tv Key Capitol Hill Hearings CSPAN February 6, 2015 1:00am-3:01am EST
1:00 am
anthem reported a very large breach that may be impacting many people in this room. since many federal employees are covered by the program's anthem offers. we must maintain a laser focus currently seven states including rhode island the district of columbia guam have enacted similar legislation. no two are exactly alike. as a university with students from all 50 states, we are affected by all of them. making it very difficult. this can create a value for small innovative organization lacking the expertise to understand the state laws. this type of burdens breach notification is a breach issue. so i would encourage to
1:01 am
understand such legislation. it should identify the methods, speed, delivery and content of notification. it may be unattainable for small organizations, nonprofits and educational institutions. based upon the size of an organization would make compliance possible for all. it should also encourage organizations that collect data to be transparent about the use of such data. consumers appear to be happy to give away their data and privacy to enter social media sites for the sake of convenience. given the highly publicized breaches it is apparent that more work is needed, no matter what the size the company,
1:02 am
certain expectations of security should be defined when data is collected and stored. importantly it took a couple of insenity tots establish better education and breaches. it is important for us to have cyber expertise within the u.s. in conclusion i appreciate the opportunity for this dialogue. i stand by to assist you in any way i can. cyber security and cyber security education is critical. thank you. >> good to see you again. mr. johnson? >> yes good morning. chairman, hoe ran member of the subcommittee. my name is sub johnson, i currently lead the association's fiscal, cyber security in policy
1:03 am
everies at the association. about protecting consumers in this increasingly educated work of record keeping. and conducting their abcs electronically. notwithstanding these breaches we are to remain strong and functional. it's mandatory that we stay strong so we can remain a system that our system can essentially continue to trust. a majority of the transaction is conducted safely. consumers have a right to swift, accurate, effective notification of these breaches. they also have the right to do that whenever they conduct businesses electronically, the businesses doing everything it can to prevent that the breach is occurring in the first place. mr. duncan mentioned, the
1:04 am
international sample of several police stations around the world. other organizations note that for the united states a business is reported over 30% of the reported breaches for 2014. while our numbers differ and we do believe that the numbers are more appropriate to decide, i believe that our intent is frankly the same. i believe that our intent to protect customer data. the banking sbim is zpwood. we continue to work for congress to achieve that goal. acknowledged leaders in defending against cyber threats. therefore, it is critical that legislation takes a balanced approach that build upon what is
1:05 am
already in place and effective for the financial sector. three key points that must be considered with regard to data protection standards. first -- a data breach standard. consumer electronic payments are it is of paramount importance. currently 36 states have enacted laws governing data security in some fashion. many have conflicting standards forcing businesses to comply and leaving them without the proper recourse and protection. state laws should be preempted. second any federal data protection and notification
1:06 am
requirement must protect you and notification allow laws including some financial services are required by law to develop and maintain robust international protections. they are no notify them that would bing would work. providing effective data. for businesses generally. finally there must be a strong national data protection requirement associated and coast for protecting consumers. the cost of -- for protecting consumers. to limit some consumers it's applicable to any party without
1:07 am
access to important consumer financial information. thank you. and i'll be happy to answer any questions you have. >> thank you chairman moran and ranking member blum. that. i remember and one of the biggest challenges that we face as a nation. the company else nonprofits and government agencies that hold our information. last year's reaccompanied. because of that 10 years ago i joined 43 other attorneys general. in a buy a now she knows where. it is. mike nelson helped clean up an three. in 2005 when their personal
1:08 am
financial information is compromised. and in 2006 do you remember to help them restore their credit and use without their authorization. so far we've helped over 3700 people. we'll. at this point americans realize that it's not a more what can we do to best assist them to prevent data breaches. first, for the daw we already have that in this country. . and many states are working toward their laws that are the constant threats that were revealed.
1:09 am
there are publicly known breaches that have affected over 900 million record in. americans need and expect more transparency of data breaches, not less. last year i held over 2500 roundtables including local government officials law enforcement, small business owner, religious leaders. as well as consumers. here's what they told me. first they're concerned about the increasing number of breaches and when their information is stolen, they want to know. >> i want to know what they can do to protect themselves from so they want to know if she protecting their information. a week after the law most state laws will not meet incredible in
1:10 am
stead of any personal sensitive information. and the f.c.c. should be able to update the definition in response to new threats. it has been revealed that entities too often fail to take data city precautions. we have found numerous intensities where they alows sensible data. they failed to install the security patches for software vulnerability. retain data longer than necessary and fail to complete for log on requirements. they should have a packet to take reasonable steps.
1:11 am
>> it's going to germ on net six. imagine if a landlord knows that he has in his bob. this is what you'll love when data is stolen with the so-called harm analysis. . when match's data breaches affect all lower model. >> finally i know the other preventioning -- as a state official i have supposed threags limits us to safeguard our presidents. if the provision must be narrow. the law should preserve the state's ability law and congress should give them not the flight enforce them.
1:12 am
>> thank you very much >> thank you. tammer ron. and senators of the subcommittee. thank you for the opportunity to testify today. my name is yael lineman and i'm the vie. nonas i.t.i. rory to joining at the federal trade commission. most recently i began my career at the enforcement division. they have data security concept or in fact complying. the 59 companies that i.t.i. represents are leads is a leader
1:13 am
on the commune. when consumer information is breached individual may be looking at identity faster. year after year. it's the number one complaint reported to the f.t.c. consumers can take steps to protect themselves from identify following a data breach. . would put consumers in. well you did a great job. i take this opportunity to outline three important conditions in connect of their legislation. first, we're going to have to look at preserpgs. it's like the exiting line and state. provides an opportunity to streamline the notification
1:14 am
process. complying with 5781 lies. 47 states, three territories and one district each one with its own unique provision sst to consumer complying with 51 different laws also result in notices across the done there country that is confusing to con . resulls in a total of 52 different frameworks. the second principle is the timing of consumer notification. an inflexibility mandate that would notify tunes within a productive.
1:15 am
>> follow a breach this is much to be done. vulnerables must be ride med. er are corporation with law enforcement is. premature notification could suggest or organization to further attack. very firster just diesing do. premature. do i identify the introducers? aggressively. upon learning that the weak had bp discovered. >> and notification to consumers before an organization has identified the full scope of the breach could. organizations have every incentive to notify impacted
1:16 am
consumers in a timely cousin not afford the fess accept brnlt which consumer should be notified. >> notifying it. it is not productive, however, it is data breaches the result of the notification, the. consumers would be unable to determine, which one. if they are at a significant risk of identify wegs. is a number of factors should be considered in making that determination including the greece information. no water. they would not lawrence notice would would know fission cafmente being the three
1:17 am
principles i have outlined today . let me leap in and let me except that they played. 2014 has been referred to as the year of the data breach. many of us would like to see 2015 as the year of federal data breach notification. i would be happy to answer any questions. >> you seem to be on the minority on this issue of preemption. how do you respond to the concern that's been raised particularly by mr. duncan and mrs. wineman. is there a way to preempt state law but then continue to have states in law enforcement for
1:18 am
the new standard? >> to answer their. and it happened frequently at the federal level where you will set a national standard but still allow states attorney general to affect the law. this is is one of our most important concerns because there will be instances where there are find one or only a few states and it will not be arke that we finance on. in part of the same sitch weights we have in terms of different jurisdictions at the state level vs. the federal level even for criminal matters. some of the cust departments officer for a big held. we want you will can twirl, was,
1:19 am
. 51 different laws and organizations have to comply with the terms of notification. i would say two things. one to some extent the concern is overblown. in a very real sense somebody mentioned it's a lawyer who determined what the notice has got to be and produces another so they could be used across the country. but it is -- it's not impossible to do. it doesn't make an tournt. the other issues that need to be contended with . i do think that it is imperative -- i think everyone agrees -- if you set a national standard it cannot be a week long. it has to be higher one than some of the first generation states.
1:20 am
it's because we're seeing an increase number of federals. >>. biometric data and things that really during the first generation very few considered. thank you very much. >> is there any indication that from state to state depending upon the law says that law or the year of the effectiveness of that law set that hammers. is there any suggestion that a state law discourages hacking from taking place in that state? in other words, is it effective as a prevention measure? and is there any questions. the increased law state in those states. they're a different level of compliance. they're a different level of desire to attack at a certain state because of state laws.
1:21 am
mr. duncan? >> as i mentioned in my testimony, the very nature of this problem is that is by the interstate. they instantly have connectivity throughout the united states. so it's the fact of notice regardless of which it occurs in that drives the interest in trying to have greater standards. this is a national problem. >> we often think of the states as laboratories. we will see what standards are there and what makes sense. i wanted to make certain there was no suggestion that a particular state has found a way to prevent or discourage this kind of behavior. mr. johnson? >> i would ecothrack the sfact
1:22 am
no. if you don't have both pieces you really don't have the ability to raise the bar from a secure standpoint. i. to raise the cyber security bar. >> thank you mr. johnson. . is there any developing insurance coverage market for the data breach sbet. . they have a standard in play covers the consequences of a data breach. you can also offer some of those policies as well. as an entry we're looking for that carefully. in fact,.
1:23 am
i think we will improve the market not try to build the insurance as a private incentive. >> thank you. >> senator blum. that -- blumenthal. >> i want to follow on a couple of questions that the chairman asks. you make the point that preemption has sometimes been narrow. if there should be state and then and only to the extent of the inconsistency and that's a coat in grown. health information technology for economic and clinical health also known as hitech. that principle of narrow
1:24 am
preemption has been adopted sbfmenter and had his experience been with last now we are to work in fusion that are witnesses to raise as the spector of avoiding department. . the concern from the state level is you're aware is that -- it took taut pill. it took 10 years for congress to pass the bridge notification law. and to the extent that there are new thruss i out there. . . we need to be able to respond or there's a rapidly.
1:25 am
we have not seen significant problems where states must restain. preemption is narrow. in fact, i think it works best that way. because r. state resources go to some of the smaller issues. >> mr. duncan it's probable by the failure of details to take responsibility for the consumers. some of them i am told have actually blocked some of the new technology they pew unability. i don't want to call them out if you wish. i'm disturbed that these major
1:26 am
retailers have invest loved and yact his dad. they offered it as a future to consumers for years. . like apple pay and google wallet. they still not have been deployed as they should sb. aren't you disappointed that retailers. they're consumers? >> it's not matter of disappointment in terms of what he had dunch in the killer. i can tell you that when i asked for the ford meetings and i have heard the croweo. talk long and seriously about the steps they have to take to address this very similar froukt.
1:27 am
this is a -- this is a very complicated issue to address because there are so many ways pointed out if the big actors get out. . that woman effectively passed that that. . they're terminals for example. . >> there are some technologies that either are unproven or extraordinarily expensive away from the company into someone else. they have to make a decision on that element but that's completely strait. oobt how you can deal with the data files. you had recommended to the panel that there be preemption not only of state statutory law.
1:28 am
that's a frey big -- free big emplings situation. . experience shown us that the courts will strike it down and the relimb reaction -- very strong law and it has to be a uniform law. it needs to be in effect. . we're all saving if a benefit. what are the telemarketing kes oork. they're the same kind of propose sure i was taken. with you don't see individual actions under that rule. >> no, my time >> we would support that.
1:29 am
approach an appropriate to. me. this committee should consider and that a. attorney general has suggested if there is to be any preemption at one that's important. >> senator fisher. >> thank you, mr. chairman and my thanks to you and the timing orgets. . ms mcguire you know there are numerous reports to gauge it back after the two attack. son-in-law of them have a different. for its require u.s. i.f. company to tirn. independence cluging. as strange for market access. are you concerned that such information in the hands of well we could call.
1:30 am
he already rickses. where. >> we are concerned about having to turn over any of our intellectual property to any country. we believe that that is an infringement on our ownership of our intellectual property that we had clearly spent extensive resources to develop. we should be allowed to protect it accordingly. as it is passed to a second party, it does expose us to potential vulnerability. in short, we believe we should not have to share intellectual property. >> there are instances i believe where companies are being pressured by foreign governments to share that property. do you know how prevalent that is?
1:31 am
>> there are some new requirements. actually, some not so new requirements in some countries. i cannot tell you how prevalent it is but we are certainly seeing a growth in those kinds of requests from many different countries around the world. >> how dangerous is that if we continue to see growth, if the companies do that and increase in market access, how dangerous is that to other companies here in our country when that property is shared? would that put your security at risk? >> it potentially could put other organizations at risk. i am not sure that i can
1:32 am
quantify how much, but anytime you have to provide the source code to another party, it can provide additional openings for risk. >> our federal data protection framework is largely based on who is collecting that information rather than tailoring and enforcement based on what is being collected. would it be better for consumers and businesses alike if we would apply a more uniform regime for all entities so that enforcement is based on the sensitivity of the information that is being collected? >> that is our view, that it should be a space application and threshold for what type of data potentially is breached. >> for all of the witnesses, if i could just ask a couple of yes or no questions. do you support a federal data
1:33 am
breach notification standard that is consistent for all consumers? miss mcguire, if you want to start. >> yes. >> absolutely. >> yes. >> yes, if it is strong and meaningful. >> i will be the outlier and ask for further clarification of the question. are you referring to which particular type of data? whether you do not want to distinguish between types of data?
1:34 am
to a certain extent, the sectoral approach that we have in the united states has worked with regard to financial and health data. since the desire is to get federal breach notification legislation across the finish line in 2015, anything that potentially could slow that down is something we should carefully consider. >> do you think it would be easier to get something across the finish line if exceptions are made or targeting made on what type of data is collected? >> i think it would make it easier to get it across the finish line. if entities that are already subject to data breach notification requirements in specialized areas remain intact. >> senator fisher, with all the respect, a sectoral specific approach or exceptions to the kind of incentives we need to have effective protection for consumers. >> we have disagreement. i am over my time, so thank you very much. >> senator. >> miss weinman, you and others have talked about the balance strike in terms of over notification. we recognize we do not want to be inundating consumers and others with notification of breaches that are not
1:35 am
significant enough. it would become meaningless. my question is who determines whether this is a significant risk of identity theft. is that the attorney general to determine? is it the court, individual companies? i think that is one of the key issues. we can all agree on principle that we do not want to be over notifying that, where that responsibility resides is key. >> thank you. i am glad that we can agree that over notification is not something desirable. i think an organization that holds the data and has a sense
1:36 am
of what information has been compromised, the extent to which it has been compromised, would be in the best position to make the determination. >> what standard would they be held to? under the law or their own judgment about whether this would be harmful to their consumers or does this get refereed in court? >> i think the level of risk would be something that would be codified in a statute. like significant risk of identity theft or financial harm. i do think that would be in the letter of the law. >> you are talking about a risk-based analysis. please elaborate. >> along the same lines of what kind of data has been breached and what the risk is to the consumer or the organization's data that also might have been
1:37 am
part of that, but as i stated in my statement, we believe that a component of that statute needs to be that the data has been either rendered unreadable or unusable through encryption or other technology so that if the data has been accessed, it is meaningless to the perpetrator. that is a key component of the statute. >> attorney general, maybe take a half a minute to elaborate. >> i do not think there is any such thing as over notification going on at this point. notification keeps consumers alert to the possibility of identity theft. it certainly depends on what other information these criminals may have access to in terms of what they could be using some information we would use if it is combined with other information. there is no over notification going on at this point.
1:38 am
>> i agree with you but we do not want to create a scenario where i'm getting e-mails two or three times a week and i do not know what to panic about and what to ignore. i agree we are not there in reality. if you could articulate what would constitute a strong standard. i respect that the california law and some other statutes are pretty good marks to make. i see a few heads nodding from a few shaking. that is fun but i would like to hear what you think would suffice in terms of being worth the trade-off. >> a strategy i have heard about is we should look at the state laws that are out there. california at this point being one of the high marks. i should say it is not just
1:39 am
california. this is a bipartisan issue. texas, florida, indiana, if they do not already have some of the most progressive notification laws in the country. you need to see what the changes have been from the first generation. we were saying, it would be our first name and first initial with our last name as well as unencrypted social security number, credit or debit card number. now we are moving to biometric data, e-mail addresses with login passwords. as it changes, you need to look and see what is the high water mark and make sure that that really is your floor. >> mr. johnson, you can have the last word. what would suffice as a strong enough standard that we would also comfortable preempting the state laws we would be looking
1:40 am
at. >> i think what we're doing at the federal level as a standard associated with when a company makes a valuations -- a valuations. i think also, the financial services companies, even if the breach is not occurring at the company, they have a lot of experience with dealing with these breaches. i think that is what i would look to. >> thank you. senator. >> thank you, chairman. we had a similar hearing in this committee last march. i think at that time, all of the panelists were for preemption. attorney general, i often tend to be in favor of the underdog but i seldom imagine you would
1:41 am
be the underdog on this issue. you might be in terms of where other people are tending to end up. i would ask on the topic of preemption, and we will see where that goes. i think the president and attorney general had taken a position on this since last march that they agree with the idea of preemption. we introduced a bill last year and are working on a bill this year. one of the things we have not done in that legislation so far is establish an arbitrary time frame. there is an argument about whether or not there should be a specific timeframe established as opposed to established by circumstances. so far, i have stayed on that we need to have some flexibility in the timeframe.
1:42 am
i am not absolutely sure that i understand all of the impact that you can have your. i noticed in the anthem data breach this week, they were becoming the victim of breach fatigue by constantly being notified he could be in a group where information has been breached. many people in that group -- the impact of that -- we are not looking at legislation with the idea that we need an arbitrary deadline. i have a couple of questions. the question would be, what would you perceive in terms of how a deadline should be established or the criteria for what would be a reasonable response and your view on whether an arbitrary deadline is something that should be included in a data breach notification. >> thank you. i think an arbitrary deadline with a specific
1:43 am
timeframe is not useful in that it sets an objective standard. each incident is different. each incident requires special consideration to address vulnerabilities, cooperate with law enforcement. some breaches will require cooperating with many different types of law enforcement. i do not think a specific deadline is useful. that being said, a number of the states have deadlines that do not involve specific dates. i think that is the right approach, to give flexibility. >> is there any sort of guideline you look at as to
1:44 am
whether or not a response is appropriate if the guideline becomes the -- the response is to be an appropriate time for them could be a triggering factor whether the response was appropriate or not? >> the words we hear a lot is without reasonable delay. in examining whether the notification was done without unreasonable delay, you would look at what the company had done until that point when it decided to make that notification. had they dotted all of the i's and dotted the t's, listened and cooperated with law enforcement. >> i am down to a minute. anybody that feels like a guideline should be specific? anyone want to respond?
1:45 am
>> i agree there should be a standard for a reasonable notification. i think it is important to recognize that there are different types of breaches. there's a difference between losing a laptop with a lot of data and a network that has been penetrated. that may require very different responses and investigation timelines. that is an important criteria to consider. >> i would agree with my colleagues. there should be some flexibility there because smaller organizations simply are not going to have the types of resources that bigger organizations can a lake to. some flexibility would be essential. >> it -- my one concern about reasonable response is it sounds like time in court for me to determine whether the response was reasonable or not and contend that it was not.
1:46 am
i'm out of time. thank you. >> we are honored to be joined by the chairman. >> thank you for holding this hearing and for focusing on this issue. it is important to our country and something that congress has been trying to fix for over a decade. hopefully, this will be the year we finally find the path forward that enables us to put forward a workable solution that attacks consumers and addresses this issue which we are reading about today.
1:47 am
billions of americans impacted by yet another data breach. i want to ask, i think the question has been asked many times but perhaps not everyone has answered it. miss weinman, you have extensive experience in this area. could you give us your explanation of why you think a single federal law is so preferable for businesses and consumers? >> thank you. i have a chart with me that is 19 pages long that goes through the variances of the different state laws. that reason alone, i think, lends itself to having one notification standard to enable companies to act quickly and provide the required notice. i think it is both business friendly, and consumer friendly. >> mr. duncan, your testimony highlights the need for congress to enact a preempted federal data breach notification law. i agree that would provide a great deal of clarity for
1:48 am
companies, including retailers and merchants you count as your members. it also provides needed consistency for consumers, which is an issue. congress has dealt with in the past. there have been proposals that call for uniform notification procedures and uniform federal data security standards. i appreciate your observations about some of the risks of ftc enforcement. says that enforcement can already occur, wouldn't retailers benefit from a federal law saying that reasonable data security measures must take into account the size and scope of the information? >> the ftc effectively has a reasonable standard either
1:49 am
under this section or unfairness -- deception or unfairness. once you put a lot of different factors in, you have a situation where if a medium-sized company cannot check the box of every single one of those factors, then they are likely to be in their a bad shape. that kind of standard works better when you are developing guidance. that is a big distinction between the glb standards and a uniform national standard. if you have an examiner sitting next to you and you can work the region of those various
1:50 am
elements, that may work. but, if you're trying to set one standard for every type of business, then having multiple components to that is going to make it impossible for the average american company to respond. >> could nrs support this type of security requirements? >> sure. a reasonable security standard coupled with a very robust notice requirement, that would work. >> i have a question for the attorney general. ms. mcguire suggested any notification standard should
1:51 am
notify customers of their data before it was stolen. ms. wyman suggests it will not result in risk and a notice not be appropriate. i wonder what your thoughts are. also, how the illinois state law approaches that issue. >> it is the right thing to do. i agree with both of them. illinois law, you do not get notification of the breach if the information is encrypted. what we need to see is encrypted information -- encryption information has been compromised. if it is encrypted, unusable, unreadable, notification does not need to take place. >> thank you. >> thank you very much, mr. chairman. thank you for holding this
1:52 am
important hearing. one of our major retailers experienced a breach and i think there is a day that does not go by that we do not hear about another cyber attack. in fact, last night, the media reported the anthem was breached and as many as 80 million customers could have had their account information stolen. these cyber attacks are increasing in scope. i hope, given that we have already had a hearing, and i appreciate the senator's leadership. i hope we can move ahead in this area of cyber security. my first question was about what i just raised. with this disclosure, it is important to discuss what is and what is not covered under the health insurance portability and accountability act, or hipaa. would the breach be covered by hipaa? >> what i have heard so far is they claim medical information was not breached so it would probably fall under the various
1:53 am
state laws to determine if the definition is met. but i think it remains to be seen what the total extent of the breach is. >> i think we don't know yet. in your experience if something like this happens, not this exact case, how are the agencies coordinated with the attorneys general whether the departments of health and human services,
1:54 am
f.t.c., to enforce these consumer protections, and do you think there is more that can be done when it comes to coordination? >> we've certainly long had a very good working relationship with the f.t.c. because we obviously had similar jurisdiction over consumer matters. we probably do not have as much interaction with the other entities that are dealing with some of the health information. in illinois the way our breach notification law works if that type of information is taken we want the ability to make sure people are notified. obviously coordination helps everybody particularly when we all have limited resources. at the end of the day our concern is all the same. we're trying to protect individuals from any sort of identity theft, financial damage that could occur because of it. so we are always looking to cooperate whether it's at the state level or the state and federal level. >> okay. mr. duncan, i'll focus some on the retail issue since we're proud to have target and best buy in the state of minnesota, two great companies. last year many of my colleagues and the media talked about the need to move to chip-and-pin technology similar to what we're seeing in europe, canada, and elsewhere, and following the push for the change the industry made a voluntary commitment as you know to switch over to the cards and readers by the end of october, 2015, which is this year. that's an important timeline i think for consumers. we learned from the home depot data breach that impacted both canadians and americans that cards from canada were actually less valuable on the black market than american cards because they had chip-and-pin technology. we tended to be a target because we've not improved that technology despite the work of
1:55 am
companies like target, who had early on tried to but as we know it's not universal across the country. mr. duncan, what percentage of your members have already adopted chip-and-pin payment technology and have the necessary technology to read cards at points of sale? >> this is a quickly changing number. i have data from several months ago, in which case it was in excess of a quarter of the nation's retail terminals were already outfitted for chip and pin. the concern that many of our members have is that the investment in pin-and-chip technology is extraordinarily expensive. it will cost between $25 billion and $30 billion to reterminalize the entire country. it's worth it if you get improvement in fraud reduction. unfortunately, many of the banks, not all, but many of the banks are not issuing pin-and-chip cards. they're only issuing chip and signature cards.
1:56 am
as you know, a signature is a virtually worthless security device. retailers are being asked to spend tens of billions of dollars for security that is going to be illusory. >> just talking to target and best buy i know they're pretty committed to this october deadline, which is great, but is the -- when you're talking about the 25% are there just ones that haven't done it yet but you expect a higher percentage to be there by october? >> lots of companies. i mean, it takes a great -- it's a huge effort to reterminalize a large operation, interconnected operation, but we expect a significant portion of the industry to be there. not a hundred percent. it's impossible to do that in 10 months. >> so your point is that it's very important to have the full technology with the pin and chip. >> if we're going to spend the money to reduce fraud, let's do pin and chip. >> okay. good. any comments from anyone else about this? yes. mr. johnson. thank you, mr. duncan. thanks for the opportunity senator.
1:57 am
i think one of the things when we have this conversation that we forget sometimes is the fact that the card market is really two different markets to some degree. it's the debit card market as well as the credit card market and debit cards have p.i.n.s. and so you've essentially got more than 50% of the card environment already that is p.i.n. enabled. but what we've learned from the credit side is the fact that both of the retail side as well as our customer behavior that in the credit environment our customers prefer to use the signature. if they want to be protected by a p.i.n. they can use their debit card. they have effective choice to be able to accomplish that. >> but i think what mr. duncan said is that you get more protection and certainly the situation that we saw with the home depot where the canadian cards were less valuable because they had that full technology, i can imagine everyone would like ease. it's just that if we know one technology protects better it seems we wouldn't want it just
1:58 am
for debit card. sometimes i just know from having a bunch of cards in my purse i don't really think through what kind of card it is or if it's signature or not. >> i think that the most important thing here is to really work toward getting rid of static numbers. what we have in the environment right now are credit card numbers and p.i.n.s that are static numbers that make us vulnerable. and i think that to the extent that we develop technology such as tokenization where numbers are meaningless, if someone was to breach target and capture all the numbers that were associated with those transactions or any retailer the numbers would be meaningless because they'd only work for that one transaction. so i think that's really what we need to be working toward is making those numbers absolutely worthless to the criminal. that's what's going to really protect the customer at the end of the day. >> very good. my last thing is just for the good of my hometown companies that target did fix the breach and everyone can go shopping
1:59 am
there. thank you. >> thank you. senator daines, let me first say that a vote is scheduled at 11:30. i want to make sure senator daines gets an opportunity to question. we had intended to take a second round but that may not be possible based on the voting schedule. senator daines? >> all right. thank you, mr. chairman. this morning 80 million anthem health insurance customers woke up to learn that their personal identifiable information could have been stolen. in fact, we just received this over the fax machine, a notice from anthem that says to our members, just quoting from the letter just sent out to their members, it could be 80 million members, "these attackers gained unauthorized access to anthem's i.t. system and have obtained personal information from our current and former members such as their names, their birthdays, their medical i.d.'s, social
2:00 am
security numbers, street addresses, e-mail addresses, and employment information including income data." last year in the house i offered an amendment that would strengthen victim notification requirements. i'm eager to work with the chairman on strengthening these requirements again in future legislation. i've got a question for anyone on the panel here this morning in light of, there's been a lot of discussion about past breaches and now it looks like this most recent significant and serious breach. what is an appropriate notification time period like for the 80 million anthem customers? we still know for sure -- don't know for sure when this occurred but we're hearing it might have been last week. for these 80 million customers that are waking up this morning to hear and learn that their p.i.i. could have been stolen? >> senator, i would respond this way. it sounds unusual and helpful
2:01 am
that anthem has actually notified people even if we don't know the full extent of the breach as quickly as they have, because we are aware of situations where there are retailers who have waited months and months, some maybe as long as six months to notify people, which is clearly too long to notify. we've had some extensive discussion about should there be a 30-day, you know, hard deadline? should it be more flexible? i can tell you at the state level there are some that have time frames. we've been very reasonable basically saying to do this as expeditiously as possible. when we look into if that has taken place, we determine when did the breach take place, when did the company know about it, did they have time to put in place a response to secure their system, and obviously any
2:02 am
exceptions they need to continue to work with law enforcement. so a flexible deadline would be a good one, but it cannot be that there is seemingly such a flexible deadline that you never have to notify or you can wait for months because our goal is to let people know their information is out there and that they may be a victim of some form of financial fraud or identity theft. >> yeah. i -- prior to coming up on the hill i spent 28 years in business. in fact, half of that time with procter & gamble. we prided ourselves on good customer service. the other half of that time was part of a technology startup, a cloud computing company we took public. oracle acquired us a couple years ago. built a world class cloud computing company. i was vice president of customer service working with literally millions of end users and thousands of customers who we were -- we sold a b-to-c customer service cloud based solution. when i was running customer service and looking out for customers and we had a problem our policy was we'd notify our customers as soon as we were aware of the problem. maybe not always understanding the magnitude of it.
2:03 am
we believed we owed it to our customers to get back to them. i'm frankly surprised to think we might be thinking in terms of 30 days or -- i think, frankly that's unacceptable, that the customers, consumers in this country should be served better than that. and we should ensure that when particularly dealing with p.i.i., recognizing we may not know the scope of the problem at the time, but at least the customers ought to know there's a problem and we're working quickly to try to resolve that. i'd be happy if there's any other comments from the panel, please. >> senator, we would support the kind of notice regime that's contained within the illinois law. it's less important as to what number of days are attached to it as long as you provide the time for law enforcement, for example they may not want to notify because they want to set a trap for the people who have invaded it and have a way of catching them, taking them off the street. you've got to allow for that. you clearly want to clean up the
2:04 am
hole so that the people can't come back inside. once you've taken care of that you can -- 30 days, 10 days, whatever, 40 days, it doesn't matter, just a reasonable time period. i will say, to the specific point that was made a moment ago, one of our members had a breach which they initially interpreted to be a million card data had been released. once they examined it, it turned out there were only 35,000. so the idea that you would have given notices to 965,000 more people unnecessarily is a pretty serious problem. so you've got to get it right. there is no easy answer here. >> if i may comment, in terms of customer service i agree with you that quick notification is very important, but on the other hand, situations such as my other panelists have pointed out, some flexibility is necessary in this situation. one of the biggest deterrents to any organization is loss of trust. as we noticed, anthem has been very quick at reaching out to people and
2:05 am
hopefully will learn from their past challenges and also from other breaches that have occurred. loss of trust is a very big deterrent in the current environment, internet enabled gathering session, people have to quickly respond. >> yeah. well, i would hope to continue to work on this issue of trying to establish what we think would be without unreasonable delay and trying to perhaps put better guard rails on that because i think it's probably in the eye of the beholder sometimes. i can just say my experience in years of working with a cloud-based computing company i just believe it's better to err on the side of the consumer and for their protection. i fully understand you can create maybe a bigger problem by notifying everybody without understanding what really has happened. but i think as we lean one way or the other on this i would just urge us to lean toward a quicker response, defining
2:06 am
that. i think better safe than sorry particularly looking at this notification that went out. this is social security numbers. this is personal income data. this is perhaps private medical records. this is very, very serious. i think the consumer has the right to know about that sooner than perhaps waiting a week as we try to walk the fine line here of law enforcement and not creating a mountain out of a mole hill. i tell you what, i think we should be trying to make this tighter. i had two days. i hope we can work to something here that we can actually define. >> mr. daines, thank you very much. the bell has rung indicating votes and we will conclude this meeting momentarily. i'm not going to ask any
2:07 am
additional questions but, dr. pendse, i would be glad to have you visit with my staff. you know kansas well. what small businesses should we be worried about? what innovators may be deterred from greater innovation as a result of this kind of legislation? i'd welcome your input. >> absolutely. >> then i'd be interested in hearing from any of the witnesses about gramm-leach-bliley
2:08 am
and its potential being used as a standard. i'd like to know whether the bankers, if there is information that banks have that could be breached that is not covered. and, also, the same kind of question related to hipaa. where in those two arenas health care and financial services is there something that we ought to be considering a standard or a starting point as we look at broader breach opportunities or is that just a bad idea? >> yeah. i agree with you that it offers a potential model here. mr. johnson, i gather you feel that preemption language you said in your testimony, i'm quoting, "the extensive breach reporting requirement currently in place for banks provides an effective basis for any national data breach reporting requirement for businesses generally" -- i gather that you support the preemption model contained in gramm-leach-bliley. >> that's correct. >> because i think that may provide some common ground here. and i invite the witnesses, i know mr. duncan, i apologize, my time expired before you may have been able to provide a full teens my question so i'd invite you to supplement your answer in writing if you wish because i value your further comment. thank you, mr. chairman. >> if i may, senator blumenthal, i would emphasize the fact that this is essentially guidance. it says you should, you ought to, something like that. that differs quite a bit from the state laws that have a
2:09 am
mandate and a requirement. we would favor a mandate and a requirement rather than something that's merely suggesting. >> i was referring really to the preemption model there. >> senator klobuchar has exceeded her time at the earlier opportunity. >> but any concluding comments? >> in the great tradition of senators that's what we're expected to do. i think actually, senator daines followed up on the question that i had but i want to ask one more time. mr. duncan, a couple different times, has established a matrix of what might go into a reasonable standard. is there anyone on the panel who's concerned about the congress pursuing, as we look at this issue, a reasonable standard sort of along the lines that have been outlined or as opposed to a specific notification period? >> are we talking about time frame? >> we are. nobody has a problem? nobody is proposing that we should include a specific time frame in any law that we require notification in? >> senator, what i can tell you is the reasonable time frame such as what illinois has, we
2:10 am
have seen it abused. and so the idea that you would put in a specific deadline maybe within the most expedient time but in, you know, no circumstances less than, i mean, put some sort of a line there or as i said, it could be six months at which point your information is long gone. it has long been purchased on the black market. and who knows what has been done with it or damage that's been done to you. you need to have further discussion about how do you better define what the time line is going to be for notification. >> anyone else? >> thank you. >> thank you, senator. to be bipartisan in my admonition senator daines also exceeded his
2:11 am
time allotment. i also notice senator klobuchar was very effective in putting me in my place by something like "the new kid on the block." we're delighted you were all here and appreciate the information conveyed to us. the hearing record will remain open for two weeks. during that time senators are asked to submit any questions for the record. upon receipt of those questions the witnesses are requested to respond to those, to the committee as soon as possible. i thank the witnesses again for their testimony and i conclude this hearing. we are adjourned. >> thank you. >> the political landscape has changed with the 114th congress. not only are there 43 new republicans and 15 new democrats in the house there is 108 women in congress and the first woman veteran in the senate. keep track of the members of congress on c-span.org. there is lots of useful information there. new congress best access on c-span c-span 2, c-span radio and c-span.org.
2:12 am
>> president obama's $4 trillion budget request for 2016 has been released and jonathan of bloomberg is with us to help us understand what is in that budget. tell us what are some of the president's key priorities in his budget request and what agencies would get increases. >> the two main things that sort of they highlight in the budget is they want to end sequester. these are scheduled cuts that were agreed to in the 2011 budget control act. about $74 billion of spending over what these caps would be. they want to do those half between domestic spending and half defense spending. whether republicans will go for
2:13 am
that mixture or insist upon maybe an increase on only defense spending which the obama administration would disagree with remains to be seen. the other thing they proposed a lot of different tax aspects where middle class economics where they try to bring more tax breaks in for middle class and lower income people and pay for those with some tax changes that would largely affect upper income earners. >> are we talking about any major cuts for any departments or agencies? >> they want to increase irs funding which took a big hit under the cr omnibus bill last year. that is likely to be problematic for republicans.
2:14 am
the defense d.o.d. spending will be a flash point and those are some of the main aspects. a bunch of the discretionary spending, about a third is within relatively narrow range of the last couple of years because of the budget standoffs that have been happening. >> you tweet that the price tag for obama not having to deal with debt limit again, about $1 trillion insert dr. evil laugh here. tell us about that. $1 trillion. the debt ceiling is currently suspended so it doesn't apply. it will reset in mid march. after that treasury will have more time basically using accounting maneuvers to continue to borrow. it's an unspecified amount of time at this point. treasury is wary of giving a
2:15 am
precise forecast until they have more data but a lot of people are thinking act, maybe november and that will be when they need a new debt ceiling increase. if you look at the projects to get from where we expect to federal debt to be in march versus where we'll be in september 30 of 2016, which will only be a few weeks before the next presidential election, it comes out to about a trillion dollars. dealing with that issue near the end of the year will be one of the last big flash points between the obama white house and the congressional republicans this year. there will be a lot between here and then though. >> what is the next step with the budget process? >> gets sent to the cbo. they will take a look at it and
2:16 am
say this is a legitimate accounting, this part over here we would question, so on. and then in march it will go back to congress with their review of the president's budget and a new baseline given projections about what they expect the economy and deficit to look like in the next 10 years. they will write their own budget, one in the house and in the senate and try to reconcile before april 15. if they can do that and that's not been done since 2009 given there was divided power in congress during most of those years, they will be able to use that budget document to possibly leverage later legislation that would be immune to filibuster in the senate and send bills to the president for signature or veto. and what those reconciliation
2:17 am
bills will be remains to be seen. >> a budget reporter and covers house leadership. he's on twitter. thanks very much for joining us today. >> thank you. >> next on c-span a hearing on guantanamo bay and the prison center. live at 7:00 a.m. eastern "washington journal" features representative donna edwards of maryland on the president's budget and congressman john fleming of louisiana on the newly formed freedom caucus.
2:18 am
>> later a look at libertarian policies in 2015. we'll bring that to you starting at noon eastern and on c-span 3. >> the c-span cities tour takes book tv on the road traveling to u.s. cities to learn about their history and literary life. this weekend we partnered with time warner cable for a visit to texas. >> we are in the reading room of the reading selections. papers are the flagship collection we have here. he made it his life to help local and beyond mexican americans learn to be more
2:19 am
civically active and get the benefits they had coming to them as veterans which were sometimes very difficult for them to obtain. these represent the case of a private which was an incident that occurred early in the history of the g.i. forum. he served the united states during world war ii and was killed by a japanese sniper towards the end of the war. his widow argued to have his funeral conducted by the only funeral home near her home. they were willing to conduct the funeral but they were not willing to allow his body to remain in their funeral home over night for fear of offending the white citizens of the area. she appealed to dr. garcia and he conducted a letter writing campaign to people with positions of influence. a response came from johnson who had recently been elected
2:20 am
senator. he states his belief that it is wrong for a soldier a fallen soldier to be discriminated against after death. he offered burial in the arlington national cemetery and that's where he was laid to rest. >> watch all of our events saturday at noon eastern on book tv and sunday afternoon at two on american history tv on c-span 3. >> thursday defense department and national intelligence officials testified about the future of the guantanamo bay prison and u.s. detention policy. this was the eighth hearing of the senate armed services committee since senator john mccain took over as chairman in the new congress. this is two hours.
2:21 am
>> the chairman is currently at the national prayer breakfast. that is not finishing as promptly as they anticipated. as such, what i'm going to do is ask consent senator mccain's opening statement be submitted and my statement be submitted to the record and at this time, call on the panel for their testimony. then we will begin a round of questioning.
2:22 am
with that, mr. rasmussen, are you prepared to go first? go ahead, mr. secretary. >> members of the committee, thank you for the opportunity to testify today on the detention center on guantánamo bay. on retaining detainees and related issues. in 2009, president obama signed executive order 13492, which ordered the closure of the detention center of guantanamo bay, cuba. pursuant to that order a task force was set to discuss the detainees and determine the possibility of their release. through that rigorous effort, a certain number of detainees were approved for transfer and review and a certain number for detention.
2:23 am
since then, pursuant to the executive order signed on march 2011 for fiscal 2012 a periodic review board has begun to review the status of those detainees not currently eligible for transfer except for whom charges are pending or judgment of conviction has been entered. when the president came into office six years ago, there were 242 detainees at guantanamo bay. today, because of the task force and subsequent efforts, 122 detainees remain. of these, 54 are eligible for transfer. 10 are being prosecuted or have been sentenced and 58 reviewed by the periodic review process. in his nearly two years as secretary, secretary hagel has approved the transfer of detainees, 11 of whom were transferred, 28 transferred last year and five transferred this year.
2:24 am
the great majority of these transfers authorized by the secretary occurred under the authorities of section 1035 of the nda for fiscal 14. we urge you to maintain these authorities. mr. chairman, members of the committee, i want to make a fundamental point regarding the detention facility at guantanamo. the president has determined that closing it is a national security imperative. the president, and his national security team believe that the continued operation of the security weakens our national security by draining resources, damaging our relationships with key allies and used by violent extremists to incite local populations. it is no coincidence the recent isis videos showing the barbaric burning of a jordan pilot and savage execution of a japanese hostage each show the victims clothed in an orange jumpsuit believed by many to be the symbol of a guantanamo detention facility. 40 military leaders, all retired
2:25 am
flag officers wrote this to the committee last week and stated it is hard to overstate how the continuing existence of the detention facility at guantanamo has been and continues to be. it is a critical national security issue. many of us have been told by countries around the world the greatest action the united states can take to fight terrorism is to close guantanamo bay. this letter is signed by retired general charles krulak, retired of the marine corps and the first commanding general of the task force at guantanamo. many leaders encourage closing of the facility including general dempsey and admiral mullen. in 2010 general petraeus stated i've been on the record well over a year stating guantanamo should be closed.
2:26 am
i think whenever we have taken expedient measures, it has turned around and beaten us on the backside. senior figures across the political spectrum have made clear guantanamo should be closed. former secretary gates and panetta and current secretary all support closure of guantanamo. finally, president george w. bush concluded the guantanamo closure was a proper tool for enemies and distraction for our allies. i will address some of the letters raised by the letter of invitation. 27 detainees have been transferred since november 2014. these detainees have been transferred to nine different countries. key features of the process that leads to a decision to transfer include a comprehensive interagency review and rigorous examination of information regarding the detainee and the security situation of the host country and willingness to
2:27 am
maintain appropriate compliance of security measures. those reviews were conducted by career professionals across the government. next, any transfer decision requires assessment of the receiving country and willingness and capability of that country to comply with security assurances. we also have the ic look at that issue. finally each has been subject to unanimous agreement of six principals, secretary of state, secretary of homeland security, director of national intelligence, attorney general, chairman of the joint chiefs and finally secretary of defense. under section 1035 of the nda they decide if it is in the action of the united states and if actions plan to be taken to substantially reduce the risk of the terrorist engaging in terrorist or hostile activity that threatens the united states or u.s. primary interests. the primary interest of a
2:28 am
potential transfer is whether the detainee will return to the fight. we take the possibility of re-engagement very seriously. the most recent public data on re-engagement of former detainees was released last september and the data is current as of july 2014. there is a lag in the public reporting. i know you may have seen a more recent classified report on this matter. the office of the director of national intelligence categorizes the figures in three ways. the totals for before 22nd january 2009, when president obama signed the executive order and total after january 22nd 2009 referring to detainees who departed after that date. this is how the data break down. the total number is 17.3%
2:29 am
confirmed of re-engaging, 12.4% suspected of re-engaging for a total of 29.7% confirmed or suspected. before january 2009, that is those transferred in the last administration the numbers show 19% confirmed, 14.3% suspected re-engaging for a total of 33%. the data after january 2009 shows 6.8% confirmed of re-engaging. 6 out of 88 transfers. 1.1% suspected for a total of 7.9. in other words, the rate of re-engagement has been much lower for those transferred since 2009 which attests to the rigor of this new process. of the detainees transferred during this administration, over 90% are confirmed or suspected of not having re-engaged. this speaks to the scrutiny given to the transfer of the
2:30 am
review process and security measures the refugee government intends to take pursuant to its domestic laws and determinations to mitigate the threat. one additional point. of the 107 confirmed of reengaging the vast majority transferred before 2009. 48 are either dead or in custody. re-engagement is not a free pass. we take it seriously and work with partners to mitigate re-engagement or follow-up action. i cannot discuss the specific discussions with foreign governments with specification. i can tell you, among the types of measures we see is the ability to restrict travel monitor, reintegration, and rehabilitation programs. before transfer we had detailed, specific conversations with receiving countries about the threat they pose for transfer
2:31 am
and what the receiving countries will take to mitigate the risk. we review the ability of that country and security and track record adhering to private agreements. let me talk about the periodic review process briefly. the interagency process established to review whether continued detention of detainees in guantanamo is a continuing threat to security and we will provide your staff detainee risk assessment. to date, 10 full hearings of detainees have been made public and six eligible for security assurances pursuant to this process. two eligible by this process already been transferred, one to kuwait and the other to saudi arabia. the other three detainees remain subject to law of detention. efforts are being made to
2:32 am
expedite this process and prioritize hearings. you asked us to address legislation introduced by senator ayotte and several other members i understand may be marked up by the committee next week. in our view this legislation would effectively ban most transfers from guantanamo for two years and reverts to the previous regime for fiscal 12 and 13 which resulted in only court ordered transfers, transfers pursuant to plea agreements and use of only a few national security waivers. in addition, it adds a proposal to limit transfers based on jtf gitmo threat assessments that may be outdated or not include all available information. we believe any decisions on transfers should be based on current information and individual assessments of current detainees. because this legislation if enacted would effectively block
2:33 am
progress towards the goal of closing the guantanamo bay detention center the administration will oppose it. the proposed legislation bars transfers for any detainees for two years. 76 yemeni nationals remain. 47 eligible for transfer. 26 for prb review and two have charges referred and one is serving presentence confinement. a ban on transfers is unnecessary because we are not at the present time seeking to transfer any of them to yemen, especially in light of the recent further deterioration in the security situation there. since the president's moratorium on detainees transfers to yemen was lifted two years ago in favor of a case by case analysis, not a single detainee has been transferred to yemen. the 12 who have been transferred have been transferred to five other countries. we are currently seeking other countries to take additional yemenis. let me briefly talk about what our plan is. our plan to close guantanamo has three main elements. first, we continue the process of responsibly transferring 54
2:34 am
detainees eligible for transfer. second, we will continue the prosecution of the detainees in the military commission's process and if possible in federal court. third, we will continue and expedite the prb process. when we have concluded, it is likely several detainees cannot be prosecuted because they are too dangerous and will remain in our custody. ultimately closing the detention center at guantanamo bay will warrant us to consider other options including secure facility in the united states. the department of justice has concluded in the event the detainees are located to the united states, existing statutory safeguards and executive and congressional authorities provide robust protection of national security. we understand such transfers are currently barred by statute.
2:35 am
the president has consistently opposed these restrictions, which curtail options for reducing the detainee population. you asked us to address what happens if someone is captured on the battlefield. the disposition of an individual captured in the future will be handled on a case-by-case basis. when a nation is engaged in hostilities, as we are detaining the enemy to keep him off the battlefield is permissible and as an alternative to lethal action. in some cases, they will be transferred to the united states for federal prosecution, after appropriate interrogation has occurred in the cases. some cases may be appropriate for detention. the president has made clear, we will not add to the population of the detention center at guantanamo bay.
2:36 am
in closing, i would note that president bush worked toward closing guantanamo and many officials in his administration worked hard to achieve that objective. we are closer to this goal than many people may think. of the nearly 800 detainees to have been held at guantanamo since it opened in 2002, the vast majority have already been transferred, including more than 500 detainees transferred by the previous administration. the president and national security experts of this administration believe it should be closed, as do the senior military leaders and civilian leadership of the department of defense. we believe the issue is not whether to close guantanamo. the issue is how to do it. thank you very much for listening. i look forward to your questions. >> thank you very much mr. secretary. let me do something i neglected to do prior to asking for your testimony. that is introduce the witnesses. i'm a little rusty at this. secretary mckeon. nicholas rasmussen is the
2:37 am
director of national intelligence center. mr. rasmussen, do you have a statement? >> i believe i'm next. >> mr. rasmussen, please. >> thank you for the opportunity to appear before the committee today for this discussion concerning guantanamo detainees. i'll begin by discussing the intelligence community's support for the process that brian outlined in some detail, specifically the analysis that the intelligence community provides. the community provides a range of tailored intelligence -- >> would you adjust your mic? >> the intelligence community produces a range of assessments aimed at helping policy makers make decisions about the transfer of detainees from the guantanamo detention facility. these include profiles that examine factors relevant to whether individual detainees
2:38 am
pose continuing threats to the united states or to our allies. and to echo brian's remarks, we take the risk of reengagement very seriously. the community is continuously evaluating the global threat environment and works to keep decision makers, including the congress, informed of developments, especially with respect to threats to the united states. as you know, we continue to face threats from a wide range of actors, from al-qaeda and its affiliates, as well as from isil. the full force and brutality of these groups, such as isil and isis is felt most acutely in the middle east and north africa. in western countries, the threat environment is largely characterized by smaller-scale attacks. the majority of attacks conducted in the west in the last eight months were in fact conducted by individual terrorists. accordingly, it focuses most closely on the potential for
2:39 am
these detainees to threaten the u.s. and its interests overseas after they leave guantanamo. these assessments aim to provide a comprehensive understanding of the detainee's background, the current mind set and any links to individuals or groups that pose a terrorist threat to our interests. those assessments also take into account the evolving terrorist threat to the united states as well as security developments overseas, including in the detainee's home country, in conflict zones and potential transfer destinations. intelligence community products do not state whether a detainee poses a high, medium or low risk of reengagement, because we assess that the likelihood for a detainee to reengage is shaped by a combination of factors. in addition to this individually focused analysis, we also provide assessments about potential destination countries, their capabilities and their willingness to mitigate a potential detainee's threat.
2:40 am
brian also mentioned reengagement. i'd like to discuss our roles more monitoring. once a detainee is transferred from guantanamo, the ic continuously monitors for indications of reengagement and we work very closely with liaison partners to ensure the fullest understanding of a detainee's activities. through formal and structured intelligence community coordination process that draws on the assessments of eight different intelligence agencies, we determine whether to designate a former detainee as reengaged. now, we determine that a former detainee is confirmed as having reengaged in terrorism when a preponderance of information identifies that individual as directly involved in terrorist activities. we determine that a former detainee is suspected of reengaging in terrorism when we assess that plausible but unverified or even in some cases single-source reporting that indicates an individual is
2:41 am
directly involved in such activities. it's important to note, for the purpose of these definitions engagement in anti-u.s. statements or engagement in propaganda activities does not by itself qualify as terrorist activity. and it's also the case that some former detainees have been added to this list of suspected reengagement candidates and then later removed after information came to light suggesting that the individual had not, after all, reengaged. and just to quickly run through the numbers that brian cited again, 107 or 17.3% of the 620 detainees who have been transferred from guantanamo have been confirmed of reengagement in terrorist activities as of september 2014. at the same time, an additional 77 former detainees, approximately 12% were suspected of reengagement. of the 88 transfers that have occurred since the interagency process, implemented in 2009
2:42 am
6.8% of those transferred during that time have been confirmed of reengagement with another 1% suspected of reengagement. the next unclassified report that the intelligence community will put out on those reengagement numbers is expected in early march. we will update those numbers. i can't say where that report will come out, but i would expect those numbers will largely be in line with the trends i've just outlined. and i'll stop there, senator reed, and i look forward to your questions. >> thank you very much. admiral, do you have any comments? >> thank you for having me here today to discuss this important topic. as the joint staff's representative in the capacity of current operations, i appreciate all your efforts and focus on this matter. may i also extend my personal thanks for your unwavering dedication and support to the men and women of the armed
2:43 am
forces. i look forward to answering your questions. thank you very much. >> thank you for your statement, admiral. it's succinct and to the point. let me first ask -- there was a letter referenced from 42 officers addressed to senator mccain and myself. i would ask that be made part of the record. hearing no objection, so ordered, with the presumption that when the chairman arrives he will be immediately recognized. let me ask a few questions, then begin to recognize my colleagues. you both testified that the trend line is going down significantly, and mckeon, you see this continuing, in terms of recidivism, which is a critical issue. is that your conclusion? >> senator reed, that is certainly what we're seeing in the data.
2:44 am
we've transferred a number of people recently, probably too soon to say whether they've reengaged or not, because they're still getting settled. but we don't have any indications for -- we feel good about where we are with those, that's correct. >> let me also ask both you and mr. rasmussen. as you analyze these individual cases of recidivism, are you using it to inform your judgments going forward, ie, the circumstances of the individual, the country which he or -- presumably he, but in some cases perhaps she, goes back to? anything like that? so this is a continuing learning experience, and you feel you're getting more capable of making judgments about the usefulness of the individual? >> the answer to that is yes sir. we take a very close look, not just at the individual who may be transferred but the assurances that the country
2:45 am
agrees to sign up to and the capability of its own security services to uphold the agreement. and the ic and the embassy help us with that kind of assessment. >> and there is a check on the assurances that are given by these various countries so that we are confident that they have both the capacity and the will and are actually keeping up their end of the bargain? is that accurate? >> we continue to monitor compliance with the agreements through various means, including the u.s. embassy and, where appropriate, liaison services and our own capabilities. >> one of the major points that you made is -- and specifically mr. rasmussen -- that the continued operation of guantanamo gives some of our adversaries propaganda points with respect to recruitment, retention, magnifying their operations.
2:46 am
is that the assessment of the intelligence community? >> yes, senator. from the director of national intelligence's perspective, who has asked to weigh in on these transfer decisions, from the perspective of intelligence, what underpins all of his decision making in this regard is an analytical judgment that the community has made that the benefits to national security, from closing guantanamo, in some cases, in many cases, outweigh the risks that are incurred by releasing individual detainees. it's precisely because of that continued featuring of guantanamo in the terrorist narrative that he's made that calculation, the fact that guantanamo features in terrorist propaganda, it features in terrorist recruitment. and we assessed that it has continued significant resonance in the population that our terrorist adversaries are trying to recruit among.
2:47 am
isil has used guantanamo in its english language propaganda, including their online english language language. al-qaeda in the arabian peninsula, operating in yemen, has used guantanamo in their propaganda. and it's also noteworthy that al-qaeda's senior leader continues to reference guantanamo in his communications with al-qaeda members around the world. so, yes, senator. >> thank you. this is a specific issue which we're going to have to face. general kelly, the commander has voiced concern about the medical facilities there. you have an aging population of individuals, and last year in the senate version of the defense authorization bill, we put in language that will allow for a temporary transfer because of the medical condition, of an individual to a
2:48 am
more appropriate facility, on a temporary basis in the united states. this was not ultimately adopted. but is that something that concerns you, going forward, just in terms of a population that obviously is going to be -- if closure is delayed, more and more need of specialized care? >> it does, senator. there are certain members of the population who have acute health care issues, and as they get older, those will continue to get worse. and so i was down to visit a couple of months ago and had a conversation with the commander about this. and his concern is it's quite expensive. they have to bring in specialists to treat these individuals from the states. and i think we would prefer, if we could, on a short-term basis, as you indicated in your legislation, bring them to the united states for said specialist care as needed. >> thank you very much.
2:49 am
senator tillis, please. >> thank you, senator reed. gentlemen, thank you for being here today. i have a question about the five taliban members who were released. i think we got notified through the press, back in may of last year, and my question for anyone on the panel would be, were the five talibanis who were released subject to the periodic review? >> they were not, sir. >> they were not. if not, why? >> i was not in the department at that time, sir. i would have to go back and ask that question. as you know, it was part of an exchange for sergeant bergdahl. >> so the assessment of their risk level didn't go through the processes that were established? >> no. i didn't want to leave you with that impression. the periodic review board
2:50 am
process makes a determination whether detention of the individual is still permissible. the statute that you have given us requires the secretary still to make the determination prior to any transfer of the national security interests and mitigation of the risks. and that, sir, was undertaken. >> i don't believe you were there at the time, but why do you think that the department decided not to notify congress as per the statutes? >> sir, i believe -- >> perhaps, what's the legal basis for that as well? >> sir, i used to be -- well i'm still a lawyer technically and was counsel in the foreign relations committee for 12 years, but they've stopped paying me to give legal judgments and it would be malpractice for me to try to opine on it. my understanding is the department of justice and mr. preston, general counsel of the department, interpreted the president's powers because of the security risks and safety of
2:51 am
sergeant bergdahl, necessitated proceeding without the 30-day notice. but i'm happy to give you the more refined legal answer, because i'm not the person to do that for the department. >> another release for afghanistan nationals, i believe back in december, why did the administration not require continued detention of these four detainees? >> sir, these individuals had, i believe, been approved for transfer in 2009 by the -- >> did that go through the periodic review? >> no. they were already cleared -- approved for transfer by the 2009 task force, sir. >> another question i had was with respect to the process. i noted that a detainee is entitled to having counsel which presumably means the information that the periodic review board uses to determine
2:52 am
or to make a determination is available to that counsel. is that same information available to the public, or to the congress, on the periodic review cases that have gone through? >> sir, with the periodic review board, the detainee has a right to a personal representative who is a military officer. he can employ private counsel, and if that person is given clearance, we can share certain classified information. we have tried to have some measure of transparency with the prb process in releasing information about the hearings on the department website. we are not able to share everything that's available to the prb, because some of the information is classified. >> thank you. >> thank you, senator reed. >> thank you very much. senator king, please. >> thank you. mr. rasmussen, it seems to me
2:53 am
the key question here is weighing the risk of individual recidivism versus what i would call a reputational risk or the recruiting risk of the facility itself. could you elaborate on what the director of national intelligence -- i mean, that's what this is all about, it seems to me. is it more dangerous for the national interest to keep guantanamo open because of its use as a recruiting tool, or is there a greater risk of the people being released reengaging? give me your thinking on that. is that the question? >> sure. happy to answer that, senator king. because the director of national intelligence does have a voice in the process to approve a transfer, he does look at, as i said earlier, all of the relevant information related to the detainee's specific background. background before going to guantanamo, background during the course of detention at
2:54 am
guantanamo and anything we know, as i said, about the environment into which he might be transferred. at the same time, though, as i said earlier, he has that underlying analytic judgment that the director of national intelligence has made -- has been very clear about, that there is a cost in terms of our national security that we're bearing because of the continued operation of guantanamo, in the context of recruitment and potential radicalization of future terrorist adversaries. so the weighing process that he goes through looks at both factors. that does not mean in all cases he will look at detainees and say, ah, continuing to operate guantanamo creates too big an obstacle for him to oppose a transfer. it is still the case that there are some detainees that he would consider too dangerous to return in a transfer -- almost -- unless there were extraordinary arrangements made for their monitoring and disposition overseas.
2:55 am
so that calculus that has been made is not a singular cookie cutter calculus. >> if this is one of the key questions, and it sounds like it is, i would appreciate it if you or some of the witnesses could supply to this committee data supporting evidence of this recruiting factor, just rather than a reference to what somebody said or something, but a real set of materials, written materials, the way it's being used, because it seems to me that's one of the most important questions we have. and if we're going to decide to close the facility or collectively, the united states government is going to decide to close the facility based upon that, we better know it's real and not just a perceived threat. is the administration contemplating further executive order to close the facility
2:56 am
beyond what the current process -- how the current process operates? >> i am unaware of any contemplation of an additional executive order. we're working on the three lines of effort, transfers, prb process. and i'm blanking out on the third one. >> but there's no further -- you don't know of any other contemplation of additional executive -- exercise of executive authority to simply close the facility? >> i am not, sir. we are operating under the president's executive order from 2009. >> the question that bothers me is, okay, if we decide it's in the national interest to close it, there still are people there that are very dangerous. can we hold these people in the united states under the law of war? and the second question is, how does the law of war analysis work if the war, which was the
2:57 am
war in afghanistan, is officially over? does that undermine the legal analysis? in other words, we could bring some very bad guys here, put them in max security prisons and then suddenly find that they are subject to habeas and we don't have enough evidence to convict them in a federal court. you understand where i'm going with the legal question? >> i do, sir. on your second question, the detainees are already subject to habeas. they can file a habeas petition in the d.c. circuit pursuant to supreme court rulings. >> so there's no difference between guantanamo and someplace in the united states in that legal regard? >> that's correct. as to the question of the legal authority to continue to hold them, we are relying on the 2001 aumf. so if we did reach a point where the 2001 aumf is either repealed by the congress or we decided it was no longer sustainable based
2:58 am
on the situation in afghanistan, then we would have an authority issue. no question about that. >> thank you, gentlemen. thank you for your testimony. mr. chair, welcome back. >> thank you. there are other members that were in attendance at the national prayer day breakfast. they will be coming in. and that obviously is a reason for me being late. i want to thank the witnesses. thank you, senator reed, for proceeding. and i'll withhold my questioning until senator sullivan. >> thank you, mr. chair and thank you, gentlemen. mr. rasmussen, congratulations on your recent appointment. so i want to follow up on senator king's questions. there's a lot of discussion here
2:59 am
about guantanamo -- how it potentially weakens national security that you made in your system testimony. at the same time, i think we would all agree that allowing known terrorists back on the battlefield to engage our troops, our citizens, also weakens our national security. and i think that that is one of the big concerns, certainly of this committee and members of congress. and i'm certain also members of the administration. so from a broad perspective, of the remaining gtmo detainees how many are currently assessed to be high or medium risk? >> senator, i don't have those numbers at my fingertips.
3:00 am
if you're referring to the assessments that were done by gtmo back in the last decade, my impression is, knowing the population of that which we've transferred most of those who are low-risk. but i don't know the precise data. >> but i mean, of the current remaining detainees, we don't have a handle on who is high or medium risk right now? >> i don't have that at my fingertips. as both i and nicholas rasmussen explained, sir, when we bring forward a case for possible transfer, we look at the totality of the evidence, what the detainee had done on the battlefield, how they have