
Hearing on Cybersecurity  CSPAN  January 15, 2016 3:46am-5:51am EST

3:46 am
district this week. this state-of-the-art facility brings together 100 highly trained security professionals. it provides for collaboration internally and with partners, enabling information sharing, rapid response, etc. i'm privileged to have a number of companies who are on the forefront in this area. we have a number of those witnesses here today. i look forward to hearing from our witnesses, who are all innovative thinkers from the private sector. i hope we can take the lessons we learn and help apply them toward protecting our federal information systems and the sensitive and valuable information. we clearly must work together and be able to be agile and adaptive to the ongoing threats we know, with the multiplication of information
3:47 am
it is going to exponentially increase over the coming year. this will be a permanent employment area for all of you. i now recognize the ranking member of the research and technology subcommittee, the gentleman from illinois, mr. lipinski. >> thank you for holding this hearing. i want to thank all of the witnesses for being here today and i look forward to hearing your testimony. comstock mentioned in her opening statement the real need to make sure we do more in this area. we need to make sure that both in the public and private sectors, people are held responsible for the hacks that do occur. we need to make sure that we have in place what we can do here, that
3:48 am
congress makes sure there is a way to avoid these hacks and loss of information. i am interested to hear more from our witnesses. i am pleased that we are holding our first hearing on cyber security, which is an urgent challenge for our national security and the personal security of every american. it is important that we continue to hear from governments about the latest developments in respect to security in cyberspace and the technologies and policies. our committee plays an important role on the policy side. this is an area in which members have successfully collaborated. in december 2014, congress enacted the cyber security enhancement act, a
3:49 am
bipartisan bill. over the last month, it promoted information sharing to strengthen coordination between the private and public sector. and as congress, we need to continue to confront these serious cyber threats. unfortunately, we continue to see an increase in major cyberattacks in the private sector. in the hearing we had in july, we heard about a significant breach in the office of personnel management in which the personal information of millions was compromised. highly sensitive security files were also compromised, making it not only a problem for individuals but for national security as well. we have laws in place to address security.
3:50 am
it establishes the amendments and procedures necessary for the development of standards and protocols. it is clear that federal agencies need to do better jobs in implementing protocols. sectors are under constant threat from cyberattacks. a recent study found there was a 19% increase in cyber crimes in 2014 and 2015. the study also found cyber crimes cause economic damage. for 2015, cyberattacks resulted in a cost of $15 million. they are increasingly taking steps to protect the information. addressing our risk will take
3:51 am
a combined effort of the federal government, the private sector, our researchers and engineers, and the general public. although cyber attacks are becoming more sophisticated, often they are successful because of human error, because of unknowingly opening an e-mail. part of it is educating the public. another part is understanding behavior. i look forward to hearing from witnesses today. practices are opportunities for hardships. i'm also interested in hearing to what extent private businesses and organizations voluntarily implement standards, and how you may be participating in
3:52 am
other efforts, including the cyber security center for excellence. thank you and i yield back. >> thank you, mr. lipinski. i now recognize the chairman, the gentleman from georgia. >> thank you, chairwoman comstock, especially for continuing this discussion. i would like to thank our witnesses for being here today to help us understand industry best practices when it comes to cyber security -- to mitigate those risks at a
3:53 am
cost effective and acceptable level. we found out these agencies have not consistently implemented agencywide information programs to mitigate that risk effectively. when i asked that same witness to grade our cyber security, he gave it a "d." to improve the public's understanding of how the government protects its information, and thereby our national security, this administration needs to explain how it is protecting the american people's personal information. as i stated at the hearing this summer, the breach of data from the office of personnel management is one of the -- this committee continues to look into the collection of americans' data at healthcare.gov. i'm still waiting for complete answers from the administration to the questions i posed back in june. this administration
3:54 am
has not explained why it was storing americans' personal data, particularly of those who do not end up enrolling. one would think that president obama would agree that such a practice is unnecessary, as he identified cyber security as one of the most serious economic and national security challenges we face as a nation, one that we as a government are not adequately prepared to encounter. why on earth would the government consider storing this information indefinitely in data warehouses? as a chairman, i will continue to ask questions and demand answers until we are satisfied and we are making decisions in the best interest of protecting the information of all americans.
3:55 am
this nation must be our number one priority. having continuously subpar security of our federal systems is embarrassing and must be rectified. the delay must stop. it is time to do something about federal cyber security. i look forward to the testimony in today's hearing. i hope to learn more about the best practices and lessons learned, in hopes that it will shed light on what the government should do to protect our citizens from cyber threats. madam chairman, i yield back the balance of my time. >> i now recognize the ranking member of the subcommittee on oversight for his opening statement. >> thank you, chairwoman comstock. as we keep learning after each attack, cyber security is a critical challenge. today, we create and store information about
3:56 am
every aspect of our lives. it is comprised of bank records, text files, on and on. last week i was going on realage.com to see how long i was going to live. attackers are going to know my cholesterol, the weight of my dog and the last year i had a cigarette. i took an alzheimer's test last night online, which i hope does not show up in my next campaign. we communicate with teachers about their academic achievements. newsflash, none of this information is secure. immediate access to these digital connections provides tremendous damages. they are highly dependent on all of the information gathered on their customers. there are abundant nefarious
3:57 am
opportunities for cyber criminals, foreign governments and even more dangerous actors. that is an ongoing enterprise that requires constant vigilance. last year's attack was a huge concern for all federal workers that live in our district. there were failures at opm, but nobody is immune, not the government or the private sector. according to the privacy rights clearinghouse, a nonprofit, there were breaches against .gov -- the big one was opm. during the same time, the private sector experienced 174 breaches. it is a huge problem for both sides.
3:58 am
sharing best practices and educating federal workers is very important. i look forward to today's hearing. i am sure there are many lessons we will learn. i also say with equal certainty that there is much the private sector can learn from the government, especially the department of defense. i look forward to today's discussion. thank you so much. madam chair, i yield back. >> i recognize mr. smith. mr. smith: last year more than 178 million records of americans were exposed in cyber attacks. the breach at the office of personnel management compromised the information of 20 million people, including members and staff of this committee. the united states is a top target for foreign countries. cyber criminals exploit vulnerabilities in our networks
3:59 am
and cyber systems to obtain valuable information. in 2014, more than 67,000 cyberattacks were reported. many others were not. a number of federal agencies fall under the jurisdiction of the science committee. these include the national science foundation, the department of homeland security science and technology directorate, and the department of energy. they conduct critical research and development to promote cyber security and set federal standards. however, it is clear that too many federal agencies like opm failed to meet basic standards of information security. more must be done to make sure agencies do. last year's audits revealed
4:00 am
that 19 of 24 major federal agencies failed to meet the basic standards mandated by law. yet the administration has allowed deficient systems to stay online. what are the consequences when a federal agency fails to meet its basic duties to protect sensitive information? what does it say to federal employees, not to mention our adversaries, when cabinet secretaries don't take cyber security seriously and fail to follow the most basic email security practices involving our country's classified information? in the private sector, those who neglect their duty to keep the information of their customers secure are usually fired. in the federal government it seems the only people penalized are the millions of innocent americans who have their personal information exposed. during the last congress, the science committee approved the cyber security enhancement act, which was signed into law. this law improves america's cyber security abilities and
4:01 am
strengthens strategic planning for federal cyber security research and development. it supports nsf scholarships to improve the quality of our cyber security workforce. it also improves cyber security research development and public outreach organized by nist. last month a similar bill was signed into law. very importantly, this bill encourages private companies to voluntarily share information about imminent cyber threats with each other as well as with the federal government. the science committee will continue its efforts to support research and development to strengthen america's cyber defenses. i look forward to hearing from our witnesses today about what more we can do to support innovation and help set national standards and guidelines that will enhance our country's cyber security. i thank you again and yield back. >> i thank you.
4:02 am
>> mr. wood serves on the boards of the technology council. he is also the founding chairman of the ceo cabinet and served for five years as chairman of loudoun county's economic commission. mr. wood worked on wall street after earning his degree in finance and computer science at georgetown university. he is also very active in stem education throughout loudoun county and our district in
4:03 am
getting young people engaged and involving them personally, both with your company and with our school system. so we appreciate all you do in that area. dr. martin is a fellow and senior vice president and general manager for the networking and security business unit. he joined vmware in 2012 when it acquired the company where he was cofounder and chief technology officer. he previously held a research position at lawrence livermore national laboratory, where he worked on network security in the information operations assurance center. he has been recognized as one of the industry's leading innovators, 50 most powerful people, forbes next generation, and received his master's and phd from stanford.
4:04 am
mr. snyder serves as vice president, where he focuses on driving overall technology strategy across the company. he was previously chief technology officer. prior to joining, he served as cto for brightmail, the leading anti-spam software company, which was acquired by symantec. before that, he founded south beach software, a software consulting company that developed products for the professional video market. he also received a master of science in mechanical engineering from the university of california, berkeley, and a bachelor of science in engineering. mr. clinton is the chief executive officer of a multisector trade association focused on cyber thought leadership, policy advocacy and promoting sound security practices.
4:05 am
he is widely published on cyber security and is the principal author of the cyber risk handbook for corporate boards, published by the national association of corporate directors in 2014 and endorsed by the department of homeland security. he was also named one of the 100 most influential individuals in the field of corporate governance last year. he is in demand internationally, having spoken in europe, asia and latin america, and we are glad to have him here today. in order to allow time for your discussion, please limit your testimony to five minutes. your entire written statements, which i know are more extensive and have lots of good information, will be in our public record, and since we are on c-span today i would encourage the public to also look at those full statements to get more information. with that, i now recognize mr. wood for five minutes to present his testimony. >> i would like to thank
4:06 am
chairwoman comstock and the other chairs for the invitation to share some thoughts on industry best practices for cyber security and risk management. as i noted, we protect the world's most security conscious enterprises, providing our customers with solutions and services for cyber security, secure mobility and identity management. the first point i would like to highlight is that all enterprises, public and private, need to emphasize cyber hygiene in their day to day operational practices and employee training. why do i make this first point? because the 2015 verizon data breach investigations report found that the overwhelming common denominator in security incidents is people. nearly all of the security incidents verizon catalogued might have been avoided if they had taken basic steps to help
4:07 am
employees follow simple security precautions. here are five steps organizations should take to help protect themselves. first, establish and enforce cyber security policies and procedures. second, include effective password management practices. third, require regular security awareness training. fourth, implement timely updates and patches to manage vulnerabilities. and fifth, use up-to-date endpoint security solutions. these five basic steps serve as the foundation for a strong cyber security program. every it security professional knows them, and yet the importance of following through with them cannot be overstated. further, these practices must be embraced in the board room and by management so that a culture of cyber security is created throughout the organization from the top down. that being said, every organization with high value
4:08 am
digital assets needs to assume it has already been breached or will be. this leads to my second point, and that is that incident response and remediation are just as important to organizations as cyber defense in-depth strategies. we have developed a rigorous framework for incident response with essential steps like preparation, containment, eradication and recovery, which we use ourselves and implement for our customers. further, it isn't realistic to expect every organization to have the time or the financial and human resources needed to successfully defend everything. that's why risk management is so critical to effective cyber security. risk management involves identifying, evaluating and either accepting or mitigating uncertainty in decision making. private and public sector organizations need to make cost benefit choices about which systems to defend and how to defend them, based on the
4:09 am
likelihood of an asset being attacked, the value of the asset being attacked, the cost of defending the asset and the cost of losing the asset. that's reflected in the program established by congress to provide adequate risk-based and cost effective cyber security and more efficiently allocate cyber security resources. this continuous diagnostics and mitigation program extends continuous monitoring into the areas of diagnostics and mitigation, while acknowledging that risk management is called for when you have to meet nearly infinite needs with finite resources. that's also the value of resources and the nist cyber security framework. they put cyber security solutions and best practices into the context of risk management and compliance. which brings me to my third point. the standards and the nist
4:10 am
cyber security framework are very good, but they cannot succeed unless companies follow them. we should be looking for ways that market forces can incentivize companies to voluntarily take the strongest possible actions to protect themselves, which includes following the nist standards and best practices. the various critical infrastructure sectors are just that: critical. they're so important to our national defense, our economy and our way of life that it is imperative government and private sectors encourage organizations in these sectors to use best security practices. one promising area of incentivizing companies is tied to the growth of the insurance market. the commerce department has described cyber insurance as "an effective market driven way of increasing cyber security." the treasury department has suggested that the increasing demand may help drive private
4:11 am
sector policy holders to adopt the nist cyber security framework. as insurance companies get their arms around the data that accumulate with each new breach, they will want insights into what their clients are doing to protect themselves. are they applying sufficient ongoing protection? are they using the framework or an equivalent standard? in fact, insurance companies may well require their clients to adopt the nist framework in order to demonstrate insurability and reduce their premiums. when that happens we could see greater market-based pressure brought to bear that will effectively require other companies to do the same. so market forces and the fear of legal liability may make nist voluntary guidelines the standards for companies to demonstrate to insurers or in court that they have exercised all due care to protect their customers and assets. one additional point. cyber security is just too important to do on the cheap. overreliance on lowest price
4:12 am
contracts can be very risky in a field that has so little room for error. similarly, our fifth warfighting domain, cyber space, must be appropriately funded. u.s. cyber command has been funded at a level this year that represents a mere 1/1000 of the budget. just four banks, jp morgan, bank of america, citibank and wells fargo, are spending three times the amount. jp morgan decided to double their it security from 250 million a year to 500 million a year, more than all of cyber command. the financial sector is an example of the cyber sector taking responsibilities very seriously and devoting the resources necessary to protect themselves. again, i appreciate the opportunity to share with you our perspective and would be glad to answer any questions. >> thank you. now we will hear from dr. casado.
4:13 am
thank you for the opportunity to testify today. i am super thrilled to be here. i am vice president and general manager of networking and security. we are the fourth largest software company in the world with 2014 revenues of over $6 billion and over 18,000 employees. the nature of the security breach at the office of personnel management was not unique. they were able to gain access to systems where they were free to access and steal sensitive data over a period of several months. hackers typically use this attack methodology because traditional systems are designed to be doors to the network. these doors allow authorized users into network systems and prevent unauthorized users from entering the center. however, perimeter security is a single point of entry that
4:14 am
must be breached or circumvented in order to enter the network. once the intruder has passed the perimeter, there is no simple means to stop them from moving throughout. in many cases the response is to add more security technology to the perimeter, which ignores the structural issue; basically, maginot lines. this suggests three points for conversation. one, every recent agency breach has had one thing in common: the attacker, once inside the perimeter, was able to move freely. two, perimeter centric cyber security policies, mandates and techniques are necessary but insufficient and ineffective at protecting assets alone. three, the attacks will continue, but we can greatly increase our ability to mitigate and limit the attacks when they do. in today's legacy networks there are a lot of technologies designed to stop an attacker. clearly this approach is not
4:15 am
sufficient to combat today's cyber attacks. solutions are analogous to a locked door that can only be accessed with a key. the primary function of the door is to deny initial unauthorized entry by anyone who does not have a key. however, once the door is forced open or breached, the unauthorized actor is free to move throughout. in order to prevent an attacker, agencies must compartmentalize within the data center. a zero trust environment prevents unauthorized lateral movement by establishing automated governance rules that manage communication between business systems or applications within the network. when a user or system breaks the rules, the potential threat incident is compartmentalized and security staff can take any appropriate actions to investigate the threat and not put the entire network in jeopardy. to build on the analogy above, this compares to adding more locks, limiting their ability
4:16 am
to move around freely significantly. these approaches are already the gold standard in the commercial industry and need to become the gold standard across the federal government. the agencies conclude that the most effective means of mitigating is to build a new network environment with enhanced security protocols. agencies reach this conclusion because their centers are seen to be compromised and unsalvageable. this is a legitimate strategy. there are two main issues with this approach. the existing data centers continue to operate while the new environment is being provisioned, which leaves sensitive data vulnerable, and it can take months or years to stand up a new greenfield environment. this is what happened with the attack. they were building a new enhanced network, but the attack occurred on the existing system. without clear cyber security guidelines mandating new
4:17 am
software based security strategies that go beyond, the environments are subject to attack as soon as they become operational. in an era of constrained resources, this approach is insufficient and untimely. agencies have the ability today to update their security posture and add zero trust. these solutions are more cost effective than new solutions. by deploying these technologies within our nation's existing networks, agencies can avoid billions of dollars of additional investments when the compelling driver for the investment is security related. thank you for the opportunity to testify. i look forward to answering the committee's questions. >> we will hear from mr. snyder. >> thank you for the opportunity to testify today. the focus of today's hearing is right on point. -- >> i don't think your microphone is on. >> thank you for the
4:18 am
opportunity to testify today. the focus of today's hearing is right on point. cyber security is a shared responsibility and the public and private sectors must work together closely to counter ever evolving threats. many of the recent headlines about cyber attacks focused on data breaches, both in government and across industries, but attacks do much more than that and range from basic confidence schemes to massive denial of service attacks to sophisticated intrusions. the attackers run the gamut and include highly organized criminal organizations and state sponsored groups. attack methods vary and the only constant is that they are always evolving and improving. customized targeted e-mails are still one of the most common forms of attack. social media is also an
4:19 am
increasingly popular attack vector, as people tend to trust links and postings that appear to come from a friend. we have seen the rapid growth of targeted web-based attacks, and malware is cloaked in legitimate software updates. for example, last year legitimate software developers were compromised, and their compromised software was pushed into apple stores and downloaded. further, the attack surface continues to expand as both the private and public sectors move to the cloud and the internet of things, and the billions of new devices coming online will bring with them a new generation of security challenges. for example, insight predicted the sale of 84 million wearables. each of those users is transmitting sensitive data into cloud platforms that must be secured. preventing these requires an integrated approach. the national institute of standards and technology's
4:20 am
framework for improving critical infrastructure cybersecurity embodies this approach, and its five core functions serve as a useful outline. first is identify. simply put, you can't protect what you can't see. the task goes beyond just identifying hardware and software and includes a risk-based approach. next is protect. it starts with people. an organization needs to ensure its workforce practices good cyber hygiene. but of course technology is important, too. modern endpoint security examines numerous characteristics to discover unknown threats. it's critical to monitor the overall system to look for unusual activity that could signal an infection. information protection is equally important. this requires a data loss prevention solution that indexes, tracks and controls the movement of data across an organization.
4:21 am
the third function is detect. an organization needs to know what is going on inside of its systems, as well as who is trying to access what and how they are trying to do so. modern analytics platforms can use advanced behavioral and reputational analytics to know if it's an indicator of malicious activity. fourth is respond. good planning is the foundation of an effective cyber security strategy. if and when an incident occurs, an organization must have a well defined, practiced playbook to respond. interviewing potential vendors and assigning roles and responsibilities is not a good use of time. the last function is recover. this is two fold: getting systems back up and running and improving security based on the lessons learned. effective and efficient recovery requires planning. poor preparation could leave an organization with incomplete or corrupted backups. perhaps the most important part
4:22 am
of fixing this is to learn from the incident. cooperation is key to improving cyber security. we participate in numerous industry and public private partnerships. these include national forensics, the f.b.i., europol, interpol, and nato. we have also been involved in several operations to take down criminals, such as financial fraud and cryptolocker. the only path to improving security for the nation is through partnership and shared expertise. the government can learn from the experience of incorporating cutting-edge security tools into their programs. we appreciate the committee's interest. i will be happy to take any questions. >> thank you. now we will hear from mr. clinton. >> thank you. it is an honor to be here.
4:23 am
i appreciate the opportunity. i would like to focus on five areas where i think the federal government can learn from the private sector. first, government needs to invest much more in cyber security. private sector spending on cyber security has nearly doubled in the last several years to 120 billion annually. the federal nondefense spending on cyber security this year will be between 6 and 7 billion. that will increase 24% next year; the federal government's increase is about 11%. i know of two banks who have a combined budget of 1.25 billion for next year. d.h.s.'s entire budget is about 900 million, 75% of what two banks are spending by themselves. cyber crime costs our nation a half trillion a year, yet we are successfully prosecuting maybe 1%. we simply need to spend more on cyber security. government needs to act with greater urgency. it took congress
4:24 am
six years to pass an information sharing bill. in 2009, the trade associations presented to congress detailed recommendations on cyber security. in 2011, the house g.o.p. task force report embraced these recommendations, as did president obama's executive order. but four years after the house report, we still have not seen any substantial work on the top recommendation in that report or the executive orders. for example, the g.o.p. task force report and the executive order and the national protection plan all call for the creation of a menu of incentives to promote the adoption of cyber security. yet aside from the bill the president has not proposed, congress has not introduced a single incentive strategy bill. last month g.a.o. reported that 12 of 15 sector specific agencies had not identified incentives to promote cyber security even though that's called for.
4:25 am
the president's executive order called for the framework to be both cost effective and prioritized. three years later, there has been no objective measurement of the framework's effect on improving security, its adoption, or its cost effectiveness. three, the government needs to educate top leadership as the private sector is doing. in 2014, they created a handbook on cyber security, which was published by the corporate directors and is the heart of the training program that they are launching. the success of the approach was recently validated. they said boards appear to be listening to the guidance. this year we saw a double digit increase in board participation in cyber security, leading to a 24% boost in security spending. other notable outcomes include the identification of key risks, fostering an organization and better alignment of security with overall risk management and business goals. we believe that the government
4:26 am
needs a similar program to educate the government equivalents of corporate boards: members of congress, members of the cabinet, agency secretaries. most senior government officials are not sophisticated in their understanding of cyber security. if they are educated as we are educating the private sector, we think we could have more success. the private sector has moved away from the it department as the central focus of cyber security and is evolving a more integrated approach. unfortunately, the federal government is still caught up in legacy structures and turf wars impeding our efforts. merrill lynch found in 2015 that the u.s. government is still in the process of determining who will have jurisdiction. all battling for jurisdiction and funding, the result is a fragmented system that is hindering the development of a secure system. government needs to become more
4:27 am
sophisticated. a 2015 study compared federal civilian agencies and found that the federal agencies ranked dead last in terms of understanding cyber security, fixing software problems, and failed to comply with industry standards 75% of the time. the reason the government does so badly, according to g.a.o., is that they simply evaluate by predetermined check list. the private sector on the other hand uses a risk management approach where we anticipate what the future tasks are going to be and then, forward looking, attempt to adopt standards and practices. we believe that the government needs to follow the private sector's
4:28 am
lead. they need to become more educated, more sophisticated and act with greater urgency with respect to cyber security. i appreciate the opportunity to speak with you today. thank you. ms. comstock: thank you all so much for your expertise and your passion about this important issue. i remember back in 2014, i was able to sit down with mr. wood and we spent a pretty long afternoon i think identifying a lot of the problems and i'm sorry to say that everything you said came true. all the problems you identified were dead on. but i appreciate that you're here to help us address that. i was at the consumer technology conference earlier this week and so we're seeing a lot of the new things that are in practice and certainly the concept of innovate or die is very much a reality here.
4:29 am
i think you have all addressed this a little bit. but how do existing government contracting provisions impact the ability for the public sector to be agile and to be able to do what you do in the private sector? and how can we -- i know this is a little bit out of our jurisdiction in terms of government contracting, but sort of identifying the problem and how we can address it. we have the standards, we have the practices. we know you need to be more risk management based instead of just a check list. how can we get those type of policies in the government that are as agile as what you have in your sector? >> i think it would be very helpful for the government to move toward a best value approach for government contracting as opposed to a lowest priced technically acceptable
4:30 am
approach. the same individuals we put on assignment with the government, often we can, we will receive a much higher rate for those individuals working commercially because commercial companies tend to value the kind of capabilities that our security professionals have. it is often 200% to 300% higher, and that is a big issue that the government needs to at least address, because otherwise you tend to get what you pay for. >> i agree completely with mr. wood, and i believe this speaks to part of the education issue that i was talking to. we need to have a better understanding of the breadth of cyber security. it is not an i.t. problem, it is an economic problem. we need to find a way to move from, as mr. wood said,
4:31 am
lowest cost items, especially in the federal space. federal agencies are buying equipment off of ebay from nonsecure suppliers because it is lower in cost. while we appreciate the attention to and the need for economy at these times, we have to understand there is a direct trade-off between economy and security. we are going to have to come to grips with that, and we have not. if we could educate federal leadership -- we had exactly the same problem a few years ago -- we might be able to get a better appreciation of the interplay between cyber security and the technology of cyber security. the real problem you are speaking to mostly comes in the smaller business elements of cyber security. if you are going to deal with the major defense contractors, frankly you compensate them perfectly well and they have pretty good cyber security, but
4:32 am
because of the procurement system they are required to farm out a lot of the procurement to smaller firms across the country. those smaller firms do not have the economies of scale to meet the same standards. we have to find a way to provide the incentives for smaller companies to come up to grade, because it is not economic from their business point of view to do that. there are a number of suggestions we have made that we could talk about, how we could better incentivize the smaller companies so that we can get them up closer to where the majors are. if we do that, we can achieve our goal, which is a cyber secure system as opposed to cyber secure entities. >> mr. snyder? >> another thing that is not directly a contract issue is to use the tools that they have purchased.
4:33 am
in the private sector and the public sector, we see the acquisition of technology that is not used properly or configured properly. it happens in private organizations as well as public organizations. take the technology purchases and make sure you have the right human capital and best practices to deploy those properly. -- the best thing you can do is use the money you have spent more wisely. >> thank you. just kind of quickly, more on a positive note, i am kind of a personal success story. when i graduated with my phd i was thinking about being a professor, and instead i started working with the intelligence community, who decided to fund a startup. they were great to work with early on, and to the congressman's point, i think there is a lot we can learn from the government.
4:34 am
issue, so i think when we are working with the startup ecosystem, funding that, allowing us access to the way that you think about the security and technology, i think will hugely help innovation. >> thank you, and i want to particularly note, mr. wood, you call it our fifth war fighting command, cyber. i am running out of my time. if we can get -- mr. clinton, the numbers and comparisons between private sector and public sector, and what we are spending and the quality, i think that is a helpful contrast in understanding. this is part of our defense and social media being used in the terrorism area, so i appreciate you putting a real emphasis on that. i now recognize mr. lipinski. mr. lipinski: so many things i
4:35 am
could talk about, and i got set into another direction with what the doctor had just said. good to see a stanford guy and a berkeley guy sit next to each other. i would ask the doctor, you had just mentioned there should be more done by the government to engage silicon valley entrepreneurs. what more could the federal government be doing right now in this area? >> i have actually been very positive about the actions the government has taken over the last two years. i have worked directly with government agencies, and continuing to fund efforts that engage with startups, understanding there is a high level of risk, i think is very beneficial. all of the work i have done in the last eight years has been based on my personal experience in the government, and funding from the government. i would just encourage you to
4:36 am
continue a lot of the work you are doing. mr. lipinski: is there anything that is not being done that you think should be done? >> the problem is, you are great on funding in the early stage, but when things get bigger it is difficult for startups to engage with the government. what happens, you do a great job getting these guys incubating and then we find out we cannot sell to the government, so we go ahead and sell to the private sector. one thing you could really help out with is get these guys incubated and provide them initial funding, but give them inroads to selling to the government, being a vendor to the government. we tried to engage the government and it was not until eight years later that we could do it in a viable way. having handholding of this procurement process would have
4:37 am
been hugely helpful. mr. lipinski: anyone else? >> one example is dhs, who has been active over the last few years. the project dod has established at moffett field across from silicon valley, trying to invest in startups to bring in some of their technology needs. i think we are seeing a lot more engagement over the last year. mr. lipinski: mr. wood? mr. wood: one of the things i have been encouraging the commonwealth of virginia to do is encourage much closer relationships between the university ecosystem and the business ecosystem, and to really promote research. i think that will help propel a lot of the startup activity that the gentlemen to my left are
4:38 am
both talking about, whether it is silicon valley or research triangle or the state of virginia, we need far more research than we currently have. the reason is, because when i talked about earlier the dollars being spent in the government and the commercial side, there is a real scarcity of resources in terms of cyber security professionals, so we need more tools being able to deal with the complex environment going forward, automation going forward to help deal with that scarcity of personnel resources. there are other things we can do as well, but i think the research would help us a lot from a cyber security perspective as a nation. mr. lipinski: i want to thank you for your work in stem education, and thank you for bringing up how important it is that human behavior is preventing so much
4:39 am
of this. i think you said nearly all of these attacks could have been avoided with better behavior, and i think that brings up the importance, and i want to talk about it here, of understanding human behavior and funding social science research into things like this. but the last thing i wanted to ask you was, you talked about insurance, and i'm very interested in how do we incentivize the private sector. is this something you think should be required, or do you just think this will develop over time? do you see a need for the government to provide insurance? mr. wood: the lawyers, at the
4:40 am
end of the day, will help corporations and other organizations to understand the legal liability associated with not taking the appropriate actions. mr. lipinski: have companies suffered that much when they have had these data breaches? mr. wood: i think they are. more board room calls are being made to our company than ever before. i think the very public retail breaches that have occurred are now heading into, not just the ceo's office but into the boardroom. i also believe the critical infrastructure industries we have out there that are already regulated feel the pressure associated with doing something, and that is why i think the insurance companies are doing what they are in terms of trying to promote cyber insurance. our feeling is if they can, if the corporations can provide evidence that they are doing what is appropriate from a risk management point of view, that
4:41 am
will result in two things, lower premiums to the corporation looking to get the insurance and secondly, a better legal defense to the extent that they are sued. mr. lipinski: yield back. mr. clinton: we are big fans of promoting cyber insurance. i do not think a requirement is appropriate. mr. lipinski: you have been promoting it for over a decade and it seems like it is not widespread? mr. clinton: in particular, the enormous risk that the insurers realize if there is a major catastrophe. we faced the same problem with crop insurance and flood insurance,
4:42 am
and there are systemic ways we can work with the federal government in order to address that problem. i would be happy to go into those, but i want to get into the specifics of the requirement piece. one of the things the federal government could do is require cyber insurance for your information systems in the same way that you require physical insurance when you build buildings and everything else. i think if the government did that, it would be a market leader. the other thing i wanted to point out, i think this is a widespread misnomer of the reality: when you look at the data of the economic impact of the high-profile breaches, it is not what you think. if you go back and look, six months after the sony attack, the stock price was up 30%. six months after target, the stock price was up about 26%. you will find there is an initial reduction and a bounce back, and i can explain why that is.
4:43 am
the smart guys on wall street say, i like the price point, price is down, buy opportunity. corporate boards are spending much more attention on this, but i think that has to do with the threat to their intellectual property, which is being vacuumed out and is a tremendous economic risk. mr. lipinski: they're concerned about their own, that is a suggestion. ms. comstock: we are going to have to move on. i would appreciate you submitting some more information on the insurance area. i think that would be very interesting. i now recognize mr. loudermilk. mr. loudermilk: thank you, madam chair.
4:44 am
a big supporter of cyber insurance, simply because of the standards that the insurance companies put up on these businesses. i sold my business a year ago, and was greatly relieved when i sold the business because while cyber security was on my mind 24 hours a day owning this small company and managing it, it was not on the minds of my customers. someone mentioned ebay; we had many instances where we put a secured network into place managing power distribution systems, and we engineered it. we put some of the products in that some of you guys represent: firewalls, gateways, content managers, bandwidth managers. then we would find out they would go and buy parts for these off of ebay that would come from somewhere overseas, and we do not know the firmware on it. i understand what is on their
4:45 am
mind, especially when you are dealing with small businesses, is small -- is bottom line. we are supposed to take care of that. we come forward and say, this is what we need to do to upgrade; we do not want to do that, do we have to? your network is still functioning but at a high amount of risk. that usually does not change their mindset, so having the sets of standards i think is important. those were brought up as risk-based management. we used to emphasize to our employees, the computer -- there are two types of computer users, those that have been hacked and those who do not know they have been hacked. we used to say to our customers, do not keep what you do not need. if you do not have it, you do not have to secure it. that really brings an issue that
4:46 am
i have great concern about here in the federal government, and that is with the midas system. according to news reports, it is storing information on americans who access the healthcare.gov website, not just those who got their health insurance but those who even shopped it. it is storing personally identifiable information of americans without their knowledge, in a data warehouse. considering what has happened to the federal government, the recent expansive data breaches, does it concern you that the federal government would be holding information on citizens without their knowledge, even for citizens who did not get their health care coverage through the system? am i justified in my concern over the risk of storing this data, especially data that is not needed? mr. wood: you are raising a
4:47 am
privacy perspective as well as a cyber security issue. at the risk of being a monday morning quarterback, which is what i would be doing if i were to reflect on the opm situation, the very unfortunate situation, because like all of you, i also received my letter that gave me the good news. i think in retrospect, had opm been using two factor authentication, had they been using encryption at rest, had they been using, had they had log files, we would've had a much different situation than perhaps we ended up having with opm. as it relates to the healthcare.gov situation, i do not know how they are storing the data to be able to reflect to you about what is appropriate.
4:48 am
but i think generally speaking, most people are a little nervous because those of us that are in the know are aware there is not enough resources being applied from a financial perspective to the i.t. security issue. it is not just at the federal level, it is at the state level as well. commercial corporations are taking the appropriate steps. i gave the example early on in my testimony about j.p. morgan chase. at that point when they were hacked they were spending about $250 million. after it went to the board, they looked at it and determined they had to increase substantially their spend to do a couple of things, buttress what they were doing from an i.t. security perspective, but the other thing was to raise the confidence of their customers. at the end of the day i would argue while their shareholder price has gone up over time, every corporation cares about
4:49 am
their customer data. mr. loudermilk: i would like to ask mr. clinton to respond to the same question, but mr. wood, part of mitigating your risk is not keeping data you do not need. would you agree that is a good practice, if you do not need data do not store it? mr. wood: yes. mr. loudermilk: thank you. ms. comstock: i recognize mr. beyer. mr. beyer: doctor, i'm fascinated by your testimony. this whole notion of unauthorized lateral movement, and your call for interior rooms, is this recognition built into
4:50 am
this cyber security framework? >> moving from just the perimeter security to the internal stuff. we are working with nist now, but i do not believe it is currently codified, so making it part of a standard would be greatly beneficial. mr. beyer: it sounds like an essential part of the cyber security framework. >> it is rapidly becoming a best practice. part of including it as a standard would be beneficial. mr. beyer: mr. snyder, you said we are well past the days when a password will be much more than a speed bump for an attacker. it is essential for any system to be secure. is this part of the cyber security framework that nist has developed? mr. snyder: i think it is best
4:51 am
practice but not codified directly into the framework. it is becoming an industry best practice. an example i would give, in the future there probably should not be passwords as a core element of how we access information because it is so eminently hackable. you can imagine yourself, you go back to work and check your e-mail. if you use a mobile device, there are already two to three authentication devices. it is having those kind of dynamic authentication we see in the future, and not a static password. mr. beyer: mr. wood, you wrote most eloquently that
4:52 am
businesses would prefer that the government impose the fewest possible requirements on them. we hear that every day. how many breaches will it take before it is recognized that allowing the private sector, especially critical infrastructure companies, to choose the path of least resistance might create a situation to put our citizens' information at risk and our national economy at risk? nist standards are purely voluntary. when do businesses come together to recognize that this really needs to be the mandate and standard across the country? mr. wood: earlier we were talking about insurance and the insurance industry, and why it hasn't adopted cyber insurance more quickly. there were no standards, no agreed-upon standard, until not that long ago. i think that ultimately, i look at the nist cyber security framework as a baseline. what these gentlemen are talking
4:53 am
about is in fact good points, and they are additive to the baseline. if we can all get to an agreement about what the baseline is and all adhere to it, at least we know the other person i'm dealing with is going to be able to evidence for me that i can do business with them because they are taking the appropriate steps. mr. beyer: we look at so many things that affect us and we have mandated it. the regulations have to be cost-effective. airbags in cars and five mile an hour bumpers and seatbelts; this may be, if it is a threat to our national and personal security, that we think about mandatory standards rather than voluntary, rather than relying on the threat of a lawyer's suit. mr. clinton: i would point out in my testimony i pointed to the fact that the federal
4:54 am
government, which basically does operate on the model that you are talking about, has standards they must comply with. when we evaluate them independently versus the private sector, the federal government comes out dead last. the reason is this is not airbags, this is not consumer product safety where there is some magic standard and we are set. the problem is not that the technology is below standard. the problem is that the technology is under attack. that is a different problem. we need to be forward-looking. if we had talked about mandating standards a couple of years ago, we would be talking about mandating firewalls and things like that that are basically obsolete, and a lot of our companies would be spending a lot of money complying. we need a different model. the digital age is much more forward-looking. that is why the obama administration and the house republican task force and the private sector all agree that
4:55 am
what we need is a forward-looking, incentive-based model and we need to get industries to understand it is in their best interest to be continually advancing security. they cannot be looking backward, they have to be looking forward. we can do this, but it is a completely different mindset. we have to understand in the digital age, the old model just is not going to work for this modern problem that includes nation-states attacking private companies. there is no minimum standard that will protect them. we need a different model and we think we can develop that. ms. comstock: i recognize chairman smith. mr. smith: let me direct a couple of questions to you, but let me describe this scenario first and ask you to comment. let's say a senior government official at an executive branch department approached your
4:56 am
company to set up a private e-mail account and server for conducting official and personal business. emails could include sensitive or classified information about national security. in addition, all e-mails would be on a server located in their private residence. cyber intrusions would be an obvious threat. information being transmitted on the private e-mail account could be a matter of national security. could this scenario unnecessarily expose classified information to being hacked? mr. wood: yes. mr. smith: how would your company respond to such a request? mr. wood: we would not do it, for the simple reason that you are exposing classified data in the open. at the end of the day, that
4:57 am
would not be prudent and also would be illegal. mr. smith: why illegal? mr. wood: the government requirement is that all official information be used through official means, meaning government facilities. ms. comstock: i recognize mr. tonko. mr. tonko: all of this hearing is not focused on research. i know mr. wood had addressed research as a component for growth in this region, in this area. the government plays an important role in supporting cutting edge research on all aspects of cyber security from prevention to protection to recovery. it is agencies such as the national science foundation, nist, and dhs, where we fund everything from research to
4:58 am
emerging technologies. all these federal investments are coordinated under long-standing networking r&d programs. mr. wood did raise the issue of research. are there recommendations that you, or any of our individuals that are testifying, any recommendations about federal agencies and how to set research priorities, and what major research gaps exist out there so that we can better partner in a more effective manner with research opportunity? mr. wood: i agree. i think the national labs are doing a tremendous amount of work around all kinds of things that, regrettably, many do not see the light of day ultimately. i think more can be done to make industry aware of what the national labs have to offer and
4:59 am
maybe provide a mechanism for industry to license some of those very critical research and development initiatives that may have one specific customer but could have an entire industry that it could help serve. that could do a couple things, provide potentially an income stream to the labs and government, and provide more innovation without having to spend a whole lot more dollars. mr. tonko: anyone else? mr. schneider: one area we are invested in is helping the people part of the equation. technology will be an important part of any, but clearly it is the people on top we have to make sure are adequately trained. one of the areas we have been highly invested in is simulation
5:00 am
mr. schneider: -- and respond to those. simulation platforms that take real world breaches and model those. this is an area on the dod side that is coming into the private sector and civilian agencies. there is a lot of potential for cooperation. mr. clinton? mr. clinton: i think we would strongly support the notion of the government doing research on the cost-effectiveness of this framework. i like to think it was our idea
5:01 am
, publishing material on this a number of years ago. it is supposed to be prioritized, cost-effective, and voluntary. if tested, we would be able to determine various elements of the framework. i think if we did cost-effectiveness studies, we could demonstrate what elements are most effective to varying sizes and sectors of industry. if you can demonstrate cost-effectiveness, you don't need mandates for it. companies will do what is cost-effective. you can't just say this is a great idea and congress will pass it. they will say, where are the numbers? if we did that kind of research, which is easy and inexpensive, i think we could get a lot of bang for the buck.
5:02 am
thank you. >> i think i've had a lot of experience getting research grants in the government, for my phd program. i've done a number of research grants. more flexibility in applying funding led to better research. i do think that it is great to fund certain areas. i don't think it is good to overconstrain the problems. rep. tonko: thank you. i yield back. ms. comstock: i recognize mr. lahood. rep. lahood: thank you for your
5:03 am
testimony. when we talk about cyber security and these breaches in the private sector or government, and whether we describe them as hackers or something more sophisticated, every time this is done in the private sector or to a government agency, would you describe that as criminal behavior? is that a violation of a state or federal statute in some respect? >> cyber security is a global phenomenon. as more infrastructure moves to cloud platforms, even where those assets are becomes
5:04 am
more of a challenge. the general answer is yes, but there is a lot of complexity to the global nature of cyber security. rep. lahood: if we look at traditionally when there is criminal behavior that is engaged in, eventually somebody is held accountable or responsible, a prosecution, a legal process that happens. i guess the question to you is, are you aware of a successful prosecution where someone is held accountable? it seems like there are no consequences for anybody engaged in this activity. mr. clinton: i think you put your finger on what i think is one of the number one problems in this space. i would answer that it absolutely should be criminal, and in many instances is criminal, but as mr. schneider points out, it is not in certain places, so we need to be
5:05 am
dramatically increasing our law enforcement capabilities. my testimony notes that we are successfully prosecuting 1% of cyber criminals. there is no viable deterrent on the criminal side. we need to be working aggressively with our international community to create an appropriate legal structure. we don't have it. we are operating in an analog world with cyber attacks, and the tempo is unsustainable. rep. lahood: is there anybody leading the way on that internationally or here domestically? where are we at with that process? mr. clinton: we are not doing nearly enough. there are people who will give a speech here and there, and again i will not point fingers at law enforcement. they are under resourced.
5:06 am
we need leadership from congress to demonstrate that this is a priority and we are going to fight it much more aggressively. rep. lahood: thank you. mr. wood. mr. wood: thank you. the issue from a law-enforcement perspective is, as mr. clinton pointed out, it requires global cooperation, but then the standards of prosecution also have to be the same, so in other words a standard of prosecution at the federal level may actually be different than at the commonwealth level, which may be different than in paris, so i think there needs to be agreement as to what the standards are of prosecution as well. rep. lahood: why are we waiting around for that? it seems there should be some standards to do that, and it doesn't sound like there is a framework in place to address that. mr. wood: we did an analysis in the commonwealth on that
5:07 am
point. i don't know why. even within the state, they are different for prosecution. rep. lahood: can you point to me in the commonwealth of virginia where there has been a successful prosecution? mr. wood: we just changed the laws in the last six months, and i would have to refer to law enforcement to let you know. rep. lahood: thank you. i yield back. mr. schneider: there are a number of great examples between law enforcement and the private sector. i can give you a number of them. a fraud botnet was taken down by a public-private partnership. companies and the fbi brought down that botnet. this was the botnet propagating things like cryptolocker,
5:08 am
extorting you to get information back. so there are some successful examples, but to your point, a much more consistent global approach is needed. rep. lahood: were there actual individuals held accountable? mr. schneider: there was a particular individual in eastern europe that was prosecuted and imprisoned. rep. lahood: in the united states? mr. schneider: no, in europe. >> thank you for holding this hearing. it is an important issue where there is a lot of room for bipartisan cooperation. the technology always changes so much faster than policy changes. that being said, i look forward to working with all my colleagues and continuing to raise awareness about this important issue and also come up with something that not only addresses
5:09 am
the issue, but prevents it. this is not just a federal issue as some of my colleagues might have suggested. look at anthem blue cross, millions of people here, and most people when they think about identity theft think about the financial consequences. with medical identity, if someone gets a procedure and prescription entered into the electronic health records, there are health risks involved as well. it is no surprise that most people don't review their benefit statements, like most people don't review their credit card statements that might alert them to something. i want to follow up on something about the psychological aspect and ask you, mr. snyder, in your testimony you say like the lion
5:10 am
in the wild who stalks a waterhole for prey, most of these attacks rely on social engineering, trying to trick people into doing something they would never do if fully cognizant of their actions. the most successful attacks are as much psychology as they are technology. the vision of a lion waiting, maybe that will stop me from clicking on things that i should not click on. can you talk about whether we need to fund more behavioral or social science research? are we adequately addressing that psychological aspect?
5:11 am
mr. snyder: mr. casado brought this issue up as well, that we have to do more. social engineering will always be part of the system because we are fallible. we have to help to secure our own information as well as our company or agency information. some of the examples i would give you are in the training area. we have talked about helping all of us to think more about security, but secondarily, security architecture underneath makes it much harder for the attackers to get the information we care most about. all the world's information is not created equal. medical health records or financial records are much more
5:12 am
important than the lunch menu we will look at today, so it has to be a granular approach to information protection, identifying sensitive information, and putting more security investment around those kinds of assets rather than the generic assets out there. mr. casado: i'm 39 years old, and when i was 37 years old i got an e-mail from my sister on my birthday. there was a picture of us as kids, really sweet, a link and so forth. the first thing i thought was, this is so sweet. my sister has never remembered my birthday before. then i thought, my sister has never remembered my birthday before. then i looked at the mail header, and it came from russia. it's now on record. [laughter]
5:13 am
mr. casado: if either of these weren't true, i would have clicked on that link and infected my computer. it is important to do passwords, but a determined attacker will find a way in. they got these pictures off of facebook, not hard to do, two hours of work to send me that e-mail. i think -- >> i'm almost out of time. i serve on the educational workforce committee. how are we doing in terms of educating the next generation of workers to make sure we are getting a step ahead? mr. casado: core education around security, mr. wood was very clear. there are technical implements we need to put in place, because a breach will happen. a determined adversary will get in.
5:14 am
we need a zero-trust type model. >> there is a huge gap of security professionals in the country today. creating educational programs to allow students to choose careers in cyber security is important as well. >> i recognize mr. palmer. rep. palmer: i'm happy to report for the record that my sister does remember my birthday, but my brothers do not. you can have the best technology in the world, you can have great training, but if employees are negligent, you are still exposing yourself, and i bring this up in the context of an article in the wall street journal back on june 9, and it
5:15 am
pointed to the fact that the ice agency sent a memo to employees in 2011 because they had seen an uptick in cyber attacks related to employees using the federal website, their mail server, to access personal websites or personal e-mail. unfortunately, the labor union filed a grievance and prevented them from doing that, and that's apparently where one of the breaches occurred. my question is, and this would be both for corporations and the federal government, does it make sense to prevent employees, either in the private sector or in the government sector, from using their company servers or federal servers to access personal information, their personal websites, e-mails?
5:16 am
>> it seems to me that i.t. goes through these phases, mainframes, then a bunch of computers, now expanding again, mobile, iphones, clouds. i think it is unrealistic from a day-to-day perspective that people aren't accessing outside information. every time i travel, i am constantly connected no matter where i go, so i think we need to assume that this information will be accessed no matter where they are or what capacity we are running under. >> mr. clinton? mr. clinton: i agree with the comments with respect to millennials. if you adopt that type of workforce policy, you will not have much of a workforce left to deal with. we are doing some things in the private
5:17 am
sector. one thing we're trying to do is move out of this i.t.-centric notion of cyber security, for example involve human resources departments, and what we are advocating, and we're seeing success with that, is integrating good cyber security policy into the employee evaluation system, so if you have downloaded things you should not have been downloading, you are less likely to get that step-up increase or bonus at the end of the year. we have to make this part of the overall process. there are other things we can do, such as having separate equipment so that people can access their personal information without using the corporate system. if we are a little bit more inventive and use that incentive model, we will probably have more success. >> that's a great point. you could have a separate environment where people could
5:18 am
do that if they have to use it. if you had been a federal employee and opened that e-mail from your sister through the federal mainframe, would that have potentially infected -- your computer? mr. casado: i had four computers, very comfortable and secure environments. if you want to be competitive, you have to assume your employees would be fully connected at all times. >> can you create a separate environment? mr. casado: not without additional operational overhead. >> mr. wood, you would like to comment. mr. wood: i would like to follow up on what dr. casado said. as the use of the internet increases and the internet of things becomes more prolific, everything has an ip address, so where do you draw the line?
5:19 am
i would almost prefer that people use my infrastructure, because i know what we do from a security perspective. i don't know what they do from a security perspective. i think there are good arguments on both sides for separation. i would rather have them on my infrastructure because i know what we do. i think the approach that makes sense is to understand and protect the information and the identities of the folks who are trying to access it, and that's what we are seeing in security over the last five or less years, the move to not just protecting systems and networks, but understanding the information and putting the right kinds of protection around them. >> my time has expired. i want to thank our witnesses for the clarity of your answers. thank you, madam chairman. i yield back. rep. swalwell: thank you, madam chairman. i want to thank each member of
5:20 am
the panel for their service. i want to highlight the fact that you graduated from stanford. i know you have been working on this issue. your solution for cyber security is to wall off segments of one's network in order to prevent cyber intruders from gaining access to particularly sensitive information. such approaches are already the gold standard for industry, and need to be the gold standard across government. how much time and resources would it take for the government to do this? mr. casado: that's a great question. the technology has evolved enough to do this without corruption. for an extremely secure environment, an extremely sensitive
5:21 am
environment, we can retrofit things. we now have software-based solutions. it is one of the fastest growing sectors of the enterprise software space. it is not only practical, but we have enough experience over the last couple of years to see adoption. i think this stuff is absolutely worth retrofitting. >> for all the witnesses, following up on mr. lahood's question, i too am frustrated that it seems individuals are able to attack networks and individuals with relatively little punishment, and i understand the ones originating in russia, ukraine, or state actors. for non-state actors, what could we do internationally to maybe have an accord or an agreement
5:22 am
where we could make sure that we bring people to justice? i asked a high-ranking cyber security official in one of our laboratories, naïvely, i guess, are we going after these individuals? the person kind of laughed, not being rude, but just saying that we are not going after them. we are just trying to defend against what they are doing. i agree with mr. lahood, until people start paying a stiff price, i don't know if this will change. putting together a case like this is very difficult, the chain of evidence, proving whose fingertips were touching the keys to carry out an attack can be difficult, but what can we do internationally? mr. wood? mr. wood: thank you for your
5:23 am
question. right after september 11, i was sitting in a meeting with a large number of information security professionals from within the intelligence community. the question was posed in the auditorium where there were about 250 people, when are we going to start sharing information. the answer came back from one senior person, in 50 years. another answer came back from another person, not in my lifetime. it was very disappointing to say the least. now you roll forward 15 years and look at where the intelligence community, at least in my opinion, is today, and it is not like that at all. today, i see the intelligence community sharing information in a way that they have never shared before. a change in culture is occurring,
5:24 am
a way to work together that did not happen before. on the cyber security commission in the commonwealth of virginia, we worked closely with dhs, fbi, state police, and they worked closely with interpol and others. there is cooperation i have not seen in a long time. we need resources and funding associated with prosecuting, number one, and number two, having a common level of standards of what can be prosecuted and what not. >> thank you. i yield back. >> i now recognize mr. westerman. rep. westerman: thank you. i would like to commend the panel for their testimony today, and the zeal with which you have been working in cyber security. i think it is the war of the
5:25 am
future we are fighting here in cyber security. i am from arkansas. mr. clinton, do you have any arkansas ties? just out of curiosity. [laughter] mr. clinton: [inaudible] rep. westerman: ok. i have a 20-year-old college student and had a fascinating conversation over christmas, talking about how millennials are always connected, and he was telling me that that is a huge consideration where you take a job now, what the connectivity speed is. it wasn't something we
5:26 am
considered when i was getting out of college, but it played a big part in where they would go to work and where they would eventually live, so i know we are in this connected world now. on the question, he was talking about being on offense. from the technology side, or is it all defensive, are there ways to combat hackers before they make their attack? >> one is around things like honeypots, giving them a pathway that looks like a legitimate part of your infrastructure, and you're able to study what they're doing at the same time. there are things like shock absorbers, the harder they hit
5:27 am
you with traffic, the more you slow them down. there are defensive and proactive defensive measures that don't go directly after the attackers that are in place today, and they are very successful within the enterprise. >> may i? i would like to build off this point into having a better understanding of the multi-faceted nature of the cyber problem. for example, one of the technological mechanisms that we use in the private sector is we understand that the bad guys are going to probably get in, a determined attacker will pierce your system, but we actually have more control over the bad guys when they are in the network than outside the network. you are basically dealing with theft, so they have to get in the network and get back out.
5:28 am
if we block the outbound traffic, rather than blocking the inbound traffic, we can solve a cyber breach problem. they can look at the data, but not use it at all. if you're looking at this from a national security perspective, the attacker may be interested in disruption or destruction, they don't have to get back outside the network. so we need to understand that we are dealing with multiple cyber problems, some of which are national security, defense-critical infrastructure, making sure the grid does not go down, and we need a different strategy with regards to that than the criminal problem. if we have a more sophisticated policy in this regard, i think we will make more progress. >> just to briefly follow up on that, as far as developing new workers for the cyber
5:29 am
security workforce. are your companies seeing a workforce shortage? do you see a lot of growth for the future in that? mr. wood? mr. wood: we do see an enormous shortfall of cyber security professionals. in virginia alone, the state government has announced that we have 17,000 unfilled cyber security positions in the commonwealth of virginia. if i might go back to your other question, if you don't mind, about offenses? it is near and dear to my heart. if someone were to come to my house uninvited and either hurt my children or my wife or take my stuff, i have the right to defend myself, but if somebody were to come into my corporate house and virtually take my stuff, whether it be intellectual property or
5:30 am
customer data or whatever it might be or financial information, whatever it might be, we need the ability to defend ourselves, particularly if we don't have -- if our cyber command is -- >> i'm out of time, but i would close and promote all members to develop a new workforce for cyber security and other areas. >> i will join you in plugging that. i know it is on our website. i think the date is generally 15, when things are due. >> unless you extended. >> [laughter] i will now recognize mr.
5:31 am
abraham. >> thank you for having this great hearing. i want to thank the witnesses. i have a direct question. that is a novel idea -- kudos to you for addressing that. with other companies or government officials -- this last cyber security bill that we passed last month, did that help or hurt? >> i think that was a good bill. we endorsed the bill. we support the bill completely. the most important thing, however, is that that is not the best cyber security bill. it is a very good tool to have
5:32 am
in the toolbox, but nowhere near sufficient. >> we need to do more? >> absolutely. >> give me your top three recommendations. bullet points for new legislation. >> we would like to see a program that would include things like stimulating the cyber insurance market, providing some benefits for businesses, streamlining, so that we have an opportunity to reward entities that are doing a good job in cyber security, as we do in other sectors of the economy. a lot of the things that i refer to in my testimony are things we
5:33 am
already do in aviation, ground transport; we simply have not applied these programs to the cyber security issue. if we did that, i think we could do more. the third thing, i think we need to have a more innovative workforce development program. we have talked here about the fact that we are always connected now. we all know this. the slogan that dhs uses for its workforce education program is -- stop, think, connect. no millennial stops and thinks before they connect. we need to be leveraging espn and reaching the millions of young people who are interested in gaming, and use that popular spot as a bridge to get them interested in cyber
5:34 am
security. we need to be much more aggressive in this space. they are doing other things in other countries. we need to take a page from that. we would like to see -- i'm not kidding -- an education program for senior government officials, just like you guys, lots of things they have to do, demands on their time. we found that when we actually educated them about cyber security, we got better policy, better investment, better risk management. we need that on the public side, just as we do on the private side. >> for many years in the cyber security industry, we have been sharing information. some of the keys are anonymizing and sharing it in a safe way. if we are taking information that is specific to a certain
5:35 am
set of industries or customers to try to gain security knowledge, but not put any of that information at risk -- that is something that has been happening for years and has been an important element. i yield back. >> i will now recognize mr. holton for five minutes. >> i know a lot has already been asked and answered. my turn. thank you. i do think this is so important and i think the american people are waking up and feeling some of that fear, and wanting to know the right thing to do. we always want to hear from you, how we can inform our own constituents about wise decisions along with our friends, family, and staff.
5:36 am
so much of our society, our financial system is based on consumer confidence. if there is a feeling that this is not safe, or whatever it is, i think we're going to lose the benefits that much of this technology has. i do want to talk briefly, or ask you your thoughts. we have talked about what government can do better. certainly the private sector is ahead of us in so many areas. we also appreciate your response. for us to say this is like an airbag problem, it is not, it is completely different. it is really this framework, i think, of a way of thinking. the question i would have is, with the impediments that government is putting up to your business or other businesses from new
5:37 am
innovation, what would you say may be the greatest impediment that you feel from government, from your business innovating. is there something that has been a hurdle that you have had to overcome? >> this is going to be an indirect answer to your question. working with government on the recruitment side -- procurement side, one thing that is difficult is budgeting. the working capital does not allow them to move as quickly as possible. more flexibility in budgeting would help them, and certainly help us to introduce new technologies into the government. >> two things. we really need to move away from the blame-the-victim attitude that they have,
5:38 am
particularly at some of the independent agencies. as we have articulated here, and i think it is fairly common knowledge in congress, the determined attacker will get in. the fact that you are subject to a breach is not evidence of malfeasance. there may be incidences of malfeasance; the breach per se is not one of them. we need to move beyond that notion. second, the government really needs to get its act together with respect to cyber security. you are right. cyber security is real hot now. every locality is coming up with their own cyber security program.
5:39 am
when you try to do these things, you are faced with multiple different compliance regimes, trying to do essentially the same thing. we are in favor of this framework, but let's have one, and make sure we are all working in the same direction. as we also pointed out, we do not have adequate resources. frankly, one of the big problems that my companies are telling us is they are spending all their time on compliance, which means they don't have time to spend on security. one company was following a legitimate best practice, testing their system every quarter to make sure it was not being invaded, and they had to decrease annual testing 70 -- 75% due to over regulation. we need to streamline that
5:40 am
process, have a good process. >> if you both can speak on this, then i will be finished. >> what i would double-click on again is education. there is a huge gap in the cyber security professions available. it is not just universities. it is primary education. it is getting the boys and girls in high school today -- really focusing in on girls as well -- to focus on careers in cyber security, and the skill sets that go along with that. >> i would echo a comment. the verizon breach report focuses on how 94% roughly of those hacks could have been avoided. then, you have to focus on the other 8%, which is a lot harder. we have the tools, the
5:41 am
standards, the approach. the second point is something that we can indeed get behind. it is a baseline. the third thing and the last thing is compliance and mission are not mutually exclusive. you can make compliance work. it has to be automated and invisible to the guy who owns the mission so it does not inhibit the ability to get the mission done. >> i'm over time. thank you. >> thank you. i thank the witnesses for the very valuable testimony and the members for their questions. i think we have got a lot of assignments for today, and new issues and areas that we need to explore further. i would like to invite you all to keep an open dialogue with us, and don't wait for us to call. provide us with any additional information, on the issues going
5:42 am
on. this will be -- we have an exponentially growing problem. we have a cyber war being waged against us. it is a little bit like post 9/11. we definitely have bad actors on many fronts, and we need to respond in kind, and have it reflected in our budget, and also our responsiveness of how we plan. i think we all agree, and we all understand that no matter what we do, in this exponentially increasing information world, we will have breaches. it was like talking to someone when i was out in las
5:43 am
vegas, it is like, us, we never get sick. in the world that we live in, there will be breaches. what systems do we have in place that will identify them? i thank you for the challenges you put before us. the record will remain open for two weeks for additional comments and questions from the members. if there are questions that we did not get an opportunity, or for people who are not here -- i thank the witnesses very much. the hearing is adjourned. [captions copyright national cable satellite corp. 2015] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org]
5:44 am
>> a former member of the national security council will be part of a discussion on escalating tensions between iran and saudi arabia after the execution of a shiite cleric by the saudi government. we will have live coverage from the hudson institute at noon eastern. over on c-span 2, a look at the tactics that businesses use to try to silence critical online reviews. secretary of state john kerry laying out the obama administration's foreign-policy agenda for 2016. he also talks about the 10 u.s.
5:45 am
servicemembers who were released by iranian authorities this week. this event was held at the national defense university. [applause] mr. kerry: thank you, thank you very much, major general -- [inaudible] -- all with great distinction. and it's a privilege to be at ndu. i'm also honored that the secretary of the air force is here. thank you very much for being part of this. before i begin, i want to underscore how pleased i am that our sailors were safely returned into united states hands this morning. [applause]
5:46 am
as a former sailor myself, as the general mentioned, i know as well as anybody how important our naval presence is around the world. and certainly in the gulf region. and i could not be, and i know the president could not be, prouder of our men and women in uniform. i also want to thank the iranian authorities for their cooperation and quick response. these situations have an ability, if not properly guided, to get out of control. and i'm appreciative for the quick and appropriate response of the iranian authorities. all indications suggest or tell us that our sailors were well taken care of, provided with
5:47 am
blankets and food and assisted with their return to the fleet earlier today. and i think we can all imagine how a similar situation might have played out 3-4 years ago. in fact, it is clear that today this kind of issue was able to be peacefully resolved, and that is a testament to the critical role that diplomacy plays in keeping our country safe, secure and strong. and that is really at the core of what i am here to talk about today. as all of you know, yesterday president obama delivered his final state of the union address. and i might add from my part, with nearly 29 years in the united states senate, i have been attending state of the union messages since 1985.
5:48 am
ronald reagan was my first. so, it was my last too. the president's agenda for 2016, it is clear from the speech he gave last night, is bold and ambitious. and i think that is particularly true when it comes to foreign policy. the reason for that is simple. in this extraordinarily complicated time, the demand for united states leadership, the demand for leadership everywhere, but the demand particularly for leadership from what the president appropriately called the most powerful nation in the world, is as high as it has ever been. and we understand that. and we accept that responsibility willingly. that is why the united states will remain more engaged and in more places around the world than at any other time in history.
5:49 am
the president's primary responsibility, as all of you know, is and always has been to protect the people of our country, protect the american people. he underscored that again last night. and i know that each of you here can relate to that because n.d.u.'s mission is to educate, develop and inspire national security leaders. not all of them from our country. but to inspire national security leaders. and many of you here today have already contributed significantly to our nation's security and safety, including some of you on the front lines of battle. and we are grateful, very grateful, for that. the goal of keeping our country safe for american officials, but i know i'm talking to visiting officers from various parts of the world, the goal for all of you with respect to your own countries and at the core of everybody's foreign policy is to
5:50 am
have a strategy that most effectively represents the interests and values of your nation. that is our goal. certainly a big part of achieving that is addressing the immediate crises of the day. and believe me, they arise suddenly and without anticipation. i was yesterday sitting with secretary of defense carter to my left and with the secretary of foreign affairs and of defense from the philippines to our right, when we got a message regarding our two vessels in the gulf and the fact that they were at farsi island. so, things can change in a nanosecond. as we plan for the coming year, we are focused on looking for long-term solutions. not the crises of the day. but on finding a way to lay the groundwork for security and stability for decades to come.
