we see that issue or a variation of that issue in the kleptocracy context where, for example, when we seized $800 million in swiss bank accounts that belonged to the corrupt uzbek official, there was one claimant to that money, the government of uzbekistan. so we see that. that's obviously something that
2:56 pm
the people who were involved in the wrongdoing were associated with the government of uzbekistan, so we would have to -- we wouldn't necessarily be willing to agree to give the money back to them because they might just put it back in a different pocket. so in the kleptocracy context, that's a typical thing, where the government, wherever the corrupt official was, that government will claim an interest in the funds, so we do deal with that. we generally fight that. we recognize that the entire government is not corrupt and that the government itself was a victim in some way of the corruption of its official, but we try to work to get the money -- to the extent we're going to be giving money back to the country, we work to get the money back to them in a different way so we can be sure it's not going to be used by the corrupt officials just to be put back in a different swiss bank account. i haven't seen it in the fcpa context but i could see sort of a similar rationale might apply, that we don't want to give bribe
2:57 pm
proceeds -- we don't want to give money that was paid to get contracts through bribes back to potentially the same officials who got the bribes. >> well, please join me in thanking leslie caldwell for this wonderful presentation, particularly with regard to transparency as to the work they do on a daily basis, but the fact you're here and talking about these important issues, and from the -- thank karen popp for the perspective from practice, and i think that we were able to get a nice balance on the issues and something that i think developed the issues with the perspective from the government and from the private sector. so thank you very much for coming. please join me in thanking the panelists. [ applause ] >> and we will have a reception
2:58 pm
outside across the hall in the d. kelly lounge. tonight a discussion on school segregation throughout history with investigative journalist nikole hannah-jones. that event hosted by the columbia journalism school airs tonight at 8:00 eastern on c-span. now, also this evening a panel looks at how the trump administration could approach health care issues and drug pricing. that event hosted by the milken institute in new york on c-span2. this weekend on american history tv on c-span3, saturday evening at 7:00 eastern from president lincoln's cottage in washington, d.c. we'll have a conversation with candace shy hooper about her book "lincoln's
2:59 pm
generals' wives." >> so you can see too that women have a means of reinforcing either the best in their husbands or the worst, and that's what this study is. >> then at 10:00 on "real america," the 1953 film "american frontier." >> they flashed the word from the field to the office in willisston and then to the central office in oklahoma. day and night our little telephone board was lit up like a christmas tree. calls from new york, california, houston. bit by bit we began to realize how big a thing this was. >> the film promoted the financial benefits for farmers of leasing land for oil exploration and was funded by the american petroleum institute. sunday morning at 11:00, panelists discuss the life and legacy of novelist, journalist, photographer, and social activist jack london and how his
3:00 pm
novel "the call of the wild" influenced generations of western novelists and writers. >> he always looked back to the natural land, to his ranch, to the beautiful scenery in california and elsewhere in the south pacific to center himself and to find release and relief from the rigors and the depredations of the cities. >> at 6:00 eastern on american artifacts we visit the military aviation museum in virginia beach. >> this airplane among a couple other types basically taught all the military aviators how to fly and many guys had never seen an airplane, coming from the farms and anywhere you can think of, and the first airplane they saw was the boeing stearman. >> for our complete american history tv schedule, go to cspan.org. here are some of our
3:01 pm
featured programs thursday, thanksgiving day, on c-span. just after 11:00 a.m. eastern, nebraska senator ben sasse on american values, the founding fathers, and the purpose of government. >> there's a huge civic-mindedness in american history, but it's not compelled by the government. >> followed at noon with former senator tom harkin on healthy food and the rise of childhood obesity in the u.s. >> for everything from monster thick burgers with 1420 calories and 107 grams of fat to 20 ounce cokes and pepsis, 12 to 15 teaspoons of sugar, feeding an epidemic of child obesity. >> then at 3:30, wikipedia founder jimmy wales talks about the evolution of the online encyclopedia and the challenge of providing global access to information. >> once there's a thousand entries then i know there's a small community there. there's, you know, five to ten
3:02 pm
really active users. there's another 20 to 30 that they know a little bit, and they start to think of themselves as a community. >> a little after 7:00 a look at the years-long effort to restore and repair the capitol dome. at 8:00, justice elena kagan reflects on her life and career. >> then i did my senior thesis which was a great thing to have done, it taught me an incredible amount, but it also taught me what it was like to be a serious historian and to sit in archives all day every day, and i realized it just wasn't for me. >> followed by justice clarence thomas at 9:00. >> genius is not putting a $2 idea in a $20 sentence. it's putting a $20 idea in a $2 sentence without any loss of meaning. >> and just after 10:00, at an exclusive ceremony in the white house, president obama will present the medal of freedom, our nation's highest civilian award, to 21 recipients,
3:03 pm
including nba star michael jordan, singer bruce springsteen, actor cicely tyson, and philanthropists bill and melinda gates. watch on c-span and cspan.org or listen on the free c-span radio app. and now to a house hearing on the cyber security of electronic and internet-connected devices that people use daily. we heard testimony from witnesses who made recommendations for how congress can best address cyber challenges while protecting consumers in the public and private sectors. held by two energy subcommittees, this is 2 1/2 hours.
3:05 pm
>> i'll call to order the subcommittee on communications and technology and our joint committee hearing with the subcommittee on commerce, manufacturing, and trade. good morning, everyone. i'll start with opening statements for our side and for our subcommittee, and then i think we go back and forth. so we'll work this out. i want to thank the two subcommittees for coming together on this very important topic that i think we all share a deep concern about. we live in a world that's
3:06 pm
increasingly connected. our smartphones are now capable of locking and unlocking our front doors at home, turning on lights, checking the camera for packages left on the doorstep. we're able to measure our steps, check our baby monitors, record our favorite programs from wherever we have connectivity. we'll soon be able to communicate or -- we can communicate with our offices, too, but commute to our offices in driverless cars, trains, buses, have our child's blood sugar checked remotely and divert important energy resources from town to town efficiently. these are incredible potentially life-saving benefits that our society is learning to embrace. but we are also learning these innovations do not come without a cost. in fact, recently we encountered a denial of service attack on a scale never before seen. this attack effectively blocked access to popular sites like netflix and twitter by weaponizing unsecured network devices like cameras and dvrs.
3:07 pm
once these devices came under the command and control of bad actors, they were used to send dns requests that rendered the dns servers ineffective. as i understand it, at the beginning of this attack, it was virtually impossible to distinguish malicious traffic from other normal traffic, making it particularly difficult to mitigate against attack. so how do we make ourselves more secure without sacrificing the benefits of innovation and technological advances? a knee-jerk reaction may be to regulate the internet of things. while i'm not taking a certain level of regulation off the table, the question is whether we need a more holistic approach. the united states cannot regulate the world. standards applied to american-designed, american-manufactured, american-sold devices won't necessarily capture the millions of devices purchased by the billions of people around the world so the vulnerabilities might remain. any sustainable and effective solution will require input from all members of the ecosystem of the so-called internet of things.
3:08 pm
we'll need a concerted effort to improve not only device security but also coordinate network security and improve the relationships between industry and security researchers. we're all in this thing together. and industry, government, researchers, and consumers will need to take responsibility for securing this internet of things. so today we'll hear from a very distinguished panel of witnesses on some of the approaches that can be brought to bear on this challenge. my hope is that this hearing will help to sustain and accelerate conversations on our collective security and foster the innovation that makes the internet the greatest engine of commerce our world has ever seen. i thank our witnesses for being here. we appreciate your willingness to share your expertise. and i look forward to your testimony. at this time, i would yield to ms. blackburn for an opening statement. >> thank you, mr. chairman, and i also want to welcome our witnesses. and we appreciate your time. you know, we did an internet of things hearing in march 2015,
3:09 pm
and at that point i talked a lot about the convenience that this brings to us in our daily lives and about the opportunities that it will open for us. i think now as we look at it, as the chairman said, you look at the cost. you look at the maximized use that exists. i think that by 2020 the expectation is 3.4 billion devices that would be in this universe of connected. that means we have vulnerabilities that exist, entry points, and we'll want to discuss some of those vulnerabilities with you today, get your insight, and see how we as policymakers work with this wonderfully exciting, innovative area in order to make certain that americans have access but they also know that there is, as the chairman said, security as
3:10 pm
we approach that, and with that, mr. chairman, i yield back. >> gentle lady yields back the balance of her time. we'll now -- i'll yield back the balance of my time as well. now turn to my friend from california, the gentle lady ms. eshoo for opening comments. >> thank you, mr. chairman. first of all, i want to express our collective thanks from this side of the aisle to you for responding to our request to have this hearing. mr. pallone, mr. mcnerney, ms. schakowsky, and we all made the request and we were grateful to you for holding the hearing because we think this is, obviously, a very large issue and something that concerns the american people. in fact, americans are
3:11 pm
connecting more devices to the internet than ever before. most of us carry at least one in our pocket, but as technology evolves, we're seeing a proliferation of everyday items and appliances that connect online. this is good. today everything from washing machines to lightbulbs are now capable of connecting to the internet. the business world also relies more and more on the internet. in fact, internet-enabled objects to drive their efficiencies to produce lower costs. there are as many as 6.4 billion -- billion with a "b" -- internet of things products in use worldwide this year. the growth in this market is expected to be significant, including estimates of over $20 billion internet-enabled products connected worldwide by 2020. so this is not a small market. it makes it a very large issue. it is an economic one, and we
3:12 pm
don't want to damage that, but it's something that needs our attention. there's great potential for innovation as more devices become connected. but there's also the potential for serious risk if they're not properly secured. that's really what we're pursuing here. we need to look no further than the major attack on october 21st that crippled some of the most popular websites and services in our country. the distributed denial of service attack against dynamic network services, known as dyn, was made possible by unsecured internet of things devices that attackers were able to infect with malware. this army of devices was then harnessed by the attackers to bring down dyn's servers. similar attacks in october targeted a journalist and a french cloud services provider. these attacks raised troubling questions about the security of
3:13 pm
internet-enabled devices and their potential to be used as weapons by cyberattackers. for example, it's been reported that some devices used in these attacks may have lacked the functionality to allow users to change the default user name and password. we already know that an important way to prevent cyberattacks is to practice good cyberhygiene which includes changing default user names and passwords. when products lacking the common sense functionality are manufactured, shipped and eventually connected, they put users and the internet as a whole at risk. so it seems to me that this is an area that we need to explore with our witnesses. there's also the issue of how long these unsecured devices can remain in use. the dyn attack reportedly used infected devices that were first manufactured as early as 2004.
3:14 pm
manufacturers may no longer update products that have been in use for so long, further exposing users and the internet to security risks. finally, we have to recognize that this is a global issue. level three communications estimates that a little more than a quarter of these devices infected with the malware that was used in the dyn attacks are located in the united states. one of the major manufacturers of products that appear to be particularly vulnerable is based in china. this is important to keep in mind as we explore how to address this problem going forward. so this hearing, i think, is a very important step in helping us, first of all, to all understand what lessons we should take away from these recent attacks. the internet of things offers exciting possibilities for innovation, but we can't afford to ignore the risks that come when devices are designed without security.
3:15 pm
whatever the ultimate solution is, i think industry must play a central role in the effort to address these issues, and i look forward to hearing from our witnesses today. you play a very important role in this. with that, thank you again, mr. chairman, for allowing this hearing to take place, and i yield back the balance of my time. >> the gentle lady yields back the balance of the time. the chair now recognizes the gentleman from texas, dr. chairman burgess. >> thank you, mr. chairman, and good morning to our witness panel today. thank you, mr. chairman, for holding the hearing and allowing us to have this discussion about the recent cyberattacks. several popular websites were knocked offline for several hours on october 21st of this year. hackers used malware to create a botnet, a gargantuan amorphous mass of connected devices to
3:16 pm
flood a domain server with terabytes of traffic overwhelming the system and preventing legitimate traffic from accessing those devices. in this case, the result was brief, but the outages were on consumer facing websites. the incident is unique in that it wasn't someone's desktop or laptop but it was the armies of compromised devices that launched these attacks without the knowledge of the device owners. many of the devices are regular household items such as baby monitors, dvrs, web cams, and many consumers do not realize they do need strong cyber protections on even these everyday devices. but that's exactly why this attack and others like it have been so successful. the malware that created this botnet spread to vulnerable devices by continuously scanning the internet for internet of things systems protected only by the factory default manually generated user names and passwords. the balance between functionality and security is not going to be resolved in the near term.
3:17 pm
consumers want the newest and fastest device. they want it as soon as possible, and they have not employed adequate security protections. in fact, the most common password is the word password. the culture surrounding personal cybersecurity must change to ensure that the internet of things is not vulnerable to a single insecure device. the subcommittee on commerce, manufacturing, and trade has explored cybersecurity through a number of hearings, including our disruptor series. cybersecurity, the issue of cybersecurity has been raised and discussed at each of these hearings. the government is never going to be big enough to have the manpower and resources to address all of these challenges as they come up, which is why it is so important and i'm grateful we have industry here today to discuss this with us because they must take the lead. recent attacks present a unique opportunity to examine the scope of the threats and the vulnerabilities presented by connected devices and learn how
3:18 pm
stakeholders are considering these risks throughout the supply chain as well as how consumers are responding in the market. we have learned about a number of best practices and standard-setting projects that are ongoing with various groups. it's an exciting time in the growth of interconnected device, the growth of the internet of things. it's really going to be life changing for so many -- in so many industries. but we also need to see meaningful leadership from industry about how to address these real challenges. again, i want to welcome our witnesses, and i'm pleased to yield the balance of my time to the gentleman from ohio, mr. latta. >> thank you very much. i appreciate the gentleman for yielding. and i also appreciate the -- both chairmen of both subcommittees for holding this very important subcommittee hearing today on the cybersecurity risks associated with connected devices. the last month we witnessed one of the largest distributed
3:19 pm
denial of service attacks. the attack against dyn revealed the impact that a lack of adequate security measures in these devices can have on the broader internet community. by simply exploiting weak security features such as default user names and passwords, hackers could leverage hundreds of thousands of network devices and compromise several major websites. that is why it's essential under the internet of things device manufacturers, security by design and have the ability to apply patches or upgrades. consumers must be vigilant in securing devices in order to guard data and fully experience the benefit of the internet of things. as the co-chair of the committee on the internet of things working group, i am all too familiar with this issue. cybersecurity is among one of the most common things that's mentioned in all of our working group briefings. no matter the -- no matter what type of iot from health to energy applications, securing
3:20 pm
devices, protecting consumer data is a top priority. today we are reminded that there's a need for iot security guidelines that keep pace with rapidly evolving technologies. however, there is a delicate balance between oversight and regulatory flexibility, and we must encourage the industry to establish best practices that will not hinder innovation and protect consumer privacy and security. and with that, i appreciate the gentleman for yielding, and i yield back. >> the gentleman yields back his time. we'll now turn to the gentlelady from illinois, ms. schakowsky, for opening comments. >> with each report of a new cyberattack, americans increasingly realize how vulnerable their devices are. on october 21st, americans lost access to sites such as twitter, amazon, and spotify because of a massive distributed denial of service or ddos attack against dyn, a domain naming system company. in the wake of that cyberattack, i joined with representatives
3:21 pm
pallone, eshoo, degette and mcnerney in requesting a hearing like this. i appreciate it very much that we're having it on this important issue. we need to better understand our vulnerabilities and update federal policy to stop such attacks in the future. the motivations of hackers vary from identity theft to actually undermining public trust. they go after consumers, businesses, and even presidential elections. the u.s. intelligence community found that hackers supported by the russian government put their thumb on the scale in 2016. i strongly believe that use of cyberattacks by a foreign actor to manipulate our democracy should be troubling to everyone. this problem does not go away now that the 2016 election is over. the day after the election, a wired article reported, quote, that russia perceives those
3:22 pm
operations as successful, experts say will only encourage similar hacks aimed at shifting elections and sowing distrust of the political processes in the western democracies, unquote. everyone, whether your candidate won or lost last week, must grapple with this, and i hope that we'll work on a bipartisan basis to protect our democracy from foreign interference. russian hackers exploited holes in security on computers and servers. the hackers that carried out the october 21st ddos attack directed their attack through the internet of things. the internet of things is usually -- is uniquely vulnerable to cyberattacks. iot devices often have less protection from malware and manufacturers are often slower to install security patches. manufacturers put consumers at further risk by using default passwords or hard-coded credentials.
3:23 pm
once hackers find out what those passwords are, they can hack hundreds, thousands, or even millions of devices. that's what happened in the dyn attack. hackers accessed an army of iot devices by exploiting default passwords. they then used that army to attack dyn. traffic from the iot devices overwhelmed the service and shut it down, which in turn cut off americans' access to many popular websites. you don't have to be a tech expert to see the terrifying potential for future cyberattacks. so it's time now for action. two weeks ago, ranking member pallone and i called on the federal trade commission to work with iot manufacturers to patch vulnerabilities on their devices and require the changing of default passwords. we also called on the ftc to alert consumers about potential security risks. we need stronger cybersecurity standards for all devices that could be attacked or used to launch a cyberattack.
3:24 pm
given the nature of cyber attacks, we cannot count on iot manufacturers to do the right thing on their own. they have little financial incentive to improve security, and their customers may not even realize when their devices are being used to harm others. consumer watchdogs like the ftc must take a leading role in promoting cybersecurity and holding companies accountable when they fail to provide adequate protections. unfortunately, at the same time that the threat to consumers from cyberattacks is rising, the republican majority is pushing legislation to reduce the ftc's authority and cripple its enforcement capabilities. stopping irresponsible behavior by companies requires strong consent orders and the ability to pursue privacy cases. the so-called, quote, process reform, unquote, bill that republicans reported out of committee would threaten the ftc's ability in those areas. instead of rolling back consumer
3:25 pm
protections, we need to face today's cyberthreats head-on. consumers can't afford to be left vulnerable and in the long run manufacturers can't survive a pattern of high-profile cyberattacks that undermine consumer trust in their products. in mr. schneier's written testimony, he called the dyn attack, quote, as much a failure of market policy as it was of technology, unquote. we should not be content with failure any longer. i want to thank the chairman for listening to our request for a hearing, and we have to continue our work on this issue in the months and years to come. >> the gentlelady yields back her time. we thank you very much for your request. we share in this concern, obviously. it's a bipartisan issue. we look forward now to the testimony from our expert witnesses. we're glad you're all here. we'll start with mr. dale drew, the senior vice president, chief security officer for level 3 communications. mr. drew, welcome. thank you very much. turn on your microphone and have
3:26 pm
at it. >> chairman walden and burgess and ranking members eshoo and schakowsky, thank you for the opportunity to testify on behalf of level 3 communications regarding the recent cyberattacks on our nation's communications landscape and the risks posed by vulnerabilities found in iot devices. level 3 is a global communications company serving customers in more than 500 markets in over 60 countries. given our significant network footprint and amount of traffic we handle on a daily basis, level 3 has a unique perspective on threats facing our landscape. several years ago we established the threat research labs to actively monitor communications for malicious activity helping to detect and mitigate threats on our networks, our customers, and the broader internet. every day our security team monitors more than 48 billion security events, detecting over 1 billion unusual or suspicious pieces of traffic. the proliferation of iot devices represents tremendous
3:27 pm
opportunities and benefits for consumers by connecting cameras, lightbulbs, appliances and other everyday items to the internet. the lack of adequate security measures in these devices also poses significant risk. vulnerabilities in iot devices stem from several sources. some devices utilize default and easily identifiable passwords that hackers can exploit. others use hard coded credentials that users are not able to change. many lack the capability of updating their firmware forcing customers to monitor and update themselves. the global nature of the marketplace means many products are manufactured in and shipped to foreign countries that have yet to embrace sound and mature cybersecurity practices. iot devices are also particularly attractive targets because users often have very little way to know when they've been compromised. unlike a personal computer or phone, which have endpoint protection capabilities and the user is more likely to notice when they perform improperly, compromised iot devices may go
3:28 pm
unnoticed for longer periods of time. in september 2016, level 3's threat research labs began tracking a family of malware targeting iot devices. the bad actors were leveraging the infected devices to create ddos botnets impacting not just those devices but potentially anyone on the internet. the malware has affected nearly 2 million devices on the internet. it resulted in major multiple websites going offline and the new attacks are alarming for their scope, impact and ease in which the attackers have employed them. also worrisome is these attackers relied on just a fraction of the total available compromised iot nodes in order to attack their victims demonstrating significantly greater havoc for these new threats. level 3 detected approximately 150,000 iot devices to generate more than 5 gigabytes a second. a significant amount of bandwidth. the primary motivation for these
3:29 pm
attacks appears to be financial. hackers utilized ddos to overwhelm businesses, threaten to take their business offline unless they pay a ransom to the attacker. in other cases, they are out to create mischief. although level 3 has not been a direct victim of these attacks, we're proactively taking steps to address these. we have contacted manufacturers of compromised devices to inform them of the problem and for them to take appropriate action such as firmware updates or recalls. we've engaged in a public awareness campaign to educate consumers and businesses about the risk of iot botnets and steps they can take to protect themselves. we're also working with our industry partners to monitor this evolving threat and implementation of mitigation techniques. with the exploding proliferation of iot devices, so too will the threats they pose continue to expand and evolve. it will be imperative to work collaboratively and address and mitigate iot security risks that we can reap the benefits of this
3:30 pm
exciting and transformative technology. thank you again very much for the opportunity to testify, and i look forward to taking your questions. >> mr. drew, thank you for taking time out of your schedule to be here as well. we greatly appreciate it. now turn to mr. bruce schneier, a fellow at the berkman klein center at harvard university, lecturer and fellow at the harvard kennedy school of government and special adviser to ibm security. thank you for being here. we look forward to your testimony, sir. >> thank you chairman walden, burgess and ranking members. committee members, thank you for having me, and thank you for having this very important hearing. i'm bruce schneier. i am a security technologist and while i have an affiliation with harvard and ibm, i am not speaking with any of them and i'm not sure they know i'm here. >> it's a secret. nobody on the internet knows either. >> as the chairman pointed out, there are now computers in everything, but i want to
3:31 pm
suggest another way of thinking about it, in that everything is now a computer. this is not a phone. this is a computer that makes phone calls. or the refrigerator is a computer that keeps things cold. an atm is a computer with machine inside. your car is not a mechanical device with computers, but a computer with four wheels and an engine. and this is the internet of things. and this is what caused the ddos attack we're talking about. i come from the world of computer security, and that is now everything security. so i want to give you four truths from my world that now apply to everything. first, attack is easier than defense. for a whole bunch of reasons. the one that matters here is that complexity is the worst enemy of security. complex systems are hard to secure for an hour's worth of reasons. and this is especially true for computers and the internet. the internet is the most complex machine mankind has ever built by a lot, and it's hard to secure. attackers have the advantage.
3:32 pm
two, there are new vulnerabilities in the interconnections. the more we connect things to each other, the more vulnerabilities in one thing affect other things. we're talking about vulnerabilities in digital video recorders and webcams that allowed hackers to take down websites. there are stories of vulnerabilities in a particular account that -- i saw one story, vulnerability in an amazon account allowed hackers to get to an apple account which allowed them to get to a gmail account and a twitter account. target corporation. you remember that attack. that was a vulnerability in their hvac contractor that allowed them to get into target. and vulnerabilities like this are hard to fix because no one system might be at fault. there may be two secure things that come together and create insecurity. truism three, the internet empowers attackers. attacks scale.
3:33 pm
the internet is a massive tool for making things more efficient, and that's also true for attacking. the internet allows attacks to scale to a degree impossible otherwise. we're talking about millions of devices harnessed to attack dyn, and that code, which somebody smart wrote, has been made public. now anybody can use it. it's in a couple of dozen botnets right now. any of you can rent time on one, on the dark web to attack somebody else. i don't recommend it. but it can be done. and this is more dangerous as our systems get more critical. the dyn attack was benign. a couple of websites went down. the internet of things affects the world in a direct and physical manner. cars, appliances, airplanes, there's real risk to life and property, real catastrophic risks. fourth truism, the economics don't trickle down. our computers are secure for a bunch of reasons.
3:34 pm
the engineers at google, at apple, microsoft, spend a lot of time at this, but this doesn't happen for these cheaper devices. ms. eshoo talked about this. these devices are lower profit margin that are offshore. there are no teams and a lot of them cannot be patched. those dvrs, they can be vulnerable until someone throws them away. and that takes awhile. we get security. i get a new one of these every 18 months. your dvr lasts five years, your car for ten, your refrigerator 25. i'm going to replace my thermostat approximately never. so the market really can fix this. the buyer and seller don't care. mr. burgess pointed this out. the buyer and seller want a device that works. this is an economic externality. they don't know about it, and it's not part of the decision. i argue that government has to get involved. that this is a market failure, and what i need are some good regulations.
3:35 pm
and there's a list of them, and dr. fu is going to talk about some of them, but it's not something the market can fix. and to speak to mr. walden's point, yes, i'm saying that a u.s.-only regulatory system will affect the products in the world because this is software. the companies will make one software and sell it everywhere. just like, you know, automobile emissions control laws in california affect the rest of the country. it makes no sense for anybody to come up with two versions. and i think this is going to be important because this -- for the first time, the internet affects the world in a direct and physical manner. and the second point i'll make very quickly is we need to resist the fbi's calls to weaken these devices in their attempt to solve crimes. we have to prioritize security over surveillance. it was okay when it was fun and games, but now already the stuff on this device that monitors my
3:36 pm
medical condition, controls my thermostat, talks to my car. i've just crossed four regulatory agencies, and it's not even 11:00. this is going to be something that we're going to need to do something new about. and like many new technologies in the 20th century, new agencies were created. trains, cars, airplanes, radio, nuclear power. my guess is this is going to be one of them, and that's because this is different. this is all coming whether we like it or not. the technology is coming. it's coming faster than we think. i think government involvement is coming. i'd like to get ahead of it. i'd like to start thinking about what this would look like, and we're now at the point, i think, where we need to start making moral and ethical and political decisions about how these things worked. when it didn't matter, when it
3:37 pm
was facebook, twitter, e-mail, it was okay to let programmers -- to give them a special right to code the world as they saw fit. we were able to do that. but now that it's the world of dangerous things, that it's cars and planes and medical devices and everything else, that maybe we can't do that anymore. and i don't like this. i like the world where the internet can do whatever it wants, whenever it wants at all times. it's fun. this is a fun device. but i'm not sure we can do that anymore. so thank you very much, and i look forward to questions. >> thank you very much. appreciate your comments. now to dr. kevin fu, ceo of virta labs and from the university of michigan. >> good morning, chairman walden, burgess, ranking member eshoo and schakowsky and distinguished members of the joint committee.
3:38 pm
my name is kevin fu. i represent the academic cybersecurity research community. i am, as you -- at the university of michigan where i conduct research on embedded security. my laboratory discovers how to protect computers built into everyday objects from mobile phones and smart thermostats to pacemakers and automotive air bags. i'm also ceo and co-founder of the health care security start-up virta labs. i'm testifying before you today on the insecurity of the internet of things as related to the recent attacks on dyn. i'll provide a perspective on the evolving cybersecurity risks framed in the broader societal context. in short, iot security remains woefully inadequate. none of these attacks are new. none of these attacks are fundamentally new, but the sophistication, the scale of disruption, and the impact on infrastructure is unprecedented. let me make some observations.
3:39 pm
we are in the sorry and deteriorating state because there's almost no cost to a manufacturer for deploying products with poor cybersecurity to consumers. has a consensus body or federal agency issued a meaningful iot security standard? not yet. is there a national testing lab to verify and assess the premarket security of iot devices? no. is there tangible cost to any company that puts an insecure iot device into the market? i don't think so. so i'd like to highlight eight observations about this iot insecurity. number one, security needs to be built in to iot devices, not bolted on. if cybersecurity is not part of the early design of an iot device, it's too late for effective risk control. two, good security and bad security look the same at the surface. three, the health care community does not issue different advice for flu transmitted by cough versus flu transmitted by
3:40 pm
sneeze. similarly, both connected and disconnected iot devices carry significant cybersecurity risks so it's important to consider both conditions. four, the millions of insecure iot devices are just a small fraction of what the iot market will resemble in 2020, and it will get much worse if these security problems remain unchecked. five, unlike inconvenient security problems for your tablets or notebook computers, iot's insecurity puts human safety at risk. innovative systems will not remain safe if they are not secure. six, i consider security a solution, not a problem. better cybersecurity will enable new markets, promote innovation, and give consumers the confidence to use new technologies that improve the quality of life. seven, maybe surprising, but there are over 209,000 unfilled
3:41 pm
cybersecurity jobs in the usa, and that's just this country. and eight, the nation lacks an independent testing facility at the scale of a federally funded research and development center as a proving ground for testing premarket iot cybersecurity crash worthiness and testing embedded cybersecurity defenses. let me conclude with five recommendations to protect our national infrastructure. number one, incentivize built-in hygiene by establishing meaningful milestones encouraging use of strong cryptography in these products. two, support agencies such as the national science foundation, the national institute for standards and technology to advance our understanding of iot security and to train the hundreds of thousands of students necessary for a robust cyber security workforce. three, study the feasibility of standing up an independent national embedded cybersecurity testing facility modeled after,
3:42 pm
for instance, post-incident initiatives such as the national transportation safety board. incident prevention initiatives such as the national highway traffic safety administration, nhtsa, and the survivability and destruction testing at the nevada national security site. number four, i recommend leveraging the existing cybersecurity expertise within agencies such as nist, dhs and darpa and, five, i believe that universities, industry, and the government must find the strength and resolve for protecting our national infrastructure through partnerships and that investments in embedded cybersecurity will pay great dividends to our society and our economy. i would like to close just by thanking you for the invitation to testify on what i think is a very important subject for our country. the committee can also find photos of illustrative iot problems in water treatment facilities, hospitals and more in the appendix of my written testimony, and i'd be happy to
3:43 pm
take your questions. thank you. >> dr. fu, thank you. and thank you to all of our witnesses. this has been very enlightening. we appreciate your testimony and recommendations for our consideration. i guess i'll start with a couple of questions as we try and wrestle this issue. over the last six years, we've done multiple hearings on cybersecurity threats to the united states. we've had multiple panels come before us and testify, and i think almost entirely they said, first, do no harm. be careful when you lock things in to statute because you can misallocate our resources and our opponents will know what we have to go do and we can't get out of it, and they'll just go do a work around. so how do we establish a framework that would both be appropriate here but have an effect internationally because we don't make all the devices and we may have market power but we're not the biggest market anymore. how do we create a national
3:44 pm
framework where the stakeholders are driving this in realtime and we don't do something stupid like lock certain requirements into statute? mr. drew, can i start with you and we'll just work down the panel? >> i think -- i think the best place to start is with standards. i think the best place to start is for us to define how we intend on solving this problem on the devices themselves. industry has a number of standards with regards to how they operate these platforms once they purchase them but they don't have standards on how they're supposed to be manufactured to be secure premarket. so i believe if we were to start with standards and apply pressure -- so i'm as an industry, i am under pressure to implement standards in order to be able to serve businesses and serve consumers. i think if we start with that standard, then we're able to apply that pressure, and to the extent that pressure can be applied globally, i think that we can get some traction and some momentum before we have to start regulating.
3:45 pm
>> all right. mr. schneier? >> i'm also a fan of standards. and your question is a really important one. how do you do it properly as to not -- >> it's a balance. >> stymie innovation and i think the answer is to make them technologically invariant. i continue to look at the pollution model as something, what works and what doesn't. what works is here is the result we want. figure out how to do it in the most cost effective way possible rather than legislate, here's the process, the technology. the standard has to be technologically invariant. you had a driverless car hearing yesterday. and i think it's somewhat similar. we're going to make standards on the driverless car manufacturers to do things properly, but we're going to assume an environment where there exists, you know, malicious cars out to get you. so we'll have to deal with the rogue devices. we can't assume that everything on the internet or everything on the roads is going to be benign and secure. but standards will rise -- raise the tide.
3:46 pm
but, yes, we have to do them properly. you do them wrong, and it will stifle innovation. do them right, i think it will help innovation. >> dr. fu? >> yes, i think there are ways you can do this without stifling innovation. i believe that a well designed cybersecurity framework will actually promote innovation. i'll try to avoid the technical side, but i'll just say, you know, of course, encoding mechanism would be unwise. if you decide to encode that all forms must be signed in blue ink, that didn't assume the existence of esignatures in the future. so you should be very careful of encoding mechanism. however, principles you can encode. i would say that nist has done a relatively good job encoding principles. there is no perfect standard. but it will be very difficult to build in security if we don't have these principles set in place, and it needs buy-in from industry. it needs to have government leadership as well.
3:47 pm
but it's all about setting those principles which many are known for over 30 years in the cybersecurity community. >> all right. most helpful. the extent to which you can think about this some more and give us your ideas on how to actually get it to the right place, because this is my concern, that if we're not careful, we lock something in and it's so hard to change statute, and we don't want this to be an innovation killer in america. we actually want to lead on this and get it right. i don't think i want my refrigerator talking to some food police somewhere. it just is what it is. so we need to get this thing right. so thank you for being here. at this point, i will return the balance of my time and turn to my friend and colleague who has been very involved in this, ms. eshoo from california. >> thank you, mr. chairman. and thank you to each one of you, the witnesses. i think you were absolutely terrific.
3:48 pm
i have legislation that i introduced that speaks to this issue. it hasn't really gained much traction. but what you said today i think put some wheels on it because it is about security without damaging innovation. we do -- we talk a lot about the attacks that take place, but we don't really focus on prevention. throughout the valley, silicon valley, no matter who i've met with, i've asked them the same question. what would you do about this? and to a person, they've spoken about hygiene, the lack of hygiene in systems, number one. and number two, the lack of
3:49 pm
good, solid security management. i don't think -- let me put it in the positive. i think we need a good housekeeping seal of approval on this. and i think that, and my bill called for nist to set the standards, not the congress, because we really don't know anything about that. and we miss the mark, we'll miss it by a wide mile. exactly. so i also think in listening to you, especially mr. schneier, that this is an issue that should be included in national infrastructure legislation because this is part of our national infrastructure, and it deserves the kind of protection that you spoke to because, as you said, everything is a computer. it's not just the computers over at the dod. we're carrying them around in
3:50 pm
our pockets, driving them, et cetera, et cetera. so given that, what is the framework for it? how would both mr. schneier, dr. fu and mr. drew, what would it look like? what would it look like? we place -- i'm giving you a blank slate. what would you write on that slate to be placed in the national infrastructure bill? whoever wants to start. mr. schneier? >> i actually think we need a new agency. the problem we're going to have is that you can't have different rules if it has wheels, propellers, makes phone calls or is in your body. that's just not going to work. these are all computers. we're going to have to figure out rules that are central.
3:51 pm
>> wait. we have a continuing new majority. so i don't think they want to create an agency honestly that this thing needs to get done. they don't like that stuff. >> so i think -- >> new agencies, new regulations, we're dead in the water. but we can't leave this issue to be dead in the water. our country deserves much better. and so i'm really not joking. it is a little bit of fun but, you know. >> i don't think it's going to go that way. >> oh, good. >> they're getting involved regardless. the risks are too great and the stakes are too high. nothing motivates a government into action like security and fear. in 2001 we had another small government, no regulation administration produce a new federal agency 44 days after the terrorist attacks.
3:52 pm
something similar happens in the internet of things. there's no cyber security expert that will say, sure, that will that. i think you're going to have a similar response. so i see the choice is not being government involvement and no government involvement. i'd rather think about it now even if you say you don't want this. because when something happens, and the public says something must be done, what do you think 1,000 people just died? that we have something more than, i don't know, let's figure it out fast. so i agree with you. i'm not a regulatory fan. but this is the world of dangerous things. we regulate dangerous things. >> doctor, can you do something in five seconds? >> i would say we are going to have some serious trouble if we don't answer these questions. i fear for the day when every hospital system is down, for instance, because an iot attack
3:53 pm
brings down the entire health care system. i think you need to spend more time on the free market. i know working with manufacturers that the engineers there are brilliant. they are often not given the time of day from their executives. they are often not given the resources to do their job. what you need to do is give those people the ability to do something and incentivize their executives. >> thank you very much. most helpful. thank you, mr. chairman. >> i would just point out we're all engaged on this, both sides. my friend and i like to have back and forth all the time. we like to say what we are for or against, which we may or may not. we are trying to find a solution. we scheduled this back in october right after the attack. and as soon as we were back in town, we were having it. we will continue to march forward. i turn to the gentleman from
3:54 pm
texas, mr. burgess. >> it's been a fascinating discussion back and forth. before i knew about the internet of things i was invited to microsoft in washington. they showed me the house they had. in fact, the house was named grace. you know, you walk up to the door, grace turned the lights on, set the thermostat for the temperature that you wanted. as you came into the kitchen, grace might suggest a meal for you. like mr. walden, i worried that grace's refrigerator would communicate with the bathroom scale and lock down the blue bell ice cream on me. so it's an interesting world in which we've arrived. mr. drew, i'm really fascinated by your comment and your written testimony about the incentive for someone to do
3:55 pm
this in the first place. and we've all heard since 9/11 sometimes you have to think like a criminal or think like a terrorist in order to outsmart them. you referenced the monetization. i get on ransomware, you have to give bitcoins to some dark website. how is your doorbell conversing with twitter? i don't know how that works. >> what we are seeing is the botnet operators are operating hundreds of thousands of nodes and renting them out to people to be able to attack web sites and hold the web sites for ransom. if you don't pay me $20,000, your website will be offline for three days. it is 40 to 45 attacks a day, 16 grand an attack. >> that is happening right now? >> it's happening right now. >> i know you're not in law
3:56 pm
enforcement. what is the response of law enforcement who are supposed to be enforcing the laws? >> they are working diligently to find out who is in charge of the botnet, as well as the renters of the botnet and making arrests in order to curtail this. but what we have seen is the internet of things changed the nature of the game of this where it's much easier to break into those devices. they go unnoticed for longer periods of time. >> here, this is one of the things that bothers me about this. until we had this headline grabbing attack because it was so massive, you don't hear about someone being busted for holding someone hostage for $17,000 so you unlock their hospital records or whatever was going on. one of the things it has talked about is making the public aware. you can't have your password as password or 1234.
3:57 pm
but there needs to be a societal understanding of reporting crimes when they occur. and to some degree, these need to be publicized much more than they are. i have heard from folks in the fbi that, yeah, there is a risk that a hospital that gets stuck with one of these things is simply embarrassed. and they don't want to go public with the fact that they paid the $17,000. you are given instructions how to get the bitcoins, where to deliver them. so that is actually easier than going to law enforcement and dealing with all the things that would happen with law enforcement. but that's absolutely critical. and never in any of the discussion of this that i have seen so far has there been really the discussion of what happens to people who are caught who perpetrate this? and it should be swift and severe and public.
3:58 pm
i suggest another hearing shot at sunrise. i'm not trying to be overly dramatic. but if you lock down medical records and icu is a patient dies as a consequence, that is a capital crime. anyway, i know we're not going to solve all the problems today, but i just wanted to put those concepts out there. this is relatively new for most of us. i think one of the things i like about what the subcommittee did on data security was -- on data breach notification was set the standard we don't prescribe the technology. because the technology changes much faster than congress. i'm nervous about creating new federal agencies. we could delete two for every one we create. i have two to recommend to the league very quickly that deal with health care. but i know the standards need to
3:59 pm
be there. and the other thing is we have a massive job as far as informing the public. that's part of this hearing today. i hope we carry that forward quite seriously. thank you, mr. chairman. i yield back. >> the chair recognizes the gentlelady from chicago. >> let me ask all of you, but let me start with mr. schneier. you have talked how government has to play a role. but i'm wondering from you and from anyone, given that computers are ubiquitous and your example targeting through the hvac system, which is shocking to me, but is there a role for consumers, consumer education, consumer action, or is this beyond us now for individuals to actually play a
4:00 pm
role in security? >> i think there's a role for some. but really we're asking consumers to shore up lousy products. it shouldn't be there are default passwords. it shouldn't be you have to worry about what links you click on. these devices are low profit margin and made offshore. the teams expand. and the buyer and seller don't care. so i might own this dvr. you might own it. you don't know if it was used. you don't know if it's secure or not. you can't test it. and you don't care. you bought it because of the features and the price. you purchased it because of the features and the price. the fact that it was used by this third party, not him but by a third party to attack this other site,t'