the private sector in order to function. as i said before, we have some lessons to be learned about the inadequacy of what of the federal government is doing to protect its own information. i think it would be helpful not only when we repair that but i think it would be helpful not only when we repair that but make sure we facilitate the day- to-day engagement in information sharing with the private sector. i thank my colleagues who are on the panel, distinguished patriots as well for the opportunity to peer with them. i thank the chairman and the committee for the opportunity to share these remarks this morning. >> thank you for those remarks very, very much. congresswoman harman, please proceed. >> thank you, mr. chairman. as i think every member of this committee knows, i have great affection for this committee. i work very closely with your prior management during eight years on the house homeland committee and another eight years, some of them overlapping, on the house intelligence committee. later today at the invitation of colorado governor, i'm flying to denver where senator lieberman

and i are appearing on a 9/11 panel in denver this evening. >> i hope you'll give him my best. >> i shall. as my youngest daughter would say, your former ranking member, susan collins, is one of my besties. we stayed good close friends and we work together on the intelligence reform law of 2004. i also have great affection for all of us testifying before you today. worked very closely with everyone on this panel on homeland topics. and we continue to stick together, which i think is a good thing. 12 years ago today as the towers were falling and the pentagon fire was burning, i was walking toward the u.s. capitol. my destination was the intelligence committee rooms in the capitol dome, the place most consider was the intended target of the plane that went down in shanksville. my staff called to alert me that the capitol had just been closed

as were the house and senate office buildings. so most of congress, including me, milled around the lawn in front of the capitol. there was no evacuation plan. we had no road map for response. part of the solution which some of us recommended was to create a dedicated homeland security function. and that function we thought should be in the white house and tom ridge became its first coordinator. along the way the white house proposed a much more ambitious concept, and in order to get this function as part of law, we embraced that concept. then there became the department of homeland security. now, in its 10th year, i'm proud of my role as one of the department's founding mothers, and i think we should acknowledge today the thousands of d.h.s. employees who serve us daily, around the country and the world. as we speak, customs and border patrol agents are in megaports like the port of due pie and

they're screening u.s.-bound cargo for dangerous weapons and material. investigation agents are in diplomatic posts everywhere in the world and they're reviewing suspicious visas. and t.s.a. screeners are depriving al qaeda and other terror groups of the ability to turn more aircraft into weapons, a tactic we know they are continuing to attempt. today, as tom ridge said, d.h.s. remains a work in progress, but the efforts of its people are its backbone and our backbone. we have a safer country because of them. a year ago i testified here, and i noted some of the things that were going well at d.h.s., but i also noted challenges. and they include an anemic intelligence function, something tom ridge just touched on, the need for d.h.s. to focus more on its relationships with critical infrastructure owners and operators, something that's now happening because the cyberthreat is increasing.

and, as mentioned by you, mr. chairman, the failure of congress to reorganize its committee structure. today, as you mentioned, there is a very good op-ed in "the new york times" -- i buy the print edition, i want you to know, by tom kean and lee hamilton. lee preceded me as president and c.e.o. of the wilson center and we served as colleagues many decades ago in the house. i don't want to touch on all of this, but het me just briefly scope the good news and bad news since last year. bad news, we failed to thwart the boston marathon bombing. an exponential increase in cyberattacks, edward snowden and one part of al qaeda is in the boonies in yemen. there is good news. one, information sharing is improving.

i know there's much to continue. second, resilience. we showed resilience after boston, in particular, after the boston marathon bombing. and common sense is emerging in the way we approach homeland security, and to senator coburn's point, i think there's more support and there should be for a risk-based approach. collaboration with the private sector on cyber, that is happening, and credit should go to the -- i guess she's just retired -- to the secretary of homeland security, janet napolitano, for personally working on this issue. and we are getting ahead of privacy concerns. let me just touch on these very briefly, because my time's running out too.

information sharing, tom ridge talked about it. but the committee should take credit for the fact and the department should that homeland security grant money was critical. according to the boston p.d., it helped make sure that the city was trained to share information rapidly during the emergency. d.h.s. also participated in something called the multiagency coordination center, the macc, that was operational before and during the bombing and it was critical once the bombs exploded. resilience. a very important factor in our country's ability not to be terrorized. it's not that we won't -- if we fail to be terrorized, then the terrorists lose. the agency distributed almost $11 million to boston, just to pick boston, through its uasi mission.the money was used. it upgraded 5,000 portable radios for first responders, install a communication center inside the boston tea and conduct two city-wide simulator

disasters. this is a very good news story. similarly, in hurricane sandy, which went fairly well, fema activated in advance a national response coordination center which was critical in terms of preventing more damage and speeding the recovery. collaboration with the private sector on cyber. d.h.s. will never own the cyber mission but it is responsible for a central piece, which is critical infrastructure protection, and in the past year d.h.s. has tracked and responded to nearly -- get this number -- 200,000 cyber incidents, a 68% increase from a year before. we will never get a handle on this. as janet napolitano said about six weeks ago, she said that's happening. kudos to the department. finally, getting ahead of privacy concerns. the department itself has a privacy and civil liberties office. that office has trained many in

the fusion centers, 68 out of 78 fusion centers have received some training. there's enormous complaint out in the boonies about the invasion of privacy and it's important we do two things. one is protect the american people and two is to protect the american people's privacy. it's not a zero sum game. it can be handled with proper training and finally, the administration has fully populated the privacy and civil liberties oversight board which was created by the 2004 law and which was never functioning until may and that should be helpful too. let me just conclude by saying d.h.s. will continue to face difficult challenges, including al qaeda's enormous ability to evolve, the rise of lone wolf terrorists, the constant increase in the type and sophistication of cyberattacks, especially the risk of exploits in software and privacy issues. but most attempts to attack

understand since 9/11 have been thwarted for which thousands of selfless d.h.s. people deserve our thanks and so do our former secretaries of homeland security, starting with governor ridge over here. and so do members of this committee. thank you very much, mr. chairman. >> congresswoman, thank you so much. admiral allen, your whole statement will again be made part of the statement. please summarize as you see fit. >> thank you, mr. chairman, senator coburn, members of the committee. thank you for the opportunity to testify this morning. like secretary ridge, for the record, i'm not representing any particular entity. i'd note, however, that the op- ed piece that was published by lee hamilton and tom keane was part of an aspen sponsored part of the department of homeland security and i'm part of that task force, as part of the disclosure.

i'm pleased to be comrades jane harman and stu baker. these are people i've worked with over the years and consider them friend and role models. glad to be here with them. it's hard not to sit here this morning and not recall the events of 12 years ago. and what's transpired since the interim. i was the coast guard on 9/11, and what happened that day was something i never thought i'd see and that is a coast guard cutter off manhattan with the guns uncovered. it was a chilling sight. we closed the port of new york. we closed the potomac river north of the woodrow wilson bridge and resupplied ground zero because there was problem getting vehicles in and out. this was a consequence event for the coast guard as well. and i, like the members of the panel here, passed on our best regards to the families who were impacted by that terrible event. i have testified before this committee on several occasions since my retirement, and in each of the testimonies, including today, i've done a retrospect of where the department is at. i will say i was the chief of

staff at the coast guard when the department was established and led the transition out of d.t.o. into the department of homeland security. i've spoken over the years on many occasions on the conditions which the department was formed which was bureaucratic light speed in a little over three months. in association of trying to bring that all together, including it was in the middle of an appropriations year, it was between sessions of congress. i think secretary ridge was confirmed the day before he became secretary if i remember correctly. that's a lot of stuff going on at the same time but i think we have to move beyond the aggregation of entities that came within the department and try to get beyond that. you can talk about that as a means for why the department kind of is the way it is. but i think 10 years later we have to actually sit down and say what is going on here and where do we need to go? i need to associate myself with the remarks made by secretary

ridge and jane harman. they talked about the what. i'd like to talk about the how, because ultimately we need to, moving into the future, how to tackle these problems and the best way to do this. the occurring theme you're hearing is information sharing. because information sharing is the precursor to unity of effort and more integrated operations at the "in depth." not only in mission execution but in mission support. all the back room operations that actually enable folks who put boarding teams on, have t.s.a. inspectors screening people and that's h.r. operations and so forth. i'd like to talk in general about the border, resiliency, counterterrorism, law enforcement and cybersecurity. as been previously referred to. regarding the border, there's a lot of talk right now about the southwest border in relation to comprehensive immigration reform. while we move forward and define what the policy is going to be and what's going on with the number of illegal immigrants in the country right now, i think

we need to remember we have a border that's very complex and goes well beyond what i would call a geographically and described border. it's a functional border which includes the analysis of data and the movement of cargo that are never touched by human hands but are virtually carried out and we have to carry out our functions as a sovereign government in a global common in a variety of ways including air, land, cyber, sea. as we look at border security, i'd urge the committee to understand it's a combination of functions and it's a system of systems and it can't be reduced to oversimplistic fixes like fences or more border patrol agents. we have to figure out what is the nature of the problem and what is the best way to deal with with all the tools we have available. including the aggregation of data on all border functions into a fused picture that senior leaders can take a look at. i'm talking about all the different license plate reader programs, passenger information, information on private arrivals of aircraft and vessels and so

forth, bringing that together and putting that where there can be coherent analysis. and i think sensory information is incredibly important. we need to build an architecture that allows us to do it so we can understand how to react to them on the border. we need to visualize that for our leaders so they can understand what we'll call a common operating picture and that in turn can be discussed with folks here in the congress regarding oversight. and i think we need to look at along the southwest border, not every part of the border is the same, and boots on the ground and fences are not the way to control the border. we need to look at areas where say there was no traffic and conversations i've had with some folks in the department using satellite imagery and going back and taking several runs at a time and if there are no movements, you can pretty much say that's a low-risk area and start concentrating on where there is a risk involved there. i think in that way we can probably do a better job of how we're managing the border. congresswoman harman talked about national resiliency. i think it's extremely important and important because we need to look at it way beyond natural disasters and what fema does for

a living inside the department.i am in favor of risk assessments, focused on the most likely and consequence events that occur, easterly natural or man built. and that is population densities and risk they present and we need to figure out how to look at building codes, land use, going beyond current floodplain legislation and regulations associated with that and try and look at the behaviors that need to be influenced to change how we think and act at a local level. i think we need to improve our incident management doctrine. hspd-5 is a general framework for the secretary to manage incidents.

but frankly when you have these large complex incidents it's very hard to subordinate one cabinet to another in a very overarching way, especially in complex events. i think it's extremely important. if you look at the possibility that we could have a combination of events that starts with a cyberattack that gets into industrial control systems that produces a consequence kinetic effect, all of a sudden you have fema, mppd, the f.b.i. to the ncgi, a.t.f., and you have the overall management, we don't have a clear doctrine on how to move forward on that. and finally we need integrated national operation center for homeland security. the national response coordination center at fema is an excellent operation for what they do. the coast guard has an operation center. one of the big challenges in the absence of being able to consolidate on a campus of st. elizabeth is the inability to coordinate an operation center there to be able to coordinate and direct operations. i have some other points but i see my time is up. i'll submit that to the record. i'll be glad to answer questions. >> thank you. you got a lot in in five minutes. that was a lot of wisdom.

mr. baker, please proceed. welcome. >> thank you, chairman carper, ranking member coburn, members of the committee. it's really an honor to be here with members of the committee and members of a panel, all of us made promises to ourselves and to the country 12 years ago that it's a pleasure to be here to have an opportunity to continue and rededicate myself and the rest of the panel to those promises. there have been a lot of achievements in those 12 years, and d.h.s. has contributed to many of them. it has many successes that we've heard about from other panel members that couldn't have been possible without the department. it also has some failings that i think you are talking about addressing quite directly. the idea of reducing the number of committees that provide disjointed oversight to portions of the department would be an excellent approach as would be building the equivalent of the

defense department's office of the secretary of defense. we've had three great leaders of the department who, when they are focused on a problem, have made the entire department sit sing like a chorus. but when they've had problems that they can't spend one day a week on or one meeting a week on, the components tend to drift off. there's no institutional mechanism for keeping the department in tune and on the same tune when the secretary is pulled off or the deputy secretary is pulled off in another direction. so finding ways to build the office of policy, the office of management into effective

managers of many of those second tier issues would be very valuable. i want to talk mainly about an issue where i think most opportunity for progress is offered, and that is in cyber. this is a terrible crisis. we are not solving it. we are falling behind. many of the ideas that have been proposed are rather divisive. but it seems to me there are at least three issues that the department of homeland security could contribute to that may form a basis for less divisive solutions. what seems to be clear is that while we are falling farther behind we have also learned that we have more information about

the people who are attacking us than we actually expected to have five years ago. we know what their girlfriends look like. we know what blogs they write. they are no more able to secure their communications than weeen le to secure our networks. and in that offers some opportunity for actually bringing deterrence to bear, not simply defense. we cannot defend ourselves out of this cyber crisis. that's like telling people that we're going to solve the street crime problem by making pedestrians by better body armor. that's not the solution. we have to find a way to actually capture or deter or punish the people who are attacking us. how do we do that? it seems to me that one of the ways that we do that, law enforcement's very familiar with the idea of deterring and punishing attackers, but prosecuting the people who are attacking us, many of them

overseas, many of them associated with governments, is probably not the most effective measure. what we need is new ways of bringing sanctions to bear on the people that we can actually identify, and d.h.s. can lead that. if we use the law enforcement capabilities that the department has at i.c.e., at the secret service, integrate them into a smaller group, maybe on an experimental basis, with mppd and the defense capabilities and the understanding of the attacks, we could gather much more intelligence about these people and then bring to bear new forms of sanctions. again, something that d.h.s. can take a lead in developing. many of the companies that support these hackers, that hire them after they finish their service for government, the universities that train them need and want visas to come to the united states.

i don't know why we are giving them visas if we know who they are. we should find a way to come up with sanctions of that sort, or frankly sanctions of the sort that treasury uses today to deal with conflict diamond merchants or the russian officials who oppress the human rights of one. we have attacks on human rights right here in the united states. cyberattacks on tibetan activists and the like, we should be treating those attacks on human rights that occur in the united states every bit as seriously as we treat the russian government's abuses inside russia. and again, d.h.s. could be authorized to go looking for ways to bring those sanctions to bear. and then finally, with the private sector, it seems to me the private sector knows more about the attackers inside their networks than we will ever know.

they are more motivated to find the attackers and to pursue the attackers who end up as their competitors, which is often the case. what's being stolen is competitive information. it must be fed to the competitors, and those competitors are operating in our markets. and if we can gather that intelligence and close that loop, we can bring to bear criminal and other penalties on the beneficiaries of these attacks. that is not something we're doing now because there is not enough integration between the people who have the resources and the incentive to do that, individual companies who are under attack, and the law enforcement agencies that are totally swamped by the nature of the task. if we gave, if we experimented with giving the companies that are under attack more authority to investigate their attackers

under the guidance and supervision of the government, we could make more cases and impose more sanctions on people who are attacking us. so those are three pretty concrete ideas, plenty more in our testimony which i will ask that you read into the record. thank you. >> your full testimony will be made part of the record. thank you very, very much for your testimony today. i want to return to a comment, dr. coburn, several of you, governor ridge, and the issue -- i call it -- it's not just d.h.s., it's not just the department of homeland security. we have too many vacancies throughout the federal government. the administration released an extensive list of nominees. we welcome that. one or two are in this department. we are looking for -- senator johnson knows we are looking for an i.g. we need someone to fill that position in this department and a bunch of other i.g. positions

that are vacant. this is a shared responsibility. the administration has the responsibility and give us names of excellent people, honorable people, hardworking people. we have an obligation to hold hearings, vet those nominees and with the extent they do a good job, move them promptly. the administration needs to do their job. we need to do our job. we'll keep focused on that. governor ridge and i wore different uniforms, he in the army, me in the navy. there was a popular movie called "five easy pieces." if those of you remember, jake nicholson. great movie. i think a comprehensive -- a comprehensive cybersecurity policy is not five easy pieces but maybe six. i want to mention them and then i want to ask a question each of you about one of those. one of the pieces -- critical infrastructure. are we -- best protect our critical infrastructure, that's a shared responsibility as we

know. another piece, information sharing. i think every one of you touched on that in your testimony. third is we call it protecting the -- federal government's networks. fourth piece is work force. governor ridge and i talked about this recently. how do we make sure that d.h.s. is able to attract and retain the kind of people they need to do their job in this arena? research and development would be a fifth piece. another one falls outside our jurisdiction but important one is data breach. how do we reach to those who breach data, it affects a lot of people's lives? that would be the six not so easy pieces that we're dealing with. i over the past couple years, the department of homeland security has been playing an important role in protecting our federal networks and working to try to secure our crippled

infrastructure. unlike the specific statutory authority that defines the f.b.i.'s, our n.s.a.'s work in this arena, the department of homeland security's authority comes really from the patchwork of presidential directives. it comes from policy memos. it comes from vaguely written laws. in fact, one way i heard it described, as far as cybercapabilities go, if the n.s.a. has a doberman, the f.b.i. has a german shepherd, then d.h.s. has a chihuahua. nothing against chihuahuas, but they need a bigger dog because this is a big fight. we need to figure out what to do. while i say d.h.s. is much further along in developing cybercapabilities, some people give the department credit for, i think we need to provide the department with clear, statutory authority to carry on their current activities so it can be compared to something a lot

stronger, a lot more formedible than a chihuahua. let me just ask each of you -- do you believe that it's important for the congress to empower the department, this department with clear and explicit statutory authority to carry out its current cyberactivities, these activities include working voluntarily with the private sector to protect against, to prepare for and recover from cyberattacks? and would a better defined statutory mission of the current cyberactivities, current cyberactivities, help to strengthen the department's cybercapabilities? governor ridge, lead it off, please. >> senator, i think the enabling legislation that created the department of homeland security and embraced in a strong bipartisan way with the house and the senate basically set up

conceptually the very idea that d.h.s. would really be at the ep -- epicenter of engagement down to the epicenter of engagement down to the private and local sector. with the original intent of congress in terms of the role that d.h.s. plays. secondly, i think any gray that exists in the alignment of d.h.s.'s relationship with the private sector, particularly, probably creates a great deal of confusion. right now i think the private sector is reluctant to cooperate from any reasons even to share information because of the absence of liability protection of those sorts. i realize you aren't asking that. i think if there is a gray area that can be cleaned up and there is a direct line of

responsibility -- by the way, you have the opportunity to hold them accountable that are not doing their job. you have been assigned some tasks. we don't think you're providing these very well, you can hold them accountable. thirdly, i'd say, by the way, it would be important to do two things. one, it would be important to resource the department appropriately. look, the men and women in d.h.s. right now that are working on cyber, government generally, let's face it, probably a lot more potential lucrative opportunities out there in the private sector. we have some real patriots. they're working hard on cybersecurity matters because they believe it's their contribution to their family's security and their country's security as well. we probably going to need to look at some kind of compensation adjustment to keep some of the best and brightest with us for some time. one is enabling legislation. two i think clarity would enhance the kind of voluntary collaboration that i think is absolutely critical between the private sector and the federal government, vis-a-vis d.h.s. and if it will be a mandate they need to be properly sourced. >> congresswoman harman, the current cyberactivities help strengthen the department's

cybercapabilities? >> my answer is absolutely yes. the administration did issue an executive order last year which is somewhat helpful but it would take legislation and secretary ridge outlined a lot of the issues. there's been a difference of opinion among people up here about how robust d.h.s.'s authority has to be, but the bottom line problem is that the private sector doesn't trust d.h.s. that has been overcome to some extent by the really impressive efforts that secretary napolitano has made in the recent months to reach out for industry and there literally is a floor at the d.h.s. headquarters where the secretary and others are working together on cyberthreats.

that's a good start. i just want to add a robust endorsement to your point about swiss cheese. there are a couple of nominations that have been made by this administration, and one of the nominees i know very well much she's been nominated for undersecretary for nppd which is in charge of the cyberfunction, and i just mention her to all of you. her name is suzanne spalding. i hired her to be the staff director of the minority on the house intelligence committee, worked with her for years. before that she was executive director of the national commission on terrorism on which i served which was then chaired by jerry brimmer, as many of you know, a commission that predicted the attack on u.s. soil. one of three commissions were not paid much attention to. i would recommend the guy to my left as new secretary of homeland security. thank you. >> i would ask if anyone wants the nominations closed.

there is no shortage. we need the administration to pick one and send us a great name. suzanne spalding, i think we have a hearing for her next week and my hope is we'll move that nomination quickly. she's an impressive nominee. admiral allen. same question, same question. >> it's a tough statement to follow but i'll try. i think there are three things we need to look at. i don't think you need to look at d.h.s. authority and isolation. the first one is the current status of fizz ma which is basically a regulatory compliance tool to try to ensure that proper information security is being dare carried out in the federal government. they are trying to move away from a checklist mentality to include mitigation and measurement at the gateways so we actually know what's going on. that will be enhanced shortly by a dash board which will pull

that information up, allowed it to be shared across the agencies. that's a phenomenal step forward but been largely done through the congressional and appropriations process where money was provided to actually go out and solicit for that work to be done. i think we need to move forward and figure out how we'll transition from fisma to continuous monitoring of our circuits and how to move that information around. secondly, as jane mentioned, the executive order on the cybersecurity and infrastructure protection has lay out a number of very important steps, a framework for the private sector that's been formed by nist right now. we need to go beyond the e.o. regarding liability and what are the prohibitions that keep the private sector from being involved. you have the fisma revision. you got the e.o. on cyber, which is going to take legislation to completely solve that. i think both other panelists have said that.

finally, what are the authorities and the jurisdictions that d.h.s. would need to do? if you put all three of those together i think you have the complete package and i think legislation is needed but it should not be separate from legislation that addresses the issues with the private sector as well. >> thank you for those comments. lastly, mr. baker, better define statutory mission of the current cyberactivities that d.h.s. helped strengthen that department's cybercapabilities? >> yes, i think in a couple of ways. first, the technology is always evolving and yet the law that we're operating under is 10 years old, at least, in many cases. authority was simply transferred. and fisma is a great example. doing security checks that would take -- occur on paper and take months to accomplish. yet, the department is now actually rolling out technology that will perform much of the fisma checks in three days. and it's important to revise the law so it takes accounts of those capabilities and all of the security measures that are

being developed in this area. i would certainly support the idea that working with the appropriators is the best way to do this. having a single unified appropriations process by the department is the saving grace for department. and the more of that that can be done the better. similarly, the second point that i'll close on is that in many cases, the authorizing legislation needs to make clear that while the national security agency has a big dog, it's an important participant. i used to work there. very supportive of it. but everyone in the country needs to be reassured that when we're talking about cybersecurity, it's d.h.s. that's setting the policy and dealing with the data, not the national security agency.

so what i would say is maybe d.h.s. doesn't need so much a bigger dog as a leash. and authorizing legislation can provide that kind of reassurance to the american people. >> thank you for those comments. how do we better honor the loss of all those lives 2 years ago 12 years ago this morning? do we join some of our colleagues on the steps of the capitol for an observance or do we better honor their lives and their loss by continuing to do our work here today? we believe the best way is for us to continue doing that. we'll continue going through the 11:00 hour and give us a chance to really drill down on some of these important issues. with that having been said, let me yield to dr. coburn. >> well, thank you, mr. chairman. couple points on what i heard here today. the homeland security budget is

twice what it was when you had it. everybody knows we're resource poor right now. and the question is how do you put metrics on what homeland is doing? number one, there's 45 opened areas from o.i.g. that have not been addressed by the department of homeland security on recommendations that they essentially agree with but they've not acted on. i don't know if that's a priority problem or a resource problem. but that list is growing. second thing on fisma, bobby is a great leader at homeland security. if we had 100 bobbys, we could all sleep great at night. but the fact is fisma is going backwards according to the last o.m.b. report, not forward. so i'm hopeful, based on what you said, admiral, what you said and you, mr. baker, in terms of improving that.

the other point i'd make, i asked c.r.s. to give us what statutory authorities homeland security has. they had most of the authorities they needed for everything. as a matter of fact, when secretary ridge was secretary, he had them start all these things under these authorities. so we need to ferret out what we need to do to give increased authority. the things that i'm concerned about, first of all, we can't afford to duplicate things we're doing at n.s.a. we heard from all of you, we do need -- every time we've seen a problem since 9/11 is because of either a stovepipe or an individual judgment that was made in the wrong direction. even with boston. i mean, if you go to the intel on all that, what we know was we had some errors made by individuals and/or by process, rather than have flat, good horizontal communication that was real time. and so tom and i -- tom carper

and i don't disagree what the goals are. the question is -- the disagreement is how do you get there and how do you hold people accountable? so information sharing is the key for us to be flexible and highly responsive when it comes to threats for our country -- to our country and how we respond to that is important. jane, you said something that i think is really important. the confidence level by the public and the private sector in terms of d.h.s.'s capability to handle this is a key hurdle we have to get over. and what we have to do is we have to walk before we run. and we've been crawling, and now i think we're walking, and i would attribute some of that to the most recent secretary, but also to bobbie and her crew and what is going on there. the other thing is privacy is a big deal.

we've seen that. but we had a lot of problems at fusion centers with privacy. we put out a report that showed that. and they responded. they were starting to respond before that. but there's no privacy policy associated with the drones, with d.h.s. right now. we have an open letter that hadn't been answered. what are you doing about it? and yet there was no consideration of privacy as they made the policy moving forward use of drones. there are big problems for us to address. i guess what i would ask is -- and by the way, i need to make a correction. the president has nominated four positions out of the 15, not two. so i stand corrected on that. office of general council, nppd. so the question i'd ask, how do we make -- what do we do -- how do we incentivize to make sure we have real-time sharing across

all the branches, one? number two is, how do we reform congress' oversight of d.h.s. to where we limit the committees? tell me how we do that so that we can make them reactive in a positive way and not spend so much time up here on the hill but have good, clear communication and single authority coming out. we have most of the authority for homeland security, but that's not true in terms of a lot of other subcommittees. so your comments on those. i'd like each of you to address that if you could. >> i'll be happy to volunteer to begin the conversation. i must tell you, senator, that i think your frustration with the growth of the department in terms of personnel and dollars is something that i share a

little bit. more is not necessarily better. i remember my first year as secretary, well-intentioned congress on both sides of the aisle wanted to give me more money. i said before you give me more money, better take a look at it and say if we're doing an effective job with the money we already have. i think you and senator carper bring that mindset. some would be from 180,000 to 240,000. i do not know what the number is. i have no idea where the additional bodies needed. notwithstanding the increased personnel down at the border, c.b.p. and i.c.e. the failure of this institution of congress and the united states to consolidate jurisdictions so there are no end runs to protect vested interests that have been -- that have been existing in silos for a long time. i think the only answer to that is the will of this body to effect a change.

so a small group of republicans and democrats in both chambers with nearly exclusive jurisdiction, you're going to see through the process, it's a little byzantine, everybody has allies in every committee, both in authorization and appropriation levels, we really need to do that. i think if you can consolidate that responsibility, i think you can effect the kind of change you're talking about. it's amazing to me that the congress would ask two of america's great public servants lee hamilton and tom kean, to spend a year and a half, two years, take all that testimony and say we as a congress want to know how we can help the new department mature and how we can make our country safer, and two of the most obvious and needed recommendations made 10 years ago, consolidate jurisdiction and provide a public safety broadband network so police and fire and emergency responders can handle future crisis, and we're not there. >> risk-based rather than all- hazard. >> third is risk-based.

they're starting to do it at t.s.a. i mean, i'd like the preclear program. i know john has done a great job. moving in the great direction. quit arguing about a fail-safe border, security platform. you'll never make an absolutely secure border. what we want to do is reduce the risk. we have to risk manage the border. we have to risk manage commercial aviation. we have to risk manage everything across the board. i think at the end of the day, senator, if you're looking to achieve the outcomes that i think generally shared on both sides of the aisle, the commitment's that strong, i think the republican and democrat leaders in both chambers have to sit down and say enough is enough. one final antidote.

and i say with respect. with my 12 years on the hill. i can't tell you how many times we've been working for a vote and leaving a subcommittee hearing and there would be lament among the members, geez, we have five or six hearings today and we have to run from here to there and everybody decries the pressure on legislators to do their job effectively in all these committees and subcommittees but nobody wants to relinquish the seat on the committee or subcommittee. may not be voluntarily relinquished. if the leaders in both chambers say, it's done. we are making these changes. homeland security doesn't report to 100. it will be reported to five or 10. it's done. you have to get leaders in both chambers and both parties to agree. it's at the epicenter of solving the problems you addressed. >> strong letter to follow. [laughter] >> mr. chairman, let me apologize in advance. i have to leave at 11:00 because

i serve on foreign policy board to the state department which has been rescheduled three times but it is today and the meeting with -- >> we understand. we are just delighted we are making that time count. >> 11:30. all right. so i apologize. let me just address reorganizing congress, which i think is absolutely essential and will be very difficult to do. i was in the painful discussions, maybe senator baldwin remembers back in the day about the need for more jurisdiction for the house homeland security committee and the pitch was made and people nodded and then someone from the house commerce committee stood up and said oh, no, this option of interoperable broadband network is central to our jurisdiction. so, no change. and people in this institution on both sides earn their power through their committee positions.

and giving up power in this institution is not something people will do voluntarily. so i agree with tom ridge that the leadership will have to basically require it, however. the leaders earn their powers through the loyalty of their members and making members shrink their own power is not really helpful to leaders holding power. so i don't know how the thing changes but until it changes, we won't have the robust homeland function that we should have. just one other comment as i kind of implied 10 years ago. the concept for the homeland department is more ambitious than some of us would have wished. it was the white house to put agencies and departments together. some of us thought of a more

modest function between the coordinator and the white house. but we took it because the administration was behind it. so it's a daunting task to make this thing work. at this point, i don't think we should rearrange the deck chairs in the administration. but if there is a way and maybe the members here have more power than members i have observed back in the day, if there is a way to reorganize congress to give the committee more power, i think this country will be more safer for it. >> admiral, do you want to? >> thank you, mr. chairman. >> as i stated earlier, i spent several days out at the annenberg foundation with lee hamilton and tom to produce the report that was set out today. my proposal would be attached to the record because there is a detailed discussion rather than

take the committee's time here. i wouldn't have served on that task force if i didn't subscribe to that. there is a subcommittee for the coast guard there. i spent four years as commandant of the coast guard without an authorization bill. fishing vessel safety to unregulated small boats and never were able to be addressed and if they were, committees would assert jurisdiction. very, very time consuming. if you look at some of the issues we haven't been able to address and some of those are in the aspen report, there is a lot of issues on the record that have been raised, the issue of security for general aviation aircraft. that is another one moving forward. only other point i add to senator coburn's comments, what we are trying to do with flood insurance, it's very instructtive.

those that bear for the risk don't pay for the risk. we have an extraordinary amount of liabilities trying to pay off the claims from hurricane katrina. on the other hand, you start to let the flood insurance fees rise, you have issues with local communities. and what you have to do in the long run is get ahead of all of this and change behaviors on land code and zoning use which is a more strategic way to deal with this but you can't do this with four, five committees asserting jurisdiction over the problem. >> i fully support the idea of reducing the number of authorizing and oversight committees. let me talk about two ways we can address senator coburn's concerns about the budget and some of the other issues. it seems to me that proper authorizing legislation can set the framework for actually saving money in the budget.

and i'll give you two examples and you raised one. the question of duplicating n.s.a.'s capabilities makes no sense for d.h.s. to try to do that. n.s.a. has built up capabilities for over 50 years that d.h.s.'s mission will never be funded. they have enormous capabilities. at the same time, both the american people and the department of homeland security wants some reassurance that if they lean on d.h.s. to use those capabilities that they won't discover that policies being made defacto, privacy policy in particular by the people that they are leaning on. so language that could create an authorizing legislation that sets aside d.h.s.'s authorities and leaves it in control of this area, drawing on n.s.a. for talent and for tools and technologies that it already uses, you will end up saving money by relying on existing capabilities. and creating at the same time,

reassurances for people about how that reliance will work the same thing, it seems to me is true if you can build a planning process, a budgeting process that uses integration, office of secretary of defense- type capabilities to say how can we reduce the budget effectively, how can we eliminate redundancies by looking at the authorizing language and if we do that, we will be building the capabilities of what i described as the second tier so that the secretary doesn't have to sit down and get out and start ag asking about the 14th line about individual components. but that is being done by a

staff that is trying to eliminate redundancies. by creating the right kind of authorizations for those central staffs, you set the framework for reducing the budget. and last tied to that, it seems to me that until it comes when we have eliminated many of the authorizing issues, one of the things that this committee can do is build a relationship with the appropriators so when the appropriators are asked about legislation that arguably is authorizing on appropriations, they know that this committee has looked at those ideas, have thought about them, has vetted language, creating authorization language that may in a pinch end up in an appropriations bill, is worth considering at least the short run until we get to the promised land. >> thanks, and i realize we have senator baldwin. he has gone to the observance. we have gone well beyond the five minutes as you know and i

thank you for your patience. i thought it was important for us to allow this panel to answer these questions in the thoughtful way we have done. we have spent going from one place to another, in and out as you know. and this was a very helpful series of questions and responses. senator johnson is next. this is an excellent hearing and i'm pleased the way it's going. jane, we'll give you the first rights and then you can leave.

>> thank you, mr. chairman, and thanks to this panel for being here today. mr. chairman, i join everybody in remembering the families many from my state that were tragically impacted from the events of 9/11. certainly watching this in new jersey. the most recent events that we have seen that really get to the issue we are talking about today, the bombing at the boston marathon. and at the time -- and i have read this issue before when we had commercial davis and others to talk about those events. and i was serving as attorney general. i remember being in my office and learning that there were contacts as to what was going on

there in my state. and i remember -- and our state police and everybody did an unbelievable job that turned that around to make everybody proud and we want to make sure that event doesn't occur.i have the same question, and i have a time constraint. and i would like you to answer first because you have a time constraint, do you think we have the appropriate -- currently have the appropriate client among the people that are responsible for having developing and sharing the information necessary so that that information is flowing appropriately to get secretary ridge's point, we aren't overly siloed. be it from a cyber perspective, a terrorism perspective, whatever these perspectives, it is making sure the information

gets to where it needs to get. and i ask you to talk about your thoughts on the current climate of the way that information is shared among the people that are responsible for sharing it. >> thank you, senator. i would give us, as i just said, an f for re-organizing congress. it is sad that congress has a 19th century structure to deal with 21st century evolving- threats against our country. but on information sharing, it is a "b." it's not an "a." i am looking at tom ridge. >> a "d" or a "b"? >> b. not an "a." but the challenge was to break down silos and to create opportunities for people to actually know each other, which is one of the ways you build

trust and enable information sharing. yes, there were mistakes in the boston marathon case. the tide list didn't get to the right folks and the f.b.i. didn't follow up and a little of this and a little of that. however, once the event occurred, boston -- the surrounding p.d.'s, the state of massachusetts and all of our federal law enforcement agencies and homeland came together in almost a seamless way in using video, including people's hand- held phones, they were able to focus on them quickly. that's why i say it's a "b." an "a" before action. it was probably a "c." this is improving. i want to mention that we haven't talked about and something i know a lot about based on my role on the advisory committee to the d.n.i. and some of these other intelligence places that i stay connected to, and that is the dark side of

information sharing is that it enables snowden or others to get too much information and to use it for evil purposes. our goal is to build the trust and horizontal arrangements and put in safeguards so people with bad not iffs inside or outside our system can't abuse it and i don't think we mentioned that and that is part of the challenge going forward. >> thank you. secretary ridge. >> well, i would have the great pleasure of working with i had to remind everybody that the hs does not gather information. we rely on the alphabet agencies to provide it and the state department did not give the information to the hs and the berd, and dhs should not held accountable but they are. there has been a revelation that the fbi in two different venues

hassan wasthat emialing the radical cleric. dhs's spot. question inth your regard to boston. i do not think that the fbi is on a speed dial arrangement with the kremlin and i would like to know personally how often the kremlin picks up the phone and says we think we have -- you have a couple of terrorists and your missed -- in your midst. i am not faulting the fbi. i do not know whether or not the federal government generally russiang the fbi, took intelligence communication as seriously as they should have. i think the response to that

incident was phenomenal. dhs did not get the credit, there were grants that is out and the training program, all that was done under dhs but that is triage after the incident. that is why information sharing is so critically important. let's assume the breakdown of a silos -- write-down of silos. someone has to take a look at classification. the easiest way for the agency to deny access to and i am concerned about the private sector is to say it is top secret. to take a look at the classification. i have seen the things that were classified top secret that i know you could have shared with folks at it would not do harm to sources and methods create classification is very important, particularly for serious information sharing. and finally attorney generals

have to know more information about what is going on. i am one of those folks, you cannot secure this country from inside the beltway. federal agencies have to entrust and trust high-level law enforcement members in all 50 states with information about what is going on. i would venture a guess that you have no idea as all the investigations did not. i think it is a huge mistake. people say somebody may reveal that information that was shared. there will be consequences but i think we need to expand the network with fellow americans. we have to start trusting them. you cannot keep the information in here. that is my response that inquiry and we need to look at

classification. it is overly classified which is a reason not to share. trust americans outside to keep the country safe and secure. >> we have the opportunity to be briefed and every attorney general asterisk action -- jurisdiction is different. to get to your point, others have made these relationships, the first time you're talking in a be after an event. talking before and having some trust and having seen somebody is invaluable once the event starts so there is no hesitation. that information has to get to the decision-makers and the rescue workers and to whoever else is involved. i appreciate your thoughts. i do not want to hold up senator baldwin.

i would love to hear from the other panelists, two. >> are you ok of the other panelists respond? let's just do that. >> thank you. >> rather than repeat some of the points, let me take a different spin on this. when you look at counterterrorism and the great expansion of organized crime and illicit trafficking, we note there are growing linkages there. whether you're a terrorist or criminal you have to keep -- talk and move and spend money. every agency operates on a case doctrine and there is usually confidential informants and sources and methods. that is usually the root of classification. that our laws

enforcement structure has evolved against business lines of the bad guys. firearms,all, counterfeiting. all managed i a lot enforcement agency that manages at the case. we are dealing with networks, illicit networks. that generate cash however they need to to perpetuate their regime. we need to do is attack the network with a network and i think the greatest case for information sharing and the greatest case for better integration domestically and internationally is to move to a way to look at these challenges as network challenges and how do we move across dealing with their business lines which means you are taking down one franchise. you're not dealing with the root of the problem which is how the network manages itself, threat financing, how the money moves and how they can indicate. that is the number one cost per

andon -- cause for action information sharing. >> three thoughts on this. one that i offer only tentatively because i do not all the dashed i do not know all the details. brother came back from russia he entered the united states and we had the chance to interrogate him, we had the chance to look at his electronics as he crossed the border. we did not do it. my impression is we did not do it because at that point, the fbi had closed its case. one of the questions i wonder about is whether dhs and cbp have deferred to much to the fbi. we have an independent responsibility to protect the united states and the fact that the fbi closed its case is not necessarily reason not to ask questions of somebody who has gotten the kinds of intelligence reports that weren't.

second, one of the things -- >> let me correct the facts. your statement is an error. the information was sent to the joint terrorism task force in toton but it was not relayed the customs and border patrol at kennedy. >> ok. then there were failures of that cost usharing something. something significant. we learned after boston how valuable cameras can be. valuable in stopping crime, they are valuable in catching the people who carry them out. in the bombings in london. -- boston. a lot of cameras have not yet been installed in city centers. we do not need them hooked up. we do not need to be watching them but we need to be recording

so if something bad happens we can go back and figure out what events led up to that. we should be encouraged -- encouraging the installation of those cameras and people have privacy worries we should have them rewrite their hard drives as opposed to send the data anywhere. and third, on the information sharing point, i thought jane harman was exactly right. information sharing creates risks, creates snowdens and mannings, but they look a lot like the chinese hackers who have compromised computers. and same tools that help us to provide better cybersecurity and will provide us better audits and will protect as well because we will be able to tell whose accesses information improperly. one of the things that this

committee could do, that d.h.s. could do is make it clearer to the state and local entities that get grants that they can use that money for cybersecurity, audit technology that will allow them to meet all of those requirements. >> thank you. >> senator baldwin, thank you for your patience. take as much time as you want. >> thank you, mr. chairman, ranking member for holding this hearing. i thank our panelists and congresswoman harman for your service to our country. and i appreciate each of your sharing your analysis and appraisal of where we have come in the last 10 years and where we still have to go. i want to focus my questions in on the larger issue of cybersecurity and incredible increase in cyberattacks that we

are experiencing. and i would like if you could and start with you, mr. baker, to talk about any distinctions that we should appropriately make with regard to economic cyberattacks versus the threat of cyberterrorism where the goal might be to take out part of the power grid, for example. and i would like to focus in -- you ended your testimony a little bit with the private sector being in a position where they have more intelligence on their potential competitors, but i think you were talking about economic cyber attacks in that arena. so the question i have is, what can we do better with existing authorities? and then the second question that i would like to hear from all of you about is, i don't

know how long the journey will be until congress actually passes legislation on this topic to supplement the executive order and to respond to many of the issues that have been raised, but there has been lots of comment and secretary ridge, you talked about don't make this prescriptive or regulatory. i wonder if there is a distinction we need to make when we talk about critical infrastructure because people depend upon that and it may be private, but it is to the public benefit without question. and should there not be some additional obligation, some prescription, if you will, because of the level of

importance of that critical infrastructure? if you don't mind, mr. baker, i would like to start with your reflection on those questions. >> there are two big worries in cyber. one is what you might call economic espionage in which all of the attacks are aimed at stealing information. and we have seen enormous amounts of that aimed at practically at everybody who might be of interest to any foreign government with any capabilities in this area and probably everybody on this panel and certainly everybody on this committee has been attacked in an effort to gather that information. that is a serious pandemic problem right now. sabotage or cyberwar, designed to break systems so they don't serve us is a very serious possibility. i'm not so sure about terrorism. i'm not sure it has been healthy for al qaeda leaders to use the internet in the past. but state-aided terrorism, if we

actually did attack syria, i think you would have to worry that iran or hezbollah or some organization assisted by them would age in cyberattacks in the united states designed to cause failures in financial or industrial control systems and those could be very serious. all of those attacks tend to use the same basic techniques. you break into a standard commercial network and try to hop to the industrial control network that you can break and cause serious damage. and so stopping the espionage attacks, making it much more expensive to steal secrets is our first and highest priority. under existing authorities, we do have authorities to investigate -- first, companies

know a lot about who is in their network. i represent a lot of them and experts that they hire will say, oh, yeah, this is this unit of the peoples liberation army or some other criminal gang. we know by the things they're doing, and the code they are leaving behind who it is and will tell you what their tactics are going to be for the next 24 hours and what they are trying to steal and why. they know a lot just looking at the activity on their network, something that may not be available to law enforcement. what they can't do is go to the command and control septemberers being used to steal the information. you need law enforcement authorities. law enforcement doesn't have all of the background information.

we need to find a way to use existing law enforcement authorities and the existing resources and information that individual companies have to actually track those guys back home and then begin looking for reasonably creative penalties that can be applied again, using existing authorities we can deny visas for any good reason. the president and congress can impose financial sanctions on individuals who have committed this kind of crime. we have lots of authorities we have not yet used. >> i think the progress that has been made with the executive order that was timed by the president regarding cybersecurity and protection has taken a step forward. until you start dealing with the issues about proprietary data there is a hesitancy of the private sector to get on board. the conversation has been started in the last two weeks with the release of the draft, voluntary framework by nist is going to advance that discussion

further. there are some critics that have said that is too general and not detailed enough to be effective. my position is you start with a 1.0 version and go to 2.0 version and having that conversation and involving the private sector is what is needed. if you look at this problem, this is a classic case of macroeconomics and what's the inherent government role and what should the private sector be doing. and there is not a consistency in the country about where those roles are. whether the government will control that is a command and control system. i think to figure out a way to share the information that is held classified within the government and get it out to the people that need it if they are attacked and get the information out of them and potential civil

or criminal penalties associated with that. i will say this and there are a lot of people out there trying to work this problem. i have had the opportunity over the last couple of years to work with an organization in pittsburgh. it's a 501-3-c organization. and local f.b.i. office and have developed a way to create a metaphorical switzerland and capable of walking across the hall and under the protocols and building trust and so forth. we have to figure out a way for the parties to come into an area where they are free of risk, organizational risk, to provide that information and exchange it. it's not going to work. and of all the conversations i

have had regarding this complex problem. the organization has come closer to figure out how that works. and i would suggest the committee may want to reach out and talk to them. >> quite a bit of progress has been made since the establishment of the department with regard to addressing cybersecurity, although we have to admit in 2003 when the enabling legislation was created, there was no one, i don't think, that was as totally as concerned about -- some may have been -- the emerging threat about cybersecurity. we commercialize the internet in 1992 or 1993 and it's the backbone of everything we do. so the sensitivity and concern with regard to distinguishing between what is and economic inet and what is a defense or offense-oriented is a legitimate

one. you have nation states, you have terrorists, hackers employed by nation states, organized crime. there are multiple challenges in dealing with this. even if we can attribute, if we actually attribute who the attacker was and maybe the determination of the consequences, what do we do about it? what do we do about it? that speaks to the kind of collaboration that focuses on information sharing in a true public-private partnership with the private sector rather than compliance. with due respect to my profession, as an attorney, i don't see compliance lawyers as being the best means of assuring that we have enhanced our security in this country, because a regulation means there will be a checked block. and you did what the federal government did what they wanted you to do. and frankly, the technology available today, offensive and defensive as we speak is changing and it will be different tomorrow and the years ahead.

i think the best insurance right now is to take the embrace whether it is pat gal ager from gallagher from nist who said let's continue down this path of setting voluntary standards that both the federal government and the private sector agree upon and see how well they do about taking those standards and did he advising the kind of defense strategy they need before we start thinking about regulations because i'm afraid -- i'm going to say this, congress, four, five years ago, appropriately gave to d.h.s. chemical facility, anti-terrorism standards and regs.

three, four years later, there are a lot of people working hard on it. but that delegation of authority doesn't mean it was executed in the appropriate way. i'm simply saying for the time being, i think president obama said -- set it up with his executive order. we ought to let it come to fruition before we think about regulations. i might add, three or four critical sectors and i think you were alluding to them, financial services, energy, transportation. i must say from my experience, these sectors have spent and will continue to spend hundreds of billions of dollars sometime on their own, sometimes in cooperation and collaboration with homeland security. but we have evolved a long way. i remember we created an emergency response at carnegie melon because this was a problem in 2001 and 2002. we will be dealing with this forever more. forever more. i don't think we will have a regulatory compliance scheme that will keep up with a dynamic environment. my recommendation, even though i think your question is important, i think we need to

let the nist standards play out and push to far more public and private collaboration. my company deals with significant private sector companies that deal with cyber issues. and one is a multinational corporation and said, we have been hacked. and they said we know. we are a tax paying group of folks, don't you think we should sit down and work together on it. focusing on collaboration and sharing rather than compliance is the best approach for the time being. >> do you want some more time? i want to preff as, -- preface, you mentioned pat gallagher pat galer from nist and he said

every now and then witnesses showed great wisdom and in his testimony before us, he said, we'll know we're on the right track when good cybersecurity policy and good business policy are one. that's what he said. that's pretty good. pretty good advice. we have gotten a lot of good advice here as well. we also preface my next question by saying it's the anniversary of the 9/11. here we are maybe days before the u.s. could launch limited cruise missile attacks at some targets in syria. here we are knowing we are under attack, cyber front, 24/7.

and we have an acting secretary of homeland security and we have an acting deputy secretary of homeland security. and just cries out for the administration and for us to do our jobs to make sure we have in place the kind of confirmed leadership that we need capable and confirmed leadership. that having been said, let me turn to a topic i just mentioned that is on our minds and that is the potential for military action, limited military action in syria unless the country relinquishes its chemical warfare and dismantles its capability to create more chemical weapons. the prospect of using military force is a serious matter. the president visited our caucuses yesterday, the senate, both democrat and republican.

i want to ask, as we are prepared to make whatever decisions we need to make in the days ahead in conjunction with the president, it's important to get answers to a few more questions and i would like to ask this seasoned panel of national security experts for some of your thoughts. if the president does choose to take limited military action against the assad regime, what impact do you think that might have on homeland security? what should d.h.s. be doing to preparing to prepare for potential consequences that would flow from u.s. action, even on a limited basis, against syria? mr. baker if you would like to lead off, that would be great. >> we absolutely need to prepare here by taking on syria. we are also taking on hezbollah and iran, backers of that regime, and if they choose to try to make the united states

regret the sanctions it imposes, they have very substantial capabilities. hezbollah has its own cruise missiles. and so a terrorist organization with that kind of capability certainly can develop and use cyber attacks or can send people to the united states to carry out attacks. so we would have to go on a pretty substantial alert basis. they would be biting off a lot. they're already on alert against israel and fighting in syria themselves so they may decide it's not prudent to attack. we need to be worrying about defensive capabilities and for the first time we face the risk

we will have a cyber attack in getting us to quit in engaging in military action. iran is widely blamed for a series of attacks on our financial institutions that have been visibly punch-pulling exercises in which the attackers announce how the attack will last and what day it will happen. and obviously, they could do more and cause more damage. and again, iran having blamed us for stocks net is going to be less constrained about using that kind of weapon against the united states on behalf of an ally like syria. so we will have to up our game both physically and virtually. >> thank you. admiral allen. >> let me start with the caveat. it has been several years since i sat up in the tank so i'm

going to speak in general. i don't want to speak in comments that wouldn't be appropriate. in regard to cyberthreats that could be generated by this, one of the problems, we are trying to evolve these structures and we talked about them extensively here today. it's tough to talk about how you would deal with one of these things when you talk about what you need to do and haven't done yet. advanced persistent threat is discussed internationally and relates to what stewart was talking about. there are foot prints that are left regarding behaviors that go on out there that are indications of something that's going to occur and one of the things that changes need to be made and continue to be looked at in the executive order and in

the standards and everything else is we need to move to continuous monitoring and after that we need to continually be able to look at the precursor or being set for an attack. any threat situation and this one specifically, i think there ought to be a fine-tuning of our sensors of what's being talked about in social media and what type of activities are taking place. after 9/11, we talked about chatter. we have a much better capability now -- we have a mismatch in computation, spectrum and band width management. we don't utilize against these problems. in this case, we will be looking at advanced persistent threat. they had to put the mechanism in place to do it. >> i appreciate the question and i must tell you, we have had long conversations about topics

of national interest, i'm going to resist the opportunity to tell you how i think we got into this mess and how i think we ought to get out of it and answer your question exactly. it reminds me of the national security council over to what was then a small core staff between the time i was sworn in as secretary and the intervening six weeks before we opened the door on march 1, 2003, first day of the department of homeland security. couple members of the national security staff came over and said very confident at the time we are probably going into iraq. we know you don't have a department but maybe think about the potential blowback in this country and what can we do to minimize the effects. it is appropriate to play the what-ifs and then respond if the if occurs. we have learned a lot since liberty shield.

i think frankly, the state and locals are far better prepared. we know the many maligned colored-coded threat warning system, at least we know there are certain levels of security that are embedded in the federal government and even within with the state and locals and private sector, number one. number two, i think the most likely pushback would be in the cyber realm. and to that end, again, it's a great place to suggest that this is precisely where the federal government should be sharing the precursors that it may know or

the addresses that it has seen as it relates to the digital incursions that we have been hit with from the syrian army, perhaps hezbollah and the like. this is a classic example where we are more familiar with the electronic incursions directed at us from russia, from syria, et cetera, and precisely the time that that information should be shared with not just state and locals, but with the private sector. so long-term, i think we are far better prepared to respond to an attack because i think the word has been used, we are far more resilient than we were 12 years ago. this is an excellent opportunity for the federal government to share the information that the private sector would like to

check -- check that information against what they see occurring occurring on the grid, the financial institutions and transportation, et cetera, to see if they are missing something and be better prepared if there is an electronic attack or digital attack if we go into syria. >> thank you for those thoughtful responses. governor ridge will take the color codes to his grave and the leadership we provided, i'm not so sure you can work that into your tombstone. i say why do you spend so much time on postal reform. she was kidding on postal reform on my tombstone and i thought what would be appropriate are these words, return to sender. >> it's a classic example, something that the congress will have to deal with, i believe. we know russia and china have cyberattacks as part of their warfighting strategy. this is a condition of not only military and diplomatic and business activity, international activity.

but again, where you need the public and private sector to sit down and cooperate and determine if there is an attack, what are the consequences and who is responsible for returning it to sender. all of this has to be worked out. and again it just calls for collaboration and cooperation, communication and doesn't require for a regulatory scheme where you check the compliance box and everybody feels safe after that. >> senator coburn. >> i think secretary ridge agrees with this. we spend billions on grants every year. is it your opinion that those grants ought to be risk-based rather than parochial based?

>> absolutely. >> senator coburn, following the attacks of 9/11, i was the atlantic area commander. i was concerned about the posture of our ports on the east coast and put a team together that developed port security risk assessment model. we look at impacts trading off what you would protect in a port based on risk and consequence. i remember having a conversation with secretary chertoff about implementing that at a secretarial level across the department to inform the grant programs. and we had a pretty significant impact in doing that because there was logic attached to what we did. until secretary chertoff ran

into the buzzsaw called new york city and we are stinging from that adventure couple years ago. i agree with you, it ought to be risk-based and conditions-based, based on local communities to adhere to the national incident management system. it ought to be linked on how they are making decisions on land use and reducing risk. there is every argument in the world to do that. >> one quick comment, i want to go back to the reorganization of congress and conjures up a couple of conversations we had where we are were trying to move it to risk-based. i think the department of homeland security and all of the agencies and the federal government is more susceptible to political medical willing and interference. once we got into the second year of the urban security initiatives, we had the f.b.i. talk about in the intelligence community, really assess based on the prior year's intelligence gathering and try to come up

with a risk-assessment models, the cities that were impacted. given the traffic. long story short. from one year to the next, we took several cities off because based on an analysis of the preceding year, they were no longer on the list. and human cry from congress that those who represented those communities, not deafening but fairly loud. not that we listened to it, but it ought to be risk-based and you are on something very important. but the whole system should be risk-based. >> one of the things that the president proposed is combining these grants together where you have an efficient and effective grant program where you set metrics, transparency to it, you are following up and if they are not following what the grant was for, you jerk the money. so that we actually saved money by son doll dating the grant programs and -- consolidating the grant programs and have more money to go where the risk is

and follow up with the money where the grant was for. they got a cold shoulder in congress and i got a cold shoulder when our committee marked up that we are doing things on parochial than risk- based. any recommendations on how we can accomplish that -- i don't know whether you agree with the president's recommendation of consolidating these grants and using them on a risk-based process. any recommendations, one, on how we do that? and two, whether we should do it? >> one, without knowing the recommendation, it's very consistent with my thinking as to -- after 10 years of maturity and 10 years of growth, growth

hasn't met with becoming more efficient and effective. homeland security is about risk management and resiliencey and the dollars out the door are based on some kind of assessment and would be well to bring that philosophy to everything they do as well as the approach in terms of appropriating dollars to these grant programs. you might want to allow for -- i'm going to speak -- be interested in my friend and colleague, that had allen. i'm not sure we have done enough with port risk, maritime risk. some of those may be two or three verticals and identify the greatest risk which would be the maritime industry and more on there. there are duplication of programs and oversight and everything out the door needs to be risk managed at this point. >> there was a port security

grant program as well. and i would like to attack the larger issue that you raised. i was prone to support request for grants in areas where i saw that there was not only recognition of risk but a commonality of purpose and regional approaches and we saw some areas, one of them is houston where they came together and created a regional entity which they consolidated all their requirements that came in for a grant program. when you do that, that behavior ought to be encouraged. whatever you put in place and this will be a lousy meta for, but it's going to have a wall around it to be executed like the brac program. it's executed or it's not executed. and i don't know how you structure that in law but you are going to have a way to decide how it's going to be done, the criteria are established and the decisions are made, it's either up or down and can't be picked apart. the issues, i just -- i saw secretary chertoff get wire brushed up here, the political buzzsaw in new york. not to say that new york doesn't

have problems, but that was a very, very difficult time for us in the department. >> i think admiral allen raises the point that is worth thinking about in terms of how much -- of your personal credibility and time you would invest in that because even after you've built a pretty good risk system for grants, politics will not disappear and that risk system whatever it is is going to get distorted by the kind of politics that secretary chertoff encountered and others have. and so you may at the end of the

day end up with a less mechanical system, but not one in which the politics have been eliminated. and at that point, it's possibly, you will ask yourself, how much did i achieve by introducing this risk concept. i believe in it, but in practice, i'm not sure that it works out as well as one imagine. >> thank you. my comment on that, is you need a backbone of the person who is running the agency and take the heat, but do what's right for the country. when we have a bear cat garden of pumpkin festival in keene new hampshire and say what can we do to protect cybersecurity or advance, what else could be done? we are dividing up the pie and we are -- this country can't afford to do that. we don't have the pleasure of doing that. the next homeland security director -- secretary, that's

going to be one of the equal fikes i'm looking for, are you ready to take on the fight to do what is best for the country and not what's best for the politicians. >> i think it would make the next secretary and future secretaries, backbone would be essential, but nice to have the institution that applies so much pressure, change in their jurisdiction so the fact that you can apply pressure institutionalized, they are institutional-wide. you have a necessary oversight, it would be a heck of a lot of pressure if the decisions -- the legislative decisions that the secretary is obliged to follow is reduced rather substantially and therefore held accountable to senators coburn and carper. >> could i make one quick

comment? there are a lot of different grants out there. i saw senator coburn making strong statements after the tornadoes in moore, oklahoma and respecting the earlier statement by jane harman in the passage of the emergency supplemental following hurricane sandy there were amendments to the stafford act that created more leeway and flexibility for local governments to deal with debris removal, where there was an economic incentive for them to do what was best for them and preserve the funds and allow them for another use. there may be some utility in looking at what we were able to

do. and i realize that was an unusual way to america the stafford act. but there may be insight to gain how you can empower local communities with an economic incentive for them to do what is right and build off a concept like that. and i congratulate everyone on that piece of legislation, by the way. >> it was back in march dr. coburn and i held a hearing to examine the progress that has been made and some of the challenges that still remain within the management of the department of homeland security. i'm sure that all of you are aware of the latest high risk report from g.a.o. that the department had made considerable progress in integrating its components, moving toward -- actually having auditable financials. but the overall management of the department remains on g.a.o.'s high risk list. and i have been real impressed by the efforts of the department's leadership to address these management issues. with the changing of the guard, impending changing of the guard at the top of the department, there are still a bunch of questions about how the department can sustain and build upon the work of secretary

napolitano and i hasten to add deputy secretary. what do you view as the most urgent steps that the department should take to develop strong management institutions and practices? to further develop this practices and are there any legislative steps that come to mind. tot we are to take strengthen the tools and institution that the secretary needs to manage the department? the last quick question. you were there when we cut the ribbon on the coast guard headquarters. at saint elizabeth's.

>> i was on travel that day. ask how does consolidation of the headquarters at saint elizabeth's play into management improvements? you can take a swing at those. three strikes, three pitches. -- make sure >> fastballs. i am not familiar with the report, not the contents of the report with regard to management . i have often said that the department of homeland security from the get-go had to responsibilities, that it had to deal with some attaining asleep. one, build the safety and security platform to do with risk and resiliency. the other was the business line integration. it is a business. the budget that has doubled. you have a couple hundred thousand employees. one of the ways -- one of the regrets and it is something you could not do anything about. 20you were going to move

plus agencies with multiple procurement requirements in the private sector, would have least have had a year or so the time you got the regulatory approvals. the homeland security was and still is about mergers acquisitions, device teachers, and startups and the management around those things for the past notears -- the gao has dramatically improved. i do not have an answer. i think we have had some good people there trying to get those things done. but absent by and from some of the management changes and the restructuring that might recommend and that is by and by the congress, it is difficult to make reforms. it is not just endemic to homeland security. believe there are still

silos within that agency that bel require -- that have to merged to be done with legislative oversight and direction. hope you find the money to build out saint elizabeth's because when we would have. it innings with the leaders of the five or six muscular agencies, it got about 20 departments and bureaus. to try to five or six pull your leadership together a couple of times a week, taking them from their offices and bringing them over and sitting down for two or three hours a couple of times a week was not a good use of their time or ours and we had the opportunity to develop the day-to-day working relationship that i think that congress wanted when it put these agencies together. it is a tremendous opportunity for disparate pieces of homeland security and it has been

demonstrated tactically with customs and border protection working with the coast guard, working with ice. the collaboration is report and but you get better management if you have the leaders of the entity interacting on a day-to- day basis rather than piecemeal. i also think you get more managed -- better management and efficiency if the restructuring that is recommended by some of us from the outside and department of homeland security has put into law. >> thank you. area i have a great passion about. do not field bad about cutting me off here. let me hit a couple of these issues. that happenedngs when the department was created was we aggregated the authorities and the jurisdictions from the legacy departments but one of the things that has been insidious, i noticed him talking with staff and the appropriations committees is that we took the appropriations structures from the legacy department's

treasury, justice, and so forth and moved them to a single committee. there was no comparability in the department right now between components. because of that you cannot compare an trade-off between components on where you want to make investments. i have said in several hearings here and before the house and you have to get to blocking and tackling if you want to take down the management issues and the first areas should be the appropriations structure and how termsdget is presented in of the justification so there is comparability. cameras cannot make the decisions on this there is more transparency and compared ability across the department. that leads to financial management and the ability to have better insight on how you're spending your money. they have a qualified opinion on their audit, that was a major breakthrough. a qualifiedard got opinion. the first military service to do that. that should be taken as the floor and it needs to move forward. you're talking about the

integration of our key systems. there are three major financial platforms. a look at shared services and there may be a better way to do this. all that has to come on the table. we have to look at integrating this enterprise mak run efficiency like you were running a corporation. here. to sit at my hands i the commandant when we made the decision to move. all i said was i can support this. i am behind it. i do not want to go there without the secretary. i will leave it at that. the issue with the federal building funds, issues on how this project has been funded. issues with the department, the district of columbia planning into these. the overriding imperative to have a central operations center from which the secretary can operate and make decisions is a primary need in this department. it is in my written testimony. i will not belabor the fact

here. .ational operations center absolutely and paired of moving forward. >> thank you. >> i certainly agree with admiral allen. they say in washington that where you stand depends on where you sit. i do think that if dhs sits together, they are likely to stand together much better than they do today. and so to the extent that we can get everybody in one place where much better off. to make reluctant suggestions for changing the details of management in the department i have left a few years ago. i think that there are probably some opportunities with respect to the quadrennial homeland security review to turn that from an exercise in which we

look at some very interesting and difficult issues. into something that turns our budget into a multiyear, thoughtful priority driven exercise rather than something in which we say how much do we have and what can we cut. authorizingt that legislation can move it in the direction of actually influencing budget decisions, i think that would be an arm wrestling effective way of dealing with the looming crisis we have with respect to appropriations for everybody. cuts areg sure the much smarter than they otherwise would be. >> thank you. -- sometimes we have a hearing like this, i like to invite our witnesses to give up brief closing statement. a couple of thoughts you want to pull together or underline a few things and leave those for us.

i would welcome, we would welcome that. dr. coburn. do you want to give us a closing thought or two before we wrap up? >> yeah. me prouder orde cause me more frustration than my service at the department of homeland security. am deeply fond of the institution and i believe that it is making a major to the security of all americans. it has changed our approach to the border in ways that nothing else could have a dividends and almost every terrorist in it has been planned or launched against us since 9/11.

we need the department but we needed to be better and we need it to be more organized, more coordinated. more that is the biggest challenge a.t the department faces is we got by with three great leaders but we cannot count on personality driven unification forever. we need to institutionalize it. it is a big challenge especially with the oversight authority that exists, but it is a you cane that accomplish. >> thank you. admiral allen. >> in regard to some of the mission areas we have talked about today, cybersecurity, comforts and immigration reform, a lot of that will involve the congress to do that. i sit on the advisory board of the comptroller area -- general.

when it comes to the internal management of the department of homeland security, they are added -- there are adequate authorities in the administration of -- administrative space to operate. there needs to be a serious discussion about employment and management agenda related to functional integration in the department for the next leadership team moving in. clear andought to be distinct and enforceable in the budget. they ought to be laid out with metrics attacked -- attached. legislation ise needed to take care of the management improvements that the department could implement medially. >> thank you. governor ridge. >> [inaudible] to look back on those days when there was considerable debate as to whether we needed a department of homeland security. i remember my friends on my side

of the aisle said we were creating a brand-new bureaucracy . we were going to consolidate units of government that had missions related to protecting our borders and gaining knowledge about the people and the goods that come across our borders. long needed in the for -- 21st century world when the interdependency of the marketplace, the interdependency of information sharing for law enforcement purposes and the interdependency of countries with regard to security is part of our elite lives and how we're are going to live. we are interdependent. congress did the wise thing. they brought together the right agencies. i think the department has evolved and matured and i am reminded after it was announced as the the president's nominee to be the secretary of the department of homeland security. a couple of decades ago we saw

there was a smaller aggregation of responsibility that created nasa -- natsa. cultural vestiges of -- cultures and silos.

. .

work really followed the generally accepted government auditing standards. to do so, what we did is we were coordinating the gao and their iniewing the data hub certain aspects of the exchanges to requests they had received. we coordinated with them to ensure we did not duplicate any effort. we have got a lot of ground to cover, so we want to make sure our work is complementary not duplicate it. they were doing certain aspects. they advised they were not looking at the security over the hub. so we said we would look at the security. so we designed a program to ensure that the agents, to assess whether the agency was in

fact following the missed -- the standards in that regard. >> so why did you note in the audit that you did not have access to the documents? >> ranking member clark, in our report, we indicated the agency had not provided a certain documents at that time. theof them specifically was security test plan because it was not available at that point in time. and then subsequently, it may have become available. it was not that they refuse. it just was not available. >> is available now? >> i am pretty comfortable it is available now. they provided as updates of data that has subsequently been done. again, give us a sense of why you did not engage the beta testing on the hub? >> we did not engage that part because one, that is usually towards the end of the project.

and our work wrapped up by the end of june. we have got a quick update before we published the update, but most of the work was done a bit earlier, and some of that information was not available. the other part would be that that would cover more functionality issues. and that was beyond our scope. gao would've been looking at the functionality over the hub. we were focused on security. >> is it that to a certain degree, there are some theoretical aspects to standing up the hub that makes it somewhat an exercise in futility for you to get that testing? or is it that you are waiting for a certain level of, the operation to become feet before

the testing becomes -- to be complete, before the testing becomes applicable? >> i appreciate that. there are certain aspects of testing that cannot be done until the process is far enough along, until enough has been billed to do testing. to be clear, part of our audit approach was to look at the testing that was ongoing by the agency as it was being built, because the agency employed, actually it is a system development process called agil. it is very popular right now because you can build things up fairly quickly. with that, though, they are doing continuing testing as it goes on. so what happens later on, then, is all dependent --independently independentd an security assessment that is done after all of the internal testing is done. with that, we said there was not

any time for us to do it. and we did not want to duplicate any effort. instead, we review the documents they had available. part of theirs ongoing testing, we looked at whether they had identified any issues, whether they had logged those issues, whether they had corrective action plans in place. we saw the process they were following. so that is the answer to that. yield back,going to mr. chairman, and thank you for your testimony. >> i think the gentlelady. the chair will recognize as we do under the rules of the committee those members in order of their appearance at the time of the gaveling down. chair recognizes mr. parry from pennsylvania. >> thank you for testifying. that everyl you single one of you with all due cancer, your testimony is breathtaking and concerning for

me. i think most americans, and other members of the panel, maybe -- i will direct my question to you, but i am not sure who should feel this. i think americans and members of congress are concerned about the navigators. this is a new position for most people and we don't know exactly what it is going to be like going to a navigator, but we have heard about some of their training. it is my understanding they will receive 20 hours of training. in thethink about that context of the information that these folks, they will be helping us as consumers decide what insurance is best and how to enroll and right now members of congress and our offices cannot advise the public on questions, we cannot do that right now, but these folks will do that with 20 hours of training. i want to alert you to the fact that in pennsylvania it takes 1250 hours to become a barber.

it takes a massage start best -- thearapist 50 hours. to navigate insurance, for which -- this thing is been been ongoing for a couple of years -- these folks are going to be advising us with 20 hours. whyith that, i'm wondering was -- it is my understanding that it was recently 30 hours. can anybody verify that and if so, why was it cut? ok, nobody can verify that. these folks, i guess in that 230 hours, can anybody tell you what training that these navigators will receive regarding security of personal information? that necessarily that you should be able to answer those questions. know, this is going to range

from social security numbers to if a woman is pregnant or not. various organizations, which include these individuals, are going to be contracted to do this. let's pick one. one would be planned parenthood. with the issue of pregnancy. is there some safeguard which offers consumers some kind of recourse? thes say that, in information that is gleaned, the woman is pregnant and this organization uses that information to advertise to this person their services. is that allowed? what is the recourse? can anybody provide any information? ok. let me ask you this. with regard to, and this is to ms. daly. thank you very much. according to the testimony did not review the functionality of

the hub or in regards to the privacy act. be anrstand there will independent contractor that is doing that or that is during that currently? >> that's correct. an independent contractor was supposed to be doing the security assessment that would cover overall issues related to security. with that, though, that is supposed to have been done because it is supposed to be a critical part of the system's authorization that was originally provided on september 6. >> if that is done, is that information available, the outcome of that? >> i do not believe it is available to the public because of the sensitivity surrounding that, because it would show what was tested, how the system is configured and things of that nature. >> is there some report that public and the congress, members of congress, the federal government regarding the efficacy of that testing and the results? is the system ready? is it not>?

because it is my understanding for the final testing happens at the end of this month and is supposed to go live the first of next month. we are 20 days away. what is the plan or do you know the plan if it fails? >> that is a very good point. i want to clarify the testing i have been talking about focused on security aspects of the system, not on the functionality or efficacy of the system. so that was beyond our scope. so we did not focus on that, because as i mentioned, we were coordinating with gao. >> it is my understanding that the private contractor will be assessing those other milestones or efficacy. is that your understanding? >> i honestly cannot speak to that. i am sorry. >> can anybody else? go ahead. >> speaking for myself, i never relied on the contractor to give complete assurance on these

things because, no writ is respect to this contractor -- no disrespect to this contractor, but they are in business to keeping the contractors happy. they are not going to rock the boat. this is exactly what offices of inspectors general are set up t o do, to make independent assessments, violations of legal rights, fraud. i'm outraged that you would rely on any -- i would never rely on mitre. and i did not when i was going through dozens of these programs. >> i have a lot more questions. i see my time is expired. thank you, folks. gentleman.the the chair recognizes the gentleman from nevada. >> thank you, mr. chairman. iank you for this session and want to start by first asking,

there is in fact a private contractor who is doing this software system development on income and eligibility verification? is that correct? whoever can answer the question. >> at both the state and federal levels, yes. i believe -- i am not the expert at the federal level. there is one contractor at the federal level. at the state, it is one contractor. but there is a variety of different private entities that have bid out to do this, to do various components of it, ranging from eligibility and enrollment to identity proofing, to connectivity with the hub. these are generally private contractors. to be honest, i wish the state experience was -- with i.t. systems vendors was as rosy as he said, that they are all the

business of making them happy. that is not always true for us. only oneere is contractor that has responsibility for building the federal data hub? now, under at least the health ces department, the collection of this type of income and eligibility data occurs across many programs currently, today, correctt? >> that is correct. at lease with respect to medicaid as i referenced earlier . there are a number of different crosswalks that medicaid has to do every single day for many of the 72 million people who walk in and out of the door, whether that is other federal or state programs that may be eligible, sometimes worken on a joint application to make sure that the shared information works there.

duallyividuals who are eligible for medicare and medicaid, you are walking information across those two programs, both from a claim system, from the care coordination perspective, from a program integrity perspective. of last is the payor resort. we tend to look for, does the individual have coverage from some other third-party insurance or even some sort of settlement from a car crash or something? we interface with those systems. in terms of citizenship documentation, we do all of that every day. the program could not run if you did not do all of those things. you would not want the program to run if you were not accessing across programs to get that kind of information, because if you are doing that without that kind of information, and you are working blind. your testimony

that it is important that we focus on how to minimize and mitigate the risks inherent in the interconnected parts of the systems and how these work. my question and the question i hear from my constituents, including the insurance companies, agents, businesses, they want this to work. and they want congress to stop playing games and to figure out ways to make the law work better. this is the same problem that there was under medicare and social security when they were implemented. it is not going to be perfect on day one. so my question is -- what are some specific recommendations where we can identify the potential risks and mitigate those risks? and what are the steps that we

need as members of congress to do to ensure that we are putting the steps in place? get a lote you will of input from other members of the panel, but i would just say that i agree, from our members perspective, we wanted -- this to work. at the end of the day, it is the u.s. citizens that are impacted and they do not care whose fault it is. if it goes wrong, they will blame us. in terms of trying to make it work well for them, again, i think this type of conversation is and can be very useful, as we raise potential issues. are there contingencies that perhaps we have not thought of, whether they are security- related or what have you. i think it is important to get those out in the open so we can plan for those. in terms of concrete recommendations, the challenge really is, again, we have got states coming from 50 different

places. and there has been -- there is a challenge in trying to build systems up in terms of time, money, and bandwidth. there is a challenge when it comes to the timeliness of federal guidance in terms of --t states can expect, because this is being done with private contractors, you need time to build into a proposal into a contract, what exactly they are trying to build. if you do not know until the last minute, it is hard to build that out quickly. so the extent to which transparency of information from the federal perspective comes out in a quicker, more clear way, that would be helpful. i could go on, but i do not want to take up too much time. >> if i could for a few moments -- transparency, as my colleague has pointed out, is important. it is important that these

security documents not be fully public. i agree with that. but there is a difference in terms of transparency with you now whether the k system is secure, whether it is violating privacy, whether it is doing its job. and you do not know that right now. if the it factor general defines a job so -- its jobs so those things are not relevant areas, you need to go to gao and say to them, you need to fill the gap where the inspector general is not fulfilling its responsibilities. i believe the senate has started to do that. >> thank you, mr. chairman. >> does the gentleman yield back? ok. i do not want to assume anything. thank you. at this point in time, the chair recognizes mr. rogers. >> thank you, mr. chairman. on your, based

testimony, it seems to me that the issue is not if, but when we're going to have a breach of the data hub, or it is going to be leaked or some other problem. has the i.g.'s office developed standards by which that would be reported to? you? they guissman rogers, de this area in which breaches are reported. >> you do not have -- to audit it. they have to notify you when they realize there has been a breach or a leak. >> that is exactly right. they notified the cio's office. required to notify the individual whose information was breached? >> well, it depends on if a true breach occurs.

first, there is an assessment determining the amount of encryption that might have been over the data and if it is a high enough level of encouragement -- encryption, the individual does not need to be notified. if there is a certain amount of risk involved with it, and that is a determination that is made thehe cio's office, then individual of courses notify. >> what about consequences for the navigator, the workers or navigators, if we find that one of them has intentionally breached the security? are there criminal penalties that you are aware of built into the law or regulations? >> unfortunately, i am not in a position to answer that today. >> anybody else? >> yes, there should be an array. it depends on the nature of the offense, but there should be an

array of federal and state penalties. >> that would already be in existence? >> not to say that it might not help for congress to clarify, but there would be existing tools for enforcement if hhs chose to use them. letter signedre a by state attorneys general, alabama being one of them, to kathleen sebelius last month. is,ng the questions they ask and i think about medicaid when i think about this, since the state is so heavily involved in it. what is the state's legal liability in this new endeavor, if there is a breach? do either one of you know? >> with the qualification that i gave up my law license a few years ago, i think generally on these matters --

>> voluntarily? just joking. >> i did. i was afraid as the head of the government agency i would get sued individually. i decided to give it up. >> i'm a recovering attorney myself. >> as a general matter, this statute, whatever else you might say about it, is a classic example of the statute that preempts a lot of state laws. that has been part of the challenged the validity of the statute in the first place. think, well i would not want to say that there might be some liabilities for states depending on how much discretion they are using implementing the act, my personal view would be the activities, because they are being required by the federal government, would give the state some immunity from suits. concerns me that 10 states attorneys general cannot legally discern whether they

have that liability. and one of the things they asked in the letter is, do they have have their states legal capacity or obligation to add to supplement the criteria by which this system is operating? to make sure they do not have legal liability. do you know if the states will have that latitude to supplement the security criteria? >> i think certainly for some features of the act, they will have the ability to add on. i believe it was designed -- it is tough to tell from the statute, but it does appear that to me that it was designed with that intent. to the extent you are going beyond the federal mandate in a discretionary way, it does seem to me that you would be running some risk of losing the protection of the federal preemption. >> my time is expired.

thank you very much. i yield back. >> does the ranking -- ok. the ranking member have a request? >> yes, mr. chairman. i have a request that the request for unanimous consent to have congresswoman jackson-lee of te xas sit in and make comments during our proceedings today. >> without objection, so ordered. and consistent with the rules of the committee, those members of the committee who are present will take precedence over those who join us. i know the gentlelady will yield while we turn to the former u.s. attorney from pennsylvania, mr. marino. >> thank you. good afternoon and thank you folks for being here. ms daly, you have some tough questions that you answered.

you are between the devil and the deep blue sea here because i.g.e -- what the technically is supposed to do but based upon the lack of information you may have. my question to you is -- security authorization be made without assurances to you as the i.g. that the system itself is secure? could you explain that to me, please? >> well, thank you for the question, congressman. forart of the guideline developing systems, the best practices the agency should be following, that's what we looked at with regards to security for the data hub. process, thehe agencies are supposed to be

doing continuous testing as its developed, and it looks at security and other things, too, but our focus is on security, and at the end, they are supposed to have an independent security assessment. r assessment is based upon the information that you are provided, correct? >> that is correct, sir. >> and you are not making any leaps of faith or conjectures beyond that point? you are not determining any what ifs? >> that's correct, sir. we are basically reporting facts in this case. if we had seen something that was a significant violation in any way, we would've reported that and made a recommendation that things be -- >> based on what you received? like a computer. whatever you put in is the only thing you will get out. so the only information you get, you base your assessment on what you're given. >> that is correct. we compared the testing and what

the system development documents showed compared to the standards in place at that time for that purpose. >> this is interesting. i got a phone call from a constituent who works for the state. an that person has insurance program paid for in part by the state. so that person went to the social security office. he wanted to get information about medicare. because of the age, 54, 65. and that person asked why i needed to sign up. as the first explained, i already have insurance. i do not need it. why put the taxpayers to an extra cost of now the federal government paying and my employer coming in second? and the answer the clerk gave

this tothat we need track you and to garner information about you. now, i found that kind of odd. he said, well, i only want to sign up for part a. he again told her that he had insurance. and she told him that he would be charged a penalty if he would sign up later, but the government needed a system whereby, any information to track him, so they can have information on him to see if he is paying for insurance or has insurance. me,anyone address this for because i am in a quandary as to why? >> with all due respect to my former employee, i don't think

that is an accurate description. my recollection is that there wa s a policy decision made in the late 1960's to link the two together. i do not think the rationale of hew at the time is 100% clear. it was litigated fairly recently. and i remember being consulted on that litigation a couple of times within the administration in 2008 and 2008. casenot remember when the was decided. i think it was 2010. but the decision was that the agency had appropriately linked those two programs together. again, i do not think the rationale for why was particular, i think it was lost in the mists of time by the time it got litigated. but i do not think that my former employers description is probably accurate. >> ok. know you could

go on for a while here, but i'm over my time. but if you can give us a synopsis of your opinion of the i.g. report. >> i'm extremely negative. i think that essentially what happened here is this is not according to gap principles. they went in, said, how are you doing? we are running behind but we are doing great. and they said, can we see the documents? and they said, no. if you read the report carefully, you will see that the security plan was due on july 15. and there is nothing in the report that says it was not done on july 15. and this is an august 2 report. there must've been a draft at that point. and i and i used to the idea that the inspector general asked for things and you say not. the agency andin

i cannot remember that happening. this is a new i.g. that is fai the americanuty to people to dig into what is happening and give answers to the congress and the american people. i think it is really sad. >> thank you. i yield back my over spent time. >> i thank the gentleman. the chair recognizes the gentlelady from texas who we are happy to have joined us on the panel today for five minutes. >> we thank the chairman and the ranking member for their courtesies. i think i have some pointed, two or three questions and a brief comment. i just always believe the importance of oversight and fact-finding. younted to ask, have engaged our present inspector general in a one-on-one conversation or viewed his documents before your testimony was prepared? >> no, i have not. then i guess the follow-

up is, you have firsthand knowledge of what might be some fractures in the structure of exchanges personally being constructed. >> i had firsthand knowledge through, to some extent, due february of this year, yes. >> in what capacity? >> as commissioner of social security. >> had the infrastructure of the exchanges begun and to what extent? but there wasgun, still a great deal of fluidity in it which for me, was a source of concern because the time at that point was really too short to do the job properly. >> but that was an opinion. and it was february, 2013? >> i left office on february 13. >> of this your last year?

>> this year. >> we are now in september. on thereflecting knowledge that took you up to february and not further than that. thank you for that. salo, theto mr. national association of medicaid directors. i am sorry that i missed the explanation of that. let me go to the crux of where we are. we all should be concerned about personal information. i think the magnitude of affordable -- the affordable care act and its impact on health care in america is an enormous step forward for saving lives and american. . -- in america. do you think we are in the multiple whale? are we about to be swallowed -- in the mouth of a whale? are we moving forward with respect of personal data?

>> oh, i think there has been a long-standing and very serious commitment to personal data on behalf of medicaid, on behalf of the medicaid directors. they know full well what happens if there is a security breach. and it's something that nobody wants. there contingency plans. i wasis constant work and chief information officers, with state i.g.'s, with security experts all the time in medicaid. and i think the thing to keep in mind about the big picture h ere, whether we are getting -- talking about getting swallowed security and that privacy of data is always a concern, but the thing that has changed is the increasingly interconnected nature of not just our health care system, but our overall lives in general. banking orexpert in

credit cards or internet service providers, but there are challenges their. the challenges in health care have changed. we used to store information in file cabinets in the back of somebody's office. was that secured? no. so you had to put in place procedures. we have decided as a society, rightfully so, that that is not where we want to be, and that what we need for a variety of reasons is to have much more fluid interconnection of data electronically, whether it is claims or insurance information or what have you. this is a good thing. it does bring with it different challenges to secure privacy. not insurmountable ones, different once. so we adapt according. and so -- what we are looking at here, whether it is dealing with the federal hub, is an

outgrowth of that natural progression of how do we figure out how best to secure this information in this inevitable changing world. >> my time is ending. i want one simple question. is this any reason to stop moving forward on the affordable care act? knowledge,est of my we will not have security breaches. >> but this is no reason not to go forward? >> that is right. my colleagues. and say this is an important hearing and i think the issue of affordable care is crucial. i think we need to be more cautious, and i think we can work together to do that. i yield back. thank you. >> i thank the gentlelady for taking the time to join us here today. that we have a few follow-up questions that i would like to pursue. i recognize myself again for five minutes. perente, you made some

observations in your testimony, and i do not want to leave them hanging out there. you are an expert in dealing with health care databases. you worked intimately on these in the past. you opined in your testimony about concerns of not understanding how the system would work and the potential for fraud. would you please elaborate? further and say most of what i have heard today has not reassured me. for several reasons. workedst is, i have myself as an independent contractor for federal databases, one in the state of maryland when maryland took a step in the 1990's to put together an all-payor database. i worked with the medical foundation and project hope to be that independent verification contractor. and there was a public report. because the maryland state

legislature required. i personally find it unconscionable that this contractor, whoever it is, will not have an executive summary by efficacy,out, the performance standards that would be essentially the safeguards put in for vulnerability tests, for the operationsypes of that are supposed to be in place to make sure all compromises are taken into consideration. >> that would be the kind of thing that the certifying officer would have to rely on. isn't that right? >> absolutely. when i took that roll-on for the state of maryland, it was a one- year contract. those went in to look at databases, worked with other contractors, and that's one thel state, let alone scale and the normandy of what we are discussing today. >> that is one of the concerns, because we talked about the scale of this. you as well.

again, i know we are asking only for your opinion and not the kinds of asking statements of fact, but i do appreciate once again your testimony touched on something rather significant. and you discussed that there was a time in which you believed backed away have from its obligation under the privacy act and in violation of the law? did i get that correctly? >> the irs came to the same conclusion at about the same time. so we both filed. arbiter.e they stalled for a long time because hhs did not have much to say on the privacy act issues. it sat for months and months and months. it was not resolved at the time that i left, and at some point subsequently, i understand it

that they decided that all these issues are under the routine use exception. i think that is an abuse of the routine use exception. in the you believe affordable care act or not, you and congress imposed criminal penalties for violations of the privacy act. those of us in the executive branch we are supposed to be respecting that. i found the hhs disregard for the privacy act to be shocking. >> let's pursue that. as a former prosecutor, i am concerned about routine use. for the use, routine use is the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected. that would beyond a violation of routine use. so we are already beginning to collect information that relies on some database. and then there is a broad expansion of how information

originally collected is going to be utilized. is that not accurate? >> that is correct. >> even if there is an interpretation within routine use and because it is part of a the great concerns i have has been that derivative use of information that is being gathered by navigators. have navigators who are going to be asking personally identifying information, do we have any checks on whether or not they will have any other kind of use except for the sole purpose, the entire sole purpose of facilitating activities on the exchange? >> i think that is a fine point. members of the committee pointed out that these are not even typical americans. these are disadvantaged americans. some of our most vulnerable populations. and to some navigators out with a minimum -- to send navigators out with minimum training, that is an invitation to fraud.

i have been working on fraud against the elderly since 1979. hudder att s the thought of untrained people outpervised by hhs, going with no real monitoring or accountability system saying, i am here from the federal government. let's talk about some of the most intimate choices you need to do and you need to apply for this. and what is your sosa security number? the is the thing that inspector general should be screaming bloody murder about, because if that is not an invitation to widespread fraud against our most vulnerable people in this country, i do not know what is. >> are you aware of whether or not there is with in this the requirement that there be background checks for any individual who was going to service a navigator? >> my understanding is that many of these people are being hired without background checked. >> so somebody could be convicted of identity theft and a navigator?e

is that accurate? >> the navigator is not a medicaid function. so we are not directly involved in the hiring of them. so i cannot speak to whether or not there are adequate background checks or other security -- >> let me ask one other question, because i'm trying to create a record. because i want to see what is going to happen at some future time. in the bottom line is, again, because we can foresee the potential for utilization of information that is beyond the scope of even an interpretation of what would routine use be. and we have now identified. now, those people who have certified, the stability of the system in light of the recognition that those are potential things here, willful acts of privacy. the federal government itself. i have the case law that

supports it. it is the -- imposes liability on the agency when they violate the privacy act by willful or an intentional manner, by committing the act without grounds or flagrantly disregarding others'rights under the act. >> that is exactly right. the issue first came to my attention -- i talked to a reporter last night he was sure that everything i said was political and ideological. but this issue first came to my attention because my own civil servants who would be doing this came to me and said, i am afraid it will be prosecuted. >> do you believe the standard of responsibility is such that before certifying it, there would be checks to ensure that people with criminal records will not have access to personal identifying information of individual signed on to the exchange? >> absolutely. they are going to be asking for

sensitive information in many cases, including a social security number. people can run wild and destroy someone's life, taking a social security number. it is a big problem in our society. >> my time is expired. i asked the ranking member if she has follow-up questions. >> i do. i would like to follow up with mr. salo. your testimony mentions all the state medicaid programs work with public and private status systems -- data systems. they communicate with federal agencies to verify citizenship. >> that is correct. >> they may communicate with other programs as well. >> coorrrect. >> and they also communicate with private insurance companies. >> correct. >> is it correct to assume that

that data that is transmitted is personally identifiable? >> in many cases, yes, it is, not always. >> so state medicaid programs across the country have for years exchange personally identifiable data with federal private data systems. we know that any data system 10 susceptible to a breach, but have state medicaid programs experienced any programs beyond those we have seen in the data systems of private industry? >> no. >> so could state medicaid programs function without this ability to share and retrieve data from other systems? >> no, and i do not think we would want it to. >> you have described a heavy lift for states, but a good partnership with the federal government could get this accomplished. it is my understanding that hhs has made a 90-10 matching rate available for upgrades to states

a legibility and enrollment systems regardless of whether a state chooses to expand. can you comment on the number of states that have availed themselves of this funding? >> my understanding is that every state has availed itself of that funding. there are examples of states that have turned back other innovatorr early grants. in terms of the money it is taking to update, upgrade or ent medicaide currre eligibility systems, many of which are legacy systems that go back to the 1980's. itselftate has availed of the 90-10 funding. the question is, is 90-10 en ough? even if there were enough funding, is there enough time to make those changes.

and is there the bandwidth within the i.t. system vendor community? joke thatsed to when we look at the history of medicaid and systems changes, the number of times that you got a contract in on time, on budget and to spec was, well, three times in the history of medicaid. people, myself included, would argue, you need to do something very different here. but having said that, in the run 1, and in the time soon thereafter, the states and the fed and the i.t. vendors have worked double, triple, quadruple overtime to make this work. so we do believe the system will be up and running come october

1. as i said, it will be bumpy. the consumer experience will not be a seamless travelocity. but it will be, it will be a system in place that with workarounds, with having contingency plans going back to using paper, going into the medicaid office, insurance and subsidies that will be available. it's our plan over the next couple of months to make sure that we improve that as we go. >> i would agree with you. so much of our information is in the public and private domain. that i think we need to take a step back and give this an opportunity to roll out and work with it to make sure the american people get the very

best access to health insurance that they possibly can. i mean, just about every american has had an opportunity to go online and to provide information. and we don't have the most i.t.e, unbreachable operations in our own homes and families. so to sort of pre-judge just how secure this process will be will pretty relative to the security of our i.t. systems nationwide, the ones we use each and every day to pay a phone bill or purchase something online. concerned that we not create a panic around the situation, but that we give it of best efforts in terms

providing an opportunity to make this thing work, and to work out the kinks as we go along. there are going to be kinks. we know that. there is not one system that i know of that has been perfect. people report iphones. they've been rbreachable out of the box. let's not act as though we have the -- perfection on our side. , personal information is critical and is security is critical to all of us, but at the same time we have managed to, given the massive use of i.t. systems around this nation, to keep breaches to a minimum, given the number of people and transactions that take place each and every day. i yield back.

>> i want to thank the gentlelady. each of theo thank witnesses for your testimony today. i appreciate that with the exception of ms. daly, each and every one of you effectively don't have to be here, that you were responsive to our inquiries. and i am grateful for your taking the time using your professional expertise to help us better understand the situation in which it is still my considered opinion that this demonstrated by virtue of the testimony even more questions about the readiness. and there has been testimony. it is not a question that this stepping off point to prevent a system from being put in place, but is it ready to go today? at a certain point, is it so clear that it is not ready that the requirements that are

continuing to push this forward at a certain point start to become perhaps not even just negligent but otherwise? great concern to me. i want to thank each of the panelists. not getting ready to close, because the member from pennsylvania has one final question. >> thank you. my prosecutorial background, we were u.s. attorneys together. i want to bring up two points. you were questioned about when , and i thinkagency it was pointed out that you had not been there nine months. how long we would the agency before that? >> six years and a day. >> you based your opinion on

your experience over that six- year. period. >> sure. since that time i have tried to keep up on the issue. i do not call into the agency, but people retire. the agencyll into and ask as we get calls from our constituents. last year, up until september, i now in same answers september that i did last year and in january and february of this year. we do not know. given the fact that there has been waivers, delays, i do not think much has changed over the last year and a half. ma'am, could you please tell me, did you ever doinga point when you were these investigations concerning security that you thought maybe a statement should've been made

concerning, i do not have enough data to form an opinion as to what the security is going to be or not be? look, congressman, i want to focus initially on the scope of our work. the scope of our work was not to provide an opinion. we were going out there to do an audit. we were provided the data that we requested, even if it had been created. i have done a number of system development jobs over my career. it is always a challenge when you are doing this because you are doing this because you're doing something that does not exist yet. and so, that makes it more challenging. >> good point. did you ever raise that? these things do not exist yet. so how can we form a conclusion?

a factual conclusion. >> well, that is exactly right. wethose cases, that is why reported that the information was not available and when they expected to have it available. that was in our report. if you could bake me an indulgence, i would like to say that i think our office -- beg indulgence, i think our office of inspector general is one of the most highly respected. tremendous job for the american citizen and taxpayer. our office return $6.9 billion in expected recovery last year, along with over 1100 civil and criminal actions. i think our record speaks for itself. thank you. >> we rely on you. thank you for indulging me. each of the panelists.

the members of the committee may have additional questions. if they are directed to you, i would ask that you would respond in writing. without objection, the subcommittee now stands adjourned. on c-span, former secretary of state hillary clinton accepts an award from the national constitution center. then " washington journal" live with your phone calls, followed by live coverage of the u.s. house as members consider a bill to stop payments of health care subsidies under the affordable care act. >> on the next ", washington russia'sa look at proposal to turn over control of the chemical weapons to the international community. our first guest is congressman meeks, a member of the foreign affairs committee. gibson, a military veteran, and a member of the armed services committee. washington journal is live

every morning at 7:00 a.m. eastern on c-span. >> i can remember so well the day that it happened, because my father was a minister, and so we had gone up to the church. my mother was the choirmaster. we have gone up to the church to get ready for service. and all of a sudden there was this loud thud. and we knew a bomb had gone off. we thought maybe in our community -- and within a little while, mrs. florence rice, she was my father's country. she said that 16th street church had been bombed. a little while later, we knew the names of the little girls who had been killed. who was onecnair, of those little girls, had been a family friend, kindergarten friend. there is a picture in the book of my father of giving her her

graduation diploma from kindergarten. so it was a very sad and terrifying day for our community. birmingham, alabama, a 50th anniversary commemoration of the 16th street apt his church bombing. live sunday on american history tv on c-span three. senate has delay consideration of a resolution on syria, while the white house pursues a possible diplomatic solution to securing its chemical weapons. asked about these developers at the daily briefing. need to see some kind of tangible progress before going back? >> i do not have a timeline to give to you. it obviously will take some time. there are technical aspects involved in developing a plan for securing syria's chemical

weapons and verifying their location and putting htmthem under international control. foretary kerry is leaving geneva to meet with his russian counterpart, where they will discuss this matter. each side, the american and the russian side, will bring technical experts. we will bring a delegation to evaluating proposal and to assess paths forward. i expect this will take some time. but we also are not interested in delaying tactics. we believe it's very important to hold assad accountable. what is very clarifying about this, as the president made clear all along, the potential use of limited military strikes by the united states was in response to assad's use of

chemical weapons. it was not, as he said, an effort to involve the united states militarily directly in the syrian civil war and not designed to precipitate regime change. it was around the question of chemical weapons. 's chemical weapons stockpiles can be secured and removed from his position absent military force, that will be a good thing. -- i know there are no specific dates you want something done by but talking about experts, this could take months or even years to carry out. don't we need to get some sort of firmer timetable for when you need to see progress? otherwise it could just drag out. >> let's be clear, this initiative has been presented only in recent days. we are deployinghe