Threats to U.S. - CSPAN, June 4, 2012, 4:00am-6:00am EDT
5:00 am
>> microsoft is producing software that can remediate millions of customers who are infected. to the second part of your question, smartphones and other mobile devices are an emerging risk. everyone is listening to what is happening in other parts of the world and making sure that we are analyzing and putting appropriate remediations in place. also, working on the education front to let people know of the risks there.
5:01 am
the guidance that we have, while it does not mention mobile phones, is applicable to that technology. again, no regulation or guidance is needed there. we have what will work today as the press change. >> are any of you familiar with chicago first? this was in 2003 by a chicago financial organization. it was to enhance the resilience of the community and infrastructure overall. including cyber security threats. and focusing on preparedness. >> we are very familiar with chicago first. they are a regional coalition. we partner with organizations
5:02 am
like chicago, even though we're not based in chicago to participate in the exercise. that committee is one that we trust. >> thank you. one more question. we worry about the government agencies protecting the proprietary information of the companies. if they voluntarily share security and the members of the european union and the u.s. are in discussion about this as it relates to the banks and other financials, including insurance. have any of you been involved in these discussions with the international regulatory and standards body? i guess that will have to see that the answer to that.
5:03 am
how does a small-business entrepreneur -- where do they go to get the information? is there a place online that they can find out? >> many financial institutions have information on their website. they have held seminars for their customers. also, through the account takeover task force, we have put together a joint bulletin which we have made available to our members. they can print those off and give those to the customers. they approve all the recommendations for consumers and businesses for operating safely in the online space. that is a website that has a number of good recommendations. >> thank you.
5:04 am
i yield back. >> thank you. >> thank you, mr. chairman. i certainly appreciate the time. appreciate and agree that we want additional regulations. we are concerned about cyber threats and try to protect consumers as well. i guess my question is what role should the government take in combating the attacks. >> i think the key role that we are looking for is that information sharing on a timely basis. as unrestricted as the government can make it so that we can act on it to protect our customers. if the government has information about software and vulnerability, we would like to be made aware of that. >> what would be a timeline or
5:05 am
timeframe that you think would be appropriate? >> as soon as they know about it, sir. >> when you talked in your testimony before, each and every day you equated it to somebody ringing the doorbell. i am not so concerned about somebody ringing the doorbell. it is somebody taking a crowbar to the back door. can you talk to me how, for instance, the nasdaq, you identify these threats that are coming in? what are you doing at the nasdaq to identify this? >> yes. i would be happy to, congressman. there are several ways to answer that. i think one of the important steps is to become aware of who
5:06 am
the potential actors are and the most sophisticated out there. we're very much information -- very much interested in information sharing. we try to equip ourselves with who is attacking various financial institutions. and what tools they're using. another approach is to try to build systems that can withstand technology to a crowbar. we put a great deal of effort into technology. except for very specific and tell your protected and regulated, specialized channels for the use of trading information. one of the things we do is to
5:07 am
only allow a very narrow channel of communication into the trading systems. that goes through several barriers. here is a point that may not be obvious. when you're talking about regulating information that flows through a network, there are two main ways you can do it. one is to constrain where the information comes from. we can call that the ip address to be technical. the other way is to restrain what kind of information comes through. we can talk about what network comes through. we use several layers of firewalls to put the information that flows in and flows out through continually smaller and smaller filters. another point i would like to make, in just a moment, is that you're trying to protect -- i will use
5:08 am
the analogy of trying to protect our houses and the items we might have. it is not necessary to understand all the ways somebody might try to get into the house. in many cases, the defenses we build are proof against many types of attacks. we try to build as many defenses as we can. >> from each of your perspectives, i would be interested to find out. as we look at things we're looking at at the committee, what do you identify as the greatest threat you're trying to deal with right now? how can we in congress try to draft legislation to highlight issues that are out there today. i'll start with you. >> i'll go back to one of my tenets. essentially going after the bad
5:09 am
guys. really getting the united states to pressure foreign governments. if these governments want to compete, if you want to participate in the global economy, the cost to purchase it is that they need to demonstrate that they have favorable security legislation and demonstrate they are actively prosecuting and punishing the people that are responsible for cyber crimes. the issue that we worry about today and the prevalence of the, customer computers and the mobile space we have mentioned as well today. >> my time has expired. i yield back. >> thank you. >> thank you, mr. chairman. i appreciate all the witnesses being here and sharing your expertise with us. earlier you talked about
5:10 am
education and how that can help. tell me, how much of this problem can be cured by good computer hygiene and good habits compared to a much more active defense? >> the internet ecosystem requires a lot of players to act to make the internet a safe place for financial commerce. certainly, good computer hygiene is important. representative maloney mentioned the report. we have consumers who do not patch their computers. that is critical. we have to get the message out to people that that is an important step. and then the telecommunications and financial industries have a part to play as well. >> at what point will the
5:11 am
industry determine that they cannot allow consumers who do not run anti-virus software and maybe malware software to connect to your institution and perform transactions? >> that particular step to interrogate a customer's computer to do that requires agents that an institution would have to place on a customer's computer, so some may choose to go down that road to make that decision. what i would say is to go back to the guidance that we have that says to look at the layered security and what you're doing to validate. is that the customer logging in? do you think they are doing that transaction? and is this transaction in keeping
5:12 am
with that customer's pattern of behavior. there are things we can do without necessarily looking at the halls of this of that customer's computer. >> thank you. how many institutions, and i guess this is for the gentleman and maybe others who want to answer, how many companies use cyber insurance to help protect against liability? what percent of folks out there use that? >> i do not know the specific answer. i could probably get back to you. as you noted, it is in its second infancy. there was some talk about a decade or so. i -- we had some issues. i don't have an idea on the number specifically.
5:13 am
>> since it didn't really, in anybody's testimony, this inevitably the cyber -- cyber to be an important part of creating new requirements on folks without a law that we would pass, but a much more dynamic model like it is done on workers' comp for many other issues out there? >> i would answer that in the sense that i think it could be helpful in other sectors. i think it could be helpful in terms of the underwriting forcing the process. >> thank you. several of you have mentioned the security protection in sharing
5:14 am
act. does it allow the government to share information? i notice it has not passed in its current form. are there changes you'd recommend? >> congressman, what i would say on that one is that certainly, as an industry, we support any improvements we could make to the public/private information sharing that is happening today. we could certainly use more of it. that is another one to help get access to even more information. i think we can also enhance information sharing within the private sector where there are currently either perceived or real areas, from a legal perspective, that are preventing some of the sharing today.
5:15 am
we think that legislation could address these kinds of issues as well. we also would like to see. there's over one decade's worth of trust building. we would not like to place any additional hierarchy that could potentially introduce more into it. thank you. my time is expired. >> thank you. my subcommittee had a hearing a few months ago on a new entity created under the dodd frank bill. it was a storehouse for a lot of financial data. i was looking at some of our panelists today. a lot of you will probably be
5:16 am
providing that information. what kinds of connectivity, and this question came up during our hearing, how secure is all this data that the ofr is going to be mining from the financial markets? could you elaborate on your discussions and whether you have concerns? >> i will focus my comments on the protection as opposed to the disclosures made by ofr. the protection, ofr is part of security. that is kind of the macro picture. we have to work out ways that protect the information while it is in transit. the methods being used are somewhat ad hoc. that is an area we will need to
5:17 am
work on. when it to work on the interests of other parties and getting into that data. >> thank you. mr. graff? >> you put your finger on a problem, which is, how do we share that information securely? there are several methods to talk about. the technology is there. i think the more intense concern might be protecting it once it is in the federal networks. that is, frankly, a concern of ours. we want to work with the federal agencies to make sure we give them sufficient, but no more than they need.
5:18 am
we would also like assurances about the way they protect those systems as well. i think that is an important problem. it does encourage good security. i think there's a lot of room for improvement there, too. >> i am sorry. i'm not familiar with the particular regulation. >> ok. i want to go back then to mr. clancy. there are multiple aspects of that. one is the transmission of data. and then two, once the data gets to ofr, how will it be protected? who will then have access to that data moving forward and how will they use that data? and those are areas you have
5:19 am
some concern. >> i think access to the data itself is one of the key questions, both in terms of the progress of what is done with the data as well as how to defend against it being misused. what we mentioned earlier is that as their taken over. someone can use the data. we expect a high level of resilience. >> thank you for those comments. about market participants. we talk about those who use it. i was going back to talking about small businesses and individuals. the computers at home or their
5:20 am
laptops. there is a lot of discussion going on right now about using cloud top systems to store your data. my question is, is my data more secure in a remote location or is it more secure on my computer? >> a simple example, i have a neighbor who is a ceo of an intellectual-property-based company. his group is two people. anything he puts in the cloud will be better defended than he can do himself. our information in a public cloud would be very hard to defend at a basic level of service. >> that is a great question, congressman. for the average person, their own system is likely to be safe
5:21 am
enough to give them the security they want. it is a good practice, in general, to store the information with people who are professionally trained to do it. also, they assume responsibility for the data. that is an important factor, i think. these providers have a much more robust infrastructure to protect your data than at home. >> yes. >> thank you, gentlemen. >> thank you. i have a couple of questions as to the distinctions, if any, that occur on these cyber attacks. just talking today about banking online. is that correct?
5:22 am
or are we talking about accessing the 401k information? how broad does this get? >> cyber attacks are across our industry. they could be going against your checking account. they could be addressed to your 401k. we have companies that report this. it is not just that particular isolation. >> it is a 401k identified by a social security number. that is correct? >> blog providers used to do that, but they moved away from it. some more aggressively than others. the authentication is based on other data that is selected by the customer. >> which means it is not covered. >> the overall account is
5:23 am
protected, but they're not using the social security number as a user name to sign on. >> that is my question. at one time you would write a check, take it to a bank, and not worry about covering it for a couple of days. of course, that is all done electronically now. what about the electronic transfers between banks? have these ever been hacked? that you know of? >> the platforms have not. the access to accounts that authorize the platforms, those front end systems have been targeted. what of social security that mandates social security checks have to be deposited?
5:24 am
i mean, now you have a federal mandate. is that covered? have there been instances where the federal government has gone to transfer a social security recipient's check into a checking account and the money has not showed up? before it got into the actual account? >> i am not aware of any instances of that, sir. >> the last year on my e-mail account, someone came in. attacked the account. put out this thing that i was trapped in britain and the people to send $1,500 and actually got another member of congress, a democrat, to make sure i was ok. i thought that was generous on his part.
5:25 am
it took all my addresses. i had to reconstruct that. this is what we're talking about? >> we've been talking about things that cover that. that particular example, unfortunately, is a somewhat common scam. members might have known and then taken action to send money that it would've otherwise done. that is the technique they're using. behavior-based provocative messages. i guess the broader issue, really, is that he really does
5:26 am
not think online. i am serious. until you stopped by the office, i was present these were -- these commercial accounts were safe. you make a reference to accounts from members of congress and their campaign funds. how pervasive is this? should the american people take a look at whether or not it is worthwhile to bank online? >> that is the threat that my victims' group is trying to head off.
5:27 am
that cyberspace will become such an unsafe neighborhood that americans will just decide that they cannot bank online. my fellow panelists have made the point that individuals and small businesses cannot possibly have the cyber security expertise to secure online banking on their own. we make community bankers in your district become cyber security experts and spend their time studying bulletins instead of making loans to move our economy forward. the bad guys have won. even if they don't make off with a dime. your money is currently not safe at the bank, except at a small number of very large banks.
5:28 am
they employ multi-layer control processes. otherwise, whether you are randomly targeted like your yahoo account was, the same people could get your commercial accounts if you're banking from that pc. they could get your money. i do like the idea of buying a new pc to do online banking as a stimulus measure. however, as a $500 or $600 tax just for the privilege of using online banking, i am opposed. >> thank you. >> i would send you money if i knew you were trapped in europe. >> i'm not back in britain.
5:29 am
people click on a and somebody is selling the product out of their house. i guess the virus went through again. i got back 50 or 20 people saying you have been hacked into. >> your first mistake. do not have friends. >> that is easy because i'm a politician. >> [laughter] >> one i have a personal interest in, let's see if i can phrase it the proper way. we often, what we will do is shut down the server. but there is legacy software out there in the world sitting on
5:30 am
computers. my understanding is that we will have creative souls who will come in and set up a new high tech. how much of that is mechanic? because the residency on computers around the world is also correct. >> i think that is a very large threat. if you would allow me to defer to mr. weiss on this question, because he has been very active. >> am i phrasing it in the proper mechanics? >> that is absolutely fine. let me just elaborate. we thought it was a very proactive thing to do, to have customers protect themselves. a partnership. to laughter three of the very dangerous.
5:31 am
that is actually at the server level. this is an action to go after the command and control sector. >> what is residency on individual computers and systems? >> right. what we normally find is that we've talked a lot about this e-mail that people are clicking on. that is probably not the only thing you have been infected with. now that we have the command and control infrastructure seized from criminals, those computers are now phoning home to the good guys. instead of being under control
5:32 am
of the bad guys, -- >> what you get is a redirect. >> exactly. the debt forensic evidence. we will at one point be able to claim these machines. >> interesting. this one the chairman wanted me to ask. quickly. tell me. if you're going to do one thing, tell you it would be in security. >> we are blessed that it is easy to stop and the solutions are in place. so, just move the responsibility as she spoke about to the processors. my number one is we have to stop malware. if you look at all of these attacks on the pentagon, small
5:33 am
businesses, everybody, it is the fact that computers will run software that other people wrote who are not your friend. we have not figured out the anti-virus products stopped working over five years ago. we have not gotten them working again. we cannot detect the latest malware. >> we have to keep the ball rolling on the information-sharing. in june 2011, it became the third to become a regular presence. from that point to afford between the sectors, between the government, we made great strides to improve the relationships between the financial-services sector.
5:34 am
>> threat sharing. >> yes. >> i would take it one step further and say threat analysis. a lot of data flowing back and forth. or it could come from other sectors. but taking that data to know when you have the incident that really matters. or more importantly, we see the trend that is coming out and act sooner than later. >> i take a slightly different approach. i am very concerned about the supply chain. the possibility that computer manufacturers or others might be able to introduce pieces of hardware/software into computer routers. even network cables.
5:35 am
>> the advantage of physical barriers. >> yes. it is a problem both in hardware and software. the initial problem is, in fact, hardware coming out of, it appears to be a router with specialized chips. >> forgive me for going so over time. >> be simple. take the program i mentioned. make sure it continues. >> engage the telecommunications industry in this discussion to help. >> can you give me a little more definition there? >> yes, sir. because of the fact that they pass this traffic between us, our customers and thus, between other sectors, they are in a
5:36 am
situation in our infrastructure where they see this traffic, and if they're given the authority to dump it, that would get rid of a lot of problems. >> thank you. the gentleman from new york. >> thank you very much. last year the sec came out with guidance that financial firms had to disclose the cost of material cyber attacks and include a description of relevant insurance coverage to shareholders. how common is the use of cyber insurance by financial institutions now? do they have this type of insurance now? can someone answer? how common is it? >> it is not very common. that is the challenge. >> what factors are considered in determining whether or not an
5:37 am
institution has a cyber risk? >> the same factors that are used in all the other guidelines that we have are used to evaluate cyber risk and going through that application process. >> there have been some reports about pump and dump. what steps have the private sector taken, or federal regulators, to prevent so-called pump and dump? these scams are where they try to move the market by moving the price of a security in the accounts they have taken over? how common is this practice? i have read about it in the papers. is it common? or very uncommon? >> i do not have a sense of frequency. it certainly happens enough that
5:38 am
there is a group together out of pittsburgh. it is a policy or information for those crimes are shared. and then potentially referencing back. >> i would like to ask you about your great bank. it was the subject of a high-profile cyber attack in 2011. can you tell us what changes citi has made since then? what is different now? >> it impacted our credit card business only. since then, we have had many lessons learned.
5:39 am
lots of millions of dollars and people's time to improve the monitoring system that we have in place today to make sure that kind of breach does not happen again. >> i would like to ask anyone familiar with their practices if they support federal pre-emption of state laws. what specific differences in state law pose challenges and can you explain why you favor pre-emption? >> i will take the first crack at that one. one of the major issues for us is being able to reconcile more than 50 different state laws and regulations that we have to deal with when it comes to notifications. we have to figure out which notifications we have to provide, when, how much.
5:40 am
as the standard we can rely on. we think and the confusion of the customers are getting today. >> you made clear that you believe account takeovers continue to be a challenge at financial institutions. to what extent could regulatory changes address concerns or what legislation or actions are needed to address the problems that you perceive are there? >> of course, if you read my bio, you know i'm not in favor of regulation. in this particular case, to stop this crime and that we close
5:41 am
and, we reduce the amount of net regulations not make the sport community bankers study it. as she said, put the responsibility of those risks on the processor. in one case, the bank had the fraud controls in place, was paying for them but was unaware of it. brands-alerts, that they did not know to look at them. they were not responsible for transfers. they're getting these alerts. >> my time is expired. thank you. >> thank you.
5:42 am
>> thank you, mr. chairman. following up on the syllabus, there is a survey that is described in your written testimony that there is a drop in commercial account takeovers between 2009 and 2010. what do you attribute this large reduction in fraud to? >> the answer may surprise you. when we told our members of the most recent survey, they said customer education was the most specific driver of that. >> that was specific to corporate account takeover. >> ok. thank you.
5:43 am
in your testimony and a list of various communities and sharing groups that you have here, it seems like there might be too many of these groups where each are slightly different, so that we may have a lot of information flowing back and forth. potentially the correct information may never get to the right place. should we be streamlining information sharing, even as we seek to improve this? >> i think the answer is probably two-level. i think we do work very closely together across a number of the organizations and associations that we have.
5:44 am
we try to make sure that each of us is focusing on key areas and we're not wasting resources in terms of time and effort. specifically, information sharing. i think that within our industry we are doing a good job at sharing through all the information. i think when we start to think about sharing between sectors and between the public and private sector and having some of the standards that mr. weiss mentioned earlier and how the data gets formatted, how we can look at it collectively will be important because i do think there is a risk that so much data will come from so many different sources that we will miss the answer in the analysis and will not be able to do it well. >> thank you. we have been talking so much. people have been hacking in or
5:45 am
attacking. mr. clancy, you said something about enforcement. maybe this is beyond the scope, but how many of these people get caught? or do they? what happens? what is the penalty, and what happens? >> i do not have a specific answer on how many people were caught. the attacks happen in a time scale of minutes and hours. the law enforcement activity happens over months and years. the challenge is the difference between those two points and how we respond to them. on the minutes, seconds, and hours front, you have to focus on mitigation. that is why we focus so much on information sharing. >> would anybody else like to -- ok. i yield back.
5:46 am
>> thank you, mr. chairman. my question is for mr. weiss. consumers get a third-party liability protection. they cannot lose more than $50 on electronic transfers. some have talked about expanding that to business customers to help protect them from these account takeovers. that would shift the liability from financial institutions and potentially, i suppose, make the small businesses less interested in some of their protection, although i guess it does require them to immediately notify the system. is that a good idea or a bad idea? >> currently, commercial and small-business customers are covered in every state. we feel that has stood the test
5:47 am
of time. >> what is the coverage amount? >> that the standards need to be commercially reasonable. >> mr. weiss, do you want to? >> really, nothing else to add. >> if i may, what commercially reasonable means, as a matter of law, is the subject of 12 lawsuits. two of them were settled for 100 cents on the dollar just as soon as the banks saw what the judge had to say about their motion for preliminary finding for the defendant. one was actually won, so far, by the bank.
5:48 am
one was won by the victim. the consensus of the big security conference was that given the new 2011 guidance, going forward, it will be found currently to mean that the banks are liable. our victims' group has deep concerns about making small bankers liable for the risks that they cannot understand and cannot really manage. we would like to see those risks and responsibilities moved because it is possible that small banks will have to hold additional capital against the possibility that these large-demand accounts might have to do a refund because the transfers were fraudulent, not going back
5:49 am
and 90 days. this is too much for small businesses, too much for small banks. >> thank you very much. i yield back. >> this will be our last questioner to the panel. i do appreciate your patience. this is an interesting area with lots of layers. >> thank you. i bought a new computer a couple of years ago. the store recommended x co. anti-virus software. for different amounts you got different coverage. does this stuff work? >> it works to a point. the challenge has been that the innovators innovate.
5:50 am
they make sure their attack code is revealing. it is a cat-and-mouse game. does it two weeks later? >> it is worthwhile to advise protection. >> you're much better off with it than you are without it. >> when my account got hacked into last year and my contact lists were stolen, i called the rep from this company. the lady said that because the information on the e-mail
5:51 am
account was not stored in my pc, but somewhere -- i did not know if the word was the cloud or whatever else it was, is that this anti-spyware was unable to protect it. maybe you could explain what she tried to explain to me on the phone. >> sure. what happened, most probably, obviously i'm just basing it on what you said, is that your id, your user name and password, were compromised. the bad guy signed in from some other system to pretend that they were you to send some of these e-mails. as opposed to actually attacking your own personal laptop or computer you are using. because the credentials were stolen, it appeared to that mail provider as signing in with your
5:52 am
password so it must have been you. clients on your pc do not come into play because it was external to you. if that actually occurred when you're using your computer and not traveling. >> but the question is how did it get compromised? the typical way is they had malware on your pc that watched you enter your user id and password. stole it and transmitted it to that guy who could use it in that scam. you can recover a user id password on yahoo by answering questions they could research about you. there are other possibilities, but almost always it is malware. >> the reason i asked the question is that is an option to
5:53 am
take and about what is in the cloud now directly to your pc? would that make it more secure? would it open up everything else on your pc to that attack? >> it would make it less secure because the testimony here among the experts is that you cannot secure your home pc. the pentagon cannot secure its desktop pc. it would just be two places you could be attacked, not just one. you could lose your pc. it could be stolen from your house. >> computers would generate the telephone list of seven numbers and then, with a combination that would ring.
5:54 am
do people who do this take a look at somebody's name and then try to figure out different combinations of that? how individual is this? in the hacking that takes place? is it mostly on a fraud base so that everyone gets hacked at the same time? there through a $40,000 and it was just their district. >> i say both. there are commodity attacks that are broadly targeted. where your name is posted on a website or whatnot. and there are targeted hacks that are very convincing. you have sophisticated criminals doing those attacks and those farm team criminals doing the more widespread lead.
5:55 am
>> my account at yahoo really shouldn't have your name on that address. would that be correct? >> if you look at who lost money, it looks random. every time the banks sign somebody up, like your school district, for online banking, they get these reverse lottery tickets. if their number is selected by the criminal, $300,000. it does not matter if your name is included or not. they are just randomly and lucky to end up with malware on your pc to get your money stolen.
5:56 am
the criminals try everything. they try every attack, every which way. you cannot defend yourself. >> thank you. >> thank you to the panel. this is interesting. we will be spending a lot more time on this subject in the years to come. the chairman notes that some members may have additional questions for this panel which they may wish to submit in writing. someone is worried going to come in an objective that moment. the hearing record will remain open for 30 days for the members to submit written questions and place their responses in the record. i can almost assure there are two or three mayors here to a technical questions. thank you for your participation. this hearing is closed. [captioning performed by national captioning institute] [captions copyright national cable satellite corp. 2012]
5:57 am
>> today, chris matthews will be the speaker at the presidential foundation award honoring reporters on national defense issues. you can join us live at 1:00 eastern on c-span. today, the ceo of deutsche bank is the featured speaker on europe's fiscal crisis. he is expected to address measures taken by government so
5:58 am
far. the event will be hosted by the atlantic council. you can join us live at 5:00 p.m. eastern here on c-span. >> the president has a hard time selling an argument of economic optimism when, at the same time, people are not feeling it. the american people come in with the approach this election, they understand that we did not get into this crisis overnight. we're not going to get out of it overnight. >> it is what the people -- ohio, florida, virginia, what they think. what they think about their lives. is it getting better? is it getting worse? who is responsible? >> this past week, the national journal focused on the 2012 presidential election. watch the discussions online at the c-span video library.
5:59 am
>> this week on "q & a", douglas brinkley discusses his new biography titled "cronkite." >> douglas brinkley, on your book "cronkite" you say "i am now close with the entire cronkite clan." you say that after you read the book, in the acknowledgments. >> you are always wondering how the family will feel about it. his son lives in new york. i wanted him to read part of it. he liked it. there are mainly positive things about walter cronkite in the book.