tv Key Capitol Hill Hearings CSPAN February 5, 2014 1:00am-3:01am EST
1:00 am
that's part of the issue. when clearly and we've seen this with other substances, we've seen this with prescription drug abuse, that when people see something that is legal, when they see it, it's often prescribed by a physician, people see it as benign and not harmful. it's not -- it's not a surprise for me to see that change in public perception. >> all right, let me pick up on the point you're making, first of all, this whole issue is, is it a gateway drug, is there evidence that in fact it is a gateway drug? can we empirically correlate the use of marijuana to go on to other dangerous substances? >> we know the earlier someone uses marijuana, the more likely they are to develop a dependence and go on to more significant issues. so and if you look at those
1:01 am
folks who have an opiate disorder, they will often tell you and you will see they started with early tobacco, early alcohol and early marijuana use. >> but mr. botticelli, that's a logical fallacy, that's true but that begs the question that millions of americans, 4 50 million, have used marijuana and didn't go on to other drugs. we have to desegregate the addictive personality from the recreational occasional user. i mean nothing normative by this. i said in my opening statement, i'm a child of the '60s and leery of legalizing any drugs. i've seen the damage. but i want us to be basing fact on the matter is the war of drugs doesn't look like it work very well in public opinion and demand. whereas other campaigns that are
1:02 am
voluntary. actually have worked. so maybe we could learn something from that as opposed to incarcerating, especially minority populations in this country and that doesn't seem to work either and doesn't seem to reduce demand. >> representative connolly, i think just focusing on marijuana as a gateway drug, obviates the total harms associated with substance -- we know many people have used alcohol and get into problems and don't have an addictive disorder. the same is true with marijuana, we know about one in nine people who use marijuana go on to develop a dependency, but we also know there are health consequences associated with marijuana use in general and particularly with young adults. again, national institute of drug abuse has shown that youth brain is in development up until 25 years of age. and that regular substance use, including marijuana use, can
1:03 am
have significant long-term effects. we're not talking about folks at gateway to other drugs, but we're talking about just marijuana use in general. i think you really have to look at not just those people who go on to develop addictive disorders, yes we need to be concerned about that, but you have to look at the totality of harm and think about the number of people who use marijuana and get in fatal car accidents. they may not have an addictive disorder but their marijuana use had significant health consequences for them. >> my time is long up, i thank the chairperson, i would just say though, the problem with that logic is it takes us exactly where we are today. it fills up our prisons and even when it's really a small amount of possession and where the effect is treats somebody no different if they did a violent crime. those inequities in the prison system are the consequence of treating marijuana the way you just described today. >> under this administration
1:04 am
we've really tried to move away from the war on drugs and arresting and incarcerating. this is where we believe there's a third -- there's a balanced approach here, not legalization that has the attendant health consequences to it and not a war on drugs approach, but looking at dealing with this as a public health related issue and utilizing criminal justice reforms to make sure we're not arresting and incarcerating. our policy really, our position really focuses on that middle ground in terms of both innovative criminal justice reforms in dealing with this as a public health related issue. >> wish mr. cummings -- let me yield to the gentleman from illinois, mr. davis. >> thank you very much, director. i think you've partially answered questions because as we
1:05 am
continue this discussion could you refresh for me just what the purpose and mission of the office of drug control policy is? >> sure. again, we established by congress in 1988. with the authority of really setting at administration's national drug control strategy, we produced that strategy and sent it to congress every year. and it really is a blueprint, interagency blueprint for how, one, the administration is going to handle the drug related issues and really looking at this whole of government approach to how we're dealing. each agency has a role to play as well as looking at their budgets and making sure that they are aligning their budgets with those drug control strategy. so it sets the administration's drug control policy and looks at strategic priorities and looks at interagency cooperation and interagency action as it relates to how they are going to
1:06 am
implement those drug control strategies. >> do you make recommendations to agencies and to congress and to the public in general? >> the express purpose of our strategy is really to look at how the federal government is going to respond and what is our policy. what is our policy related and how other agencies align their work with those policies. >> we've just heard a great deal of discussion relative to disparities among population groups relative to arrests and the judicial process. would the -- would the agency have any position on any of that or would it have any
1:07 am
recommendations based upon what we've just heard about disparities and arrests and judicial process? >> sure, you know, when you look at our strategy and this was set in the original 2009 obama administration strategy, again, it really focuses on a wide variety of criminal justice reforms to look at that, about how we make sure that we're diverting people from the criminal justice system. one of the things that we've been really promoting again with the bureau of justice assistance is the expansion of drug courts in the united states. so we now have 2700 drug courts in the united states that are diverting people away from incarceration and giving them treatment along with the accountability of those issues. we have also been focusing on things like diminishing the barriers for people to get jobs. we've also been focusing on smart probation efforts.
1:08 am
we have been trying to implement a wide variety of innovative criminal justice programs that really look at moving people away from the criminal justice system. the other piece is looking at the public health strategies of prevention and early intervention. the goal of those is to not only intervene early but really minimize the chances that people are going to intersect with the criminal justice system. you know, often we have not dealt with these issues early and so we want to make sure we're preventing those issues from happening. that's been part of our policy position in terms of how do we come up with alternatives to incarceration, particularly for folks with substance use disorders. >> would you see legalization perhaps as an asset in terms of reduction of drug courts? >> again, i don't see that.
1:09 am
we don't see that as an effect when we look at legalization. again, i think that our concerns around legalization is that we'll see an increase in problematic use and might need more drug courts if we move down the legalization pathway to do that. i don't think it diminishes the need for those kind of services and might have actually an opposite effect in terms of greater impact and need both within the treatment system and our criminal justice programs like drug courts. >> thank you very much, i yield back. >> let me yield now to mr. blumenauer. >> i found the discussion to be very useful, you're highlighting a wide range of issues on people's mind. how many marijuana overdose deaths were there in the most
1:10 am
recent year we've had available? >> to my knowledge i don't know if there have been instances of specific overdose. >> you talked about marijuana deaths, i want to be clear, not trying to trap you, how many marijuana deaths have there been in the last five years? >> so if you're referring to overdoses, and i'm not sure of those numbers. if you're referring -- >> i would like to have you supply us with how many overdose deaths there were because i have heard from experts that judgment i respect, that they don't know of any. that would be really important to provide at least to me, if not the committee. >> what is more dangerous and addictive, methamphetamines and cocaine or marijuana? >> you know, i don't think anyone would dispute the fact that there's relative toxicity
1:11 am
related to those drugs. >> i asked what's more dangerous and what is more addictive. >> cocaine and meth or marijuana? pretty simple. >> i think that conversation minimizes the harm -- >> i'm not trying to minimize the harm. i want to know which is more dangerous and addictive? >> you know, again, i go back -- >> you don't know. >> as public health person, one of the things that we look at is not what's the relative risk of one drug -- >> let me just say that i think that you're equivocation right there, being unable to answer something clearly and definitively when there is unquestioned evidence to the contrary is why young people don't believe the propaganda, why they think it's benign. if a professional like you
1:12 am
cannot answer clearly that meth is more dangerous than marijuana, have every kid on the street knows, which every parent knows, if you can't answer that, maybe that's why we're failing to educate people about the dangers. i don't want kids smoking marijuana, i agree with the chairman. but if the deputy director of the office of drug policy can't answer that question, how do you expect high school kids to take you seriously? >> so representative, i don't mind to be disrespectful and did mean to indicate that there is no -- there is not different degrees of toxicity associated with -- >> i asked what was more dangerous and you couldn't answer it. i want to say that, you, sir, represent what's part of the problem. let me go further. >> that's exactly not what i'm saying. >> what kills more people,
1:13 am
tobacco or marijuana? >> you know, there's been a fair amount of tobacco associated deaths. my challenge and reason i'm hesitating in answering the questions as it relates to relative risk, many times that conversation gets distorted and that there's no risk -- >> i'm not trying to trap you -- >> no, this is why i don't want to be disrespectful. >> let me suggest that your inability to answer whether tobacco or marijuana is more dangerous, again, is part of the problem. mr. connolly documented very clearly that we had been able to drop dramatically tobacco use. and it kills more people than marijuana if you don't know that. but we've been able to drop that without locking people up, without arresting -- i think this administration has seen
1:14 am
three to four million people arrested for marijuana since it's been in office. >> and yet we've been able to drop tobacco use without being coercive and we've been using fact based advertising and focused our efforts on things that matter rather than things that don't work. and i respectfully suggest that you and the department take a step back if you're concerned that somehow people think marijuana is benign. that part of the reason is that drug professionals can't communicate in ways that the rest of america does. i appreciate you're being here and i welcome any written follow-up to my questions. i'm not trying to trap you but i'm very discouraged by your
1:15 am
inability to answer questions. >> let me tell you this morning, i spent the bulk of my morning with a number of parents from across the country who are doing everything they can do to prevent drug use and particularly prescription drug use. and many of them whose kids have died of an overdose. i asked them, what more can the federal government be doing in terms of preventing substance use and preventing the tragedies. and they told me they cannot understand why states are moving to medical marijuana and legal marijuana. they cannot understand it because they understand from a very acute level, the message that legalization sends them. these are -- this is not from a bureaucrat in washington. these are from parents who struggle on a daily basis and have been devastated by addiction in their kids. they understand that -- they understand in a very dramatic and real way, that legalizing
1:16 am
marijuana sends the absolute wrong message to our youth. >> the gentleman will recognize the gentleman from tennessee. >> with all due respect, you should be listening to scientists. i understand the parents who are grieving because their child died of an overdose. they didn't overdose on marijuana. if you're listening to them rather than scientists. mr. botticelli, it may go back to a few good men, the movie, jack nicholson, you can't handle the truth. the drug war failed. your direction on marijuana is a failure. my young 22-year-old friend died of a heroin overdose. he smoked marijuana, probably the first thing he did, but that's not why he smoked heroin or shot it up. maybe he did it because he heard
1:17 am
people like you saying they are all bad and terrible, can't deal with the truth and tell him, maybe marijuana doesn't kill you and heroin does and meth does. until you deal with the truth, the kids aren't going to believe you at all. you talked about alcohol and may have gotten to this. cirrhosis of the liver, pretty serious thing. violence against spouses and women, people don't smoke marijuana and beat up their wives and girlfriends. they get drunk, sometimes they beat up their wives and girlfriends. and i know you've got your statistics and i would debate your statistics. your statistics about the amount of people with marijuana in their system in fatal accidents, i would submit they probably had other drugs like cocaine or crack in addition to the marijuana or alcohol and marijuana wasn't the cause. what i've understand is that people who smoke marijuana,
1:18 am
mostly drive slower and look out for cops. they don't drive fast and wild like people do on alcohol and cause deaths. maybe the reason there's so many more people smoking marijuana now because they are not listening and maybe they are doing the other drugs too. it shows the drug war has been a failure, serious failure. harry anslinger -- >> i don't. >> you should. he's your great grandfather, he started this war in the '30s and he did it to get the american public had problems and sometimes i think we still got them with hispanics and mexicans coming into this country. and it was a war on hispanics and african-americans and that's when they made marijuana illegal was in the '30s and all directed at those people. and latinos are just as much discriminated against as african-americans. it still continues to this day
1:19 am
and 85 years since he started this. the fact we've spent so much time arresting people is simple. you talked about the overall effects of marijuana. again, you can't name one person who has died from an overdose of marijuana, can you? >> not to my knowledge. >> right. you say the cumulative effects, do you know people possibly or heard of people who smoke marijuana who are corporate giants, run banks, run major corporations, do you know about these people? >> yes, but i also know an equal number of people, substantial number of people who also have gone on to develop significant disorders who have smoked marijuana. one in nine people who try marijuana, develop a dependency and we know that particularly those kids who use it earlier in their -- >> kids shouldn't use it ever.
1:20 am
age 18, people shouldn't be arrested for it. maybe it should be 21. but kids shouldn't use it. that's something we all agree on. but the fact is, we need to put our priorities toward heroin and meth. what percentage of your budget goes towards heroin addictions? >> i don't think we necessarily slice our budget, our demand reduction budget based on drugs. our prevent efforts are focused on preventing drug use, of -- >> isn't that a mistake when people die from heroin with great numbers and the vermont governor spends his entire state of the state on heroin use and we don't distinguish and try to save people's lives? that's when you knock people over at the corner store, not to get money to buy a doughnut because you're high, it's to buy heroin because you're hooked. that causes people to die. >> our office in 2011
1:21 am
acknowledged the epidemic we have in the united states. in 2011 we released a plan that looks at dealing with prescription drug abuse and opiate issues. >> my time is about to run out. i compounded in 2011 with your predecessor. >> kerlikowske. >> he said there was no particular -- they haven't found any medical use to date however the fda not found smoke and marijuana to be a safe and effective for any condition. i think that medical association -- are you not aware of people who smoke through marijuana to get through cancer treatment and nausea? >> i do. it's never been our position to arrest people who have been using medical marijuana. i think it's important for us age, again, the fda is not here, it's the fda process that
1:22 am
determines the scientific efficacy. >> couldn't you try to influence it? i had a buddy who a buddy that seal. he died of cancer. he smoked marijuana at the end. our role in this is to rely on the scientist process to determine. i would say and i find it unfortunate to invite the director of the national institute on drug abuse. we are a science-based office. if you ask her, she will lay out for you the scientific evidence. >> you are prohibited by law and
1:23 am
you are the only office that is restricted in that way and required to oppose schedule iin purpose ps for approval. aren't you troubled by this? >> sir, i'm not familiar. congress put that language in our reauthorization and i'm actually not, i don't know the background of that. >> would you support legislation to use science as a basis for your determination. i would support federal agencies that allow you to do that. >> yours is prohibited by law. >> you think you should be muzzled? >> i think that it is important that our office not involve itself in terms of giving
1:24 am
legislation or activities. that the office not involve itself in state -- >> but the totality of the drug world you need to participate. if you realize that medical marijuana can help people with cancer or glaucoma, your d be to have a sane policy not to be handcuffed. in 1971 congress created a commission to study federal marijuana policy.
1:25 am
sir, i would be happy to review that legislation. i would be happy to have a conversation in terms of what that would look like. we would have additional questions. some weren't able to attention. we'll be submitting to you some questions we'll ask for a written response. again, i think this is our first hearing. we may have a series. you have suggested additional witnesses and we are going to try to work with the minority.
1:26 am
it shows efforts on programs to try to keep substance abuse under control. with that, i again, i appreciate your coming out today being >> we would like to get your thoughts on u.s. marijuana policy. you can join the conversation on facebook and twitter. >> coming up, the pentagon responds to cheating allegations at the navy's nuclear propulsion school. then retail store officials before a senate panel on recent credit card data breaches.
1:27 am
quickly came to washington to conduct investigations. my department conducted investigations for year and a half. five or six days a week, 8-10 , in the field of finance and reorganization receiverships. and i had a great galaxy of people on the stand, but we never, never would even call a man if we knew that he would invoke the fifth amendment. >> righty, c-span radio continues our series of oral history interviews with former supreme court justices. this week, from 1967, associate justice william o douglas, at four o'clock eastern. radiowide on xm satellite and on www.c-span.org.
1:28 am
>> up to 30 sailors at the navy's nuclear propulsion school are being investigated for cheating on written exams. a senior navy official spoke to reporters at the pentagon for a half hour. >> we are here to talk about an incident that took place central stint and i would like to stick to that of possible. fire away. >> good afternoon, and thanks for having us this afternoon. i'm admiral jon greenert, the chief of naval operations. and i have with me the director for navy nuclear propulsion program, admiral john richardson. we're here to discuss allegations of cheating on a written qualification exam at one of our nuclear training commands. we learned about this yesterday evening. we were alerted of the incident. and it took place in charleston, south carolina, at our navy nuclear propulsion command there. the propulsion exam was allegedly shared amongst some senior enlisted operators. and admiral john richardson
1:29 am
here, he will speak more about the details of the incident and where we are so far. to say that i'm disappointed would be an understatement. whenever i hear about integrity issues, it's disruptive to our unit's success and it's definitely contrary to all of our core values, our navy core values. and it affects the very basis of our ethos. a foundation of our conduct throughout the navy is integrity. we expect more from our sailors, especially our senior sailors, and we demand it in our training and in our operations. and we will operate to that. the incident, i underline, does not represent the hundreds of thousands of professional sailors who are operating with honor and integrity throughout our fleet today. we set high expectations within our navy, particularly this program, the navy nuclear propulsion program. it has five decades of distinguished service. and it is all founded on integrity. our sailors are held to a standard, a very high standard,
1:30 am
and this will not change. so i assure you if these allegations are substantiated we will hold the appropriate sailors -- hold the appropriate people accountable. we will remain vigilant throughout the program, as we have been, as i said, for five decades. we'll learn from this, and we'll do a case study, and we'll train on it. john, over to you. and then we'll take some questions. >> thank you, cno. and, as the cno said, i'm admiral john richardson the director of naval reactors. it's like i have cradle-to-grave responsibility for the navy's nuclear propulsion program. and, as this incident involves my program, i take full responsibility for this incident. this is mine to investigate and to correct. i was made aware of this situation yesterday, on 3 february, when one of our sailors from the nuclear power training unit in charleston, south carolina, was offered to compromise his integrity, recognized that this was wrong, and reported it to the command. the naval nuclear propulsion
1:31 am
program aggressively focuses on managing problems, whether those are materiel, operational or personnel problems, with the intent of finding and correcting problems while they are still relatively small. and so, in addition to self-examinations, each element of the program is examined by outside inspectors, and we aggressively respond to any problems that they find as well. on rare occasions, an integrity incident occurs that includes an element of collusion between more senior people. for instance, for your reference, the last comparable incident of this nature took place in 2010 on board a submarine crew. integrity is a foundational element of our program, and when confronted with problems, we respond aggressively and forcefully. now, although the investigation is just beginning, i'd like to try to provide some details for your information. this incident took place in our
1:32 am
school. we have a one-year training program that includes six months of classroom training, theoretical training, and six months of hands-on training. we do this in charleston on two converted submarines that we use as training reactors to certify operators to report to the fleet. so this is propulsion reactors, not related to nuclear weapons. this incident involves members of the school staff who are required to qualify to operate and instruct students on the training reactor. we operate using 11-person watch teams. so there's an 11-person team on watch when -- to operate the reactor. this incident, as the cno said, involves the compromise, the alleged compromise, of the written exam to qualify just one of those 11 watch stations, one of the 11 person team. to qualify for that position, in addition to the written exam, that we are discussing and investigating, one must also
1:33 am
pass an oral academic board given by a three-person panel, and must pass an evaluated practical exam showing satisfactory performance. from what we know so far these elements of the qualification program appear to be valid. once qualified, their individual on-watch performance is further evaluated by external inspectors. evaluation by my field representatives on site and through a separate continuing training program, we have seen no major concerns from those other assessments to date. finally, once the staff member completes this tour at the school house and returns to the fleet, the process begins anew. they're required to requalify using the same process on the ship to which they report. and this ship -- this command, is also subject to the internal and external inspections and oversight that i have just described. it is this philosophy of defense and -- that allows me to assure
1:34 am
you that our naval reactors are operating safely. this is a serious incident. as the cno said, integrity is the foundation of our business. the training command and ncis have begun a full investigation that will be led by a nuclear qualified submarine admiral, additional efforts to ensure that we -- will be to ensure that we have properly bound the problem. to date, we're getting good cooperation with the investigation. the training reactors were shut down for routine maintenance when we learned of this incident. the training command has ensured that all personnel implicated in this so far have been removed from the site. their access has been revoked, and all current personnel on watch are those who have no element of implication. as a precautionary measure, these personnel are also being re-tested to validate their knowledge. additionally, i have assigned extra supervision to the operating teams.
1:35 am
i will not reauthorize operation of the reactors until i am personally satisfied that appropriate corrective actions have been taken and additional conservative measures have been implemented. additionally, i have a five person cadre of personnel from my headquarters that have flown down to the site, led by a senior navy captain to assess the command climate in other areas and to ensure the investigation is getting started properly. this scene will review past assessments with the goal of ensuring that we do not have a broader problem at this command. in closing, i'd like to restate that i am fully responsible for this matter. i'm aggressively moving to address the situation. we take our record of over 55 years of safe and reliable operation of naval nuclear propulsion plants very seriously. while i can't provide much more information at this time, due to the ongoing investigation, i will keep you as fully informed as possible. we intend to be as transparent
1:36 am
as possible as we work our way through this. thank you. and i'm happy -- the -- answering any questions that i can, subject to the understanding that there is an active investigation going on. lolita? >> admiral, for both of you. i was just wondering, one, if you could maybe clarify a couple of more details. did this involve e-mailing questions or answers to the -- to the staff? and, did it also involve any violation, possibly, of classified material or access to classified material? and then, secondly, as you know, the air force has had some cheating issues also within part of their nuclear force, and their comments then that it is -- they worried that it's systemic and that this is a broad morale problem, that involves people who were cheating because they felt the need to get 100 percent, because
1:37 am
it affected their promotions. i'm wondering if you could address whether those are also among some of your concerns. >> with respect to the exams themselves, and the nature of what we're talking about, most of that will be more fully developed in the investigation, but it's fair to say that these exams and the operation of the plants do involve classified information and that'll be an active part of the investigation to fully understand that. with respect to the morale, we -- and -- and the necessity to pass these exams in order to advance, that's -- that's not really a dimension of our program. we do not have that -- that, you know, kind of 90 percent and above type of dynamic in our program. our exam program is -- is different than -- than the -- the one that you mentioned for the air force. and so we don't really see that being a dynamic here. but, again, you know, as i said, my team is on board to make sure that we've properly bound this.
1:38 am
we're taking nothing for granted right now. >> admiral richardson and i grew up in the same program, the navy nuclear propulsion program. the foundation within it is examination and reexamination, oral and written, as well as demonstration of proficiency. so what i'm saying is it is in the -- it is in the ethos, if you will. it is in the process that folks are used to getting examinations -- getting examiner qualified in their -- therefore, i don't perceive, as admiral richardson said, that there's an element of "you have to get the highest grade." because we're constantly evaluating and self-assessing ourselves within this program. >> how many -- sorry -- if you've answered this, excuse me, but how many sailors have been decertified? and could you tell us a little more about how this came to light? you said one sailor had been encouraged to -- to join in. it sounded like a sort of group of people who were cheating and he came forward.
1:39 am
did this not come to light because of the review that was ordered by the secdef in relation to the air force? >> it did not. we were, of course, you know, looking very hard at ourselves, as we always do. so i hope the theme that emerges here is that, you know, there is a climate of introspection, of looking for problems and solving them -- so we are constantly assessing ourselves. this did not come forward as a consequence of that ongoing thing. this was a sailor who, you know, has been fully trained from the moment he enters boot camp that integrity is a foundation of our navy's operations and -- including the naval nuclear propulsion program. he recognized when he was asked to join in that that's not consistent with those values, and mentioned it to the command. >> and how many have been decertified? >> it's really, we're still bounding that problem. and so i'm hesitant to give you a number right now because i don't have a final number.
1:40 am
but we conservatively estimate that this is probably less than 1 percent of the naval nuclear propulsion force. >> and that would be roughly? >> we have 16,000 sailors in the program. >> how many in charleston? >> in charleston, it's roughly -- it's a few hundred. >> we'll get you that number. >> we'll get you the exact number. >> so we're talking about a dozen or so, aren't we? >> you say 1 percent -- less than 20, is that what you're talking about? >> that's the ballpark figure. but again, i hesitate to commit to that because we're still in a very early -- we're only 24 hours into this. >> hi. i wanted to ask about how -- views this incident and the repercussions of it might disrupt potential budget decisions in a constrained environment for subs and carriers? and if there, you know, might be a need identified to fund some more of these internal and external investigations? >> well, i don't think it will affect budgetary decisions.
1:41 am
as admiral richardson explained, we are constantly evaluating ourselves, especially within this program. we in fact have our navy i.g., john has asked that team to take a look at our nuclear propulsion examining and training process. that examination has been going on how long, john? >> about four months. >> about four months. and so, finding things like this occasionally, as he's mentioned it happened four years ago on a vessel. so, i don't want to trivialize it. this is very serious, but these are the things that we are very vigilant for. we need to learn from, understand the case study and get in and train about it. so, i don't see it right now as being something that would have a budgetary ramification. but if there is any need to fund additional evaluations, and we'll figure that out, we'll fund that. this is very important to me. jennifer griffin? >> what will be the consequences for those who are found to be guilty of being involved in this? >> i think that that's a
1:42 am
case-by-case evaluation. we generally are pretty forceful about holding people accountable. and so, as, you know, the investigation continues and we can determine, you know, the level of culpability, the level of misconduct, then we'll evaluate that on a case basis. >> would it be safe to say that if you're caught cheating, you would be kicked out of the navy? or what's the upper end of punishment? >> that's -- certainly removed from the program, and then, you know, if -- our history is that if you are caught in an integrity violation, you're removed from the program and generally on to -- out of the navy. thom shanker? >> i'd like to return to the point that -- was reaching for earlier about your sense of "why now"? rightly or wrongly, i think the general public, the taxpayer sees a contingent of cheating across the military. so what is happening now? is it the optempo since 9/11? it's been going on for a long time, but nobody caught it?
1:43 am
are these just one-off and inexplicable? why, admiral, is this happening now? >> thom, if i knew that answer, i would be doing all kind of things within the navy. but one thing is sure. we need to and we will remain vigilant. we will continue to drive home to our people the importance of integrity: the fact that it is the foundation of all that we do in the u.s. navy. we have to believe everything that somebody says to one another. again, it is the foundation at sea and port, and certainly in this program. and so we will be very introspective on this. we will, as i said before, make this very much a case study, like we did previous issues that occur in this program and in others, but certainly in this program. it's founded, again, on self-inspection and good assessment. julian barnes? >> admirals, two follow-ups and points of clarification. do you think that the sailor who came forward to report this did
1:44 am
so in part because of the attention over the air force issue, knowing from that that he had a duty to report what he knew and two, is there any way to describe this test in any more detail about whether it was maintaining the reactor, running a reactor, or what exactly, obviously, without getting into classified material, but what it was testing. >> with respect to what the test tests, it's -- this particular is primarily on reactor operation, and so they test the theoretical level of knowledge to be able to qualify for that watch station, that position on the watch team, and that's what this exam serves in conjunction with the oral board, in conjunction with the evaluated, on-watch assessment. and so there's sort of a three layers of evaluation there.
1:45 am
with respect to what motivated the sailor to come forward, we have a -- a steady drum-beat in the navy, and particular, in the navy nuclear propulsion program of -- that stresses the importance of integrity to our -- as a foundational value, and so it's hard for me to say right now what specifically motivated this sailor, but i think at the foundation he understands the importance of the value of integrity and made his report. >> admiral, as you know, the air force has had their own issues, been conducting their own reviews with cheating of nuclear missileers. has the navy been doing its own review of its program because of what's been going on in the air force? i know the secretary of defense had a meeting here at the pentagon to talk about the broader program. what had the navy already been doing as a result of this? >> the answer to that is yes, the navy has done a review of the -- what i'll call the nuclear enterprise. the -- the nuclear weapon enterprise involves two
1:46 am
services, obviously, the navy and the air force. we have our element, the ssbn force and all of its supporting entities. we've been directed to look primarily at the personnel element of that. the qualification people of all those that organized training, and equip those that do handle or employ or field direct operations of nuclear weapons. the certification therein and of course the personnel reliability program. and so that is in progress. what -- what we do already, craig, is every two years, we have a three star flag officer review, if you will, the program, coordinated with our director of our strategic systems program, ssp. that strategic systems program are responsible for all operations, if you will, handling of -- of our nuclear weapons themselves. so, that has been going on. there's a drum beat of that, as admiral richardson said, in his program. we have a similar drum beat. now, we are going to take the
1:47 am
results of our most recent, which is months old, we are going to take the results of the schlesinger report, you remember that from a few years ago. we're going to take the results of the admiral donald report, if you remember that also was a few years ago, look and see what was directed in that, review that, did we do what it said, how are we doing on that, and then we're going to do an internal assessment coordinated with that. so, what has been looked at before? how is that going? is it still effective, and where are we now? all of that is underway, and we're due to report in what is now about 45 days. we were assigned this a few weeks ago. phil stewart? >> i just want to get a sense about the -- the timing of the person who came forward. was that person indicating that there was a -- that this is a new problem, this is a fresh, one-off incident, or did the evidence suggest this might be going back awhile, this cheating might have been more -- more systemic or -- a pattern of cheating. and also, your -- your reticence to put a finger on the number, is that because you believe it's going to get much higher?
1:48 am
>> well, that is indicative of the fact that we are just getting started, and so any number that i give you, i don't know where that's gonna go, ray, we're just getting the -- started. and so, i'm reluctant to give you a number, because it could change. it may be bound. we just don't know. and so, i don't want to put something out there that -- that may be accurate, but we may find more, right? so we're in the very early stages of this. and then, i'm sorry, what was the other part of your question? >> was this a new, a single -- >> so, again, part of investigation, we know that when he was confronted, you know, we learned about this yesterday. and so, in terms of the time frame, we'll get a sense for that in the investigation. >> this individual came forward. he was not asked, right? >> no, no. he came forward of his own accord. and this just happened in the last 24 hours. and so, we wanted to get to you very early on, to let you know about this. >> was this just in a pattern that has been going on for a long time, or was it -- it's just in this one-off incident that -- >> it's to be determined. we'll be back to you when we learn that. >> bryan bender with the boston
1:49 am
globe. a couple of just points of clarification. so, to be clear, this test, in particular, is one of a series of tests which you must perform before you're qualified. >> exactly. >> and then the only -- the other question was, was this test to qualify or to re-qualify someone? in other words, are they already qualified to operate the reactor and they're being retested? or this is for a new person who's never done it, taking the test to see if they're qualified? >> so, because these, the folks that we're talking about, are on the staff, they have already completed their initial qualifications as students through this same program. they have then gone out and requalified again at sea on whether -- on the carrier or submarine that they were assigned. and now they are coming back, and there's an additional requalification process back at those training reactors. so this will be about the third time that they will have been
1:50 am
through this qualification sequence. over the top of all that, there is a continuous training program that in addition to the qualification, it is a program of lectures and clinics and education, with exams and validation along that. so it fits into a pretty thorough network of education, qualification and validation. tom vanden brook? >> sir, i have a question about, these were senior enlisted folks who were the instructors, for -- >> correct. >> and they were giving the answers to, or offering to give answers to trainees? >> no. our understanding to date is they were giving them staff to staff. so this is so that the staff could qualify the position to operate the training reactor. you have to -- he'd have to qualify to operate that. and then additionally, you're training students. but we see no evidence of compromises for the students at this point.
1:51 am
>> but was there anything offered in exchange for these answers? >> no. gordon lubold? >> just to clarify, run off-- question, admiral, you described what was underway, in terms of reviews and all that. i just want to see, does this incident then trigger potentially a broader investigation, not just of this incident that you've been describing, but a broader kind of wake-up call kind of investigation of the navy's nuclear force? you see what i'm saying? >> right. we will certainly in this process of bounding the problem we will take everything that we've -- that we learned from this incident, and we will apply that to the broader force. that's just our nature, right? we use these as -- these problems as opportunities to check across the force. and so, that is part and parcel -- that's par for our course. we will do that. >> gordon, i think i should add, as i described to craig, we're doing this 60-day look,
1:52 am
involving our nuclear enterprise. we share across enterprises, the nuclear propulsion enterprise, again, the foundation is integrity, the principles are all there. our people serve on nuclear-powered ssbns. and so, those elements have to be shared. so there's a lot involved in this, across, if you will. >> yes, could there be any operational impact with these -- those involved with the cheating, possibly suspended? the air force had to suspend or restrict about 120 missileers. is there any -- and people are pulling extra shifts. do you foresee any type of similar operational impact? >> i could possibly foresee an impact in charleston. we'll see if that is broader. >> what -- of impact would that be, sir? >> the same sort of thing. so there's those folks that are implicated are gonna be removed from those responsibilities. and other folks will have to
1:53 am
possibly pick up those duties. additionally, there will be a certification process before i allow any kind of operation of those plants as well. >> admiral richardson, you said the only thing comparable involved is submarine crew. were you talking about the memphis? >> that is it, right. >> ok, why is it comparable? you're talking about something that happened in a training atmosphere, and the other one is talking -- you're talking about something that happened on an attack submarine. >> right. the elements that concern me are not so much the, you know, where it happens, but the nature of the incident, which is both on memphis and, in this case, we have one, a violation of integrity, one of our core principles. two, you have some kind of an, you know, collusion amongst particularly senior people. and so that -- when we -- you know, on those rare occasions that we find those two things, it's of particular concern to us. and that's why i draw parallels between those two incidents.
1:54 am
louis martinez? >> going to go back to your under 1 percent reference, is that to mean that's how many individuals you're looking at who might be implicated? because i did some fuzzy math and that comes out to like under 160 personnel. >> right. that's kind of my initial bounding of the problem, and so, you know, pending further investigation that's kind of where i see it right now. >> in terms of what? in terms of what? in terms of -- >> personnel that will be implicated. >> sorry, she asked before -- >> sixteen thousand personnel in the plant. and so, used to -- i mean, one percent of 16,000 i think is 160, but in terms of the ballpark figure, you know, it's -- it's well less than that. so when you said 16, that's i think -- yeah, you're gonna be closer. again, it's hard to say. i just am very reluctant to
1:55 am
declare a number at this time, because as i said -- >> certified, that's what i'm having a problem with, because you don't want to give a number. it's between 16 and 160, but if you actually de-certify people, there would be a number. >> and i just -- in terms of the number de-certified, it's, you know, part of this entire program. so i just am reluctant to -- you know, to get a sense for where we stand right now in an ongoing investigation. >> follow up. how many of these teams are there? i mean, you're talking about an 11 person team. how many teams are there in this unit? >> there are five different shifts that operate. so -- so there are five of those teams that operate in shift work, and you know, we essentially do 24-7 training there on -- on a shift work basis. >> this is the universe that you're looking at? >> well, we're looking across the entire program. so we'll start there. that's where our concern is most acute right now. we'll make sure that we have taken a look at the entire program to ensure we bound this.
1:56 am
>> admiral, thank you. and if there's any follow up questions just please press the navy news desk or e-mail me. thank you, very much. >> our next washington journal, we will talk to florida congressman john mica about u.s. marijuana policy. then maryland representative thea edwards will discuss report that the deficit will drop to 514 billion, and this week's deadline on the debt limit. later, dr. richard carmona will lend hispdate and research to improve survival rates from ieds and mass shootings. we will take your phone calls and you can join the conversation on facebook and twitter. washington journal, live each morning at 7:00 eastern on c-span. new -- >> the new www.c-span.org website makes it
1:57 am
easier for you to find and watch all the extensive coverage of washington. look for it on the homepage in a space called federal focus. congressional committee hearings, events with the president and members of his cabinet, press briefings from the white house, capitol hill, the state department, and the pentagon. plus, selected supreme court oral arguments and appearances by the justices. watch live or on your own schedule. federal focus on www.c-span.org, making it easy to keep tabs on what is happening in congress, the white house, and the court. an executive from target said the company is investing $100 million to upgrade to a more advanced credit card system following the hacking of customer data. testifying before a senate committee, the target cfo john mulligan was asked about the
1:58 am
holiday season cyber theft that has exposed the personal or financial data of millions of u.s. shoppers. senator patrick leahy of vermont chairs the judiciary committee. >> we are starting a little bit late. i apologize for that, but i appreciate everybody who is here today. state,l over the including now snowy colorado. we're going to meet to examine americans protect from the growing dangers of data breaches and cyber crime in the digital age. safeguarding american consumers and businesses from data breaches and cyber crimes has been a priority of this committee since 2005.
1:59 am
for years, we try to make sure everybody understands this is not a democratic or republican issue. i work closely with members of both sides of the aisle to advance meaningful data privacy legislation. i want to thank senator grassley for working with me very closely on this hearing. i hope it can continue working together to advance the personal data privacy and security act i recently introduced to protect american consumers. you watch the news, you pick up the papers, you listen to the news, whatever. most americans, myself included, have been alarmed by the recent data breaches at target, neiman marcus, and michaels stores. the investigations of the cyber attacks are but they compromise the privacy and security of millions of american
2:00 am
consumers, potentially putting one in three americans at risk of identity theft and other cyber crimes. i know my wife and i have been so assiduous in checking our credit card bills, but that is the same with everybody. i mention those three stores, those are all excellent stores. they are major parts of our economy. but we have to have faith in them. if we don't have faith in businesses' ability to protect the personal information, the economic recovery is going to falter. in the digital age, major data breaches involving our private information are not uncommon. there have been significant data breaches involving sony, epsilon, coca-cola, also some
2:01 am
federal government agencies, department of veterans affairs, energy, data breaches of yahoo! and others. so it won't seem like we are singling out just a few businesses, more than 662 million records have been involved in data breaches since 2005. agree, a cyber attack -- also for consumers who want to protect themselves against further exposure, it is not like someone comes in and robs a store, you know where it happened and you have some general idea of where the perpetrator is. here, the perpetrator could be thousands of miles away in
2:02 am
another country. american consumers deserve to know when their private information has been compromised. rely on being able to do a lot of our business electronically. but we should also remember that the businesses that suffer cyber attacks are also often the victims of a cyber crime. a recent study found that data breaches involved in malicious cyber attacks are the most costly data breaches around the globe. the per capita cost of cyber attacks in the united states was $277 per compromised record in 2013. times that by millions upon millions. the highest cost for any nation. you are in a fragile
2:03 am
economic recovery, this is a significant hindrance to recovery. so before the judiciary, symantec, and we will hear from the u.s. secret service, department of justice, federal trade commission. we are facing threats to our privacy and security unlike any time before in our nation's own history. we also had hearings about threats to our privacy by our own government agencies. i hope in this particular one we can get some good bipartisan, get some data privacy legislation on here. i think we will all be better for it. senator grassley. >> very important that we have this hearing. we have had well-publicized commercial data breaches. we are still learning about the details. this hearing will help bring more details out, i hope.
2:04 am
it is clear that these and other breaches have intentionally impacted tens of millions of consumers nationwide. today's opportunity is to learn about the challenges that both industry and law enforcement face in combating cyber attacks from well-organized criminals. the witnesses have the unique ability to provide us various important perspectives as we consider the government's role in securing sensitive data and crafting a breach notification standard. i hope to learn where the committee's expertise could be helpful in combating future attacks. furthermore, i would like to use this hearing to explore areas of common ground so that we can determine what might be accomplished quickly. it had been a couple of years since our committee has considered data security
2:05 am
legislation. in that time we have learned a lot about the subject, thanks to broader cyber security conversations. the proposals offered by the administration and discussed in congress along with other government initiatives and be helpful for us to proceed as we consider what to do with this legislation. when considering data security requirements, our approach should provide flexibility and also account for businesses of different sizes and different craftyes in a world of criminals, it seems to me that one-size-fits-all approach will not work or at least will not work for everybody. instead, let's see how the government can partner with private business to strengthen data security. an example may be the national
2:06 am
institute of standards and technology cyber security framework am has received bipartisan support, and as far as the senate is concerned, unless it is bipartisan, it isn't going to go anywhere. that's not because there's something wrong with democrats or republicans. that is the institution itself. as we discussed the creation of a federal breach notification standard, we must avoid the risk of consumer over notification, just as there is a potential for harm when a victim isn't notified of a breach, over notification can lead to harm and apathy. as time permits, i want to explore these and other issues today, and will be available to discuss things beyond the committee process, either with colleagues or with other people. if everyone works together, it seems to me we can tackle these problems and hopefully limit future attacks.
2:07 am
chairman.in, mr. i ask unanimous consent to include my full statement in the record along with statements we received from these groups, the national business coalition on e-commerce and privacy, the payment card industry, the national association of federal credit unions, the american bankers association, national retail federation, and the retail industry leaders association. >> without objection that it be included in the record. matt asked the four witnesses to please stand and raise your right hand. let the record show that the all took thes
2:08 am
oath. we will hear from each of the witnesses first and then we will ask questions. john mulligan is chief financial officer and executive vice president for target, the second-largest general merchandise retailer in the u.s. he joined target in 1996. his responsibility includes financial planning and analysis, financial operations, tax, assurance, investor relations. he graduated from the university of wisconsin in 1988. in 1996 he earned a masters of business administration degree from the university of minnesota.
2:09 am
>> good morning, members of the committee. my name is john mulligan. i'm executive vice president and chief financial officer of target. i appreciate the opportunity to be here today to discuss important issues surrounding data breaches and cyber crime. as you know, target recently experienced a data breach resulting from a criminal attack on our systems. to begin, i want to say how deeply sorry we are for the impact this incident has had on our guests, your constituents. we know this breach has shaken their confidence in target and we are determined to work very hard to earn it back. at target we take our responsibility to our guests very seriously. this attack has only strengthened our resolve. we will learn from this incident and as a result, we hope to make target and our industry more secure for consumers in the future. i would now like to explain the events of the breach as i currently understand them. please recognize that i may not be able to provide specifics on
2:10 am
certain matters because the criminal and forensic investigation remains active and ongoing. we are working closely with the secret service and the department of justice on the investigation to help them bring to justice the criminals who committed this widespread attack on american business and consumers. on the evening of december 12, we were notified by the justice department of suspicious activity involving payment cards used at target. we immediately started our internal investigation. on december 13, we met with the justice department and the secret service. on december 14, we had an independent team of experts lead a thorough forensics investigation. on december 15, we confirm the had in our system am installed malware and potentially stolen guest payment card data. over the next two days we began notifying the payment card processors and card networks, preparing to notify our guests
2:11 am
and equipping our call centers and stores with the necessary information and resources to address the concerns of our guests. our actions leading up to our public announcement on december 19 and since have been guided by the principle of serving our guests. we have been moving as quickly as possible to ensure accurate and actionable information with the public. we know that the breach affected two types of data. payment card data which affected approximately 49 million guests and certain personal data that affected up to 70 million guests. we believe the payment card data was accessed through malware placed on our point-of-sale registers. it is designed to capture the data that resided on the magnetic script -- magnetic strip. this focused on supporting our guests and strengthening security. in addition to the immediate steps i described, we are taking the following concrete actions. first, we are undertaking and into inferencing review of
2:12 am
our and our network and will make security enhancements as appropriate. we increased fraud detection for our target red card guests. to date we have not seen any fraud on a proprietary credit and debit card due to this breach. we have seen only a very low amount of additional fraud on our target visa card. third, we are issuing new target credit and debit cards to any guest who requests one. fourth, we are offering one year of free credit monitoring and identity theft protection to anyone who has ever shopped in our u.s. target stores. guests have zero liability for any fraudulent charges on the cards arising from this incident. six, target has a -- is accelerating our investment in our target red card point-of-sale terminals. target has invested significant capital and resources in security technology, personnel, and processes. we had in place multiple layers of protection including firewalls, malware detection, intrusion detection and
2:13 am
prevention capabilities and data loss prevention tools. the unfortunate reality is that we suffered a breach. all businesses and their customers are facing increasingly sophisticated threats from cyber criminals. in fact, news reports have indicated several other companies have been subjected to similar attacks. to prevent this from happening again, none of us can go it alone. we need to work together. updating payment card technology and strengthening protections for american consumers is a shared responsibility and requires a collective and coordinated response. on behalf of target, i am committing that we will be an active part of the solution. to each of you and all of your constituents and our guests, i want to once again reiterate how sorry we are this happened and our ongoing commitment to making this right. thank you for your time today. >> thank you very much, mr. mulligan. michael kingston is senior vice
2:14 am
president and chief information officer for neiman marcus as well as chief information officer, he oversees approximately 500 professionals responsible for all aspects of information technology and security including technology strategies. information technology services for all neiman marcus clients, both its stores and website. thank you for being here. please go ahead, sir. >> mr. chairman, senator grassley, members of the committee, good morning. my name is michael kingston and i'm chief information officer at neiman marcus group. i want to thank you for your invitation to appear today to share with you our experiences regarding the recent criminal cyber security incident at our company. i have submitted a longer written statement and appreciate the opportunity to make some brief opening remarks. we are in the midst of an ongoing forensic investigation and has revealed a cyber attack
2:15 am
using very sophisticated malware. from the moment i learned there might be a compromise of payment card information involving our company, i have personally led the effort to ensure that we were acting swiftly, thoroughly, and responsibly to determine whether such a compromise had occurred, to protect our customers and the security of our systems, and to assist law enforcement in capturing the criminals. because our investigation is ongoing, i may be limited in my ability to speak definitively or with specificity on some issues. there may be some questions i do not have the answers. nevertheless, it is important to us as a company to make ourselves available to you to provide whatever information we can to assist in your important work. our company was founded 107 years ago. one of our founding principles is based on delivering exceptional service to our customers and building long-lasting relationships with them that have spanned generations. we take this commitment to our
2:16 am
customers very seriously. it is part of who we are and what we do daily to distinguish ourselves from other retailers. we have never before been subjected to any sort of significant cyber security intrusion, so we have been particularly disturbed by this incident. through our ongoing forensic investigation, we have learned that the malware which penetrated our system was exceedingly sophisticated. a conclusion that the secret service has confirmed. a recent report prepared by the secret service crystallized the problem when they concluded that a specific type of malware, comparable and perhaps even less sophisticated than the one in our case, according to our investigators had a zero percent detection rate by antivirus software. able to capture payment card data in real-time, right after a card was swiped, and had sophisticated features
2:17 am
that make it particularly difficult to detect, including some that were specifically customized to evade our multilayered security architecture that provided strong protection of our customers data in our systems. because of the malware's sophisticated anti-detection devices, we did not learn that we had a natural problem in our computer system until january 2 and it was not until january 6 when the malware output had been disassembled and decrypted enough that we were able to determine that it was able to operate in our systems. then, disabling it to ensure it was still not operating took until january 10. that day we sent our first notices to customers potentially affected and made widely reported public statements describing what we knew at that point about the incident. prior to january 2, despite our immediate efforts to have two separate firms of forensic investigators dig into
2:18 am
in an attempt to define any data security compromise, no data security compromise in our systems had been identified. based on the current state of evidence and the ongoing investigation, it now appears that the customer information that was potentially exposed to malware was payment card information and transactions in 77 of our 85 stores between july and october of 2013, at different periods of time within this date range at each store. in, we have no indication our transactions on our website or in our restaurants were compromised. three, pin data was not compromised, as we do not have pin pads and do not request pins. four, there's no indication that social security numbers or other personal information were exposed in any way. we have also offered to any customer who shops with us in the last year at either neiman
2:19 am
marcus group stores or websites, whether their card was exposed to the malware or not, one year of free credit monitoring and identity theft insurance. we will continue to provide the excellent service to our customers that is our hallmark. i know that the way we responded to this situation is consistent with that commitment. thank you again for your invitation to testify today and i look forward to answering your questions. >> thank you very much, mr. kingston. served asitness policy counsel in the consumer union washington office and is lead advocate for telecommunications media and privacy efforts. consumers union is a policy action and vision -- division of consumer reports. she graduated from the university of virginia with a from columbia school
2:20 am
of law. we are glad to have you here. please go ahead. >> thank you for the opportunity to testify before you today about these breaches. i serve as policy counsel of consumers union. this past december at the height of the holiday shopping season, 40 million unsuspecting customers learned that criminals may have gained unauthorized access to their credit card and debit card information. subsequently, 70 million more learned that personal information such as names, addresses, and telephone numbers may have also fallen into the hands of suspected hackers. since then we have learned of similar breaches at other retailers. neiman marcus has confirmed unauthorized access to payment data and michaels has stated it is investigating whether a similar breach occurred. the press is reporting that the malware that was reportedly used in the neiman marcus and target
2:21 am
breaches was sold to criminals overseas. what we have seen thus far may just be the tip of the iceberg. this is truly disturbing. as consumer reports and consumers union have reported with regularity, consumers who have their data compromised in a large-scale security breach are more likely to become victims of identity theft or fraud. although federal consumer protection lending laws and voluntary industry standards generally protect consumers from significant out-of-pocket losses, policymakers and consumers should take these threats seriously. there are practical and time-consuming concerns for consumers whose data has been breached. particular concern is debit cards. although consumers might not ultimately be held responsible if someone steals their debit card data or pin number, data thieves can still empty out a consumer's bank account and set off a cascade of bounced checks and late fees which victims will
2:22 am
have to settle down the road. what can happen to that data after it is stolen is disconcerting to say the least. sometimes it is resold to criminals outside the country. make counterfeit cards. the result is decreased consumer confidence in the marketplace and uncertainty with the realization that your private financial information is out there in the ether for anybody to use for an unauthorized purpose. when consumers union learned of the breach, we urged them to investigate the matter and for increased public disclosure. just last week attorney general eric holder confirmed that the department of justice is also investigating the matter. we know that lawmakers have urged the federal trade commission to investigate as well and we are grateful of the federal agencies' efforts and state attorneys general efforts so that we can figure out what happened and get to the bottom of this and figure out how to come up with a solution together to prevent these breaches from occurring in the future.
2:23 am
we have also provided consumers with a number of tips including checking transaction data, notifying your bank immediately of any suspicious activity, replacing credit cards, debit cards and pin numbers. five election also security to block- fraud alerts access to your credit report. target and affected retailers are offering consumers credit monitoring which we would be happy to speak about and answer questions about as well. new technology uses multiple layers of security including computer chips in each card that stores and transmits encrypted data. what we have reported in the past is that when this technology has been adopted in
2:24 am
europe, it has significantly decreased fraud. so we need a stronger commitment from all stakeholders to adopt this technology sooner rather than later. reinforce just how timely and relevant these issues are. we are appreciative of the committee's efforts and to the chairman for introducing the data privacy and security act. we think that the sooner consumers know their data has been compromised, the sooner they can take steps to protect themselves. we urge the committee to consider shortening the time line for notification from 60 days to require more immediate notification. -- we would like to strengthen some provisions including those related to preemption. we want to make sure that any national standards offer strong, meaningful protection. we thank you for the opportunity to speak before you today and appreciate your interest in data security. we want to ensure that there is
2:25 am
consumer confidence in the marketplace and we look forward to working with you and all interested parties. thank you very much. next thank you for what you said about our legislation. i'm hoping we can move it quickly. the senior vice president of at symantec.on he drives development at mobilec and norton management. he was vice president of identity and authentication services before that. he obviously has a background in this field. please go ahead. >> thank you, and good morning. thank you for the opportunity to testify today on behalf of
2:26 am
symantec corporation. we are the world's largest security software company with over 31 years of experience developing information security and management technology. our global intelligence network is made with millions of sensors all over the world and records thousands of events per second, and we maintain 10 security response centers that operate 24 by seven around the globe. this gives us a view of the entire internet landscape. at symantec, we also invest over $1 billion a year in research and development to help our customers stay ahead of the bad guys. the hearing today is critically important and will focus attention on what businesses and consumers can do to protect themselves from cyber attacks and data breaches. attacks on point-of-sale devices are not new. but it does appear the pace is increasing. it brings immediate attention and citizen concern, but it cannot be just about one or two
2:27 am
high profile crimes. not just retailers but every organization with sensitive information is at risk because cyber crime is a big business. in 2013, we estimate the identities of over 435 million people were exposed. that number is rising as the reports surface. the cost is very real and is borne by both consumers and organizations. in 2012, the global price tag of consumer cyber crime was $113 billion. it was found the average total cost per breach in 2012 was $5.4 million. the study also found that strong security before a breach and good incident management post breach can dramatically cut the cost of these incidents. these breaches are increasingly caused by targeted attacks which are up 42% year over year. some are direct attacks on the company servers where they search for undefended
2:28 am
connections to the internet. all attacks have potentially one goal, to gain control of the user's computer. in the case of a retailer, it can include compromising point-of-sale systems to obtain valuable consumer information. the best way to prevent the attack starts with the basics. good cyber hygiene is simple and cost-effective. strong passwords, ubiquitous encryption are important elements of any good security program. a modern security suite that is being fully utilized is essential. then security protection is much more than antivirus software. in the past, the same piece of malware would be delivered to thousands or even millions of computers and was easily blocked with signature-based systems. today cyber criminals can take the same malware and create unlimited unique variants they
2:29 am
past basic software. that is why modern security software does much more than look for known malware. it monitors your computer or mobile device, watching for unusual traffic patterns or processes that could be indicative of malicious behavior. we provide behavior-based security technologies that can identify more advanced threats. the solutions put files in context using age, frequency, locations and other data. if the computer is trying to execute a file we have never seen anywhere in the world and it comes from an unknown source, there's a high probability that it is malicious and should be blocked. security should also be specific to the device being protected. point-of-sale system devices have advantages over other systems because the functions they need to perform
2:30 am
can be narrowly defined. allowing these devices to only run approved applications will reduce the attack surface and render many strains of malware ineffective. we released a report that provides an overview of the methods that attackers may use and provides recommendations on how to protect the systems from attack. unfortunately, data breaches and cyber threats are part of our day-to-day lives. we will never be able to prevent every data breach or cyber attack. working together, industry and government can make it increasingly more difficult for cyber criminals to succeed. thank you again for this opportunity to be here today and i'm happy to take any questions you may have. >> thank you very much. i think we are all united in the same thing. we all want to stop these attacks, number one. number two, as you just pointed out, we are always going to have these attacks, no matter what we
2:31 am
do. the question is, can we successfully stop them and are we keeping up to date with the realities of today as compared to years ago. mr. mulligan, the data breach at target became front-page news every day on and on. just going after your company, obviously, but it has the potential to place one in three americans at risk of fraud or identity theft, identity theft being part of -- probably one of the most difficult things one has to deal with. what do you find so far? are you any closer to finding who did it? tell us just briefly, what are
2:32 am
the steps you are taking to prevent privacy -- protect privacy? >> as i said earlier, the intruder came in through a set of compromised vendor credentials and took two sets of data. the first set of data was malware was placed on our point-of-sale registers and there they grabbed payment card information in the time from it being swiped by magnetic stripe and the time when we encrypted it in our system. separately, they took information from certain personal data, name, address, phone number, e-mail address, for up to 70 million records. they encrypted that and removed it from our systems. we have an ongoing forensic investigation and end to end review of our entire network to understand what went on. since then we have removed the malware, closed the point of entry, narrowed the scope of who has access to our system. we have provided the malware to a security firm for their review
2:33 am
, and we have the ongoing review where we will have additional learning and we are committed to taking additional actions. >> as i understand it, the justice department told you -- you said this, on december 12. you removed the malware three days later on december 15, is that correct? >> that is correct. >> had you had any knowledge the malware was there before the department of justice gave you that notification? >> we did not. despite multiple layers of detection we had within our systems, we did not. >> you had all your systems in but you found out about
2:34 am
it from the department of justice. >> that is correct, mr. chairman. >> did the breach involve online purchases? >> that is my understanding. >> kingston, you testified breach at your company would affect 1.1 million american consumers, is that correct? >> learned in our investigation is that this which was inserted into our systems by the criminals was operating in many of our stores at certain times between july and october of 2013. the number of account numbers in our stores at that time that were exposed to the
2:35 am
malware was 1.1 million accounts. we believe because the malware was only operating at certain times that the number is actually less than that. >> when did you first find out about it? >> the first time we found out about it was when our forensic investigation teams discovered it on january 2, 2014. >> when did you first receive information about it? >> the forensic investigation firm first alerted us that there was some suspicious malware they had found as part of the investigation on our systems on january 1. >> you say that you first received information december 17? >> on december 17, we were notified by our merchant mastercard had
2:36 am
122d in their fraud systems account numbers that had been fraudulently used, that were used prior to that at neiman marcus locations. >> since january 1, have you any of your malware protection protocols or equipment? >> yes, we have. we have made a number of different changes. as i mentioned in my testimony, the malware unfortunately was by our antivirus systems which we maintain and keep up to date. since then we have shared the malware both with forensic
2:37 am
investigation teams, the secret service and our antivirus company and they provided us with updated signatures so we can remove it and disable it. >> how has the cooperation been within law enforcement? >> we have been working with law enforcement all along the investigation and they have been very helpful and very cooperative. >> would you say the same, mr. mulligan? >> i would, senator. we have a long relationship with law enforcement and our interactions throughout this time have been very productive. >> i want to associate myself with the remarks that the chairman made just before he asked questions. that is that i think we are all trying to find the same solution. this is not a case of a group of business people on one side and the government on the other side. we've got a major problem we have to deal with and it's going to take cooperation.
2:38 am
the senator did not say it exactly that way, but i hope i -- thank you. as we have heard today, even companies with tremendous resources and multilayered -- by the way, i'm going to ask this, as we have heard today, even companies with tremendous resources and multilayered security systems can be attacked and breached. this means smaller businesses are more vulnerable to similar attacks. one thing i have heard repeatedly is that businesses of all sizes need flexibility in creating and implementing their security programs. what works for one may not work for another. but companies must be proactive and guidelines for what they should be doing are helpful. so to you three, how can the government encourage the private sector to strengthen data security that provides businesses that flexibility and guidance that they need as
2:39 am
opposed to burdensome government regulations? >> we agree that this is an evolving threat and one that is well beyond retail and target to all industry. there were hundreds of breaches last year and we think therefore the solution needs to be a combination of efforts across all participants in the space. i think for payment card information, there are a number of disciplines in the payment card world and we need to work collectively to move to chip and pin technology. that would have rendered the account numbers that were taken far less useful. it is technology like that that is important and we are committed to moving forward and accelerating our efforts in that particular area. >> i think shedding light on the issue as the committee is doing
2:40 am
today is extremely helpful, and we appreciate that. things the government can do, there are a lot of actors in this ecosystem. technology companies, private sector, law enforcement, government agencies, there are security experts. collectively all of those actors and stakeholders who have intelligence and are able to share that with the community, if we can encourage more of that information sharing, i think it could help us try to keep up with this problem, which is continuing to evolve and continuing to become more sophisticated. >> i would agree with what mr. kingston said. it is definitely a shared responsibility to follow good practices. we believe it would be helpful for the government to recommend in a very flexible way some preventative measures that companies can take to at least give a guideline on being able to protect our systems.
2:41 am
we believe it is a good, flexible framework companies can use to guide them into developing good security solutions. >> to the three of you again, and this gets back to some people who think this ought to be government driven, and then there are people who think it is entirely industry, government stay out of it. the chairman and i have talked, and a partnership recently the national institute of standards technology was just mentioned here. for you three, if government is going to create federal data security standards, what role, if any, should the private sector have in that process? >> i think private industry and government have to work together
2:42 am
here. i agree with what you have heard, it is a shared responsibility and communication between the private sector and public sector is important. we have had ongoing relationships and information sharing with law enforcement. that seems to happen more broadly between our organization and the government to find solutions here. >> mr. kingston? >> i think guidelines and standards are always very helpful, particularly in this case. so i would encourage that all the stakeholders provide input into that. >> would agree and i think the key word here is flexibility. what we have to recognize is that this is kind of an ongoing war. the type of threats are changing all the time. technology -- we're constantly raising the bar. whatever needs to develop needs to allow for that to happen rather than locking in at any particular time what might seem to be acceptable. >> i did have a question but i
2:43 am
want to make a statement that i hope we can avoid a situation where the government says you do something and you do it, and it is abiding by the regulations, and that may come up short of what we need to do. that is why cooperation is so important. >> i agree with that. even with the expertise of the four of you here, you couldn't tell me specifically what would be the greatest threat we might face 18 months from now, because these things are evolving, just as our best intelligence agencies and others cannot either. but we want to give you a framework and we want to have our framework that protects consumers so they know their rights are being protected, but also protect our businesses. to maintain the trust
2:44 am
between both the businesses and the consumers for the good of our country. we have a fragile recovery, we are slowly recovering, but without that credibility, we cannot do it. i have to step out for a moment. >> thank you very much, mr. chairman. i want to begin by thanking mr. mulligan and mr. kingston for being here, because up to very recently, companies would not step forward. companies would not make it public. i introduced the first data breach notification bill in 2003. i could not get any cooperation in that data breach. i have pulled the record and would like to introduce the particulars of what happened in 2003 into the record.
2:45 am
that will be the order. i am a shopper at your institution, mr. kingston. i don't recall getting any notice that my data may have been breached. when would i have had notice? and i would have shopped during that period of time. >> we have actually sent out a number of different notifications. i will start with the 10th of january, when we learned -- >> you did not learn -- the breach took place months before you actually learned that there was a breach? >> it wasn't until january 6, actually, that we learned that this very sophisticated malware that was put in our systems had the ability to scrape card data in our systems, and then we quickly put in actions to contain and eradicate that malware.
2:46 am
then we immediately began notifying customers. >> and you said that 1.1 million customers had been affected? >> during that time, that is the total number of accounts that we transacted in our stores. >> can i assume that all 1.1 million were affected and noticed? so somewhere in my records i should be able to find a record of having been noticed? >> we have notified all customers who shopped in our stores or on our websites, which is a greater number of customers that were affected in this 1.1 million number. >> when did you do that? >> we did that on january 22. >> mr. mulligan, when did you notify your customers, and how many did you notice? to them as guests. on december 19, four days after
2:47 am
we found the malware. for those we had e-mail addresses for, we notify them by e-mail. given the scope, we thought that broad disclosure was the best path to go, so we had very broad disclosure through multitude of channels. >> but you did not notify individual customers? have specific contact information. >> so you were depending on the public for your notice. can you explain to me why -- i document cases going back to 2003 and 2002. nobody would notify. that would notify, and it was fiercely fought. companies did not want to notify their customers. i worked on that bill, it's not going to go anywhere because of the notice provisions. here we are again with respect to notice.
2:48 am
i believe that if somebody has an account, or uses their credit at your institution and their data is breached, they should be notified so they can protect themselves. do you want to respond to that? >> i agree with your view completely, senator. our focus has been on having accurate and actionable information, balanced with providing that notice as quickly as possible and ensuring we had the capability to respond to millions of requests for information. that public dissemination was appropriate and would let all of our guests know virtually immediately. we were on the front page of every newspaper in this country. >> here is the problem with that. the public notification is always vague. it is sort of nonspecific. you really don't know, and then you find out kind of brutally in
2:49 am
other ways if you have money missing. you happen to be retail establishments. in 2003, a hacker broke into electronic records of the payroll facility for california state employees. some 265,000 social security numbers were compromised. you said there was no compromise of social security numbers, but my point is, those people deserved to know that their data has been thethis big resistance out there in the in theial community 11-12 years i have worked on this. as far as i'm concerned, any bill that is forthcoming from this institution should provide notification of customers that their data may have been breached, so they can protect themselves. if anyone has a comment on that,
2:50 am
if you disagree, please tell me. no comment? >> we agree, senator, which is why we did exactly as you said, we knew that we had criminal activity inside our systems and who the impact was, we reached out individually to customers and in fact reached out to more customers, just to be cautious, because it is important to us. our primary concern is their privacy and information. all customers that shop the entire year at neiman marcus stores and websites were notified. >> i will go home and look for my notice. thank you very much. >> we agree that notification is an extremely important aspect of this discussion. the sooner consumers are made aware, the sooner they can take actions to protect themselves. >> thank you very much. senator hatch. that many retailers
2:51 am
are migrating toward secure point-of-sale terminals capable of processing chip and pin transactions. will only require chip and signature. why would that be the case, especially when a chip and pin credit card would be more secure for in-store purchases? anybody who cares to answer that? >> my understanding is today the standards have been set for chip enabled card technology. the chip and pin standards have not been set yet. we are advocates of getting to chip and pin technology. we think that is the safer form. we also think taking the next epidemic or in in getting to a place where we have guest payment devices in retailers that can read chips and cards are issued with chips so we can begin to migrate away from magnetic strips. >> it is my understanding that chip and pin technology does not
2:52 am
make online purchases more secure. europe confirm that as transition to chip and pin card, fraud losses from online transactions actually increased at a greater pace. as chip and pin cards make in-store transactions more secure in the united states, how will you make online sales similarly secure, mr. mulligan? >> that is an excellent question, senator. first, we need to not let -- making progress in stores makes a lot of sense and installing chip and pin technology there we think is important. as you said, the threat continues to evolve. there is a shared responsibility here, and continued to have all parties that ensure payment transactions are processed appropriately here in the u.s.,
2:53 am
be participants in moving that forward to find solutions to the online transactions. it is a topic where all interested parties in the payment space come together and discuss that so we can find solutions to online, but your point is right on. >> mr. kingston, you said the credit card information was scraped. what about information like birthdays and social security numbers? were the hackers able to get information too? >> our investigation has shown no evidence that other personal was obtained. >> would you please describe both the advantages and disadvantages or shortcomings of chip and pin technology, as well as any alternatives that may exist that are not currently being considered? chip and pin technology itself is more than 20 years old.
2:54 am
are there more secure alternatives that we should be considering? >> i think we would agree with the other panelists that chip and pin is definitely a step in the right direction. it definitely adds three primary benefits to the ecosystem. one is more encryption. the credit card information would stay encrypted longer and it would make it more difficult for hackers to be able to obtain that information. that is a big benefit of chip and pin. it makes it more difficult to duplicate the card. if the information is stolen, sometimes with the regular magstripe it is easy enough to go and create another card. because the chip in the card has a unique potential, it cannot be copied. the risk of multiple cards being generated. third, it combines what is called two-factor identification.
2:55 am
the card is something you have and the pin is something you know. if someone was to steal your physical card, it would do no good unless they knew your pin. definitely raises the bar on security. >> i have a related question about the so-called mobile wallet. companies like google are just starting to roll out these type products. it allows you to pay by simply tapping your smart phone and it will be widespread in a few years. can you describe the security features of these payment platforms and whether chip and pin technology is compatible? >> we agree that mobile payments are certainly going to be the future. it is yet to determine which of those models that are out there will be the future. it is important to note that when you use a mobile device, basically there is a new opportunity for criminals to use that. there are a lot of technologies that can lock down those devices
2:56 am
and keep that information safe. chip and pin would not apply in that case. it is really for cards when you have a swipe. there are other ways using behavioral analysis to fingerprint some of these devices and recognize the user that can add security in the mobile payments ecosystem. >> thank you very much. we certainly know that in minnesota, the home of target, and we also know that if these companies can see these kinds of data breaches, it can happen to anyone. as senator feinstein expressed, a lot of times when we have pushed these cyber bills, we get a lot of push back, and i think if anything, we have learned from this major, major breach
2:57 am
that we can no longer do nothing. my first reaction as a prosecutor is to find the crooks who did this and punish them. i know that investigation is continuing. my second reaction is that we have to find technical solutions and our laws have to be as sophisticated as the crooks who are breaking them, and i started there. i start -- i thought i would start by following up what senator hatch talked about, which is new technology that i understand has been adopted in europe. is that true? >> yes. >> and is it true that in great britain, they have seen a major decrease in these kind of breaches? >> they have seen a decrease. they have also seen a shift to the online channel.
2:58 am
>> what is stopping our country when they are doing this in europe? i think they started using this kind of technology back in 2003. what has stopped it from being rolled out on a major basis, and how can we change that? >> you know, there are many participants in the payment card world that will ensure that transactions are processed appropriately in the u.s. we put devices in our stores to read chips. we introduced a target visa card with a chip in it, but without broad adoption, there are not significant advantages for consumers. >> you mean other retailers?
2:59 am
>> others having the ability to read the card as well as having cards issued with a chip on them. they need to move together simultaneously. we have been advocates of this. it is a shared responsibility. >> how does this affect the financial industry? >> they are the issuers of the cards, so again, in partnership with them, we need to move together collectively so that the whole system is employing this technology. >> and with the new standard that is in development -- how long has it been in development? >> it has been in development for quite some time. it is due to be released. >> like 20 years? >> more like around a year time frame. >> ok. >> it is said to be released next week. >> that's good timing. set a standard for these companies or do we need to
3:00 am
do something to get the new technology out there? >> i think the new standards does provide some guidelines and objectives for the companies to follow but it is not specific to the chip. >> we are definitely supportive of chip and pin technology and of any efforts to expedite wide adoption of this technology. >> i just want to go back quickly to something that was raised at the beginning about the time in between when it was and when the consumers found out about it. can you give me the time in between it was confirmed and the time you notified customers? >> we were told on december 15 and we notified customers