tv Key Capitol Hill Hearings CSPAN November 29, 2016 11:00am-1:01pm EST
11:00 am
monitor for and install updates themselves. the global nature of the iot device marketplace means many products are manufactured in and shipped to foreign countries that have yet to embrace sound and mature cybersecurity practices. iot devices are also particularly attractive targets because users often have little way to know when they've been compromised. unlike your personal computer or a phone, which have end point protection capabilities and the user's more likely to notice when they perform improperly, compromised iot devices may go unnoticed for longer periods of time. in september of 2016, level 3's threat research labs began tracking a family of malware targeting iot devices. bad actors were leveraging the infected devices to create ddos botnets, affecting the devices and anyone on the internet. the malware has affected nearly 2 million devices on the internet. it resulted in multiple major websites going offline, and the
11:01 am
new attacks are alarming for their scope, impact and the ease by which attackers have deployed them. they relied on just a fraction of the available nodes to attack their victims, showing the potential for greater havoc for these threats. level 3 detected over 150,000 iot devices produced 500 gigabytes of traffic, a significant bandwidth that threatens the fabric of the global internet. the primary motivation for these attacks appears to be financial. hackers utilize ddos to overwhelm businesses, threatening to take their business offline unless they pay a ransom to the attacker. in other cases, attackers are simply out to create mischief. although level 3 has not been a direct victim of these attacks, we are proactively taking steps to address these. we have contacted manufacturers of compromised devices to inform them of the problem and for them to take appropriate action, such as updates or recalls. we have engaged in a public
11:02 am
awareness campaign to educate consumers and businesses about the risk of iot botnets and steps they can take to protect themselves. we're also working collaboratively with our industry partners to monitor this evolving threat and the implementation of mitigation techniques. with the exploding proliferation of iot devices, so too will the threats they pose continue to expand and evolve. it will be imperative for all relevant stakeholders to work collaboratively and address and mitigate security risks so we can reap the benefits of this exciting and transformative technology. thank you again very much for the opportunity to testify and i look forward to taking your questions. >> mr. drew, thank you for taking time out of your schedule to be here as well. we greatly appreciate it. we now turn to mr. bruce schneier, a fellow at the berkman klein center at harvard university, lecturer and fellow at the harvard kennedy school of government and special adviser to ibm security. mr. schneier, thank you for
11:03 am
being here. >> thank you. committee members, thank you for having me and thank you for having this i think very important hearing. i'm bruce schneier, a security technologist, and while i have an affiliation with both harvard and ibm, i am not speaking for any of them and i'm not sure they know i'm here. >> it's a secret. nobody on the internet knows either. >> as the chairman pointed out, there are now computers in everything. but i want to suggest another way of thinking about it, in that everything is now a computer. this is not a phone. this is a computer that makes phone calls or a refrigerator's a computer that keeps things cold. an atm machine is a computer with money inside. your car is not a mechanical device with computers but a computer with four wheels and an engine, actually a computer distributed system with four wheels and an engine. this is the internet of things and this is what caused the ddos attack we're talking about. i come from the world of
11:04 am
computer security, and that is now everything, security. so i want to give you four truths from my world that now apply to everything. first, attack is easier than defense. for a whole bunch of reasons, the one that matters here is that complexity is the worst enemy of security. complex systems are hard to secure for an hour's worth of reasons. and this is especially true for computers and the internet. the internet is the most complex machine mankind has ever built by a lot, and it's hard to secure. attackers have the advantage. two, there are new vulnerabilities in the interconnections. the more we connect things to each other, the more vulnerabilities in one thing affect other things. we're talking about vulnerabilities in digital video recorders and webcams that allowed hackers to take down websites. there are stories of vulnerabilities in a particular account that's -- this one story, a vulnerability in an amazon account allowed hackers
11:05 am
to get to an apple account, which led ultimately to a gmail account and a twitter account. there was a vulnerability in a contractor that allowed hackers to get into target. and vulnerabilities like this are hard to fix because no one system might be at fault. it might be two secure things that come together and create insecurity. truism three, the internet empowers attackers. attacks scale. the internet is a massive tool for making things more efficient, and that's also true for attacking. the internet allows attacks to scale to a degree impossible otherwise. we're talking about millions of devices harnessed to attack dyn, and that code, which somebody smart wrote, it's been made public, now anybody can use it. it's in a couple ddos botnets right now. any of you can rent time on one on the dark web, to attack
11:06 am
somebody else. i don't recommend it, but it can be done. and this is more dangerous as our systems get more critical. the dyn attack was benign. a couple websites went down. the internet of things affects the world in a direct and physical manner -- cars, appliances, thermostats, airplanes. there's real risks to life and property. there's real catastrophic risks. fourth truism, the economics don't trickle down. our computers are secure for a bunch of reasons. the engineers at google, at apple, at microsoft spend a lot of time at this, but that doesn't happen for these cheaper devices. ms. eshoo's talked about this. these devices are lower profit margin, they're offshore. there's no teams. and a lot of them cannot be patched. those dvrs, they can be vulnerable until somebody throws them away, and that takes a while. we get security -- because i get a new one of these every 18
11:07 am
months. your dvr lasts for 10 years, your car, your refrigerator 25. going to replace my thermostat approximately never. so, they can fix this, but the buyer and seller don't care. and mr. burgess pointed this out, right? the buyer and seller want a device that works. this is an economic externality. they don't know about it and it's not part of the decision. so, i argue that government has to get involved, that this is a market failure. and what i need are some good regulations. and there's a list of them. and dr. fu's going to talk about some of them, but this is not something the market can fix. and to speak to mr. walden's point, i mean, yes, i'm saying that a u.s.-only regulatory system will affect the products in the world, because this is software. companies will make one software and sell it everywhere, just like, you know, automobile emissions controls in california affect the rest of the country.
11:08 am
it makes no sense for anybody to come up with two versions. and i think this is going to be important, because this -- for the first time, the internet affects the world in a direct, physical manner. and the second point i want to make very quickly is we need to resist the fbi's calls to weaken these devices in their attempt to solve crimes. we have to prioritize security over surveillance. it was okay when it was fun and games, but now -- i mean, already, there's stuff on this device that monitors my medical condition, controls my thermostat, talks to my car. i mean, i've just crossed four regulatory agencies, and it's not even 11:00. this is going to be something that we're going to need to do something new about. and like many new technologies in the 20th century, new agencies were created -- trains, cars, airplanes, radio, nuclear power. my guess is this is going to be one of them. and that's because this is
11:09 am
different. this is all coming, whether we like it or not, the technology's coming. it's coming faster than we think. i think government involvement is coming. and i'd like to get ahead of it. i'd like to start thinking about what this would look like, and we're now at the point, i think, where we need to start making moral and ethical and political decisions about how these things work. when it didn't matter, when it was facebook, when it was twitter, when it was e-mail, it was okay to let programmers, to give them the special right to code the world as they saw fit. we were able to do that. but now that it's the world of dangerous things, that is cars and planes and medical devices and everything else, that maybe we can't do that anymore. and i don't like this. i like the world where the internet can do whatever it wants whenever it wants at all
11:10 am
times. it's fun. this is a fun device. but i'm not sure we can do that anymore. so, thank you very much and i look forward to questions. >> mr. schneier, thank you very much. appreciate your comments. we'll now go to dr. kevin fu, ceo of virta labs and professor of electrical and computer science at the university of michigan. dr. fu, thank you for joining us. please go ahead. >> good morning, chairman walden, burgess, ranking member eshoo and schakowsky and distinguished members of the committee. my name is kevin fu. i represent the academic science research community. i am at the university of michigan where i research embedded security. my laboratory discovers how to protect computers built into everyday objects, ranging from mobile phones and smart thermostats to pacemakers and automotive airbags. i'm also ceo and co-founder of the health care cybersecurity start-up virta labs. i am testifying before you today on the insecurity of the
11:11 am
internet of things as related to the recent attacks on dyn. i'll provide a perspective on the evolving cybersecurity risks framed in the broader context. in short, iot security remains woefully inadequate. none of these attacks are new. none of these attacks are fundamentally new, but the sophistication, the scale of disruption, and the impact on infrastructure is unprecedented. let me make some observations. we are in the sorry and deteriorating state because there is almost no cost to a manufacturer for deploying products with poor cybersecurity to consumers. has a consensus body or federal agency issued a mandated security standard? not yet. is there a national testing lab to verify and assess the premarket security of iot devices? no. is there a tangible cost to any company that puts an insecure iot device into the market?
11:12 am
i don't think so. so i'd like to highlight eight observations about this iot insecurity. number one, security needs to be built into iot devices, not bolted on. if cybersecurity is not part of the early design of an iot device, it's too late for effective risk control. two, good security and bad security look the same at the surface. three, the health care community does not issue different advice for flu transmitted by cough versus flu transmitted by sneeze. similarly, both connected and disconnected iot devices carry significant cybersecurity risks, so it's important to consider both conditions. four, the millions of insecure iot devices are just a small fraction of what the iot market will resemble in 2020, and it will get much worse if these security problems remain unchecked. five, unlike inconvenient security problems for your tablets or notebook computers,
11:13 am
iot's insecurity puts human safety at risk. innovative systems will not remain safe if they're not secure. six, i consider security a solution, not a problem. better cybersecurity will enable new markets, promote innovation and give consumers the confidence to use new technologies that improve the quality of life. seven, it may be surprising, but there are over 209,000 unfilled cybersecurity jobs in the usa, and that's just this country. and eight, the nation lacks an independent testing facility at the scale of a federally funded research and development center as a proving ground for testing premarket iot cybersecurity crash-worthiness and for testing cybersecurity embedded defenses. let me conclude with five recommendations to protect our national infrastructure. number one, incentivize built-in, basic cybersecurity
11:14 am
hygiene by establishing meaningful milestones encouraging use of strong cryptography in these products. two, support agencies like the national science foundation, the national institute of standards and technology to advance our understanding of iot security and to train the hundreds of thousands of students necessary for a robust cybersecurity workforce. three, study the feasibility of standing up an independent, national embedded cybersecurity testing facility modeled after, for instance, post-incident initiatives, such as the national transportation safety board, incident prevention initiatives such as the national highway traffic safety administration, nhtsa, and then, more unusual places like the survivability and destruction testing at the nevada national security site. number four, i recommend leveraging the existing cybersecurity expertise within agencies such as nist, nsf and darpa.
11:15 am
and five, i believe that universities, industry and the government must find the strength and the resolve for protecting our national infrastructure through partnerships and that investments in embedded cybersecurity will pay great dividends to our society and our economy. i'd like to close, just thank you for the invitation to testify on what i think is a very important subject for our country. the committee can also find photos of illustrative iot problems in water treatment facilities, hospitals and more in the appendix of my written testimony, and i would be happy to take your questions. thank you. >> mr. fu, thank you. and thank you to all of our witnesses. this has been very enlightening. we greatly appreciate your testimony and your recommendations for our consideration. i guess i'll start with a couple of questions, as we try and wrestle this issue. over the last six years, we've done multiple hearings on cybersecurity threats to the united states, we've had multiple panels come before us and testify, and i think almost entirely they said, first do no
11:16 am
harm. be careful when you lock things into statute, because you can misallocate our resources and our opponents will know what we have to go do and we can't get out of it, and they'll just go do a work-around. so how do we establish a framework that would both be appropriate here but have an effect internationally, because we don't make all the devices, and we may have market power, but we're not the biggest market anymore? but how do we create a national framework where the stakeholders really are driving this in real time and we don't do something stupid like lock certain requirements into statute? mr. drew, can i start with you and we'll just work down the panel? >> i think the best place to start is with standards. i think the best place to start is for us to define how we intend on solving this problem on the devices themselves. industry has a number of standards with regards to how they operate these platforms
11:17 am
once they purchase them, but they don't have standards on how they're supposed to be manufactured to be secure premarket. so i believe if we were to start with standards and then apply pressure -- so, as an industry, i'm under pressure to implement standards in order to serve businesses and serve consumers. i think if we start with that standard, then we're able to apply that pressure. and to the extent that pressure can be applied globally, i think that we can get some traction and some momentum before we get to start regulating. >> all right. mr. schneier? >> i'm also a fan of standards. and i think -- your question's a really important one -- how do you do it properly as to not -- >> a balance, right. >> and i think it's to make them technologically invariant. i tend to look at the pollution model as something, what works and what doesn't. and what works is, you know, here is the result we want. figure out how to do it in the most cost-effective way possible, rather than legislate, here's the process, here's the technology. the standard has to be
11:18 am
technologically invariant. and i know you had a driverless car hearing yesterday. and i think it's somewhat similar. we're going to make standards on the driverless car manufacturers to do things properly, but we're going to assume an environment where there exists malicious cars out to get you. so we'll have to deal with the rogue devices. we can't assume that everything on the internet or everything on the roads is going to be benign and secure. but standards will raise the tide. yes, we have to do them properly, because you do them wrong and it will stifle innovation. do them right, i think it will help innovation. >> all right. dr. fu? >> yes, i think there are ways you can do this effectively without stifling innovation. in fact, i believe that a well-designed cybersecurity framework will actually promote innovation. i'll try to avoid the technical side, but i'll just say, of course, encoding a mechanism would be unwise. if you encode that all forms must be signed in blue ink, that
11:19 am
didn't assume the existence of e-signatures in the future. so you should be very careful of including a mechanism. however, principles i think you can encode. i would actually say that nist has done a relatively good job at encoding principles. there is no perfect standard. but it will be very difficult to build in security if we don't have these principles set in place, and it needs to have buy-in from industry. it needs to have government leadership as well, but it's all about setting those principles, many of which have already been known for over 30 years in the cybersecurity community. >> all right. most helpful. the extent to which you all can think about this some more and give us kind of your ideas on how to actually get it to the right place, because this is my concern, that if we're not careful, we lock something in and it's so hard to change statute. and we don't want this to be an innovation killer in america. we actually want to lead on this and get it right. but you know, i don't think i
11:20 am
want my refrigerator talking to, you know, some food police somewhere, you know. it just is what it is. so we need to get this thing right. so, thank you for being here. at this point, i will return the balance of my time and turn to my friend and colleague who's been very involved in this, ms. eshoo from california. >> thank you, mr. chairman. and thank you to each one of you, the witnesses. i think you were absolutely terrific. i have legislation that i introduced that speaks to this issue. it hasn't really gained traction. but what you said today i think puts some wheels on it, because it is about security without damaging innovation. we talk a lot about the attacks
11:21 am
that take place, but we don't really focus on prevention. throughout the valley, silicon valley, no matter who i've met with, i've asked them the same question -- what would you do about this? and to a person, they've spoken about hygiene, the lack of hygiene in systems, number one. and number two, the lack of good, solid security management. i don't think -- let me put it in the positive. i think we need good housekeeping seal of approval on this. and i think that -- and my bill called for nist to set the standards, not the congress, because we really don't know anything about that. and we missed the mark. we'll miss it by a wide mile. so, i also think in listening to
11:22 am
you, especially mr. schneier, that this is an issue that should be included in national infrastructure legislation, because this is part of our national infrastructure. and it deserves the kind of protection that you spoke to, because as you said, everything is a computer. everything. it's not just the computers over at the dod. we're carrying them around in our pockets, we're driving them, et cetera, et cetera. so given that, what is the framework for it? how would both mr. schneier and dr. fu and mr. drew, what would it look like? what would it look like? we place -- i'm giving you a blank slate. what would you write on that slate to be placed in a national
11:23 am
infrastructure bill? whoever wants to start. mr. schneier? >> i actually think we need a new agency, but the problem we're going to have is that you can't have different rules if the computer has wheels or propellers or makes phone calls or is in your body. that's just not going to work, that these are all computers and we're going to have to figure out rules that are central. >> we have a continuing new majority, so i don't think they want to create an agency, honestly, but this thing needs to be done -- >> for every one we create, we delete two. >> they don't like that stuff, so you know, new agencies, new regulations. we're dead in the water. but we can't leave this issue to be dead in the water. our country deserves much better. and so, i'm really not joking. i mean, it's a little bit of
11:24 am
fun, but you know. >> i understand, but i actually think it's not going to go that way. >> oh, good. >> i think everyone's getting involved here regardless. the risks are too great and the stakes are too high. and nothing motivates a government into action like security and fear. 2001, we had another small government, no regulation administration produced a new federal agency 44 days after the terrorist attacks. something similar happens in the internet of things, and there's no cybersecurity expert that will say, well, sure, that could happen. i mean, i think you're going to have a similar response. so, i see the choice is not between government involvement and no government involvement but between smart government involvement and stupid government involvement. i'd rather think about it now, even if you say you don't want this. because when something happens and the public says something must be done -- what do you mean 1,000 people just died?
11:25 am
that we have something more than a, i don't know, let's figure it out fast. so i agree with you, i'm not a regulatory fan. but this is the world of dangerous things. we regulate dangerous things, so let's do it smart -- >> dr. fu, can you do something smart in five seconds? >> i would say we're going to have some serious trouble if we don't answer these questions. i fear for the day where every hospital system is down, for instance, because an iot attack brings down the entire health care system. i do think you need to spend more time on the premarket. i know from my working with manufacturers that the engineers there are brilliant, but they often are not given the time of day from their executives, they're often not given the resources to do their jobs. what you need to do is give those people who can do a good job at those companies the ability to do so and incentivize their executives. >> thank you very much. most helpful. >> thank you. >> thank you, mr. chairman. >> i would just point out, we're all engaged in this on both
11:26 am
sides. my friend and i have some back-and-forth from time to time. she likes to characterize what we're for or against, which we may or may not be, but we are all committed to trying to figure out how to find a solution, and this is bipartisan. so we appreciate your testimony. we scheduled this hearing back in october right after the attack, and as soon as we were back in town, we're having it, and we will continue to march forward. with that, i yield to the gentleman from texas, mr. burgess. >> thank you, chairman walden. there's been a fascinating discussion back and forth. many years ago before i knew about the internet of things, i was invited up to microsoft in washington, and they showed me the house they had -- in fact, the house was named grace. and you know, you walk up to the door and grace knew you were coming to the door, turned the lights on, set the thermostat for the temperature that you wanted. as you came into the kitchen, grace might suggest a meal for
11:27 am
you. like mr. walden, i'm worried that grace's refrigerator would communicate with the bathroom scale and lock down the blue bell ice cream on me, but -- >> treadmill. >> yeah. so, it's an interesting world in which we've arrived. and mr. drew, i'm really fascinated by your comment in your written testimony about the incentive for someone to do this in the first place. and we've all heard since 9/11 that sometimes you've got to think like a criminal or think like a terrorist in order to outsmart them, and you referenced the monetization. i don't even see -- i mean, i get on ransomware where you lock down a hospital and you've got to come up with so many thousands of dollars of bitcoins to some dark website, but how do you monetize that your doorbell is conversing with twitter? i mean, i don't know how that works.
11:28 am
>> what we're seeing in these botnets is the botnet operators are operating, you know, hundreds of thousands of nodes and then renting out a small portion of those nodes to people to be able to attack websites and hold those websites for ransom. so if you don't pay me $20,000, your website will be offline for the next three days. so very successful enterprise. it's 40 to 45 attacks a day, it's $16,000 in attacks, so -- >> that's happening right now? >> it's happening right now. >> and i know you're not in law enforcement. what is the response of our law enforcement agencies that are supposed to be enforcing the laws? >> they are working very diligently to identify the operators of the botnet as well as the renters of the botnet as well as making some arrests in those cases to curtail this. but my -- what we've seen is the internet of things has changed the nature of the game where it's much easier to break into those
11:29 am
devices and they go unnoticed for longer periods of time. >> here's what bothers me about this, because until we had the headline-grabbing attack because it was just so massive, you don't hear about someone being busted for holding someone hostage for $17,000 so you unlock their hospital records or whatever was going on. one of the things that is talked about is making the public aware, you've got to change -- you've got to practice good hygiene, you can't have your password as "password" or "1234," but also, there needs to be a societal understanding of reporting crimes when they occur. and to some degree, these need to be publicized much more than they are. i mean, i have heard from folks in the fbi that, yeah, there is a risk that a hospital that gets stuck with one of these things is simply embarrassed, and they don't want to go public with the fact that they were hacked, pay the $17,000.
11:30 am
you're given instructions on how to get the bitcoins and where to deliver them, so that is actually easier than going to law enforcement and dealing with all of the things that would happen with law enforcement, but that's absolutely critical. and then never in any of the discussion of this that i've seen so far has there been really the discussion of what happens to people who are caught who perpetrate this, and it should be swift and severe and public. i suggested another hearing shot at sunrise, and i am not trying to be overly dramatic, but if you lock down an icu's medical records and an icu's worth of patients dies as a consequence, that is a capital crime. so anyway, i know we're not going to solve all of the problems today, but i just wanted to put those concepts out there. this is relatively new for most of us. i think one of the things i like about what the commerce
11:31 am
manufacturing and trade subcommittee did on data security was, on data breach notification, was set the standard, we don't prescribe the technology because the technology changes much faster than the congress. i'm nervous, too, about creating new federal agencies. the concept that we could delete two federal agencies for every one we create, i've got two to recommend to lead very quickly that do with healthcare, but i know the standards need to be there. and the other thing is we've got a passive job as far as informing the public, and that's part of this hearing today, and i hope we all carry that forward quite seriously. thank you, mr. chairman. i'll yield back. >> gentleman yields back. chair recognizes the gentle lady from illinois, ms. schakowsky. >> so let me ask, actually all of you, but let me start with mr. schneier. you talked about how markets have failed us and that government has to play a role.
11:32 am
but i'm wondering from you and from anyone, given that computers are ubiquitous, and your example that got into target through the hvac system is just shocking to me. but is there a role for consumers, for consumer education, for consumer action, or is this beyond us now for individuals to actually play a role in security? >> you know, i think there's a role for some, but really, we're asking consumers to shore up lousy products. it shouldn't be that there are default passwords. it shouldn't be that you have to worry about what links you click on. links are for clicking on. i mean, these devices are low profit margin, they're made offshore. the teams disband, and the buyer and seller don't care. so, i might own this dvr.
11:33 am
you might own it. you don't know if it was used. you don't know if it's secure or not. you can't test it. and you frankly don't care. you bought it because of the features and the price. it was sold to you because of the features and the price. and this is an externality. the fact that it was used by this third party -- not him, but the third party to attack this other site, and it's something that the market can't solve because it's not a market -- the market isn't involved in that. i don't think i can educate the consumer. it's putting a sticker on that says, you know, this device costs $20 more and is 30% less likely to annoy people you don't know. i'm not sure i'm going to get a lot of sales. >> mm-hmm. so, in 2015, the federal trade commission suggested best practices for device manufacturers to address security vulnerabilities. for example, device
11:34 am
manufacturers should test security measures before releasing their products, minimizing the data they collect and retain. and frankly, it seems surprising to me that manufacturers are not already taking these steps, but you're saying that right now there are no real incentives. so is that what we need to focus on? >> i think we should. i think we -- if we get the incentives right, the technologists will figure this out. some of it's rocket science. most of it isn't. but these are solvable problems. the incentives just aren't there to build the security in. we incentivize price, we incentivize time to market and features. that's what we buy because that's what we can see. i don't think i can get consumers to pry open the hood and look at the details. it's beyond the consumers i know and it shouldn't be their problem. it shouldn't be something they have to worry about. >> so let me ask mr. drew and dr. fu if you want to comment on that. >> i would largely agree with my
11:35 am
colleague here. i'd say that from a business perspective, there's a lot of incentive for me to make sure that the products i buy, the software that i buy follows specific standards, have been manufactured correctly before i put them in the network. i'd like to see more in that, more responsibility put on the manufacturer than there is today, but i do provide that incentive to those manufacturers. consumers, on the other hand, don't have that incentive. what they have is the incentive of public events, right? and the internet's been very adaptable and very flexible to that, that when there is a large sort of trip or a mistake over security, that they become more aware and then they push those requirements and those demands back to the manufacturers by purchasing products they feel more comfortable with. so, i am going back to standards. i'm going back to certifications and standards. you see that seal of approval on the device and you know that's going to be more protected than another device because you don't
11:36 am
want your refrigerator talking to your scale or your thermostat talking to your doorbell. and so, i think that's -- >> let me just interrupt you because my time's running out, but i would like dr. fu to be able to join in. >> sure. i would just paint a darker picture. even if a consumer wants to have security -- so, not many consumers are aware they need security, but even when they want security, it's hard to get. take the example of the hospitals, asking questions about why ransomware gets sent to hospitals. it's not because they're not clueful about it. they can't get the manufacturers to provide them with these iot medical devices that can withstand the threats of malware. and it comes down to plain old economics. the question is, well, how much will you pay for it? well, it should be built in, it's a public good. well, how much are you going to pay for it? so, everything's going to be driven by the economic factors. and i think the problem is, you know, the consumer group thinks it ought to be a public good. and then from the manufacturing standpoint, the question is, well, how much are you going to pay for it.
11:37 am
and that's a question that needs to be resolved. >> thank you. thank you. i yield back. >> the gentle lady yields back and the chair now recognizes the gentle lady from tennessee for five minutes. >> thank you so much, mr. chairman. i want to go back. i mentioned the cisco stats, and i think they rolled out of my mouth the wrong way. i want to clarify that for the record. we are currently at 3.4 iot devices per person. and by 2020, we're going to be at 50 billion iot devices. and that is the magnitude of this vulnerability that we have, because we're seeing it across our entire economy as we move from a physical application in so many arenas to the virtual space. and professor fu, i want to come to you. and ms. schakowsky just mentioned hospitals.
11:38 am
let's stay with that medical device component because of the area that i represent, nashville area, there is a lot of health care informatics and work that is done utilizing iot devices in the medical field. and as you look at the security, of course that's a concern. you look at information-sharing, you get vulnerabilities. but you mentioned in your testimony, going back on pages 5 and 6 -- iot devices tend to have safety consequences or involve physical manipulation of the world that could easily lead to harm. and then you go on to say a number of hospitals expressed concern about the iot devices. so, talk to me about mitigation strategies and what you see with these devices and then what special considerations must be
11:39 am
given to health care technology and to the medical devices, and how should we go about addressing that? >> thanks for the question. unfortunately, i don't think i'll be able to give a satisfying answer, because at the moment, if you were to be a fly on the wall in the board room when the hospitals are discussing the topic of how does iot security affect their assurance of the clinical operations being continuous, at the moment they don't have a plan. it's more, well, we need to get a plan. what can we do? and it's usually some of the security officers saying, well, the problem is we don't really know what devices we have in our hospital, we don't have a very good inventory, we get a lot of contraband coming in. this contraband is known as shadow i.t. it's got a great acronym, but the shadow i.t., it comes in. typically, it's a clinician who accidentally connects a device to a very important network, but maybe it's a music player that
11:40 am
is simply providing comfort to the patients during surgery, and they don't realize it's introducing new safety and security risks, because they don't have the security baked into these devices. so the iot risk is more about having unvetted assets coming into a very safety-critical arena. they don't have a good answer right now, and that's because it's not built in. >> okay, well then let me go to mr. drew. and the article in "the new york times" yesterday that i'm sure you all saw and are aware of -- "secret back door in some u.s. phones sent data to china." >> yes. >> and mr. schneier, i assume you read that. looks like you did. but this is the kind of thing where consumers are unaware. and if you take a device like that, then you have the concerns if it does get into an environment, such as a hospital
11:41 am
or a medical facility with patient information, things of that nature. so, these malicious actors are out there and with the vulnerability of these iot devices, you have some of these concerns that are going to manifest themselves. so how do we make sure that the consumers and the users are alerted to the vulnerabilities in the software and in these devices when they purchase them so that if they get something like this, they know to get rid of it? so, mr. drew? >> i would say that the biggest sort of benefit of iot devices -- the reason the devices can get compromised so quickly is because they all look the same. so a device manufacturer, all those devices look the same. the users are not really configuring the operating system
11:42 am
at all. that's why devices can be compromised very quickly, very widescale. having the devices have the ability to auto patch, so when a new patch is out, the device can call home and automatically update, that is going to be the thing that keeps that infrastructure healthy. >> thank you. yield back. >> the gentle lady, vice chair of the full committee yields back. the chair now recognizes the gentleman from new jersey for five minutes. >> thank you, mr. chairman. i wanted to ask mr. schneier a couple questions. looking at the attack on dyn three weeks ago, i'm concerned some people may dismiss it as only a few websites going down for a few hours. but in your view, what does the attack on dyn expose about cybersecurity generally, and why are these attacks moving from benign to dangerous? >> it's really when i talked about the world moving.
11:43 am
the internet becoming something that affects the world in a direct, physical manner. and the computers are the same. we're talking about these computers in our phones, in our computers. it's the same computers that are in these cheaper and smaller devices. but while the software's the same, the engineering is the same, there's a fundamental difference between your spreadsheet crashes and you lose your data, and your car crashes and you lose your life. the computer's the same. the software's the same. but the effects are night-and-day different. and as these computers start -- i live in minnesota. i have a thermostat i can control from my phone. and you know, if someone hacks it, they can -- well, not this weekend, but in the middle of winter, they can burst my pipes while i'm here, and that's real property damage, and that's different than a few websites going down, and i agree. dyn was benign.
11:44 am
it annoyed people for a while. it didn't hurt anybody. we're talking about hospitals. we've seen ddos attacks against 911 services. we're looking at our critical infrastructure, our power grid, our telecommunications network. these are systems being controlled by computers. we had hackers break into a dam a couple of years ago. they didn't do anything, but you know, next time they might get lucky. we had russia attack ukraine's power grid. these are now tools of war and of national aggression. even the attacks against our election system, which in the scheme of things are pretty benign. might not be next time. had a piece in "the new york times" a couple days ago that talked about, think about this now, because election machines are computers you vote on. >> sure. well, let me get to -- that kind of leads me to the next question because you and others have said the insecurity of devices connected to the internet stems from market failure and you compare the problem to visible
11:45 am
pollution. being an environmentalist, i'd like to better understand what you mean. can you expand on the market failure at play here? and how are insecure devices like traditional environmental pollution? >> it's because the insecure effects are often not borne by the buyer and the seller. the person who bought that dvr, who's still using it, will use it for the next five or ten years, will not bear any of the costs of the insecurity. so, the manufacturer and the buyer, too, reap the benefit. the device was cheaper. it was easier to make because it was insecure. and there is a societal cost that it can be used to attack others, to cause other vulnerabilities, to be used in conjunction to cause other insecurities. so, like pollution, it's something in the environment that neither the buyer nor the seller when they enter their market agreement to purchase the product will fix. so i think the solutions are along those lines. we have to think about what is
11:46 am
the risk to us as a group. what is the national security risk of this, for example? i mean, there is one. but it's not going to be borne by, you know, the person who bought that. it will be borne by all of us. so it's incumbent upon all of us to secure our critical infrastructure against this risk. and that's -- so, i think the solutions are very similar in conception. the tech is very different. >> let me ask you one last question. you seem to believe that regulation of some kind might be part of the solution, but i've heard some at the fcc argue that regulation of devices connected to the internet would constrain innovation. would you agree to that? >> yes, it will. i don't like that, but in the world of dangerous things, we constrain innovation. you cannot just build a plane and fly it. you can't, because it could fall on somebody's house and you might not care. it might be a drone. but we societally care. true for medical devices, true for dangerous things.
11:47 am
and it might be that the internet era of fun and games is over because the internet is now dangerous. we haven't even started talking about actual robots. but you know, a robot is just a computer with arms and legs that can do stuff. and i personally don't like killer robots. i think they're a mistake and we should regulate them. so, yes, this is going to constrain innovation. it's not going to be good. i'm not going to like it, but this is what we do when innovation can cause catastrophic risk. and there's catastrophic risk here. it's crashing all the cars, it's shutting down all the power plants. the internet makes this possible because of the way it scales. and these are real risks. >> thank you. thank you, mr. chairman. >> thank you. the gentleman yields back. the chair now recognizes the gentleman from new jersey for five minutes.
11:48 am
>> thank you. good morning to the distinguished panel. and i certainly agree with congresswoman eshoo that this is one of the most important panels we've had on this extremely important topic. professor fu, of your options and recommendations, the eight of them you have given to us, i would like to concentrate on three of them. number one, you state that security needs to be built into the internet of things devices, not bolted on. could you expand on that as to how you think that might occur, that the security occurs before the device has been manufactured? >> right, thank you. so, we often, when we talk about security problems in the media or the news, you think, oh, this was a poorly implemented product, where in fact, it was a poorly designed product, and there's a subtle difference.
11:49 am
if you don't get security built in to the early design of these iot devices, it doesn't matter how smart the engineers are, they will never be able to succeed at creating a secure device. and so, that's why you really need to build it in. if you have this residual risk that you then hand off to the consumer, there are some sweet spots where you can try to mitigate the risk after the fact, but it's extremely rare, extremely hard and extremely costly -- >> so how do we do that? how do we build it in initially? >> right. there's actually quite a bit of -- this is going to get deep into engineering, but let me say in one sentence, it's about hazard analysis. it's all about understanding and enumerating those risks and having the manufacturer choose which risks to accept, which risks to mitigate, which risks to pass on to the consumer. >> and can that be done through the consumer market, or would it require some sort of governmental control?
11:50 am
we have mandated, of course, airbags in automobiles, seatbelts in automobiles to be built into the automobile initially and not to be added to the automobile. is it your recommendation this will require some sort of governmental mandate or not? >> i do believe in the long term this will likely require some kind of governmental mandate only because in my experience working with the industry, even the people who can do it don't have the authority to do the right thing because they don't have the economic drivers, they often have different constituencies within each company. let me cite an example from the medical world. we didn't think about the safety of over-the-counter drugs until 1982 with the cyanide poisonings in chicago. until that day, consumers had quite a bit of faith in those pharmaceuticals. we haven't seen that moment for iot but we know it is there and can cause harm. >> thank you. moving on, number four of your
11:51 am
observations for devices already deployed, we should take some comfort that millions of insecure devices are just a small fraction of what the market will resemble in 2020. i suppose you mean by that that this is just at the beginning and there will be many, many more by 2020? >> that is correct. i would say on a positive side, if we take action now we could win this. we could actually have a secure ecosystem. so even though there are terrible, terrible problems today, we can fix it. so we shouldn't give up hope. >> can you give us a rough estimate if we have x number of devices now how many devices will we have in 2020? >> i've heard the number double in the last 62 minutes from 20 billion to 50 billion so somewhere between 20 to 50 billion i think is a reasonable estimate. >> i see. and number seven of your
11:52 am
observations, there are tens of thousands of unfilled cyber security jobs in this country existing approaches are insufficient to train a large number in the work force for what we need in this area. based upon your experience first at m.i.t. and most recently in ann arbor, what do the great universities need to do in this regard? and what do we need to do at the level of community colleges, for example? >> that's a very good question. i think community colleges play a very important role as we develop the different kinds of skill sets so actually in fact there are 209,000 unfilled cyber security positions as of a year ago in the u.s., over a million unfilled positions globally. the problem is i think universities need to shift and adapt to the changing marketplace. right now we're overrun with students. we cannot teach the number of students who want to take our security courses, yet we're still not meeting the needs. in michigan, for instance, we have the automotive companies
11:53 am
talking about they have 30 unfilled fte positions for cyber security and they're wondering why no one applies. >> thank you, my time has expired. i hope to continue the discussion with all on the distinguished panel and particularly with you, dr. fu, thank you very much. >> thank you. the gentleman's time has expired. the chair now recognizes the gentleman from california for five minutes. >> i thank the chair and i thank the panel. this is why i love this subcommittee and this committee, great stuff happening. i'm going to start with mr. drew. in your testimony you noted that about two million of these iot devices have been infected by this botnet and only 150,000 were used in the attack. that means there's, what? 1.85 million left. are they still capable of carrying out new attacks or have they been neutralized in any way? >> we have taken -- as a whole we've tried to neuter portions of it but it's still a 1.5, 1.6
11:54 am
million strong today in botnet. >> and they can attack not just dyn servers but they can attack real physical devices, is that right? >> correct. the one fear about a botnet like this is that they're capable of doing something called a shaped attack, meaning the operators of that botnet are able to generate any protocol, any application they want from that -- from those machines to be able to direct attacks of very specific nature to their targets. >> so we have sort of a damocles sword hanging over us right now. >> i think the saving grace we've had so far is no one has been able to afford to rent all 1.7 million nodes. they've been renting them at 80 to 150,000 nodes at a time. our biggest fear is that another adversary sees the power of this total force and begins to adopt attacks that follow a similar nature. >> mr. fu, in your testimony,
11:55 am
following up on mr. lance's question, what type of incentives do you believe would be effective to prevent the risks of -- that you've outlined? >> i think it all comes down to accountability, whether it be economic accountability or liability. right now there just isn't kind of tangible cost to a manufacturer who deploys something with poor security and no benefit if they deploy something with good security. >> thank you, would each witness answer with yes or no? iot devices span a wide range of products. would it be feasible to create one set of security standards for all sets of iot devices? mr. drew? >> yes. >> no. >> no. [ laughter ] >> okay, in the alternative, the federal government could establish minimum security standards for iot devices and then direct the relevant
11:56 am
federal agencies to provide additional sector-specific requirements. would that be feasible, yes or no, please? >> i'm sorry, i missed the question. >> well since there's a wide range of products, it might be feasible to ask the federal government have the different agencies apply specific standards to those devices. would that be feasible? >> absolutely because that allows people to apply specific requirements and regulations to the area in which those devices operate. >> i think no because devices do multiple things. >> i think it depends. [ laughter ] >> good. or not. mr. fu, several things -- so many questions, so little time. you said there's no cost to produce devices with poor security, that's pretty clear. but that iot security is a
11:57 am
solution, it should be a solution not a problem. could you expand on that a little bit? >> right. >> so my fear is that consumers will not embrace technologies that will improve their quality of life in the future because they don't trust that it will be safe. it won't take too many more horror stories before people start to go back to their analog ways so i've used security as a solution, enabling innovation, in the short term yes i would agree with other witnesses that you may see a short term problem you're going to be interrupting the product development life cycle. in the long term we're going to see this producing new innovation, just like what we saw with car safety regulation many decades ago. >> very good. you also mentioned devices should incorporate strong crypto security, cryptography. isn't that asking a lot for these cheap devices to incorporate strong cryptography? >> stop leading me, bruce.
11:58 am
[ laughter ] crypto -- you can implement crypto on these devices however there are certain special cases like medical devices where it is more challenging. for instance, cryptography does draw more electrical power and it can reduce the battery so it does cause this sort of risk question but in the general case i think it's almost always the right answer to deploy the cryptography. >> well, i have one more important question but my time has run out so i yield back. >> thank you, the gentleman's time has expired and the chair recognizes the gentleman from kentucky for five minutes. >> thanks, appreciate y'all being here, thanks, mr. chairman, this has been really informative to me. usually when i get memorandums getting ready for a meeting and it uses words like "bots" and "terabytes" my eyes glaze over but this is important and appreciate you moving forward. one thing that i wanted -- mr. lance asked one of the questions i was going to let dr. fu finish a thought but one thing you said
11:59 am
earlier that when we write the regulation or the law that we're going to have to address this, if and when we do that we can't be too prescriptive because of the sign in blue ink example you used, and i certainly understand that and i think a lot of things we've done in legislating has deferred that to the agencies and we say well, everything will go on good faith but we have to be careful to make sure, as we've seen in a lot of other areas, not necessarily this area, that when an agency gets leeway, sometimes they go farther than congress wants them to go so that forces us to be more specific so we have to find the right balance. i'm interested in auto industry and computer science technology and jobs available and you were talking about the auto industry and then time ran out and you didn't finish your thought. do you remember that thought? >> sure. michigan is known as a state with quite a bit of manufacturing and many industries are trying to hire
12:00 pm
cyber security experts. i found one many have come from the automotive industry and they tend to quit fairly often to get other jobs. you have to understand at the career fair you'll see a line out the door for the silicon valley companies, googles, facebooks of the world and for these other industries it's very difficult for them to compete for this talent not only because of the insufficient number of qualified skilled workers who are trained in appropriate security but because the competition is so great. >> so hence the -- one of the major company -- industrial -- general electric ads about -- so when the young woman going to work for general electric says i'm going to work for a high tech company they're going well, you're going to work for general electric. so maybe that's why they're pursuing -- >> it's a good marketing strategy. >> because that exactly proves the point we're saying here. as a matter of fact, they make refrigerators outside of my district in louisville and they're very high tech. very high tech. as a matter of fact they were
12:01 pm
showing me how to operate the refrigerator, it was automatic coffee pot. >> my refrigerator tweets. >> yeah, that's what they do there. so you start with the basic premise that cyber security threats are constantly evolving. this is a truism we have heard reinforced many times. one of the issues is the identification of vulnerabilities. can you tell us about how vulnerabilities are shared nowadays? and if you have any recommendations moving forward on information sharing? >> sure. so there are many different ways to share vulnerabilities. in the consumer world there's the u.s. cert, which is a coordinating agency that works in concert with dhs, works in concert with idaho national labs and other places to collect information from security researchers and provide it to manufacturers. that's one pathway. others are bug bounties, rewards between researchers and companies and the third way that
12:02 pm
has become more disturbingly popular is to deploy it to the public before there's a chance to evaluate whether or not the report is true. >> and you talked about the hackers will look at the least secured device. but what is the general level of security included in consumer-grade internet of things devices. have the recent attacks prompted any conversation that you're aware of about the security included in those devices with manufacturers? >> i have seen no good news about any security in any iot device, even in my own home. i've seen devices where i could -- anyone on the internet could break in and take complete control. this was a device i just picked up in one of those big box stores. i have no good news on the security built in to iot devices today. >> well, thank you, and mr. chairman that concludes my questions. i yield back. >> the gentleman yields back, the chair now recognizes the gentleman from new mexico for five minutes. >> thank you very much, mr.
12:03 pm
chairman, and thank you for holding this important hearing. as we all know, this is an important discussion since the proliferation of cyber attacks represents a serious challenge to both our digital and physical space. we saw the proliferation of cyber attacks this year across the country including with foreign actors as well being called out by our national security teams. pertaining to the development of internet of things which will provide robust and important infrastructure for america, we also know that there's going to be more complex and dynamic networks that result from that. dr. fu, you talked about shadow devices. currently los alamos national laboratory is looking at ways to monitor and protect against malicious attack. the work addresses the issue of dynamic and ill-defined
12:04 pm
networks with devices joining and leaving. it constantly monitors these ever-changing networks to respond to malicious behavior. can you talk about the importance of us looking at national assets like national laboratories and what we can learn for tech transfer opportunities, whether in a skush space or open space, to help us with these endeavors? >> i think what i can do is i can say nist has a document that talks about how to do this security well. one is you have to know your assets at risk so you enumerate that and that sounds like what you're referring to. the second is to deploy compensating controls that match those specific risks. and the third one we often forget as consumers and industry is to continuously monitor the effectiveness of those controls and that's where it gets to the shifting threat landscape. you deploy a security product today, it might be effective tomorrow, might not work at all.
12:05 pm
here's where i'm skeptical of agencies that claim they know all their networks. i know as a fact most hospitals refuse to look at the security of their most sensitive networks because they're afraid of tipping over things like linear accelerators, radiation therapy devices, very sensitive machines. they have rebooted from very simple security products so if you're in a facility that has nuclear material, fissile material, i would be skeptical of a claim where they've thoroughly vetted the embedded systems to see how well they've survived unless they've tipped something over. >> is there a benefit in working with these national assets to assist us? >> there can be a benefit for critical safety issues. there is quite a bit of expertise in what's called embedded security at the national labs however this is a very interdisciplinary problem and i've seen this come up already in my vulnerability
12:06 pm
reports to different agencies. they will often tell me "i'm sorry, we don't have an in-house expert on that particular subject of this health care situation, let me try to help you." and they usually have a difficult time finding a partner. >> mr. schneier, as more and more of our critical health, energy, and finance infrastructure is brought on line, the things connected to the networks will need to be secured from inception to delivery. are you able to speak specifically to what we can do with securing the technology foundations that supply chains through the internet of things, whether it be through semiconductor chips, iot device operating system, secure communication protocols or secure device access management? >> this is actually, i think, part of the big problem. security has to go all the way down so someone there who left talked about that phone that surreptitiously, unbeknownst to the consumer, would send copies
12:07 pm
of your text messages to china. on the plus side, it was cheaper but you're not going to know and that could be the software. we're worried about switching equipment that we use in our country that comes from china because we worry about the hardware there, that might be some hardware switch that will eavesdrop or turn off in the face of hostilities and these are very complicated questions and any place in the stack we can cause an insecurity that affects the others. lots of people are working on this, there's a lot of tech here but this is, i think, an extremely worrisome issue when we deal with global manufacturing. so this is an american device made, i believe, in china and many of our devices are made in countries that might not be as friendly to us at all times as we'd like. and while we have tech that will hopefully detect these things, it is an arms race and right now there is an edge on the attacker. it's easier to hide a
12:08 pm
vulnerability in something like this than to detect it. we also use that. the nsa uses that to spy on our enemies so there's some good here, too. but i think by and large it's dangerous for us. >> and mr. chairman as my time runs out, i think doctor i'll submit a question to you pertaining to expanded use of trusted foundries pertaining to hardware and we can expand the conversation. thank you, mr. chairman. >> well, thank you. the gentleman's time has expired and the chair now recognizes the gentleman from texas for five minutes. >> i thank the chair and welcome, mr. drew, mr. schneier, and dr. fu. i have to admit last night i lost a little sleep preparing for this hearing. all because we focused on september the 21 of this year when a botnet launched a ddos strike on krebs on
12:09 pm
security, over 600 gigabytes per second swarmed them. a month later, october 21, the same bad actor went after dyn. i lost sleep because after nine years in our navy, as a naval aviator, eight years work as a senior staffer for two texas senators and four terms in the house, i know the biggest threat to our security and our prosperity is not bombs, it's not missiles, it's cyber attacks and cyber security. 1s and 0s. what bothers me most about what happened earlier this year is that the attacks, the execution was exactly what coach mchue told me when i was nine years old on the football field. he drew a line "here are the defenders, there's two of them,
12:10 pm
swarm them, offensive people, score touchdown." that's what these guys did, nothing hard, nothing new, yet they had the success of having 600 gigabits per second swarm krebs on security. and so in this environment we can't be reactive. we have to be proactive. our government has to be proactive. now i said the word "government" and said proactive. looking around the room here, some people shook their heads and smiled. they know those words don't go together but somehow we have to come together to address this problem. dr. fu, i love your term about we have to have it built in not bolted on. i know mr. lance asked a question about that but i want to elaborate on it. say you went crazy, you ran for congress, you won, you're a member of this committee.
12:11 pm
how would you ask what do you think we should do to help out our american economy, make sure we control these attacks and be proactive instead of reactive? what's our role in d.c.? >> thank you. let me first correct the build it in not bolt it on is actually a phrase my community has been using for many years, including mr. schneier who is behind that quite a bit. i would say to really get out in front of this problem and be proactive, we haven't even done what i would consider -- if i were talking with my students i'd say you have to do your pre-lab before you do the real work. and the pre-lab is going out and getting firsthand information from some of these constituents. i'm doing that and that's where i'm getting my firsthand information from the executives, from the engineers and i'm picking up horror story after horror story. i can't relay that to you in this manner because you haven't seen the people i've talked to. that needs to happen.
12:12 pm
there needs to be congressional visits to these sites. they need to go to the universities, see where the struggles are happening, what are the barriers. i believe that likely after you see the same problems i'm seeing you're probably going to start thinking about we need to have incentive systems built in economically. i don't know what these are going to resemble. would they be regulations? maybe. could they be more financial incentives or penalties? maybe. is it more about corporate liability? perhaps. i don't know the answer on the mechanism but i know we need to get more people doing congressional visits to these sites to understand where the problems are born. >> thank you. how we get involved in d.c., if you could write laws, how would you write laws to help your organization overcome this incredible challenge we have with these cyber attacks? >> i believe -- i agree entirely with regards to us having the
12:13 pm
right incentives to make sure that whether i'm a business buying technology or a consumer buying technology that we have the right incentives whether they're economic liability or regulation. i completely agree with that mind-set. and i do think that there's a significant number of existing frameworks with regards to each of those ideals around health, safety, convenience, and use with regards to these threats as well as with regards to these technologies. >> very quickly, your comments about how would you approach this from a federal government role? >> i think you have a serious problem here and we have in a lot of areas that we're now at the point where the speed of technology exceeds the speed of law. that's probably changed in the past decade or so. it used to be laws could lead technology and now it's reverse. so we need to figure out a regulatory structure, an incentive structure, liability structure that's technologically invariant. that we can't focus on
12:14 pm
technology or rely on them but focus on people and incentives. technology will change. and these attacks are basic, not sophisticated yet highly effective. sophisticated stuff is worse. >> i yield back the balance of my time. >> thank you very much. the gentleman yields back and the chair now recognizes for five minutes the gentleman from ohio. >> thank you very much. i want to get more into the technical aspects of some of the things we're talking about this morning. particularly ddos attacks versus the other types. mr. drew, as i understand it, these ddos attacks have been
12:15 pm
around almost as long as the internet itself has. they've gotten worse over the last few years but at least for traditional ddos attacks we know that -- we know how to defend against them using techniques like ip address blacklisting, white listing, ip packet inspecting and other techniques. can you tell us more about those defensive techniques? why they've been successful in defending against traditional ddos attacks? >> i'd say about every three years or so we encounter an evolution of capability with regards to dos attacks. every three years or so we have some sort of a backbone impairment event on the global internet that is the result of adversaries developing new capability based on new weaknesses or new technology and then directing that capability to hear the
12:16 pm
backbone. >> so i'd say the community at large has been proactive as well as reactive in investigating what the bad guys are doing, the techniques they're evolving and shaping and making sure our capability to respond is built into the platform or in some cases bolted on to the platform by redirecting traffic and scrubbing it. so what scares us about iot attacks is the enormous potential scale whereas the typical bot net involved in these attacks over the past handful of years up to a decade has been in the tens of thousands. we now have the potential of devices in the millions. and network capability for filtering and scrubbing is not scaled at that factor. so it's something we're taking with great notice and great pause to make sure we can invest in our capability and technology to prepare for that. >> is it safe to say the majority of these defensive
12:17 pm
techniques have worked because they target the way that traditional ddos attacks use spoofing and amplification? >> i'd say that with regards to what the traffic looks like itself -- meaning how that traffic is executed upon the victim -- there's been slight evolutions in the way that traffic looks but, for the most part, the definition that is -- has an upper and lower control in it, that that is fairly well understood. so the technology is geared to be able to operate within that sort of control parameter. it's really -- the big issue is the scale in which -- that the devices are coming at that victim and being able to launch those sorts of attacks. >> so to get kind of to the heart of the matter of why we're here today, because from what we've been told this mirai bot
12:18 pm
net doesn't use spoofing or amplification, is that correct? >> it uses a shaped attack where it can send any protocol or packet that it wants to. >> instead the bot net is built out of these individual connected devices and you say now there are potentially millions of them out there that are so numerous that spoofing and amplification aren't even necessary. it's just a deluge of traffic from those connected devices, correct? >> that's correct. if you wanted to send a large amount of traffic in the past, you would use an amplification attack. now with devices like this you don't need that. >> well, i think we need to dig into this a little more, then, because when we were talking about defensive techniques before most of those defensive techniques seemed to rely on ddos attacks that use spoofing and amplification. if a ddos attack doesn't use spoofing or amplification and
12:19 pm
you begin to allude to it a little bit, how do techniques like ip address blacklisting, white listing and ip packet inspection work, how effective are they? >> more effective on non-spoofed traffic. the overall capability to inspect and mitigate is more capable when the traffic is not spoofed. i'm going to go back to the scale issue. a lot of that technology is built for the hundreds of thousands of inspections at the same time as opposed to the millions of inspections at the same time. >> my time has expired but i guess it's safe to say we have a lot of work to do and we have to stay on this because we have to develop new techniques to handle this new threat, correct? >> absolutely. >> thank you, gentlemen. mr. chairman, i yield back. >> chair thanks the gentleman, the gentleman yields back. chair recognizes the gentleman from missouri, mr. long, five
12:20 pm
minutes for questions, please. >> thank you, mr. chairman. and mr. drew, i understand that newer brand name devices are generally safer and less vulnerable to cyber attacks but how much blame would you put on low-end manufacturers cutting corners on security with the type of attack that happened in october? >> well, with specific regards to the type of attack that happened in october a vast majority of the devices were low-end manufacturers from other countries. we spoke to a vast majority of those vendors, those vendors hadn't contemplated the ideas that it could be used in that fashion. some were mortified and trying to wrap their head around how they could deploy cyber security and other manufacturers had no interest in deploying because they had every belief their consumers would continue to purchase their product. >> okay, this
12:21 pm
is directed to all of you, i guess we'll start with dr. drew since he's teed up there. what are some ways hardware and software manufacturers can band together to prevent a cyber attack like the recent one? >> so -- >> we won't start with dr. drew. no, that's fine. >> were you referring to me? i'm sorry. >> he's dr. fu, i'm mr. drew. >> okay, i'm sorry. >> but together we're interdisciplinary. [ laughter ] and i would say the key point here is interdisciplinarity for the hardware and the software. there's a good -- function follows form and if you look at the educational system you'll see people trained on hardware and people trained on software don't actually have sort of the closest cultures in terms of education, i think it will be very important to educate people in a way that brings hardware and software together because otherwise you won't have the
12:22 pm
work force that's skilled and trained to solve these problems so when i train students i train them in both hardware and software because you can't abstract it away anymore. >> dr. schneier? >> i'm sorry -- >> mister, i'm sorry. i can't see this angle with my glasses, i need new glasses or a different angle, i guess. there you go. >> engineering operates in silos. the companies that made those dvrs got a chip with software on it, they didn't inspect it because it's a blob and they put it in their device, they sold that device to some other company that put their name on it and sold it to the consumer and you have this chain which is very opaque and companies will hand off to each other so banding together i think will be very difficult and the way we can do that is to incent it. if i have liability that goes up the chain, if i have regulations that will affect each other then i'm giving the companies reason
12:23 pm
to not just say, yup, this works. it's hard and i don't have a good crisp answer. hopefully mr. drew does. >> that's why we put him last. >> i would say that i agree with regards to cheap iot. i think with regards to cheap iot the focus primarily is on the specific set of applications they're looking to develop, they get hardware from another manufacturer, they get the baseline operating system from somebody else and they develop their application and don't know how it interconnects together as a global ecosystem. i'd say on more emerging iot that is a bit more integrated and capable of being interconnected to other iot devices we are seeing more discipline and knowledge with regards to mirroring both
12:24 pm
hardware and software disciplines together as well as being able to achieve higher security standards as they interact with each other from device ecosystems. so a long way to go but a lot of growth in that particular area. >> let me ask you something else. could the recent cyber attacks have been avoided if the targeted sites registered with more than one company that provided the same services that dyn provides? >> presumably yes. what we did see on the dyn attack is that a number of the domains targeted, they fell back to another server and then launched the attack against the other server. so in this case the bad guy was following specific victims. >> and reacting to them as they mitigated and moved? >> yeah, i heard you say that
12:25 pm
earlier in the opening, i think. dr. fu, how's that? is that okay? dr. fu. to what extent did default passwords play a role in these recent cyber attacks we've been discussing? >> default passwords played a key role because it was the entry point to take over this army of unwitting agents to attack dyn. default passwords are everywhere. in my testimony i provided a graphic of default passwords for medical devices. there's nothing stopping the same attack from happening to another industry, other iot products, default passwords are a big problem. the fact we're even relying on passwords at all is a big problem. >> okay, thank y'all, my time has expired and i yield back. >> chair thanks the gentleman. chair recognizes the gentleman from florida five minutes for questions, please.
12:26 pm
[ inaudible ] thank you. internet of things devices including potential attacks on other systems, dr. fu, it appears one of the reoccurring problems identified in your testimony is the use of insecure operating systems which are easier to infect and target for distributed denial of service attacks. have you seen industry react to these issues and move forward to more stable operating systems and are there impediments to making such a switch? >> i have seen industry move to better operating systems but like most communities there's a wide distribution. there's a leader, there's maybe not the leader. i still see windows xp which is a decades-old operating system in critical systems. there's a photograph of one
12:27 pm
windows xp system in a water treatment in michigan in my testimony controlling water pumps for the city. windows xp is susceptible to the last decade of already-released malware. it doesn't take anyone more than a kid in their basement to be able to cause a problem. it hasn't happened because no one's wanted it to happen. it's all about the economics. certainly on the high-end devices like linear accelerators for example or radiation therapy devices. you're talking multimillion dollar machines. certainly when a hospital buys a new device they're more likely to get a new operating system because it comes with the new system, however most hospitals have capital equipment costs and they don't want to have to buy a new mri or whatnot every ten years, it should last 20 or 30. this is why you'll see windows 95 machines, windows 98 machines. the year is important. when they go to manufacturers saying, hey, we want to have an operating system we can keep
12:28 pm
secure. they'll say, sure, buy a whole new machine. so there was this unwritten assumption that the software would be maintained. it may not have been written into the agreement but the health care community felt that it should have been kept secure, kept maintained but from the manufacturing standpoint it was we've provided you this device. >> thank you, reports indicate many of the devices used in the october attack were situated overseas. while some seek to regulate devices in our own country, how do we protect ourselves from devices outside the u.s.? dr. fu and if someone wants to chime in that's okay too. >> let me comment briefly and i'll let my fellow witnesses opine. i think the important thing about computer security is not to be able to put yourselves in a secure environment but you need to be able to tolerate an
12:29 pm
insecure environment. we're never going to be able to make networks blissful places full of rainbows. the networks are always going to be hostile so we need to make sure whatever we put listen to will be able to tolerate malicious traffic. ddos attacks are hard to defend against because they cut at the core of where we are least prepared and that is high availability. >> anyone else want to comment on this? >> two things, i think u.s. regulation, especially if it's u.s. and europe and more major markets can cause a new environment which raises the tide for everybody because companies won't make two devices, they'll make one device and sell it so we can make a difference with us and like-minded countries like we can in so many other industries but dr. fu is correct that we can't assume ever a benign environment. that it will be a combination of making the devices that we can touch more secure which means the insecure devices are more
12:30 pm
minority and then building infrastructure controls to secure against this malicious minority. it will always be that. >> thank you. sir, do you want to comment quickly because i have one more question. >> i was going to say that we have the fundamental belief of ensuring that we can try to route packets on the backbone based on reputation so the more that businesses and backbones can collaborate together on data and route traffic based on reputation the better prepared we'll be. >> thank you. one of the biggest concerns for -- dr. fu, one of the biggest concerns of the distributed denial of service attacks is the potential impact on hospitals and their patients. we already know hospitals are targets in other areas such as ransomware hacks. question for dr. fu, how can hospitals protect themselves from these threats in their current technology and should industry prioritize the health
12:31 pm
care sector in preventing current cyber threats? >> well, in the short term hospitals are in a sticky place. there's not a lot of mitigating solutions so the best is for hospitals to know their inventory of medical devices. i saw discussion yesterday in a dhs report about a bill of materials of software. hospitals don't even know what software is running on the inside of their facilities because manufacturers don't know themselves what is on the devices. if we knew what was on the medical devices we could better understand what risks we are taking. >> thank you very much, i yield back, mr. chairman. >> the chair recognizes the gentlelady from indiana, ms. brooks, five minutes for your questions. >> thank you, i'm going to follow up, dr. fu and if you would explain a bit more about what -- your concern is that the devices that are being used in the hospitals, the hospitals are not aware of what is on those devices so what kind of mechanisms should we have so
12:32 pm
that hospital systems are fully aware of what's in their hospital? >> right. so let me just frame the context. so hospitals want to make sure that they have a continuity of operations of their clinical work flow so they don't have to shut down like the medstar system shut down in this area for several days so the problem is when you don't know what your assets are, how are you going to protect that? if you don't know what ports are open. the manufacturers, they're not, i would say, willfully causing harm as far as i know but they're not providing enough information so that the hospital staff can do their jobs to assure continuity of their clinical facilities so providing a bill of materials of what software comes on a device when it enters a hospital. it won't completely solve the problem but it will help because you can't do step two until you do step one. you have to know your assets and inventory before you can control security mitigation
12:33 pm
controls. >> so while that has obviously life saving or life-ending implications, what other sectors are you most concerned about? this is for the panel, the sector integration, so to speak, of devices within maybe the system is not known. >> i'll just say public utilities, water, gas, electric. it surprises me how people just sort of laugh about, oh, we don't have security, ha ha ha. and we won't be laughing when the lights go out. >> so i think looking at sectors is almost self-defeating because what we're worried about is interactions, if you ask somebody a month and a half ago whether a vulnerability in a web camera can affect twitter some people would say no. and in a lot of ways we barely know how the internet works. mr. drew's answer of whether
12:34 pm
this particular defense will mitigate this particular attack and the answer was we're not sure. it's the emergent properties of interconnecting everything that causes the vulnerabilities. if we focus on a sector we risk missing the big picture and they are all computers, whether they have wheels or propellers or in your body and they affect each other on the same internet so i urge you to think holistically and not -- there are sectors that are more vulnerable, more critical, that's obvious. but the cause of the vulnerability could come from nowhere. >> mr. drew, a question whether or not -- what your thoughts are as to whether or not hacking back or some other form of active defense should be permissible. thoughts on that? >> i know that this has been a fairly large debate within my industry. it's been a fairly large debate within the u.s. we have these conversations on a regular basis about green viruses
12:35 pm
where if we know a particular exposure exists and we know that we can write software to go out and patch this system on the user's behalf to get the malware off the system then we would be better protecting both the consumers as well as the internet as a whole and i think that that is a fairly dark road to go down. i think it's an excuse for us not fixing the ecosystem and providing the right incentives in the right locations and potentially has impacts that the author writing that software isn't necessarily aware of as he's touching a pretty broad set of devices on the ecosystem. so i'd say i fear more of the consequences of that than i do pushing the right incentives in the right layers. >> going back to the question about whether or not we have the appropriate safeguards in place. we have 209,000 job openings right now, according to dr. fu,
12:36 pm
and what are the programs -- degree programs or other types of certification programs that should be offered that we are not offering enough in our higher ed institutions or training programs? are degrees necessary or do we need to have different types of certifications short of degrees. dr. fu? >> we need all of the above. it's a little known discipline called embedded cyber security. this is very related to iot, bridging the hardware and software. i think we need both at the community college level and the four-year college and in graduate studies. also in advanced masters programs for already-skilled workers who are perhaps experts at building cars or designing cars but need to know how do you build security into that thinking? there aren't enough opportunities for those workers to come back to get that training. and a final comment is the pipeline. i think in the engineering and
12:37 pm
some of the sciences we have difficulty, i think, attracting -- tapping new resources, different demographics, i think we need to be much more -- doing much more outreach to high schools and some of the kids who are coming up to encourage them to go into these fields. especially women and minorities. >> thank you all for your work. i yield back. >> chair thanks the gentlelady, gentlelady yields back and the chair recognizes the gentleman from illinois five minutes for questions. >> thank you all for being here, taking the time and elaborating on these issues. mr. drew, is it accurate to categorize the recent ddos attacks as an international issue? >> it absolutely is an international issue, the device manufacturers were foreign, the majority of the locations where the devices were located was foreign. most of what we're talking about here today from a regulation perspective wouldn't have a direct significant impact on at
12:38 pm
least the adversaries that were involved in the october 21 attacks. >> do you know, are there any other countries, international groups, et cetera, focused on these security issues right now? >> i mean, yes. there are a number of countries that are focused on very progressive cyber security controls in great britain, as an example. there is a significant amount of cyber security work with regards to integrating that into the telecommunications sector so meaning that if you're going to be offering telecommunication services or the government will be purchasing services you have to be certified at a certain cyber security level. >> are you seeing any through these groups and countries a consensus on how to move forward and what recommendations would you give to congress to marry up to that or work together on those issues to help the conversation? >> i'm going to go back to one of my original points which is
12:39 pm
i do believe we are missing defined standards in this space that we can get some adoption around, that we can get some pressure focused on and we can change buying and investment patterns. i think that by setting those standards and by setting them both by domestic and international groups, whether it's nist or iso, setting these standards so you can force buying behaviors for consumers and businesses will be a major step forward. >> we've discussed a staggering increase in the number of connected devices over the next few years. the number we heard today anywhere between 20 and 50 billion devices, which is unreal. what do you think policymakers and stakeholders should think about in general regarding cyber security and their connection moving forward. what would be a takeaway you'd want us to leave with? >> i think innovation is progressing faster than discipline. and what tends to happen is we
12:40 pm
go on a biorhythm of lack of discipline causing significant unintended and unforeseen consequences. our ability to adapt and respond to those is the thing that will keep that infrastructure protected and as well as continue to evolve it. so i think that, you know the average cso has to manage 75 separate security vendors and that is to bolt on security controls for products and services that they are purchasing. and when we get one of those dials wrong there are some significant consequences as a result and so focusing on making sure that pre-market controls are placed in that infrastructure is going to be a significant adaptable win for us. >> dr. fu, congressman long brought up the issue of default passwords and you stated we should get away from passwords all together. can you elaborate on that?
12:41 pm
>> passwords are just intrinsically insecure. we are human, we write them down, we choose poorly so pretty much any password system is going to encourage unwise security behavior. there are some technologies out there. there's one company in ann arbor that does something called two-factor authentication where you have a mobile phone in addition to a password but at the heart of it we need to figure out other ways and i'm going to defer to the other witnesses for suggestions on that but i feel we need to retire passwords, we need to kill those off because these are going to be bringing down our most sensitive systems. >> do any of y'all want to elaborate on that? >> i largely agree. there will always be a role for passwords, there will be low security devices, applications, latent times when you need security for a short amount of time but in general passwords
12:42 pm
have outlived their usefulness. you can secure your gmail account now with a code that comes to your phone as a second factor. i can secure this with my fingerprint. there are many other systems that give us more robust authentication and that would go a long way in a lot of our systems to help secure them because we're talking about two different ways to break into things. we're talking about vulnerabilities which are exploited and bad user practice which is also exploited. if i could get rid of one, that will go a long way to make things better. >> thank you for your time. i'll yield back. >> the gentleman yields back. the chair would recognize mr. mcnerney for the purposes of a follow-up question. >> i thank the chair for the opportunity to ask another question. this one is a little philosophical so i hope you don't mind. mr. schneier, you mentioned that the attacks are easier than defense on this complex system.
12:43 pm
and making more complexity opens up new vulnerabilities but biological systems work in the other way. they build complexity in order to defend themselves. is there some kind of parallel we can learn from on this? >> in the past decade or so there's been a lot of research on moving the biological metaphors of security into i.t. and there are some lessons that don't work. biological systems tend to sacrifice the individual to save the species which is kind of not something we want to think about in i.t. or even in our society. but, yes there are ways of thinking about a security immune system but the complexity of a biological system is complexity that's constrained so for example we all have a different genome and that gives us a resistance
12:44 pm
against disease. and you might be able to do that with an operating system but it won't be two or three, it will be billions of different operating systems which are suddenly much more expensive by orders and orders of magnitude. so a lot of the lessons don't apply. some do and researchers are trying to learn from them and that is kind of the new cool way of thinking and i think there's a lot of value there. but still complexity -- unintended consequences, interconnections, the attack surface, the enormous attack surface we're talking about makes it so that in at least the foreseeable future an attack will have the advantage. my guess is there will be advances in security which will give us maybe not in our lifetimes but eventually a defensive advantage but no time soon. >> all right, thank you. mr. chairman, i yield back. >> thank you, mr. schneier, i'm recognizing myself for a
12:45 pm
follow-up question. you had mentioned in response to an earlier question about autonomous vehicles and yesterday in our manufacture and trade subcommittee we had a hearing on autonomous vehicles so are there particular vulnerabilities or places where the focus should be as that autonomous vehicle, self-driving vehicles develop as a separate entity? >> i think it's an interesting test bed for what we're thinking about and i don't know how much detail you went into on vulnerabilities but what we learn is the vulnerabilities are surprising. there's one attack that used the dvd player as a way to inject malware into the car that controlled the engine. now that shouldn't be possible but surprise. and similarly i'm worried about the usb port on the airplane seat potentially controlling avionics.
12:46 pm
airline companies will say that's impossible but those in computer security don't believe it. so the more holistic we can be, the better. there are always going to be surprises so to get back to the immune system model, how do we build resilience into the system? how do we ensure it fails safely and securely? how do we ensure or at least make it more likely that a vulnerability here doesn't migrate to another vulnerability there causing something more catastrophic. so the more we can look at the big picture, the less we focus on this or that because it's the connections so if you think about it, it's exponential. i have five things, that's 25 connections, i have a hundred things, that's 10,000 connections. it goes up by a square. i just did some math, sorry. that's the vulnerability and that's why complexity is such a problem. >> well, i posed the question
12:47 pm
earlier and this is for any of the three of you who wish to answer the question i'm thinking like a criminal but really we're still playing checkers and they're playing three dimensional chess or a multifactorial level of three dimensional chess. what are the things that keep you all up at night? what are the things you've wondered about? >> i would say the best advancement in the security space for us as an example is behavior analytics. it's being able to monitor the network, monitor the enterprise, monitor our infrastructure and look for behavior we've never seen before to determine whether or not that's unauthorized traffic or not. but no matter what, that is based on a compromise already having occurred. a bad guy already being in the network so our ability to be more proactive. our ability to get ahead of that attack and predict those attacks
12:48 pm
where they occur and change the technology before they can be exploited, that's where we need to migrate. >> i worry about catastrophic risk. the dyn attack was interesting. one person had the expertise to figure out how to do it, he encapsulated his expertise in software, and now anybody can do it. so it's unlike my home, where i only have to worry about burglars for whom driving to my home is worth the bother, and there's some bell curve of burglar quality and the average burglar is what i care about. on the internet it's the most sophisticated attacker i care about, anywhere in the world, because of the way computers encapsulate expertise into software. >> dr. fu? >> i worry about something more human, and that's bureaucracies. i worry about the inability to change. i worry about being stuck saying, well, we've never done it that way before. i worry about saying things like, well, that's unprecedented, while
12:49 pm
the internet of things is unprecedented. there are going to have to be changes, so i worry we won't have the strength and resolve to do it. it will take some guts, i think, but this is foresight. in the safety world we saw this with hand washing in the 1840s. hand washing wasn't even a thought that crossed your mind until after ignaz semmelweis. it took 150 years before hand washing was common. it will take security, but the time is right to do something now, and something wise. >> i would just note for the record, i think dr. semmelweis did end up dying of a strep infection from not hand washing. >> he also messed up his experiments and didn't write them up well. >> wonderful. this has been a very informative hearing. seeing no further members wishing to ask questions, i want to thank our witnesses for being here today. before we conclude i would like to include the following documents to be submitted for the record by unanimous consent: a letter from the online trust
12:50 pm
alliance, a letter from the national electrical manufacturers association, a letter from the college of healthcare information management executives, a letter from the advanced medical technology association, and a letter from cta. pursuant to the rules, members have 10 business days to submit additional questions for the record. i ask the witnesses to submit their responses within 10 business days upon receipt of the questions. i didn't say it, but without objection, so ordered: all those things are inserted into the record. without objection, the committee is adjourned.
12:55 pm
coming up later today, democratic senators chris coons and amy klobuchar and senator lankford discuss how they will work with the trump administration. more from a conference on artificial intelligence, privacy and security: autonomous weapons systems and their use by militaries around the world, ethical questions involving ceding decisions to computers, as well as constraints on their use in battle situations. >> good afternoon.
12:56 pm
thank you for joining us this afternoon, and to those joining us just now. also welcome to those of you on the live stream who are joining us today. the hashtag for the event is carnegie. it's a pleasure to welcome you today. this is the second panel of the first part of this event. there will be a second part taking place december 2nd in pittsburgh, to which you are also invited in case you're interested. please make sure to drop your business card off outside or send us an e-mail. this panel focuses on autonomy in military operations. as i explained for the first panel, this event is designed to combine expertise from carnegie mellon university with the carnegie endowment. each panel is preceded by a setting-the-stage presentation by one of the experts from carnegie mellon university, followed by a panel discussion with experts from
12:57 pm
around the world. so we are pleased and delighted to have people from israel and india who came all the way specifically for this event. now it is my pleasure to introduce you to david brumley, director of the security and privacy institute at carnegie mellon university. he's also the faculty mentor of one of the top hacking teams in the world and ceo of a company called ForAllSecure. it's a great pleasure to have him here for the setting-the-stage remarks, and i look forward to this panel discussion. thank you. >> good morning, everyone. you read headlines: russia building robots to fight on the battlefield. the u.s. navy is developing swarms of unmanned drones. and darpa commissions fully
12:58 pm
autonomous condition. these are a few headlines that highlight the increasing role of autonomy in the military. the second panel gives an international perspective on autonomy and counter-autonomy in operations. my name is david brumley. i consider myself a hacker, as i run this hacking team we talked about. let's take a look at the issue: why it's so exciting, so timely and so important to get absolutely right as we go forward. this panel's issue in a nutshell is that countries around the world, including the u.s., russia, israel, china and india, are increasingly deploying and investing in artificial intelligence and autonomy in their operations. autonomous technology, once the work of science fiction, is here today. for example, in pittsburgh, you can use your uber app to summon a completely autonomous vehicle to take you home from a steelers game to your house.
12:59 pm
don't just think physical. think of cyber space. think of social. for example, in august this year, darpa demonstrated that it's possible to build fully autonomous cyber bots for full-spectrum offense and defense. it then went on to demonstrate that these bots can supplement human capabilities in the manual defcon competition. we also need to think about social networks, where autonomous systems can be used to sway the opinion of a population. key pros include faster and better decision-making in weapons systems and cyber space operations, and it even creates the possibility of fully robotic soldiers in warfare. these are all significant benefits that lower the cost and lead to better protection of human life. however, there are significant policy, legal and ethical questions. many questions revolve around how much control we should cede to machines. what sort of actions should we allow machines to take, and when? and how do we handle the case
1:00 pm
when machines make mistakes, when there are bugs that could be exploited by adversaries? what does autonomy mean? to quote the board, autonomy results from delegation of a decision to authorize and take action within specific boundaries. we'll be talking about delegation of a decision. in the context of this panel, we delegate that decision to a computer program, an app, if you will. everyone is familiar with apps and web browsers, but not every app is autonomous. they follow a fixed set of rules and interact with the user in a very limited way. an autonomous system must be more than an app following a prescriptive set of rules. it must be able to make a decision about how its actions will affect the environment. put it all together: today we focus on autonomous decisions, where we delegate a decision to take action and that action has been ceded to a computer app. that app interacts with the