role in security? >> i think there's a role for some. but really we're asking consumers to shore up lousy products. it shouldn't be there are default passwords. it shouldn't be you have to worry about what links you click on. these devices are low profit margin and made offshore. the teams expand. and the buyer and seller don't care. so i might own this dvr. you might own it. you don't know if it was used. you don't know if it's secure or not. you can't test it. and you don't care. you bought it because of the features and the price. you purchased it because of the features and the price. the fact that it was used by this third party, not him but by a third party to attack this other site, it's something that

the market can't solve because it is not a market -- the market isn't involved in that. so i don't think i can educate the consumer. it is putting a sticker says this costs 30%. i'm not sure i would get a lot of sales. >> in 2015 the federal trade commission suggested best practices to address security vulnerabilities. device manufacturers should test security measures before releasing products, minimizing the they collect and retain. and frankly it seems surprising to he me that manufacturers are not already taking these steps. but you're saying right now there are no real incentives. so is that what we need to focus on? >> i think we should. i think we forget the incentives rights the technologyists will

figure it out. the incentives aren't there. we incentivize price, futures. that's what we buy because that's what we can see. i don't think i can get consumers to pry open the hood and look at the details. it's beyond the consumers i know. and it shouldn't be their problem. it shouldn't be something they have to worry about. >> so let me ask mr. drew and dr. foo if you want to comment on that. >> i largely agree with my colleagues here. from a business perspective, there's a lot of incentive to make sure the products i buy, the software that i buy and follows specific standards are manufactured correctly before i put them in the network. i do provide that incentive to those manufacturers. consumers, on the other hand, don't have that incentive.

they have the incentive of public events. it has been adaptable and flexible that when there is a large sort of trip or mistake over security they become more aware. and then they push those requirements and those demands back to the manufacturers by purchasing products they feel more comfortable with. so i'm going back to standards. i'm going back to certifications and standards. you see that seal of approval on the device. you know that's a device that will be more protected than another device. you don't want your refrigerator talking to your scale or your thermostat talk to go your doorbell. >> my time is running out. i would like dr. foo to weigh in. >> even if a consumer wants -- not many consumers are where they need security. when they want security it's hard to get. let me take the example of the hospitals asking why ransomware

gets into hospitals. they can't get the manufacturers to provide them with iot medical devices that can withstand the threat of malware. how much will you pay for it? we think it should be built in. it's a public good. well, how much are you going to pay for it? everything will be driven by economic factors. the problem is the consumer group is thought to be a public good. from the manufacturing standpoint is how much are you going to pay for it. that is a question that needs to be resolved. >> thank you. i yield back. >> the gentlelady yields back. and the chair recognizes the gentlelady from tennessee for five minutes. >> thank you so much, mr. chairman. i want to go back. i mentioned the sisco stats. i think they rolled out of my mouth the wrong way. i want to clarify for the record. we are currently at 3.4 iot devices per person.

and by 2020, we're going to be at 50 billion iot devices. and that is the magnitude of this vulnerability that we have. we move from a physical application to the virtual space. professor foo incident to come to you. misch cow skeu just mentioned that. in the area that i represent, nashville area, there is a lot of health care and work that is done utilizing iot devices in the medical field. and as you look at the security of course that's concern, you look at information share. you get vulnerabilities. but you mentioned in your

testimony going back on pages 5 and 6, iot device tend to have safety consequences or involve physical manipulation of the world that could easily lead to harm. and then you go on to say a number of hospitals suppressed concern about the iot devices. so talk to me about mitigation strategies and what you see with these devices and then what special considerations must be given to health care technology and to the medical devices and how should we go about dressing that? >> thanks for the question. unfortunately, i don't think i'll be able to give a satisfying answer. because at the moment if you were to be a fly on the wall in the boardroom and discussing the topic how does iot security affect the assurance of the clinical operations being continuous, at the moment they don't have a plan.

it is will, well, we need to get a plan. what can we do. it is is usually some of the security officers saying, well, the problem is you don't know what devices we have in our hospital. we get a lot of contra band. it is known as shadow i.t. it has a great acronym. but the shadow i.t. comes in. it is typically a clinician who connects a device to a very important network. but maybe it's a music player that is simply providing comfort to the patients during surgery. they don't realize it is introducing new safety and security risks because they don't have the security baked into these devices. so the iot risk is more about having unvetted assets coming into a very safety critical arena. they don't have a good answer right now. and that's because it's not built in. >> okay. well, then let me go to mr.

drew. and the article in the "new york times" yesterday that i'm sure you all saw and are aware of, secret back door and some u.s. phone data to china. >> yes. >> mr. schneier, i assume you read that. and it looks like you did. if you take a device like that and then you have the concerns if it does get into an environment such as a hospital or a medical facility with patient information, things of that nature, so these malicious actors are out there and with the vulnerability of these iot devices, you have some of these concerns that are going to manifest themselves. so how do we make sure that the consumers and the users are alerted to the vulnerabilities

in the software and in these devices when they purchase them so if they get something like this they know to get rid of it? so mr. drew? >> i would say that the biggest sort of benefit of iot devices, the reason devices can get compromised so quickly is they all look the same. all the devices look the same. the users are not configurationing the operating system at all. that's why they get compromised very, very quickly. having the ability to auto patch. the device can call home, get a new software update and automatically upday. that is the thing that keeps that infrastructure healthy. >> thank you. yield back. >> the gentlelady yields back. the chair recognizes the gentleman from new jersey,

ranking member, for five minutes stkphrp thank you, mr. chairman. i wanted to ask mr. schneier a couple questions. looking at the attack three weeks ago, i'm sure some people may dismiss it as only a few web sites going down for a few hours. in your view, what does the attack expose cyber security generally and why are they moving from benign to dangerous? >> it's really what i talked about the world moving. the internet becoming something that affects the world in a direct physical manner. the computers are the same. we're talk building these computers in our phones, in our computers. it's the same computers that are in these cheaper and smaller devices. but while the software is the same, the engineering is the same is, there's a fundamental difference between your spread spreadsheet crashes and you lose

your data than the car crashes and you lose your life. the software is the same but the effects are night and day different. i live in minnesota. i have a thermostat i can control from my phone. if someone hacks it, they can -- not this weekend. about in the middle of winter they can burst my pipes while i'm here. that's real important different than a few web sites going down. it didn't hurt anybody. we talked about hospitals. we have seen attacks against 911 services. we're looking at our critical infrastructure, our power grid, our telecommunications network. these are systems that are being controlled by computers. hackers broke into a dam a few years ago. it didn't do anything, but next time they might get lucky. russia attacked ukraine's power grid. these are now tools of war and

of aggression. even the attacks against our election system. they are benign but next time they may not be. the election machines are computers that you vote on. >> sure. that leads me to the next question. you and others have said the insecurity of devices stems from market failure. and you even compare the problem to visible pollution. being an environmentalist, i would like to know what you mean. can you, panned on market plan. and how are these like traditional environmental pollution? >> the insecurity effects are often not borne by the buyer and the seller. the person who bought the dvr, who is still using it the next 5 to 10 years will not bear any of the costs of any of the insecurity. so the manufacturer and the

buyer too reaps the benefits. the device was cheaper. it was easier to make because it's insecure. it can be used to attack others to cause other vulnerabilities to be used in conjunction for other insecurities. like pollution, it is something in the environment that neither the buyer or seller when they enter into the market will fix. so i think the solutions are along those lines. we have to think about what is the risk to us as a group. what is the national security risk of this, for example. i mean, there is one. it is not going to be borne by the person who bought that. it will be borne by all of us. so it is incumbent on all of us to secure our critical infrastructure against this risk. so i think the solutions are very similar in conception. the tech is very different.

>> let me ask you one last question. you seem to believe regulation might be part of the solution. i heard some of the fcc argue it could constrain innovation. do you believe that? >> yes. you cannot just build a plane and fly it. you can't. because it could fall on somebody's house. and you might not care. it might be a drone. but we as society care. true for medical devices and dangerous things. it might be that the internet era of fun and games is over because the internet is now dangerous. we start talk building actual robots. but, you know, a robot is a computer with arms and legs that can do stuff. and i personally don't like killer robots. i think they're a mistake, and we should regulate them. so, yes, this is going to constrain innovation.

it's not going to be good. i'm not going to like it. but this is what we do when innovation can cause catastrophic risk. it is crashing all the cars, shutting down all the power plants. the internet makes this possible because of the way it scales. and these are real risks. >> thank you. thank you, mr. chairman. >> thank you. the gentleman yields back. the chair now recognizes the gentleman from new jersey for five minutes. >> thank you. good morning to the distinguished panel. and i certainly agree that this is one of the more interesting panels that we have had on this extremely important topic. professor foo, of your observations and recommendations, the eight of them you have given to us i would like to concentrate on three of them. number one, you state that security needs to be built into

the internet of things, devices not bolted on. could you expand on that as to how you think that might occur that the security occurs before the device has been manufactured. >> right. thank you. we off when we talk about security problems in the media and the news, you think, oh, this was a poorly implemented product. where, in fact, it was a poorly designed product. and there is a subtle difference. if you don't get security built into the early design of the iot devices, it doesn't matter how smart the engineers are, they will never be able to succeed at getting a secure device. that's why you need to build it in. if you have this residual risk that you hand off to the consumer, you can try to mitigate after the fact. but it is extremely rare,

extremely hard and extremely costly. >> how do we do that? how do we build it in initially? >> this is going to get deeper than engineering. let me say in one sentence it's about hazard analysis. it's all about understanding and enumerating and having the manufacturer which risks to mitigate and which risks to pass on. >> can that be done through the consumer market or require some sort of governmental control? we have mandated air bags in automobiles to be built into the automobile initially and not to be added to the automobile. is it your recommendation this will require some sort of governmental mandate or not? >> i do believe in the long term this will likely require some kind of governmental mandate only because in my experience working with the industry, even though they meanwhile, even the

people who can do it don't have the authority to do the right thing because they don't have the economic drivers. they often have different constituencies with each company. we didn't think about the safety of over-the-counter drugs until 1982 with the cyanide poisonings in chicago. we haven't seen that moment for iot, but we know that is there and we know it can cause harm. >> thank you. moving on, number 4 of your observation, for device already deployed, we should take comfort that millions of insecure devices are a small fraction what the market will resemble in 2020. i suppose you mean by that this is just at the beginning and there will be many, many more by 2020? >> that is correct. on a positive side, if we take an action now, we could actually win this. we could actually have a very

secure eco system. even though there are terrible, terrible problems today, we can fix it. so we shouldn't give up hope. >> can you give us a rough estimate. if we have x number of device now, how many devices will we have in 2020? >> i heard the number double $20 billion to $50 billion. so i think that is a good estimate. >> there are tens of thousands of unfilled cyber security jobs in in country existing approaches are insufficient to train a large number in the workforce for what we need in this area. based upon your experience at m.i.t. and more recently in ann arbor. what do the great universities need to do in this regard? and what do we need to do at the

level of community colleges. >> community colleges play an important role as we develop the different skill sets. there are 209,000 unfilled cyber security positions as of a year ago in the u.s. over a million globally. the problem is i think universities need to shift and adapt to the changing marketplace. right now we're overrun with students. we cannot teach the number of students who want to take our security courses and yet we're still not meeting the need. in michigan we have the automotive companies talk building 30 unfilled positions for cyber security. and they wonder why no one applies. >> thank you. my time has expired. thank you very much. >> thank you. the gentleman's time has ex board. the chair now recognizes the gentleman from california for five minutes. >> i thank the chair. and i thank the panel. this is why i love this subcommittee and this committee.

great stuff happening. i'm going to start with mr. drew. in your testimony you noted that 2 million of these iot device have been acted by this botnet. only 150,000 were used in the attack. that means there's 1.85 million left. are they still capable of carrying out new attacks or have they been neutralized in any way? >> they have tried newer portions of it. it is still 1.5, 1.6 million strong botnet. >> and they can attack not just dine servers but real physical device, is that correct? >> a botnet like this or this size, they are capable of doing a shake attack. meaning they are able to generate any protocol, any application they want from those machines to be able to direct attacks of a very specific

nature to their targets. >> so we have some hanging over us right now? >> yeah. the saving grace we have had so far, no one has been able to rent all nodes. our biggest fear another adversary sees the power of this total force and begins to adapt a text that follows a similar nature. >> we can incentivize and following up on mr. lance's question, what type of incentives do you believe would be effective in preventing the risks that you have outlined? >> i think it all comes down to accountable, whether that be economic accountability or liability. right now there isn't any kind of tappingable cost to manufacture, to deploy something with poor security. there is no benefit if they

deploy something with good security. >> thank you. this is a question to all witnesses. i would like you to answer with a yes or no. iot devices span a wide range of products. is it feasible to create one set of standards for all iot device? starting with mr. drew. >> yes. >> no. >> no. >> no. >> okay. in the alternative, the federal government could establish minimum security standards for iot devices and then direct relevant federal agencies to provide additional sector-specific requirements. would that be feasible. yes or no, please? >> i'm sorry. i missed the question. >> well, since there's a wide range of products, there might be feasible to ask the federal government to ask different agency toss apply specific standards to those devices. would that be feasible? >> absolutely. that allows people to apply specific requirements and

regulations to the area in which those devices operate. >> i think no because devices do multiple things. >> i think it depends. >> good. or not. mr. fu, several things, so many questions, so little time. you said there's no cost to produce the device with poor security. that's pretty clear. but that iot security is a solution. i mean, it should be a solution, not a problem. could you expand on that a little bit? >> right. so my fear is that consumers will not embrace technologies that improve their quality of life in the future because they don't trust that it will be safe. it won't take too many more horror stories before people start to go back to their analog ways. so i've used security as enabling. i would agree with the other

witnesses that you may see a short-term problem because you will be interrupting the product development and life cycle. in the long term we will see it producing new innovation, just like what we saw with car safety regulation many decades ago. >> very good. now, you also mentioned that devices should incorporate strong crypto security, cryptography? >> stop leading me, bruce. you can implement crypto on these devices. there are certain special cases like medical device where it is more challenging. for instance, cryptogravy, does draw more electrical power and can reduce the battery. it does cause this risk question. in the general case, it is almost always the right answer to cryptography. >> my time has run out so i would yield back. >> thank you.

the gentleman's time has expired. the chair recognizes the gentleman from kentucky for five minutes. >> thanks. appreciate you all being here. thank you, mr. chairman. this has been really informative to me. usually when i get memorandums and it uses words like bots and terabytes, my eyes glaze over. one thing mr. lance asked one of the questions i was going to ask. one thing that you said earlier, when we write the law that we are going to have to address this if and when we do, we can't be too prescriptive. i understand that. i think a lot of things we have done in ledge slating is a lot of that to the agencies. we say everything will go in good faith. but we have to make sure in a lot of other areas when an

agency gets a little leeway, it forces us to move forward. we have to find the right balance in that. you were talking about, i'm interesting in computer science technology and jobs available. you were talk building 30 full time equivalents. and all of a sudden time ran out. do you remember that thought and can you finish? >> sure. michigan is known as a state with quite a bit of manufacturing purchase and many of these industries are trying desperately to hire cyber security experts. i found one. many have come from the automotive industry. they quit fairly often to go get other jobs. you've got to understand at the career fair, you will see a line out the door for the silicon valley comes, googles and facebooks of the world. it is difficult for them to compete for this talent not only because of the insufficient number of qualified skilled workers who are trained in

appropriate security but because the competition is so great. >> hence, general electric, the young man saying i'm going to go work for a high-tech company. and they say, what, you're going to work for germ electric. sit a good marketing strategy. because they are. they make refrigerators right outside my district in louisville. and they are very high-tech. very high-tech. as a matter of fact, they were showing me one and i could not operate the refrigerator. it makes coffee. >> my refrigerator tweets. >> cyber security threats are off evolving. one is the identification of vulnerabilities. can you tell us about how vulnerabilities are shared nowadays and if you have any recommendations moving forward on information sharing. >> sure.

so there are many different ways to share vulnerabilities in the consumer world. for instance, there is a coordinating agency works in concert with dhs, with idaho national labs and other places to collect information from security researchers and provide it to manufacturers. that's just one pathway. other pathways are bug bounties, rewards directly between the researchers and the companies. and the third way that is becoming a little more disturbingly popular is just to drop it in the public before any mitigating control. >> you talked earlier about the hackers will look at the lease secure device and get in the system through that way. what is the general level of security included in consumer grade in device? have the recent attacks prompted any conversations that you're aware of about the security

included in the devices from manufacturers? >> in my own home, i have seen where anyone on the enter is net could break in and take over complete control. this is a device i picked up in one of those big box stores. i have no security on the built in. >> thank you. i yield back. >> the chair now recognizes the gentleman from new jersey for five minutes. >> thank you very much, mr. chairman. thank you for holding this important hearing to our ranking member. as we know, this is an important discussion since the proliferation of cyber attacks representing a challenge. we saw is the row livation of cyber attacks all across the country and before and afters as well being called out by our national security teams. pertaining on the development of

things which will provide robust and important infrastructure for america, we also know that there is going to be more complex and dynamic networks that result from that. dr. fu, you talked about shadow devices. the national laboratory is looking at using the data from all devices connected to a network to monitor and protect against malicious attacks. it addresses ill defined networks with devices joining and leaving. it constantly monitoring to rerespond to autonomous behavior. can you talk about looking to national assets like our national laboratories and what we can learn for tech transfer opportunities whether it is secure or open space to help us with thiessen defers? >> well, i think what i can do is i can say nist has a document

about how to do this security well. and i hope they are implementing these. you have to know your assets. it sound like that is what you're referring to. the second is to deploy controls that match the risks. and the third one we often forget as consumers in industry is to continue to monitor the effectiveness of the controlsment that's where it gets to the schiffing threat landscape. it might be effective tomorrow. might not be at all. here's where i am skeptical of some areas. most hospitals refuse to look at the security of their most sensitive networks. they are afraid of tipping of very sensitive machines. they have rebooted from very simple security products. so if you're in a facility that has nuclear materials, physical material, i would be skeptical

of a claim to see how well they survived. >> is there a benefit with working with these to assist us in the private sector? >> i think there can be a benefit for safety critical issues for places like lanil. i think there is quite a bit of expertise in what's called imbedded security. many of the national labs. however, this is a very interdisciplinary problem. i have seen it come up in my reports to different agencies. they would say i'm sorry. we don't have an update. let met try to help you. and they have a difficult time finding a partner. >> as more and more of our critical health, finance and infrastructure is brought online, are you able to speak specifically to what we can do

with securing the technology of foundation and supply chains through the internet of things, whether through semi conductor tips, secure communication calls or secure device access management? >> so this is actually i think part of the big problem. security has to go all the way down. so someone there who left talked about that phone that would send copies of text messages to china. on the plus side, it was cheaper. but you're not going to know. that could be the software. we're worried about switching equipment that we use in our country that comes from china. because we worry about the hardware. there might be a hardware switch that will face off hostilities. they are very complicated questions. anyplace in the stack we can cause insecurity that affects

the others. lots of people are working on this. this is an extreme worrisome issue when we deal with global manufacturing. this is an american device in china. many are made in countries that might not be as friendly to us at all times as we would like. while we have tech that will detect these things, it is an arm's race. right now there is an edge on the attacker. it is easier to hide a vulnerability. now we also use that. the nsa uses it to spy on our enemies. so there is some good here too. by and large, it is is dangerous. >> maybe i will submit a question on boundaries pertain to go hardware and we can have an extended conversation in that space. >> i'd be happy to. >> thank you. the gentleman's time has

expired. and the chair now recognizes the gentleman from texas for five minutes. >> i thank the chair. welcome, mr. drew, mr. schneier, and dr. fu. i have to admit last night i lost a little sleep preparing for this hearing all because we focused on september 21st of this year when a botnet launched a strike that on the crest on security over 600 gig bits per second swarmed them. and then a month later oerbg, o october 21st, the same bad actor in dine. as a naval aviator, working as senior staffer for two texas senators and four terms of the house, i know the biggest threat

to our security and our prosperity is not bombs, it's not missiles, it is cyber attack and cyber security. ones and zeros. but bothers me most about what happened earlier this year, is the execution was exactly what coach mchugh told me when i was 9 years old on the football field he drew a line in the sand. here's a defender. here's two of them. we'll swarm them. score a touchdown. that's exactly what these guys did. nothing hard. nothing new. yet they had the success of having 600 gig bits per second swarm nonsecurity. and so in this environment you can't be reactive. you have to be proactive. our government has to be proactive. now, i said the word government

and said proactive. looking around the room here, some people shook their head and smiled. they know those words don't go together. but somehow we have to come together to address this problem. and dr. fu, i love your term about we have to have it built in, not bolted o. i know mr. lance asked questions about that. but i want to further elaborate on it. say you went crazy and you ran for congress. you won. you're a member of this committee. what do you think we should do to help out our american economy to make sure we are proactive instead of reactive? what's our role here in d.c. >> thank you. let me first correct the built in not bolted on. that is a phrase my community has been using for many years. mr. schneier is behind that quite a bit. but i would say to get out in

front of this problem and be proactive we haven't even done, if i were talking with my students, i would say you have to do your prelab before you do the real work. that is actually going out and getting firsthand information from some of these constituents. i'm doing that. that's where i'm getting my firsthand information from executives and engineers. i can't relay to you in this manner because you haven't seen the people i've talked to. i think that needs to happen. there needs to be congressional visits to these sites. i need to go to universities. they need to see where the struggles are happening. the barriers? i believe likely after you see the same problems i'm seeing, you're probably going to start thinking we need to have inseptember issive systems built in economically. i don't know what they will resemble? could they be financial

penalties? maybe? is it about corporate liability? perhaps. i don't know the answer on the mechanism but i know we need more congressional visits about these sites to know where the problems are borne. >> congressman drew, how laws, if you could write laws, how would you write the laws to help your organization to overcome these incredible challenges we have in cyber attacks? >> i believe -- i agree entirely with us having the right incentives whether i'm business buying technology or consumer buying, that we have the right incentives. i completely agree with that mind-set. and i do think that there's a significant number of existing frameworks with regard to each of those ideals around health,

safety, convenience and use with regards to the sets and technologies. >> your comments about how would you approach this from a government perspective role? >> i think we have a serious problem and we have in a lot of areas. the speed of technology exceeds the speed of law. that probably changed in the last decade. now it is reversed. so we need to figure out a reliability structure that is technologically invariant. we can't focus technology and rely on them but people and incentives. that is invariant. technology will change. you're right. these are kindergarten stuff. it is basic. it's not sophisticated. sophisticated stuff is worse. >> thank you. i yield back my time. >> thank you. the gentleman yields back. now the chair recognizes the gentleman from ohio. >> thank you, mr. chairman.

thank you, gentlemen, for joining us today. having spent 30 years of my professional career and information and technology, i want to get a little bit more into the technical aspects of some of the things we're talk building this morning, particularly traditional ddos versus these connected device ddos attacks. mr. drew, as i understand it these ddos attacks have been around almost as long as the internet itself has. they have certainly gotten worse the last few years. for traditional ddos attacks, we know how to the defend them against using techniques like ip address, black listing, or white listing an ip pocket inspection as well as other techniques. can you tell us a bit more about those defensive techniques, why they have been successful in defending against traditional

ddos attacks? >> i would say every three years or so, we encounter an evolution of capability with regards to dos attacks. every three years or so, we have somewhat of a backbone impairment event on the global internet that is resulting of adversaries developing new capability based on new weaknesses or new technology and directing that tecapability to e backbone. i would say the community at large has been fairly proactive and reactive in investigating what the bad guys are doing, the techniques that are evolving and shaping and making sure our capability to respond is built into the platform or in some cases bolted on by redirecting traffic and scrubbing it. so what i would say is what scarings us about iot attacks is just the typical scale.

the typical botnet involved in the past couple of years to the last decade has been in the tens of thousands. we now have the potential of devices in the millions. and network capability for filtering and scrubbing is not scaled at that sort of a factor. so it's something we are taking with great notice and pause to make sure we can invest in our technology to prepare for that. >> is it safe to say the majority of the defensive techniques have worked because they target the way that traditional ddos attacks use spoofing and amplification. >> with regards to what the seaffic looks like definition ishas an upper and lower control that is fairly well understood. so the technology is geared to be able to operate within that sort of control parameter. it's really the big issue is the

scale in which the devices are coming at that victim and being able to launch those sorts of attacks. >> so to get kind of to the heart of the matter of why we're here today, because from what we've been told this botnet doesn't use spoofing amplification. >> it can send any type it wants to. >> the botnet is out of this individual connected devices. and you say there are potentially millions of them out there that are so numerous that spoofing isn't necessary? it is a deluge of traffic from those connected devices, correct? >> correct. if you wanted to accepted a large amount of traffic in the past you would use amplification

attack. in these devices, you don't do that. >> i think we need to dig into this a little more then. when we were talking about defensive techniques before, most of them seemed to rely on ddos attacks that use spoofing and amp lification, how do black listing, white listing and packet inspection work and how effective are they? >> i would say they are probably more effective on nonspoofed traffic. the overall capability to spoof is more capable when the traffic is not spoofed. i will go back to the scale issue. a lot of that technology is build for the hundreds of thousands of inspections at the same time as opposed to the millions of inspections at the same time.

>> my time has expired. it's safe to say we have a lot of work to do and we need to handle new technique toss handle this threat. >> absolutely. >> mr. chairman, i yield back. >> the chair thanks the gentleman. the gentleman yields back. the chair recognizes the gentleman from missouri, mr. long, for five minutes, please. >> thank you, mr. chairman. mr. drew, i understand that newer brand named devices are safer and less vulnerable to cyber attacks. but how much blame would you put on low end manufacturers, cutting corners with security with the type of attack that happened in october? >> well, with specific regards to what happened in october, a vast number was the low end from other countries. we spoke to vendors. the vendors had not really

contemplated the idea they could be used in that fashion. they were trying to wrap their head around it. other manufacturers had no interesting because they had every belief their consumers would continue to purchase their product. >> okay. this is directed at all of you. i guess we'll start with dr. drew, he is teed up there. what are hardware is and software manufacturers to band together on a cyber attack like the recent one? >> so i would say -- >> we won't start with dr. drew. >> oh. >>. >> he's dr. g u. i'm mr. drew. >> we're interdisciplinary. for the hardware and the software, there's a good -- function goals form.

if you look at the educational system you will see the people trained on hardware and trained on software don't actually have the closest cultures in terms of education. i think it's going to be very important to educate people in a way that brings hardware and software together. otherwise, you're not going to have the workforce that will be skilled and trained to be able to solve these problems. that is something i'm trying to do personally. i train students in both hardware and software. because you just can't an tract it away anymore. >> so i think this is a particular challenge -- >> i'm sorry. i need new glass or a different angle. there you go. >> i think it is a particular challenge because engineering operates in silos. the companies that made the dvrs got a chip with software on it. they didn't inspect it. it is a blob and they put it in their device. sold it to another company and

put their name on it and sold it to the consumer. you have this chain which is very opaque. and companies will hand off to each other. so banding together, i think will be very difficult. and the way we can do that is to incent. i'm giving the companies to say yep, this works, i'm going to sell it cheaply. this is -- it is hard. i don't have a good crisp answer. hopefully mr. drew does. >> that's why we put him last. >> yeah, i would say that i agree with regards to chief i.o.t. i agree with cheap i.o.t., the focus primarily is on the specifics applications they're looking to develop. they get hardware from another manufacturer, they get the baseline operating system from someone else and they don't know how it inter connects together.

i would say on more emerging i.o.t., that is a bit more integrated and capable of being interconnected to other i.o.t. devices, we are seeing more disciplined and knowledge with regard to marrying hardware and software disciplines together. as well as being able to achieve higher security standards as they interact with each other from device ecosystems. a long way to go, but growth in that area. >> could the recent cyber attacks have been avoided if the target decided to register with more than one company that provided the same services that dyn provides? >> presumably, yes. what we did see on the dyn attack is the number of the domains that were targeted, they

fell back to another authoritative service and the bad guy detected it and launched an attack against that other server. so you know, in this case, the bad guy was following specific victims and reacting to them as they mitigated and moved. >> okay, i heard you say that earlier in the opening, i think. dr. fu, how's that? to what extent did default passwords play a role in the recent cyber attacks? >> a key role, because it was the entry point to take over this army of unwitting agents to attack dyn. default passwords are everywhere. in my testimony, i provided a graphic for medical devices. there is nothing stopping the same attack from happening to another industry, other i.o.t. products. all passwords are a big problem. the fact that we're relying on passwords at all is a big

problem. >> thank you. my time is expired. i yield back. >> gentleman yields back. thank you. chair recognizes the gentleman from florida. five minutes for questions, please. >> internet of things, devices, present, including attacks on other systems. dr. fu, it occurs the use of insecure operating systems, which are easy, actually easier to infect and target for distribution of service attacks. have you seen industry react to these issues, and move forward more stable operating systems, and are there impediments making

such a switch? >> i have seen industry moved to better operating systems, but like most communities, there is a wide distribution. a leader, maybe not the leader. i still see windows xp, which is a decades old operating system in critical systems. there is a photograph in a water treatment facility in michigan, in my testimony. controlling water pumps for the city. windows xp is susceptible to the last decade of already released malware. it doesn't take anyone than a kid in the basement to cause a problem. it hasn't happened, because no one has wanted it to happen. it is all about the economics. certainly, on the high end devices, like linear accelerators, raid year therapy devices, you're talking about multi-million dollar machines. hospitals get new operates systems, however, most hospitals have capital equipment costs and

they don't want to have to buy a new mr ii. that's why you'll still see windows 95, windows 98, the year is important, in hospitals. because when they go to manufactures, they'll say, oh, sure, why don't you buy a whole new machine. and so there was this unwritten assumption that the software would be maintained. it may not have been written into the agreement. but the health care community felt that it should have been kept secure, kept maintained. but from the manufacturing standpoint, it was, we provided you this device. >> thank you. report shows many devices in the october attack were situated overseas. while some seek to deregulate devices in our own country, how do we protect ourselves from devices outside the u.s.? dr. fu, and if someone wants to

chime in, that's okay too? >> let me just comment briefly. my fellow witnesses, opine. i think the important thing about computer security is not to be able to put yourselves in a secure environment, but you need to be able to tolerate an insecure environment. we're never going to be able to make networks, you know, blissful places full of rainbows. the networks will always be hostile. whatever we put on, it has to tolerate malicious traffic. ddos are extremely hard to defend against, because they cut out the core, and that's high availability. >> so it is two things. i think that u.s. regulations, especially if it is u.s. and europe, major markets, can cause a new environment, which raises the tide for everybody. because companies are not going to make two devices. one device and sell it.

so we can make a difference with us. like we can in so many industries. dr. fu is correct, we can't assume ever a benign environment, touching more secure, which means the devices are more a minority and then building infrastructure controls to secure against this malicious minority. it will always be that. thank you. >> sir, do you want to comment quickly? i have one more question. >> i was just going to say we have a fundamental belief of insuring we can try to route pa packets on reputation. the more that businesses and backbones can collaborate together on data and route traffic based on reputation, i think the better prepared we'll be. >> thank you. one of the biggest concerns for dr. fu, one of the biggest concerns of the denial of

service attacks is the potential impact on hospitals and their patients. we already know that hospitals are targets in other areas, such as ransomware. question for dr. fu, how can hospitals best protect themselves from these threats in their current technology and should industry prioritize the healthcare sector in preventing current cyber attack as soon as. >> well, in the short-term, hospitals are in a sticky place. there aren't a whole lot of mitigating solutions. the best medicine is to really know their inventory. i saw some discussion yesterday in a dhs report about a bill of materials software. hospitals don't even know what software is running on the inside of their facility, because the manufactures don't know themselves what are on the medical devices. if we only knew what was on the medical devices, we could better understand what risks we are taking. >> very much. i yield back. appreciate. >> gentleman yields back. gentle lady from indiana.

>> i'm going to follow-up, dr. fu, if you would explain a bit more about what your concern is? is it the devices being used actually in the hospitals, the hospitals are not aware of what is on those devices, and so what kind of mechanisms should we have so that hospitals systems are fully aware of what's in their hospital? >> right, so let me just frame the context. so hospitals want to make sure that they have continuity of operations of their clinical work flows, so they don't have to shut down, med star shut down for several days in this area. so the problem is when you don't know what your assets are, how are you going to protect that. if you don't know what ports are open, the manufactures, they're not, i would say willfully causing harm as far as i know, but they're not providing enough information so the hospital staff can do their jobs to assure the continuity.

so providing a bill of materials of what software comes on a device when it enter ace hospital, it won't completely solve the problem, but it will really help because you can't do step two until you do step one. know your assets and inventory before you can control security mitigation controls. >> and so while that has obviously lifesaving or life ending implications, what other sectors are you most concerned about, and this is for the panel, you know, the sector integration so to speak, of devices within maybe the system is not known. >> i'll just say public utilities, water, gas, electric. it surprises me how people just sort of laugh about we don't have security, ha ha ha. and you know, we're not going to be laughing when the lights go out. >> so i think looking at in sectors is almost self-defeating. what we're worried about is

interactions. and you know, if you ask somebody a month and a half ago whether a vulnerability in a webcam ra can affect twitter people would say no. we barely know how the internet work in a lot of ways. mr. drew's answer whether this particular defense would mitigate this attack and the answer is we're not really sure. it is the emergent properties of inter connecting everything that cause the vulnerabilities. focus on a sector, we risk missing the big picture. they are all computers, whether they have wheels or propellers or in your body. they affect each other. i urge you to think holistically and not -- i mean there are sectors that are more critical that's obvious, but the cause of the vulnerability could come from nowhere. >> mr. drew, a question whether or not what your thoughts are as to whether or not hacking back or some other form of active

defense should be permissible. thoughts on that? >> i know that this has been a fairly large debate within my industry. it has been a fairly large debate within the u.s. we have these conversations on a regular basis about green, you know, green viruses, if we know a particular exposure exists and we know that we can write software to go out and patch the system on the user's behalf to get malware system, we would be better protecting both the consumer as well as the internet as a whole. and i think that that is a fairly dark road to go down. i think that it is an excuse for us not fixing the eco system and providing the right incentives and right locations. and potentially has impacts that, you know, the author writing software isn't necessarily aware of, as he is touching a pretty broad set of

devices on the eco system. so i would say i fear more of the consequences of that than i do pushing the right incentives and the right layers. >> going back to the question about whether or not we have the appropriate safeguards in place, we have 209,000 job openings right now according to dr. fu, and what are the programs, degree programs or other types of certification programs that should be offered that we are not offering enough at our higher institutions or training programs. are degrees necessary or do we need to have different types of certifications, short of degrees? >> i think we need all of the above. especially, it is a little known discipline called embedded cyber security, but this is very related to i.o.t., hardware and software. we need both at the community college level, both at the four year college, both in the graduate studies, also,

especially in advance master's programs for already skilled worker whose are perhaps experts at building cars or designing cars, but need to know how do you build security into that thinking. there aren't enough opportunities for those workers to come back to get that training. and a final comment is the pipeline. i think in the en skrgineering, have difficulty in tapping different demographics. we need to do much more outreach to high schools and the kids coming up tone courage them to go into these fields, and especially women and minorities. >> thank you all for your work. i yield back. >> sure, thanks to gentle lady, chair recognizes the gentleman from illinois. >> thank you for all being here and taking the time and elaborating on these issues. plch mr. drew, is it accurate as an

international issue? >> it absolutely is an international shooch international issue. the majority of the locations where the devices were located was foreign. you know, most of what we're talking about here today from a regulation perspective wouldn't have a direct significant impact on at least the adversaries that were involved in the october 21st attacks. >> do you know, are there any other countries international groups, et cetera focused on the security issues right now? >> yes, there are a number of countries that are focused on very progressive cyber security controls and iin great britain example. cyber security work with integrating that to the telecommunications sector. so meaning that if you're going to be offering telecommunication services or the government will be purchasing services, you have to be certified at a certain

level. >> so are you seeing any groove do you marry up to that to help the conversation? >> i'm going to go back to my -- one of my original points, which is i do believe that we are missing, you know, defined standards in this space that we can get some adoption around that we can get pressure focused on, and we can change buying an investment patterns. i think that by setting those standards and by setting them by both domestic and international groups, you know, setting these standards so you can force buying behaviors of consumers and businesses will be a major step forward. >> reports are indicating a staggering increase in connected devices over the next few years, a number we heard today, any where between 20 and 50 billion

devices, which is unreal. what do you think policymakers and stakeholders should think about in general regarding cyber security and interconnection moving forward. what would be a take away you would want us to lead with? >> i think innovation is progressing faster than discipline. and what tends to happen is we go on a bio rhythm of lack of discipline, causing significant unintended and unforeseen consequences. our ability to adapt and respond to those will keep that infrastructure protected and as well as continue to evolve it. so i think that you know, the average cso has to manage 75 separate security vendors. and that is to bolt on security controls for products and services that they are purchasing. and when we get one of those dials wrong, there are some significant consequences as a

result. and so focusing on making sure that premarket controls are placed in that infrastructure is going to be a significant adaptable win for us. >> dr. fu, congressman long brought up passwords and stated we should get away from passwords all together. can you elaborate. >> passwords is in strin sickly insecure. they choosetrinsically insecure. they choose poorly. any password system will encourage unwise security behavior. there is technology out there, one company in ann arbor, two factor authentication, where you have for instance a mobile phone in addition to a password. but at the heart of it, we need to figure out other ways and i'm going to defer to some of the other witnesses for suggestions on that but i just feel we really need to retire passwords. we need to kill those off.

because these are going to be bringing down our most sensitive systems. >> do any of you want to elaborate on that. >> i largely agree. there will be low security device applications, low amounts of latent times for a short amount of time, but in general, passwords have outlived their usefulness. you can secure a gmail account, i can secure this with my fingerprint. there are many other systems that give us more robust authentication. and i think that would go a long way in a lot of our systems to help secure them. we're take being two different ways to break into things. vulnerabilities, which are exploited. bad user practice swirks also exploited. if i could get rid of one of them or at least reduce it, it will go a long way to make it better. >> thank you for all your time. i'll yield back. >> thank you. the chair would recognize mr.

mcirnny for the purposes of follow-up. >> this one is a little philosophical, i hope you don't mind. mr. snyder, you mentioned that the attacks are easier than defense on this complex system. and making more complexity opens up new vulnerabilities, but biological systems work in the other way. they build complexity in order to defend themselves. is there some kind of parallel we can learn from this in. >> so in the past decade or so, there has been a lot of research and moving the biological metaphors into i.t. there are some lessons and things that don't work. biological systems tend to sacrifice the individual to save the species, not something we want to think about in i.t. or even, noy, in our society.

but yes, there are ways of thinking about security immune system. but the complexity of a biological system is complexity that is constrained. so for example, we all have a different genom, you may be able do that with a different operating system. it is suddenly much more expensive by, noy, orders of magnitude. so a lot of the lessons don't apply. some do. the researchers radio r trying to learn from them. and that is kind of the new cool way of thinking. and i think there is a lot of value there. but still, complexity, unintended consequences, interconnections, the attack surface, enormous attack surface we're talking about it makes it so in the foreseeable future,

attack will have the advantage. there will be fundamental security, defensive advantage, but no time soon. >> all right, thank you. mr. chairman, i yield back. >> thank you. mr. schneider, a follow up question. you mentioned along this line and you had mentioned any think in response to an earlier question about the autonomous vehicles, and yesterday in our manufacturing and trade subcommittee, we had a hearing on autonomous vehicles. so particular vulnerabilities or places where the focus should be as that autonomous vehicle developed as a separate entity. >> so i think it is really interesting test bed for what we're thinking about. and i don't know how much detail you went into on the vulnerabilities, but we learn the vulnerabilities are surprising. one attack that used the dvd

player as a way to inject malware into the car that controlled the engine. now, that shouldn't be possible. but surprise. and similarly, i'm worried about the usb port on the airplane seat, potentially controlling you've i don't kn avionics. those in security, don't believe it. the more holistic we can be, the better. they're going to be surprises. to get back to the immune system model, how do we build resilience into the system. how do we ensure it fails safely andsecurely. how do we make it more likely that a vulnerability here doesn't migrate to another vulnerability there, causing something more catastrophic. the more we can look at the big picture, the less we focus on this or that because it is the connections. so you think about it, it is

exponential. i have five things that's 25 connections, 100 things, that's it goes up by a factor square. sorry. i did some math. that's the vulnerability. that's why this is so -- complexity is such a problem. >> well, i mean, i posed the question earlier, for any of the three of you who wish to answer. the question i'm thinking, like a criminal, but you know, you really, we're still playing checkers and they're playing three-dimensional chess or perhaps multi factor ral level of three-dimensional chess. i mean, one of the things that keep you up at night? what are the things you've wondered about? >> i would say the best advancement in the security space for us as an example is behavioral analytics, being able to monitor the network, monitor the enterprise, monitor our infrastructure and look for

behavior that we've never seen before to determine whether or not that's unauthorized traffic or not. no matter what, that technology is based on a compromise already having occurred. a bad guy already being in the network. and so our ability to be more proactive, our ability to get ahead of that attack and predict those attacks before they occur and change the technology before they can be exploited, that's where we need to migrate. >> i worry about catastrophic risk. is it the dyn attack, one person had the expertise, encapsulated it and now anybody can do it. so it is unlike my home, where i only have to worry about the burglars driving to my home is worth the bother. there is some bell curve of burglar quality, and the average burglar is what i care about. the internet is the most sophisticated a taettacker, any where in the world.

>> dr. fu. >> i worry about something more human, and that's sort of bureaucracies. i worry about the inability to change. i worry about being stuck staying, well, we've never done it that way before. i worry about things, well, that's unprecedented. while the internet is unprecedented, and so there are going to have to be changes. i do worry we won't have the strength and resolve to do it. it will take guts, i think. but this is on foresight in the safety world we saw it with hand washing in the 1840s, hand washing wasn't even a thought that crossed your mind. it took 165 years to get to the point where hand washing is common. it is going to take time for security, but the time is right to do something now. do something wise. >> i would just note for the record, i think dr. simalwise did end up dying from a staph

infection. >> he messed up his experienced, too. >> wonderful this has been a very informative hearing. i want to thank our witnesses for being here today. before we conclude, i would like to include the following documents to be submitted for the record by unanimous consent. a letter from the online trust alliance, a letter from the national electrical manufactures association. a letter from the college of health care information and management executives. a letter from addvomed, technology association, and a letter from cta. pursuant to committee rules, they have ten business days to submit additional questions for the record. i ask the witnesses to submit their response within ten business days upon receipt of the questions. i didn't say it, but without

objection, so ordered that all those things are inserted into the record. subcommittee is adjourned.

tonight, a discussion on school segregation, with nicole hannah jones. she claims that racial segregation is currently maintained bio fish al action and policy. the columbia journalism school airs tonight at 8:00 eastern on c-span. the trump administration could approach biomedical, health care issues and drug pricing. that event hosting by the milken industry in new york. you can see that on c-span 2 at 8:00 eastern. this weekend on "american history tv" on c-span 3, 7:00 eastern, president lincoln's cottoco cottage about lincoln's general wives for better and for worst. >> you can see too that women

have a means of reenforcing either the best in their husband or the worst. and that's what this study is. >> then at 10:00, real america, the 1950 film, america frontier. >> the production office at willston and then to oklahoma. day and night, our telephone board was lit up like a christmas tree. calls from new york, california, houston. bit by bit, we began to realize how big a thing this was. >> the film promoted the financial benefits for farmers of leasing land for oil exploration and was funded by the american petroleum institute. sunday morning at 11:00, panelists discuss novelist and social activist, jack london and his call of the wall generations

of western novelist and writers. >> he always looked back to the natural land, to his ranch, the beautiful scenery in california and elsewhere in the south pacific. to center himself and to find release and relief from the rigors and the degradations of the cities. >> at 6:00 eastern on american artifac artifacts, we visit the museum in virginia beach. >> it basically taught all the military aviators, army and navy, how to fly. many guys never even saw an airplane coming from the farms and any where you can think of. the first airplane they saw was the boeing steerman. >> for the complete american history tv schedule, go to c-span.org. james madison is the architect of the constitution and he might be, then george

washington is the general contractor. if you've ever built a house or put an addition on, you know it looks more like what the general contractor has in mind than what the architect has in mind. >> sunday night on q and a, edward laws edward larson talks about unifying the country and ratifying the first federal documents in his new book "george washington, nationalist." what they wanted to do is recruit washington as part. talked to washington before about this democracy stuff isn't going to work. you're going to have to be our king. washington was a true republican. he believed in republican government. >> sunday night at 8:00 eastern, on c-span's q & a. a look at global health risks and how auto preparing and responding to them. we're going to hear from dr. tom

fre freiden. this is about 45 minutes. well, good morning. we're going to get right to the worst case scenario here. i don't know how many of you have seen the movie conta containgaion, how close are we in the infectious disease world to a scenario like that? i'm going to start with you dr. freiden. we've seen ebola, we're dealing with zika, all these desisiseas. how close are we to some biblical playing? >> every year, we identify one new path jen. everyday, we start a new investigation that could detect

a new pathogen. bill gates said said only two things can kill 10 million people around the world, nuclear war or biological event. if you look back what happened, it happened before. 1950, 100 million people killed around the world. even 1957, influenza pandemic, cost 3% of the world's gdp. even relatively small outbreak cost about $30 billion. these are deadly, costly problems. we don't know when the next one will come. where it will come from. or what it will be. we're certain there will be a next one. >> and in terms of the gates foundation interests in this, you've obviously been very involved in ebola specifically and zika, how do you see this in terms of the danger to the world, to the idea that business will be disrupted, that you know, looting and fires and all kinds of social unrest?

>> well, i would say from a gates foundation standpoint, there is three ways we look at this. as you just heard from tom, we need to be ready for the worst case scenario. the world needs to be ready for pandemic flu being the scariest. there are things that are und underutilized and not fit for use in the world. one is government, who makes the call when things happen. the global health secure sity agenda at that has gotten a lot more attention. the focus on global health research and development, the focus on tool development, th e investments are a big focus of the foundation, and the last thing, even though the world is worried about something really super scary like the movie, we all saw this last summer, how something like zika, that ha been thought to be not a big threat, spread by mosquitos, but

was a particular threat, and is a particular threat for women who can get pregnant. because it causes a catastrophic birth defect. even zika, from a business standpoint, i know everyone in this room probably had young people who were going to travel on business, and either men or women, who were completely concerned about their risk should they become pregnant or should their partner become pregnant. so understanding these new pa pathogepat pathoge pathogens, and having the kinds of tools starting with diagnostic, so we can spot them, are a big focus for us at the foundation. >> looking at the, obviously a new administration and one of the things that has to be funded is things like research and disease control. in terms of this global health security, i think a lot of people think about, you know, homeland security, they think about economic security. i don't know how worried the general public is. we hear about these things that

fire up in africa or affect maybe a pregnant women, it is not about me. how many of these things, you know, are we able to control with a global health security agenda? what are the components of a global health security agenda. >> three things that need to be strengthened and one key tool. we have to find things better. stop them faster. prevent them where ever possible. for each of those three aspects of global health protection or global health security, there are both institutions that need to be strengthened and new tools that we need. we have he got very exciting things where we can do whole genome, what organizisms are and how to stop them. the joint external evaluation, if you want to start or expand a business, see what the risks are in any country in the world, what are the corruption or security risks, you have databases that will do that.

if you want to know, is there country ready to deal with an emergency from the health sector, currently there is really no way to do that. what we've done over the past one to two years is get a global consensus on an independent objective transparent public rating of all countries that agree to do it, and if a country doesn't agree, they can basically be considered, you know, potentially problematic and it looks, score of 100, regular green, core capacities, are they ready. that's important. because it holds them accountable. it holds the world accountable f there are poor countries not ready, we're all at risk. let's channel our assistants to close those gaps. a blind spot is a vulnerability everywhere. yes, diseases from any where can end up here right away. whether it is a drug resistant bacteria or hiv. >> the gates foundation, helping

to put together public/private partnerships, whether it is institutions, federal agencies, how can that be done in a way that gives that rapid response? once you have a structure in place, can you then deploy it rapidly for other things, if it is ee bowl larks is there enough about ebola applicable tobola l about ebola applicable to an influenza pandemic for example. >> what we know is each has its own characteristics. the first thing we can do is partner with cdc and others who do help us to understand what we need in the global infrastructure. because there is borders and countries sovereignty, so figuring out that piece of this is essential for us. but on the public/private side, it is one of the aspects of the gates foundation that i think is maybe not well-known. and that is, we encourage companies, big, multi national companies that have the power and the capability to move quickly in the face of an

epidemic. >> that would be you. >> everybody in the audience. to invest in these, not only because these are global health security problems that can affect your own business, but one of the tools we like to use is something that we use for market failures. ebola wasn't worked on by companies, because in the first 30 years it existed, less than 3,000 cases and really not any rich countries. so in the case of market failure, will make investments, we're happy to make equity stake in making sure that these multi national companies can work in these areas that are the subject of market failure. working on ebola vaccines, diagnostics and vaccination and collaborate with not just academia, but also multi national companies and small biotech companies. >> from the cdc perspective,

congress created the cdc foundation to hep c dc do more faster. we have a business council in the foundation and when ebola hit, the gates foundation was first to give us resources so that we could act very quickly before and in a more flexible way than the usual government syst system. we were able to provide to those individuals and companies real time information, updates regularly, whether it is on the flu or ebola or zeika with the next threat. >> the investment in data, so one of the biggest challenges with the last couple of years, whether it is ebola or zika, it would be a massive challenge, if it was the next sars is getting good global date it and on time. using things like the smartphones and other information technology so we've

invested and collaborating with cdc, or others, we've invested heavily in better, accurate and quicker data, so that everybody in the world knows what's going on. >> well, so technology obviously plays a big role. we were talking about one of the battlegrounds was down in florida where people were upset for example that people don't want their neighborhoods sprayed with deet, so you're picking your poison, do i want the risk of zika, do i want deet. it is an interesting approach, genetically modifying mosquitos. talk about that. >> two approaches to what we call in global health, vector control. so vector control just means we're trying to not just think about a therapy or vaccine for the human, but trying to control the mosquito. so a mosquito that transmits

dengue fever, a bad mosquito, and unlike the other mosquitos, malaria mississipposquito, vectl can be really challenging with this particular mosquito. importantly, there is two different novel ways of thinking about controlling these mosquitos. one is further out in time. that's a genetic modification or a gene drive method. that's still at the research stage. there is a nongenetic modifying approach, something called bobacia, the mosquito's micro bium. it is a bacteria naturally found in about half the insects on hear earth in the dengue mosquito or zika mosquito. we've been investing since 2005 in a -- scott o'neal, an ought

stral y -- australian inventor, preventing the mosquito from transmitting mosquito, originally done for dengue, which is scarier than zika, and that's being used in brazil and in columbia, through a recently announced grant to actually try and release these mosquitos that cannot transmit this virus. a really great example of global health research and development, something that seemed very risky, far very out, that's being done with the communities. so that in terms of the innovation and the risks, very thoughtfully studied and very important for all of us to realize when you think about a behavior change intervention, the communities are driving this intervention. but has a lot of opportunity. we don't know how big it will scale. it is just gotten to populations

of 2.5 million in the two most recent studies that are being done. but when you're faced with these vectors and concerned about things like insecticide, a very novel based on biology and based on great long-standing research attack on these mosquitos. >> there is that problem with the public health perception. you know, in puerto rico, they had a really problem getting spray. people don't want spray. it is almost like you're taking your chances that you're going to be -- >> the mosquitos are quite difficult to control, as sue says. they can hatch in a bottle cap full of water. they co evolve with people, spreading serious diseases, including zika, dengue, and they are an urban pest like a cockroach. the way i think of it is we have to do two things. one is mix and match our current tools to control them as well as possible. there are some new approaches that may minimize the use of

insecticid insecticides. none of us like to use insecticides. if communities try to chose them. what we recommended in the wynwood area of miami-dade, we used a larva insecticide and the result was quite impressive. we saw almost all the mosquitos killed overnight. and the trapped counts, we trapped mosquitos going to essentially zero. as the next batch of mosquitos bred, they then applied the treatment again. after four times, no more mosquitos basically. the spread of the disease stopped. so it showed that at least in that environment, it was possible to stop an outbreak. something like wobacki will need to be applied before months before the outbroke starts. we have one fundamental approach in public health. get the date it and use

performance. we don't like do something because it has always been done that way. let's set up an information system so we can see what's working and continuously improve our program. >> there is one other innovation to quickly mention on the zika front. that is modern family planning. and so one of the early grants that we made was to cdc foundation and the pan-american health organization to get the right communication out there. so that women who are pregnant or could become pregnant knew what was going on, knew how to prevent zika, knew what the risks were. and we continue to fund research and development to make better more widely available more affordable modern contraception that can be used voluntarily by women any where in the world, when they're faced with such a health threat. >> right. well, the other obviously you mentioned earlier, you brought up the idea of hospital infections. i know a big crusade of yours has been antibiotic stewardship.

we're using too many and breeding resistant super bugs. everyone who has asked your doctor for a cpac, it was a virus and not a bacterial infection, you're all contributing to that. i among them have probably done that. but the question is how do you -- are you seeing progress towards this call to stop overusi overusing antibiotics to people that don't need them? >> first of all, this is a really big problem. i am an infectious disease specialist. i've cared for patients that can't be treated with any antibiotic we have today. we talk about a preantibiotic era, if we're not careful, we're going to be in a post antibiotic aer ra. the economic impact is enormous. it is not just about infections that you think of, like pneumonia and urinary tract infections, it is about modern medical care.

treatment of arthritis. organ transplants, dialysis. chemotherapy. we expect there to be severe infections, because we're suppressing the immune system and we expect to treat them. if we can't treat them, we risk undermining much of modern medicine. we've estimated on careful analysis of data, between one-third and half of all antibiotics are completely unnecessary or too broad. it could be narrower spectrum. we do need to do some things in terms of getting better tools for diagnosis that would be easier if you could tell, is it a bacteria, we don't have that. we can do a lot more to be better stewards of the antibiotics we have. we have knew antibiotics, but we're not going to invent our way out of this. the microbes are smarter.

one of the things, center for medicare and medicaid services is to require that every hospital have a stewardship program. globally as part of the global health security agenda, we're expand ourg knowledge expanding our knowledge in terms of drug resistance. it is a broader issue. we overtreat systems and undertreatment silent conditions. if you look at things like the flu or common cold, pain, adhd, we may be overusing medications for those. if you look at hypertension or high colleholstrol. i'll never forget a few years ago, i was back in india, i was at the institute of medical sciences, a terrific harvard quality institution there. i was in the intensive care unit and this is soon after the --

new delhi strain of a resistant organism was described. he said i don't know you're so worried about this, it is producing an organism. every patient has untreatable organisms. >> run out the door. >> avoid being in a hospital if at all possible. >> i will i say from a global health standpoint, who things to add to what tom just said. first, many of the people we serve in the poorest areas don't have access to antibiotics. we certainly want effective antibiotic ifs you need it. if you have have a bacterial infection, and that includes antimicrobi antimicrobial, tb, also global threats that face resistance. >> right. >> but one of the things that is a best approach to antimicrobi l

antimicrobial. >> vaccine preventible diseases, you've got a fever and you want antibiotics, so we consider vaccines as nearly miracles, because they are so profoundly making a dent already in childhood mortality globally. and any child who can get a vaccine for a vaccine preventible illness, won't cause even more resistance. >> but again, you've got a huge public health challenge, educated people in places like southern and northern california and seattle who, you know, i think does anybody vac nat vacc their children. >> we're very open with all

information on vaccine and adverse reactions. we put them on the web so people can see them. there has never been to my knowledge a vaccination campaign any where where there hasn't been some conspiracy theories what it is really about. one of the things that the gates foundation and we at work very closely on is polio irrad indication, and we're closer than ever to it, but it is still a challenge. >> they'll kill you in pakistan if you try to -- >> increasingly, we are making a big dent in polio in pakistan. >> in 1988, 350,000 children who were disabled by polio. this year so far, it is less than 30. we've made a lot of progress. but suspicion is a problem. this is one of the greatest gifts to humanity there has ever been. in some ways, they are victims of their own success. people in developing countries see people die from these. they don't don't they need a

measels campaign. part of it has to do with rebuilding the commons. if everyone says my kid is safer not being vaccinated, we would see large outbreaks, as we saw in southern california last year. >> i know certain schools won't allow you to have your child in the school unless they're vaccinated, so you see more people doing home schooling. are you worried enough, is it more of a global concern in the united states, we still have the ability to educate people and to get beyond the antivaccine. >> really, if you look at it, well over 90% of kids are vaccinated and vaccinated on time. is there a small, very vocal group we're never going to convince. maybe 1%. there are others that wonder. we answer the concerns, we listen. some parents who decided not to have their kids vaccinated for

flu, their kids have died. they've gone on tv and told their story. we lose children from school and 90% of them are not vaccinated. making sure these aren't just theoretical risks, and it is only working together and taking preventative measures we can protect ourselves and our neighbors. >> i was interested to read, you did a public health piece for the new england journal of medicine and you listed the challenges and of course there is infectious disease and chronic diseases, but the largest cause of underlying disease in the world is tobacco. >> tobacco use continues to kill globally millions of people. in fact, more than infectious diseases combined. and it can be stopped. if you look at countries and communities that have taken tobacco prevention seriously, they've been able to drastically reduce tobacco use. the gates foundation, bloomberg foundation. >> working together. >> together, to come up with a

concrete set of policies that the country can decide to do or not, driving smoking rates down. in new york city, we were able to help 400,000 people quit smoking, saving 100,000 lives. so this is something that we can make a huge difference in, and companies have gone smoke-free. companies have been supportive of this. it is interesting, sometimes people say you're not pro-business. you know, businesses have different interests. if your business is tobacco, you have the interest to sell more cigarettes. if your business is to have a healthy work force, your business is to have fewer workers who smoke. >> profoundly public intervention, so we've been thrilled to partner with bloomberg foundation, and supporting what are proven remedies for tobacco control. it has a positive economic impact to tobacco control. it is profoundly

intervention. the other intervention we've invested in is nutrition. globally we see global nutrition and undernutrition and poor nutrition. so very simple things like exclusive breast-feeding for six months, making sure that mom, as she's pregnant, has access to good nutrition, understanding micro nutrients and what's needed. the kinds of things on nutrition and tobacco we can do as public health and global health interventions are cost effective, very pro economic. the magic time from the first thousand days of conception isn't just important for your stature, but important for your cognitive development. these are the kinds of things that emerging countries and businesses that are working in those countries are extremely interested in because that's your future workforce and future consumers. >> this is very relevant to

issue of health care costs. a non-smoker costs drastically less to care for than a smoker. in the u.s. today there are ten million fewer smokers than in 2009. if you think of the payoff, how much higher our health care costs would be, if that weren't the case, it's quite substantial. in public health we often have what we call a wrong pocket problem, where you spend the money here and it saves the money there. it makes it important that there are groups throughout society, whether it's tobacco control, research on new diagnostics and treatments, there are groups advocating for that which is good for the society as a whole. >> the idea of wellness and prevention, a lot of companies look at their health plans and wonder do we need to offer this or that. you said the idea of making wellness a priority to get ahead of disease before you have to spend all the money to prevent it, is that a good investment for ceos to make?

>> i think it's a great investment. speaking as a ceo with a group of employees, there's nothing better than a group of committed, passionate employees who are not just passionate about their mission, but their own ability to make an impact. their own health and well-being i've always felt that hasn't changed over time, that that's the best investment any institution can make. >> any other public health issues before we turn it over to a group of questions. i know uncontrolled blood pressure is another thing, everybody is a ticking time bomb. >> if you ask what other health issues, we could go on for hours. i'll just mention the one. hypertension is called the silent killer. in this country, 70% of people over the age of 65 have high blood pressure. nearly 30% of our total population has high blood pressure. we don't do a good job at it. a few years ago i put in an

electronic health record system and said what's the single most important thing to do, if you want to save the most lives in health care, what should you do? there was no analysis about that in the medical literature. the answer was very clear, control blood pressure. nothing else could save as many lives as controlling blood pressure. globally it's the only thing that kills more than tobacco. controlling is not hard, once a day medications, simple monitoring and inexpensive. in the u.s. for $3 trillion a year, we get that most important question right 54% of the time. 46% of all americans with high blood pressure don't have it under control. as a result strokes, heart attacks, kidney failure, more cognitive decline. so lots of problems that we could prevent by better treatment and better prevention. >> i think if all of this is possible if there's a functioning health system. so globally, and we learned this with the ebola epidemic, a

functioning health system is the through line, everything from hyper tngs, tobacco prevention, good nutrition, vaccination to being an early readout and rapid response to the threat of a pandemic. so increasingly our foundation with many, many partners and governments worldwide is focused on having a functioning healthy health system for those citizens. >> well, i would like to throw it open to questions if anybody has any about the threats to their -- yes. >> could you elaborate a little bit on the prevention side? doug devos from amway corporation. knew tra light is one of our brands, nutrition products. very interested in prevention. can you elaborate on prevention from a policy standpoint? we tend to pay for cure a lot and diagnosis, but beyond advocacy, from a public policy standpoint, anything you would talk about on the prevention

side? >> again, you have a few hours? prevention is underfunded. there are plenty of hospitals that have units named after someone cared for in their ucu. there's no health care department that has a floor named after someone who prevented many more heart attacks than it cured. a lot is policy and some is clinic. several different venues you can have prevention. on the policy side, if it's on tobacco, it could be smoke-free workplaces, deter use, hard-hitting ads make a big difference and change the context. in the clinical environment, prevention includes cessation measures, it could increase physical activity which is the closest thing we have to a wonder drug. it improves everything you'd want to improve from mood to resistance and cancer infections.

we think often in public health about what is scaleable. there are very limited or no examples of whole communities becoming much more physically active with people exhorting them and changing them. we're working on that and trying to see what happens. >> making things walkable. >> absolutely. complete streets and other programs. use the stairs instead of the elevator. lots of ways we can tweak the environment to make the healthy choice the default choice. there are other things that are in the clinical sector, whether it's immunizations or control of blood pressure and other things. we know if we got blood pressure control in the u.s. from 54% to 70%, we would prevent hundreds of thousands of heart attacks and strokes. at a minimum, we would change our expenditures from taking care of people who have had strokes and in nursing homes or rehabilitation to paying for blood pressure and blood pressure monitoring and medications. >> we're investing in

understanding behavior change, particularly investing in what creates sustainable behavior change in a community and compliance. when you make a big investment, and companies find this all the time, you can for a short term change things, people wear their device and they stop wearing their device. increasingly what's sticky, what sustains and how a community can drive its own wellness. and part of it is in incentives. there's a big economic argument in making that more visible at the community level, is something that you'll see more of overtime. >> other questions? we also have a poll question. before we get to that question, we'll let you ask it right now. we have a poll question. why don't we bring that up if we could, danny. you could be answering this while we're getting this next question. do you have or potentially have business interests that could be impacted by infectious disease

threats like zika? yes or no. how international are you i think is the question. >> i'll go back. i'll go back to the question about pandemics. you talked about the jee, the assessment of individual countries. how do you think about incentives for what is undoubtedly preventive expenditure for those companies that come out with a amber, yellow or even red outcome from a jee. how do we think about incenting them to expenditures against other priorities they may have? >> this is something the world community has to work together on. it has to be important. so business has to say we're concerned about this. globally we have to be committed to trying to fill those gaps. now that we've identified them and been honest to say this is a problem, whether the world bank, bilateral donors or industry

saying we're going to try to fill this area, knowing in two or four years, someone will come back objectively and measure it again and say, yes, your investment paid off, it's gone from yellow to green or red to yellow. the key is we moved to a world before ebola that was none accountable and non-assistance to a world that is partnership with accountability for what the results of that partnership is. >> i would only add having been in a number of advocacy discussions with now heads of state or their cabinets, one of the really important things is what bucket do costs go in? and if the costs go in a bucket of economic empowerment, job creation, driving your economic engine versus a health bucket, that can actually be a net positive. so making the argument that this is a financially positive economic engine argument can be a much more effective argument.

>> other questions? >> at davos a couple years ago you talked about the readiness for the pandemic. jim kim was playing a large role. how much of that has been hard wired now? >> we have a lot more work to do. within the u.s. we've done a lot to enhance our preparedness. we need a w.h.o. that's more functional than it is today. we need new tools. we don't have a vaccine that could work against the flu overnight that arose. we have been tweaking our methods. we've been cutting days, weeks, sometimes months off the production process and increasing the ability to produce things t