Skip to main content

tv   Key Capitol Hill Hearings  CSPAN  August 6, 2015 7:00pm-9:01pm EDT

7:00 pm
likely doing business. so i think the short answer is do they -- there's no clear answer to that. but that factor is enough to make it that big businesses that are responsible are not going to touch it. >> when you start talking about extra territorial aggressive defense, that's a loser from the point go. if you do not have proper legal authority, i think it's a disaster. mainly because in a stand your ground circumstance, you're dealing with a personal threat to your life in the way the law is written it has to fit that criteria. this you would never make that legal argument here, number one. and number two, again when you go -- when you decide your going to breach territorial jurisdiction and go after someone, you have opened up a can of worms of which is well beyond the scope of your threat. and that's where i think we have to -- and our policy is not there. we don't even in the united states have a good offensive
7:01 pm
policy. it was emerrill rogers not that long ago said just as much as that, that we don't have a good cyber offensive policy. we talked about it ad infinitum in classified settings for the entire ten years i was on the intelligence community and we could never get consensus to move to the next place on what that cyber offensive is. and by the way just as a personal note i just saw that the administration says they're going to make china pay for the consequence of the opm hack. i can't wait. i cannot wait to see what the heck that thing is. and candidly i'm not too excited about what it's going to be. we haven't crossed that threshold to bring everybody in a room and try to work through this problem. i would -- long answer to your question, but i don't believe they have the right to go extraterritorial to protect what they perceive to be a threat at that point. >> that's fantastic. thank you, thank you so much. we can get a hand for the speakers.
7:02 pm
that's just great. you can see how we can make many hours speaking about that. but we'll roll into the next panel. capabilities needs to protect and defend in a cyber enabled economics world. so this played perfectly into that. thank you, thank you.
7:03 pm
we want to get you out in a relatively timely fashion. if we can ask you all to reclaim your seat or somebody else's. so while we're getting our seats, before i turn it over to the panelists for this discussion, i want to read a very short paragraph. there's an intellectual no man's land where military and political problems meet. we have no tradition of systematic study in this area and thus few intensity prepared experts. the military profession has
7:04 pm
traditionally depreciated the importance of strategy where politics are important as compared with tactics. now we're faced with novel and baffling problems to which we try to adapt certain ready-made strategic ideas inherited from the past. if we examine the origin and development of these ideas, we may be better able to judge whether they actually fit the present and future. so this was written in 1959 by bernard brody in his treaty strategy in the missile age. and it is a prescient piece. i recommend it to all. his calls for new ideas and scholarship to deal with the atomic age help the u.s. create the doctrine and capabilities that guided us for the last half century at least. but i would add to brody's assessment that there's an intellectual no man's land where political, military and economic problems meet, and that we have no tradition of systematic study in this area. so within our monograph and in earlier seminars i've turned to
7:05 pm
earlier work that i and others did on the nuke la kill chain and thought about it's applicability to this cyber economic warfare. and there aren't any vast dirnss, namely the hurdle for development, acquisition in use and also what i call in one of the previous panels somewhat referenced it, the could we be in a war and not notice metric. i think it would be hard to ignore the use of a nuclear weapon but as we heard in our last panel we're fully engaged in a cyber enabled economic world. so the kill chain of needed capability so to speak may have to be thought about differently but nonetheless it's basic elements, intelligence in warning, deterrence, detection, forensics, interdiction, battle management, consequent management and recovery serve as a useful way to gauge our current capabilities and create the doctrine and technologies that we need going forward.
7:06 pm
so at this point i want to welcome our three amazingly talented individuals that will talk about the nexus of policy and technological developments. the first is mark dubwits who is from the defense of democracies where he leads projects on iran sanctions and nonprolive igs ap about he's an expert on sanctions and has testified before congress and advised the u.s. administration, congress and numerous foreign governments on iran and the sanctions issues. he heads the foundation ftd center on sanctions and illicit finance and is the co-author of a dozen studies on economic sanctions against iran. mark, off to you. >> great. sam, thank you very much. first of all, sam, i hope you will keep me to my five minutes so maybe give me a nudge if i'm over five minutes. i'll try to make my remarks short. i want to thank sam very much for involving me in this project. a fascinating project, amazing people to be involved in.
7:07 pm
ken, thank you very much for hosting this and allowing fdd to co-host this. and i want to pay special note to the young woman who co-authored this report with me, annie fixherler who is based in new york about who is the next generation of economic warriors. i know juan knows her very well, samantha knows her very well and satisfying to the three of us that when we're all playing golf in our retirement someone like annie will be continuing the fight. let me talk a little bit about the paper that we wrote together. and i want to put us in context. the paper is called cyber enabled swift warfare. we call it swift warfare because the case study that we dealt with as part of the analysis is the swift financial messaging system. which is global standard if i want to wire money to juan my citibank has swift codes and juan's account at chase manhattan has swift koesd and it's the way our two financial
7:08 pm
institutions talk to each other so i can wire money to juan, which i do often. >> thank you. >> no, no absolutely. so the key -- looking at swift was swift really was the high point of the u.s. government's economic warfare campaign against iran. and it reminds me that there was a point in time where we actually engaged in economic warfare against irpaniran. this is coming at a very troubling moment for me having spent time working on iran to see the u.s. government dismantle the entire sanctions infrastructure that we put in place in pursuit of this nuclear deal, but that's the topic for another panel. but certainly for a period of time as david sanger explained in "the new york times," the u.s. treasury department where juan worked and under juan's leadership and stewart levy and david cohen and adam zubin, the u.s. treasury department was described as president obama's favorite noncombatant command.
7:09 pm
and for good reason. it had become the locus for economic warfare against the iranian regime. really it was a decade of escalatory measures that began under president bush, the designation of key iranian banks and revolutionary guard entities and it actually culminated in the passage of sanctions legislation by congress, congressman rogers certainly played a key role in that. and it really was -- it was fascinating because as these sanctions escalated, you saw over time a dramatic impact on iranian decision-making. some of the key events along the way included the u.s. treasury departments a usa patriot act 311. it was a finding that the entire jurisdiction of iran was a jurisdictional primary money laundering concern. it was legislation passed by senators menendez and kirk which designated the central bank of iran as the key pillar of that jurisdiction of money laundering
7:10 pm
concern. then in 2012, again congress over the objections of the administration and the europeans actually passed legislation threatening sanctions against the board of directors of swift. and that legislation encouraged the europeans and eventually swift to expel dozens of iranian banks through the swift system. was first time that there was a wholesale deswifting of a country's financial institutions and it cut off iran from the global financial system made it impossible for the iranians through the formal system to move money to finance trade to repatriate their foreign exchange earnings. now, it was certainly a tool of very effective coercion. but it was something that our adversaries have learned from. and i would note that when it comes to swift, we see calls from u.s. congress from the british government, in fact from pro-palestinian organizations to use swift again
7:11 pm
as this ultimate instrument of economic coercion. and in fact, last year the organizations asked swift to de-swift israeli banks particularly those banks that had branchs in the disputed territories. the british government asked for swift to deswift russian banks and that led to a response from the head of one of largest russia's bank who said that deswifting of the bank would be an act of war, an act of economic war. we've seen our adversaries try to take our playbook on iran and use it in other ways. in russia, the russians are using economic warfare against our allies in central europe and eastern europe. there they're using energy warfare. the dependence that our european allies have on russian natural gas, example. there's been a whole series of measures, both offensive against russia because of its annexation of crimea and invasion of eastern ukraine but also
7:12 pm
retaliatory measures by the russians against our allies and against the united states leading to the need for defensive measures. if you move to the asia pacific region, the chinese have used economic warfare and political warfare against taiwan, for example, for years to persuade the international community that taiwan should not be recognized as an independent state. the chinese cut off the export of rare earth minerals for a couple of months when there was a dispute with the japanese. and those rare earth minerals were very important actually critical to key industries of the japanese economy. in the south china sea there have been significant territorial disputes between china and the philippines and vietnam and japan and other countries and the chinese have matched their naval maneuvers with economic coercion. what you're seeing essentially is our adversaries learning from us that the power of economic warfare, the power of economic coercion as a dominant
7:13 pm
instrument of statecraft. the united states and certainly our allies in the middle east in asia and europe are lucky because the united states still remains the dominant global financial superpower. 81% i think it is of global transactions are done in the u.s. dollar. 60% of foreign exchange reserves are held in the u.s. dollar. 45% of global financial transactions are done in the u.s. dollar. because of the u.s. dollar's dominant position in the global financial system we still wield tremendous power. but make no mistake, that is changing. and it's changing in some fundamental ways. the russians and the chinese for example, are creating an alternative to the swift financial messaging system. it's in a nascent form right now. hard to track that support that swift has today with 10,financial snooss using the system. but over time it may erode the global dominant position of
7:14 pm
swift. the chinese have a combination credit card interact card which is a available in a hundred plus countries around the world. it has a market position that represents 45% of the total number of cards in global circulation. and something like 25 to 30% of the total transactional value. it's quite extraordinary. for the chinese it's useful and for the russians because it's moved from new york. the chinese moved in and offered this card to russian banks who could then offer an interact card and a global credit card delinked from new york and therefore not susceptible to our sanctions. the chinese have set up the bank which an alternative bank for infrastructure financing which has attracted global support including from most u.s. allies. as a final example -- and there are many others -- the chinese
7:15 pm
have gone to the imf and asked that the -- something called the sdrs which were special drawing rights which would represent a global asset, a foreign exchange asset, that asset is linked to a basket of currencies including the u.s. dollar and the chinese yuan. the chinese have been pressuring the imf to actually change the allocation the percentage allocation in that basket so that the yuan is more lilye ly highly represented. this these are examples of how the chinese want to erode our financial dominance. we may create a system that diminishes the power of the u.s. dollar. let me end on this. with this specific recommendations. annie and i conducted a lot of interviews with folks in the u.s. government, a lot of former treasury officials, state officials, people in europe and asia because what we really wanted to find out was what kind of defensive measures were we actually taking?
7:16 pm
we'd been very good on the offense, but how good on the defense? and what we discovered particularly in the u.s. there hasn't been as much thinking about defensive economic warfare, how do we create a defensive shield to protect the u.s. and the allies from the use of offensive weapons from the iranian iranians, the russians, chinese and others against our closest allies? and you'll see in the monograph came out with some specific recommendations. but specific recommendations within the u.s. government changes, institutional changes within the interagency, the idea of creating an office of policy planning at the u.s. treasury department. the state has an office of policy planning. our recommendation is the treasury department should have an office of policy planning where they're really thinking about these kinds of defensive measures and they have the time unlike our friends at treasury who are drinking from a firehose every day to think through what kind of specific measures we can put in place to defend the united states and our allies.
7:17 pm
number two was actually standing up economic warfare director at the nsc. our sense from the nsc was folks had strong planning on the economic side, they understand market, they understand financial markets, but the idea of having people at the nsc who understand sanctions and elicit finance and the use of economic warfare would be useful. three was actually establishing a doctrine on the use of economic warfare. we have doctrines from the nuclear age, about missile defense and a new cyber doctrine that folks have spoken about. an economic warfare doctrine would be useful. how should we be using this offensively and defensively and then maybe a controversial recommendation. but the idea of setting up ab economic warfare command. we have commands in the u.s. government. most of them are in the pentagon. but this would be an economic warfare command that would draw the best and the brightest and the necessary resources against
7:18 pm
the interagency. our recommendation was to locate it at treasury. i'm sure there will be a lot of debates about that. but those four specific recommendations on both doctrine and on institutional changes so we can actually protect our allies against the use of economic coercion. i'll finally end with this. israel's been an interesting example because the boycott difbestment of sanctions movement against israel suggests that we're seeing the canary in the coal mine. we're seeing that here is a small democracy liberal democracy, an ally of the united states where all of a sudden economic warfare is being used against israel in order to achieve political objectives of those who oppose israel's position in the territories. whatever position you take on the territories whatever position you take on these regional disputes, my assessment my conclusion is we should be protecting our allies with cyber defenses ballistic missile defenses military defenses and economic warfare defenses regardless of our
7:19 pm
assessment of who is right with respect to a regional dispute. this is the canary in the coal mine. as terrorism once came to our shores, economic warfare will one day come to our shores. we have to start thinking through the kinds of methodologies, doctrines and institutional changes to create that economic defensive shield. >> that's great. the only thing i would take issue with is economic warfare has reached our shores and i think mark and andy would agree. and in their chapter, they really do kind of delve down into, look, all right, if we're going to be serious about this then let's be serious. what does that mean in terms of organizational changes that may be necessary in the u.s. government. but our next two speakers focus on where really the rubber meets the road in terms of the technologies that are going to be needed. how we think about that. because ultimately, you know, we're going to have to be able to back up our words of deterrence with our
7:20 pm
technologies. and the first speaker is dr. michael she can who is a program manager in the innovation office at darpa, which for those who may not know is the defense advanced research project agency. his focus is on quantitative and cryptographic techniques for establishing big data and software. previously a research scientist and a scientific consultant at booze allen hamilton. and he holds a ph.d. in chemistry from princeton. >> first of all, thanks sam. i think i speak for mark as well, too, when i say that those of us who work on the technology side of the house found this to be a very useful and fun exercise to think about the broader context in which a lot of our work lives. as a prepare tory remark, i should say that all the opinions i express today since i'm still in government, are my own and not those of darpa or of the u.s. government.
7:21 pm
i'll start on a slightly downbeat note. today you can barely turn on your news browser without seeing a fresh story about another u.s. firm being a victim of intellectual property theft. what's vexing is that there does not seem to be a clear path out of this very bad equilibrium. the purpose of my article in the monograph is to hopefully provide some new thinking that may help us out of this state. one is taking a historical perspective as a timeless instrument of competition between nation states. and number two, a scientific perspective on technologies that can potentially help us flip the script on the economic spies and i.p. pirates that are targeting our industries and undermining our economic national strength. again we have history that can help us here. the notion of intellectual property actually evolved over centuries as an enshrinement of economic reward to the inventors of valuable ideas.
7:22 pm
the u.s. economy is particularly sensitive to the climate in which such rewards are protected because in a 2012 report by the u.s. patent and trademark office, 75 out of 313 u.s. industries are categorized as i.p. intensive. and they account for more than 27 million jobs and more than 18% of all employment in the u.s. in 2010. according to the 2013 report by the commission on the theft of american intellectual property, the u.s. loses over $300 billion a year in i.p. theft. the report stated that if i.p. were to receive the same protection overseas as it does here, the american economy would add millions of jobs an encourage significantly more r&d investment and economic growth. not all counties in the world are serious about a rule of law reveem. the united states has been here before in this problem, although on the other side of the problem. in the immediate aftermath of america's warfare independence from the uk our young republic
7:23 pm
itself engaged in a no holds barred campaign of privately conducted but officially tolerated i.p. theft against british industry in order to supercharge the young american manufacturing economy. now, the british response to this was quite rigorous. they were fully aware of the stakes of this kind of conflict. they imposed export controls on machines and designs restrictions on skilled immigration and sometimes even acts of arson against u.s. factories employing stolen british i.p. i know there's been talk about hack backs in the previous panel -- and this isn't really what we have in mind but the idea of hack backs is not ter tibly new, it's been tried. arson aside, the british strategy would not look unfamiliar to american officialdom today. yet but any reasonable accounting the british policy completely failed to stanch the defusion of their most sensitive manufacturing i.p. into the factories of its unfriendly transoceanic rival which went on to eclipse the uk as the world's manufacturing leader. all of this must sound
7:24 pm
distressing to all ourself today. in 2015 it's obvious that it's america that's playing defense in this game. so exemplify the struggles of all our ip sensitive industries, i'll focus on the software industry not only because they're the largest by export value but because there are also new ideas pertinent to that industry that might inspire new thinking for other industries protections as well. to give a partial illustration of what our software industry struggles with, in a report by the business software alliance, 19% of the software sold in the u.s. is pirated. but in china as one other example, 77% of the software transacted is pirated. but beyond the simple crime of making and running unauthorsed pirate copies there's the deeper theft made possible by prying into the source code of software to source the proprietary algorithms that are acquired by vast sums of research and development dollars. how do we stop something like
7:25 pm
this? through the lens of how we might protect our software industry, we develop a model for -- a new model for thinking about how to protect our i.p. based not only on law and diplomacy but on technology and economics as well. that may change the dynamic between the attacker and defender in this i.p. conflict. the status quo in defending our nation's i.p. interests in general tilts towards the kind of diplomatic and legal remedies favored by the british. as we've seen through historical experience, there are fundamental limitations to this kind of approach. so it is useful to pull back a step and think about the problem at a more basic level. i.p. theft is fundamentally as much an economic as criminal phenomenon. we've seen through historical experience that laws and diplomacy are lipted edlimited in their ability to deter criminals from this kind of crime. so the question is can we use technology and economics to deter economic decision makers from deciding to steal as
7:26 pm
opposed to not steal? can we raise the technical cost of stealing to such high levels that it no longer becomeswhile to do so? so the good news is that the answer is yes. but there are some major caveats. today commercial software is effectively defenseless against being wrong by reverse engineers because the state of the art in defending software against such theft largely consists of putting in code by essentially giving him more code to read and understand. however, this security through obscurity approach can almost always be defeated. in under a day with standard software tools and is almost universally regarded as ineffectual among software security experts. but the good news is that a recent mathematical breakthrough has opened up the door to making new kinds of software that can baffle even the best resource to reverse engineers. it entails writing the source code in such a way that
7:27 pm
enwrapping its secrets is equal to a mathematical problem and algorithms known today. this is exciting because this is the kind of technological breakthrough that could be the impetus for imagining a future where our i.p. rights are protected not by the laws of governments or nations but by the laws of mathematics. but here there are some huge caveats. realizing such technologies not only for software but maybe for other products as well, too, will very likely require radically new sintic ideas that will take years if not decades of sustained research and effort, but if these efforts are successful, such efforts could ensure economic leadership far into the future. and to pivot to another problem, one of the issues that we have in the cyber threat today is that victims are caught up in a very pathological dynamic in which they actually have sometimes an interest in concealing their own victimhood.
7:28 pm
we talked about this in the context of cyber threat sharing. so one of the other interesting things that has emerged in the academic research over the past 30 years is the field called secure multiparty computation. this really began as something of an academic problem about little more than 30 years ago. this is called the millionaires problem by which two millionaires wanted to see which one has more money but they don't want to reveal exactly how much money each has. i don't know how millionaires think, but it's a neat problem. so the bottom line is that this might seem like kind of a contrived problem but it's from a cryptographic and mathematical perspective it is not trivial at all actually. and the whole field of cart cartography built up around this that morphed into what we call snpc today. given that was a contrived problem 30 years ago, what this has evolved into 30 years later is a very valuable and practical technology in a very real problem. so in space today there's some
7:29 pm
dozens or if not scores space faring nations, thissy all have their slights s satellites going at very high speeds and every country has an interest in not having the satellites collide. when you reveal your trajectories you're giving away sensitive commercial information or national security information. how do you share information about your satellites without giving away those kinds of secrets? where the research has gone is from that contrived millionaires problem to actual software today that could actually help the likes of national space agencies and companies share their information without revealing private information. now, this is obviously exciting because these are not trivial problems. for the math geeks out there, these are 200 degree integrals actually over space and time, you know, for objects going at near relative listically relevant speed. it's a hard problem and
7:30 pm
computationally very difficult. but software after 30 decades of investment that gets us closer to that problem. it's not hard to see how this maps on to a lot of the kinds of sharing problems that we have within the cyber threat realm which has a pryivacy component to as well. to conclude, i think it's actually very fitting that the ingenuity of the american system that has created so many world changing ideas could be at the end of the day the source of defenses to protect those very ideas. thank you. >> thank you, michael. doesn't it make you feel good that he's in the government? >> yes. >> he's tremendous. but the modern-day i think problem of the millionaires problem now is to actually figure out how much money does donald trump actually have. so that's where it's evolved to. and finally mark tucker is the founder and ceo of temperal
7:31 pm
defense systems and founding member of the cyber insurance company of america. he leads a team of experienced white hat hackers that are redefining the technology paradigm to safeguard network fwhs the cyber war era. >> that was a mouthful. thank you, samantha. thank you for inviting me. i think this is a great way to look at the problem because this problem is a complex problem and it's really not quite understood. but when you marry those two terms of cyber war with economic cyber war, it brings multiple notions that help cross-pollinate and define the problem. so before i kind of go into a few things and ideas that i think might help encrack the problem, i think we need to quantify and understand the problem's dynamics. when i heard a few things in the previous panel ways diametrically opposed, right? but i was down there and couldn't talk.
7:32 pm
so i've held some of those things. i understand why the comments were made, and the comments were made because of these trends and these economic things happening and trying to understand the essence of what's going on here is what forums like this are about. so when you look at cyber economic warfare you're like well, what is it? well it's war it's not crime. there's a difference between having a war environment and a criminal environment. crimes happen in war, but i think it's very safe to say that if we kind of get some actionable assumptions and say, okay, maybe it's not provable a hundred percent, but a preponderance of the evidence this assumption is pretty good and we can start making some action plans around it. because ultimately america needs a cyber action plan. we've got the department of cyber command now. we've got multiple departments of everything. but the core of the problem i think is still a little bit
7:33 pm
elusive. so i think a few things in the first panel were perfect and spot-on. so let's say actionable assumption cyber war's here and upon us. and i would go so far as saying when did cyber crime become cyber war? what inflection point in time did that happen? that happened in the stuxnet attack. that was the shot heard around the world. that's when cyber war became kind of like the turning point of criminal gangs and all these activities happening to something that became a physical damage was caused and it caused, you know, geopolitical outcomes because of it. that one thing is like the shot heard around the world. we can assume that cyber war sheer. then we start looking at what is the dynamic of cyber war look like? it looks like a low intensity conflict in war terms to me. it doesn't look like the power balance between, you know, the nuclear war era where everybody built up these huge offenses and
7:34 pm
nobody struck. why? because there's proliferation has already occurred. that dynamic doesn't exist in cyber because there's too many actors, there's too many people. it takes one individual. so that would be equivalent to saying, well if we think about it like trying to do a nuclear power arms race buildup of offensive of cyber weapons, it just won't work because we can't control it. there's too many points of attack basically heading through. but if you look at it like a low intensity conflict you can pretty much say okay cyber is here to stay for a long time. there's going to be interesting things that happen. so the playing field is basically, if i could compare a few examples of where a low intensity conflict is occurring we look at iraq in 2004 when all of a sudden america comes in, we take the country over. i was there, by the way. so the ground truth i had then is equal to the ground truth i
7:35 pm
had now on the problem. so i've seen it from all different levels. so when i was first there there was a bomb here and there and it went off and, yeah it was scary. but in essence there was a power void. because saddam was gone and nobody knew what to do. so the criminal gangs started to move first. and there was, you know, a little bit of activity happening. well, what happens when those types of low intensity conflicts evolve? the next stage the coordination where all of a sudden there's six bombs going off and they're going off at the same time and the frequency is going up. so when we look at the threat horizon over a 20-year period in cyber war, basically what we're seeing is a negative threat for 20 years a negative trends that occurring. so now when most of that occurred in the -- think of it as cyber crime era now in the cyber war era we've seen the curve steepen. in essence what's happening is when you look at the battlefield
7:36 pm
and the battlefield's interesting in cyber war because it's all around all of us and it's global so what's going on the frequency of attacks is occurring and the battlefield is being softened. so when we see all these attacks happening on the banking systems, on the transportation systems and all these negative economic pieces, we haven't seen anything yet. this is just the normal course of a low intensity conflict. so the next stage is basically coordination. when coordination occurs people will get scared an a plan is completely required. what we should be doing is learning from these types of discussion points so that we can make this plan and get ahead of the curve. so if we take the assumption that we're in the cyber war era it looks like low intensity conflict. we've got a power void because nobody's controlling what's going on then we're saying okay, well maybe we need to come up with some assumptions of how we got here.
7:37 pm
well why is security so bad? and you can borrow economic principles to understand that. it's pretty easy. the question that was asked is why don't the manufacturers share in the liability? well, you want to know why? it's because bill gates' dad was an attorney and a very smart attorney. and every time you load software you hit an okay button and you basically take the liability and shift it over to you or if you're a company you shift the liability over to your company. so no it makes total sense that we've got so many security holes because the economic incentive is not with the manufacturer of these products. so a part of what steve was talking about, while i disagree with him, i understand how he got to those notions because you can't fix the problem so all we have is offense. i would suggest this that we can fix the problem. the defensive problem is fixable but like any problem we have to be able to quantify it.
7:38 pm
if we don't quantify the problem and we can't measure the problem, we don't know if it's improving or getting worse. we can see the attacks move up and down but we don't know how to compare one technology against another technology. what is the security of this industry, what is the baseline? we don't have any of those metrics right now. so one of the technologies that will shift that -- maybe it won't shift the liability back to the manufacturers but it will change purchasing habits when people know one operating system scores a three and another operating system scores a four in security. so what that will do is it will allow economic principles to basically take the security responsibility and allow the consumers or the companies or the purchasing managers to basically buy more secure stuff. so once we know how to measure it and that technology is in existence now, then all of a sudden we can start to say, all right, we're going to basically change the evolutionary path of
7:39 pm
technology because now that we can measure it it's no longer good enough to say i have good security, i have a firewall, i have antivirus and i have an intrusion detection system. what will actually happen is you'll say well your security's a three. you may have all those things but those things aren't basically raising your level of security. and so by basically creating the standard measure used for technology which is called qsm, which is one of our company's products that we worked at with george mason university over the last four years to solve is a huge building block to basically changing this shifting liability landscape and allowing the security level to go back into technology. so when we look at these problems, okay so there's an okay button. that sure did a lot. yes, it did. but there's also other things that did a lot to technology. and every two years a chip gets twice as fast. there hasn't been any
7:40 pm
interesting profound observational loss even. but if we've got this 20-year negative trend where the threats go higher and higher, if we can get ahead of that curve by let's say just two years where now all of a sudden we've got the ability to measure technology, security and we can start to use america's creativity and america's production force and harness the country's resources on a technological basis that's now focused toward better security, we can come up with maybe the law and say well if america stays two years ahead of security, then we're basically going to hit an inflection point where that trend starts to go down. as long as we stay two years ahead, then all of a sudden we're heading in the right trajectory for defensive security. i would also advocate that in this american cyber action plan we've got to say, okay, 85% of the resources or some number and
7:41 pm
85% defense and 15% is offense for example. and so we have to come up with those measures and those metrics and then we basically have to coordinate as a country to utilize our resources to win. we're america, we own the technology market still. we may not own the manufacturing base, but it's still our ideas. why do you think they're stealing our i.p.? because we're ahead. let's use the things that america can basically take to market and the fact that our vulnerability is the fact that we're connected, right but that's also our greatest strength. if we harness what put us here and look at it in a little bit different way, then i think we can make an improvement on the defensive side and i think on the offensive side if we start thinking of the problem like low intensity conflict and, you know, we create things to beat cyber insurgencies which is basically what's happening and we kind of look at the surge, you don't have a banking industry surge to basically take
7:42 pm
the fight back to them and create those deterrents portions. but it won't be a type of effort because there's no laws being enforced and the ability to bring someone to justice is very difficult. so it's going to look like a low intensity conflict cyber war environment. so anyway, my time's up. thank you. >> thank you mark. before we go to the question, i just wanted to mention when we started this project, we really wanted to create a larger group of people that are interested in this topic that take different pieces of the research on to move it forward. right? we never wanted it to be that this is the be all and end all, right? so there's a lot to go forward on this. one of the things that i think this panel and the last one really showcase are the needed kind of places where policy and new technologies you know come
7:43 pm
to bear. and you know on that i was -- hudson hudson's institute co-founder herman khan wrote the six desirable characteristics of a deterrent. he wrote that a deterrent to be successful, must be frightening, inexorable persuasive cheap nonaccident prone and controllable. so if we just even start with those six things and you can imagine having both the policymakers, the war fighter, the technologists around a table saying, all right, look here's the problem. how do we create a deterrent that both rests with sound policy doctrine and the technologies to be able to do what khan recommended i think we would really move this conversation ahead. okay. my interjection, yeah. no, wait one second.
7:44 pm
>> fdd and elicit finance. great thought provoking panels. both panels. there was something said in the first panel that provoked a question that i think is appropriate for you all. which was the reference to us losing the space race. and it made me think about president kennedy decades ago. he set the goal and the goal post. and the undercurrents of getting to the moon in the space race. the undercurrent was our competition with the soviet union and the tremendous threat that was there. but over that decade he really sort of galvanized or the country galvanized with this goal. it was inspiring and very positive. if we were to look at the cyber war, the cyber race, what would be the goal or the goal post? is there a way to sort of galvanize this next generation of young people and others within our society to target a specific goal so we could win the cyber race which we're losing? >> michael, you want the take
7:45 pm
this first? >> i think that's an analogy that's often drawn. and it's problematic because with a space race there's clearly defined goal posts as to progress. set sending a man into space sending a man to the moon and sending a device to mars and so on. the problem with cyber is the agenda is much more diffuse. the kinds of cyber problems that exist on machines and networks and there is as chairman rogers mentioned in the previous panel anthropological problems around cyber, too. one of the things that tends to be a distracter in the cyber debate is an over emphasis on the technological dimensions. there's a human dimension because it's a security problem and all security problems are human problems. looking at the statistics of the kind of compromises that occur because somebody opens an e-mail or attachment and goes to a link and then all hell breaks loose
7:46 pm
after that. at the end of the day, you won't get away from that. because we don't design software networks for machines we design them for ourselves. where we could possibly direct one area of research actually is to say that well we should stop blaming the human because we are human. we should be able to open up a link or an attachment or go to a site without trembling in mortal fear that it's going to compromise the entire enterprise. whereas i think there's going to be a much more diffuse kind of agenda for the cyber problem i think there are some problems that could still be very ambitiously stated very much like the problems of a space race as well, too. that's one of them. but i'm sure there's others as well, too. >> i would just add to that. maybe this is too simplistic but i think when it comes to cyber, the whole notion of winning is something that we're cautious about and we're careful about. we don't actually want to win in cyber. we just want to survive in
7:47 pm
historical terms we invent the cannonball. we don't want to win using the cannonball. we just want to survive if the other side gets one. we invent missiles. again, we don't want to just win. we want to create missile defense shields just in case the other side builds bigger miseyes than we have. there seems to be hesitation when it comes to cyber. i don't work in the cyber field but i sense it in the language. the goal should be we're going to win this cyber war. then any country that launches a cyber attack against us will be meet with fearsome retaliation. i don't know what we'll do against the chinese because of opm, but i don't hear in the rhetoric of the president a commitment to actually win. we need to send a message that we're the united states of america. and whether you hit us with cannonballs or missiles or cyber attacks, we're going to
7:48 pm
retaliate in a fearsome way and our goal is going to be to win in the cyber world as we won i think in missiles, and we won in cannonballs. it's a commitment at that level before we get into exactly how we do it on a technical level and how do we reorient the u.s. government on an institutional and a doctrinal level in order to do so. >> i also think there's measurable goalposts along the way. for example, when we hit this turning point and the 20-year trend ticks down what is going to actually happen? well, if we say what's going to happen on the pla side tore china side unit 16398, all of a sudden all the million of agents that they're watching oh their screens and monitoring go dark. that's actionable. and when that happens, you know what we're going to see? we're going to see that unit freak out. we're going to see them go back
7:49 pm
in to the drawing board we're going to see them working day and night. they'll send minions out to try to get new points so they can basically reinsert new types of agents. this is what i mean by we've got to be able to stay two years ahead. because if we can stay two years ahead, the effects are dramatic. right now what we've done is just stayed complacent and let all these agents and things and supply chain infections just permeate everything. so i think just like that where we're saying, all right, when the turning point hits, how will you know? because that unit that is the biggest unit in the world right now that's basically one unit against us they're basically their agents go dark and then we're going to see actions because of it. i also think that we can measure the number of cyber events that occur and i think we can measure the amount of money that's stolen from a bank or credit card. so i think we can come up with measurable, you know, are we winning metrics.
7:50 pm
>> here's just a quick addition to that. here's an indication of how you're losing. so i was reading through the iran deal the other day and every day it's a new surprise. but my yikes moment of last week was i surprise. i discovered the united states and our allyiesallies, we commit to protect the nuclear iranian program against nuclear sabotage. we're going to protect it against the ability of the united states, israel other allies to use cyber offensive weapons against iran's nuclear program regardless of what happens with that nuclear program. it will be a scale with near zero break out. even then, we will commit to defend iran's nuclear program against cyber sabotage. that's not the shot to the moon. that's not a commitment to winning. that's actually we're going to harden our adversaries cyber
7:51 pm
defenses. >> sir? >> my name is rich wilhelm. i ran all of our business with the intelligence agency, but 20 years ago, i had a job similar to yours where we did round one of all this. we're so much farther ahead now, but i'm struck by one thing. yes, we are much farther ahead. we understand the threat a lot better, and there's a lot more technology out there, but i'm struck by how little progress we've made in solving the central policy issues that are going to be required to actually move ahead. and, you know, my thinking over the years has matured somewhat, and it seems to me we're essentially trying to solve a problem where boundaries don't
7:52 pm
count on legal policy framework where boundaries really do count. and i'm not just talking about geographic boundaries. i'm talking about the difference between private and public sector responsibilities, between domestic and foreign you know, if you look at the intelligence community. and we need some new framework. what -- and this is a question, really, for you, mark. you talked about -- i mean, the government response has been to create new organizations but not fundamentally alter the existing boundaries that exist in law of our existing agencies. what do you think the likelihood is that we can solve that problem over the long run and that there is a new paradigm that will emerge so that the
7:53 pm
interfaces between the various agencies operate a hell of a lot more smoothly than they do right now? >> thank you for that question and for your service on these issues. i would say that i'm somewhat optimistic. i've sort of seen it from the outside on the offensive side. i think we've done a pretty good job. a lot of credit to juan and the folks at the office of terrorism. who ever heard of tfi or ofac a decade ago? what juan and his colleagues did at tfi is they took institutions, agencies in the u.s. treasury department and they turned them on offense. i think they did a really remarkable job not just leveraging government but leveraging markets. because the real secret sauce of our financial coercion on
7:54 pm
offense is not what we did to governments. it's actually what we did to companies and financial institutions in changing their risk-reward assessment. you can do business with our $17 trillion economy, or you can do business with iran's $350 billion economy. if you do business with their $350 billion economy, you're going to be doing business with bad actors who are engaged in illicit financial activities. it's been a very successful program. i'm obviously very skeptical about whether we have actually used those incredible resources and achievements towards the right diplomatic ends, but at the end of the day we certainly hone the instruments. and our paper tries to look it from the other point of view. with those instruments honed on offense and other countries and
7:55 pm
adversaries using some of those same powers how can we reorient the government to start think about creating a defensive economic shield? we have cyber command. i'm learning a lot about some of the deficiencies we have in that area. but from an economic warfare perspective, the folks at tfi don't actually have the time to think through defensive shields which is why an offense of policy planning would be useful at treasury. it would be useful to have an economic warfare command with all the powers to work on an interagency level, to actually think through both on the cyber side and the traditional warfare side how do we defend the united states. here's a good news story for me. the state of success south carolina just passed legislation. the legislation says that any country that uses economic warfare against one of our allies will be denied federal --
7:56 pm
state grants from south carolina and the state pension fund of south carolina will have to divest from any companies engaged in economic warfare against one of our allies. it's interesting. it's at the state level. it's the state of south carolina. if you use economic warfare against the united states or our allies, don't do business in the state of south carolina. illinois just did something similar and other states are contemplating. that's creating a defensive shield at the state level, which i think could be created at the federal level through executive orders, legislation, and creating a defensive economic architecture led by so many of the people who have been successful on offense. >> just so that you political scientists or ir theorists out there don't think that there's a place for you in this robust debate and moving forward and
7:57 pm
that it's just a place for ekon economists and technologists, we need a better strategy. there's no reason to think that what the russians are doing or how they're organizing is in any way similar to what the chinese are doing or the iranians are doing or the nkorth koreans are doing. one telling point on this is that in the weeks before the sony hack, the north koreans were speaking out at every opportunity they had, screaming that the movie that sony was going to release "the interview," was an threat to
7:58 pm
north korea. they were some of the first ones to say, look over. yes, sir? >> the doctor used the phrase krip krip to grapically sound. any comments? >> again, i should preface all this by saying today i'm speaking as an individual and not as a representative of
7:59 pm
either my agency, the department, or the u.s. government at large. i'm essentially talking about things that still live very much in the research space you know. so obviously crypting toography means a very different thing versus the kinds of things that still happen in academic circles. so when i say -- when i use terms like security in this context, maybe the better word to use is provable security rather than cryptographic security. i think that probably is a more accurate way to characterize that. >> well, that's wonderful. i think with that i'm going to wrap up unless you have one last comment? good. all right. i thank you so much.
8:00 pm
again, stay tuned for the sin synopsis of this seminar. thank you again. have a good day. tonight on c-span 3 a senate hearing on relief programs for small businesses effected by natural disasters. the brookings institution looks out new military defense technologies and the new commandant of the u.s. coast guard, and a discussion at the hudson institute about cybersecurity. today the senate small business committee held a hearing on disaster relief for small businesses. it focused on changes made since hurricane katrina hit the gulf coast ten years ago. the senate began its district
8:01 pm
work period yesterday. this is an hour. well, good morning everyone. welcome. thanks very much for joining me here today for this discussion roundtable about a very important ongoing challenge in relation to disaster recovery. natural disasters are obviously indiscriminate and sweeping. with this roundtable, i hope to highlight the improvements made in disaster recovery efforts in the last decade discuss continuing challenges that local, federal, and state officials still face, and have a conversation about disaster mitigation and response. this is, as you know, the tenth anniversary of hurricane katrina. we're going to acknowledge that
8:02 pm
in just a couple of weeks, and i want to take this opportunity to remember the tens of thousands of families horribly impacted by that disaster. ten years ago this month, we experienced a deadly and costly disaster. the most costly and defrvastating in history. hurricane katrina caused $108 billion of damages. the damages from that year's hurricanes rita and carina caused some 50,000 people to be unemployeed ed unemployed by the second half of 2009 and here we are in 2015 still dealing with katrina's impacts on top of the other significant disasters we have suffered through in the last decade. between 2008 and 2012 with hurricanes gus tav, ike, and
8:03 pm
isaac, there was over $44 billion in damages and then on october 29th 2012 superstorm sandy devastated the vast majority of the east coast of the u.s. 131 people lost their lives and 12 states, which includes the district of colombia were declared major disaster areas. the lives lost, exorbitant amount of money spent, and the lasting impact still felt today from all of these events are highlighted here as the foundation for discussing ways to mitigate these losses in the future and tore recoverre
8:04 pm
recovery by getting our lives back in order as soon as possible after the disaster. while businesses and communities came together willing and able to deliver vital relief, too many times they were turned down actually by bureaucracy within government agencies. immediately following the event i heard reports of hellish conditions at the super dome witnessed unacceptable response times from fema long delays in the delivery of federal emergency assistance, failing evacuation systems and ineffective federal contracting practices. disaster relief funds either never made it to the hands of those they were intended for or arrived way too late.
8:05 pm
all these failures obstructed vital recovery out of katrina. long-term disaster recovery assistance comes from others whose responsibility is to provide our homeowners, renters businesses, and nonprofit long-term recovery loans that can get these economic resources back on track. after hurricane katrina struck louisiana ten years ago we learned the hard way what worked and didn't work in this longer term category as well. and after each major disaster since then we have learned that small businesses need, really extra help to get back on their feet, and so that's a very important focus of this discussion. as chair of the senate small business and entrepreneurship committee, i'm committed as are all of our members, to serving small businesses across the country and ensuring they are afforded the resources and
8:06 pm
assistance they need to help them recover as well. a completely separate category, which was certainly very very important in the hurricane katrina and rita context is the corps of engineers and disaster recovery and storm protection in that category. i've done quite bit of work on that reforming the corps process, improving how they respond before and after disasters. that has more been in the context of my work on the environment and public works committee, but certainly that's another very important piece of the equation that we may touch on here today. earlier this year with all of these thoughts in mind and as chair of the small business committee, i passed through the committee with unanimous
8:07 pm
bipartisan support s 1470, the rise after disaster act of 2015 along with other legislation to address the needs, protections, and recovery of america's small business in particular. the act reflects a number of things that we have learned, and i think it'll definitely help future disaster victims recover more quickly and with less red tape from the federal government. specifically, the bill provides long-term recovery loans to small businesses when disaster assistance is no longer available, and it directs federal agencies to utilize local contractors for response and recovery efforts rather than government contractors from washington, d.c. and other far flung areas. i also introduced last month a bipartisan national disaster relief tax act that will provide
8:08 pm
tax relief for victims across the country that have experienced disaster in recent years, including businesses effected by the red river flooding and hurricane isaac in 2012. the bill will also allow businesses to create national disaster funds in order to prepare for disaster costs and insurance. to have this discussion we're really honored by having six great leading participants and i want to briefly introduce them and i look forward to hearing from all of them. james rivera. during his 25 years at the sba, mr. rivera has led several
8:09 pm
efforts to improve the agency's disaster operations including development of more efficient loan and underwriting processes computer upgrades, which was resulted in quicker loan disbursements, and other accomplishments. gerilee bennett. she's been leading disaster recovery programs since 2003. she's supported disaster recover recovery operations through businesses since the 1990s. russ paulsen is the executive director for nationwide community preparedness and building resilience programs at the red cross. he's led some of the largest disaster response and recovery
8:10 pm
efforts in that organization's history. william shear is director of financial markets and community investment at the u.s. government accountability office and will be offering significant insight into today's issues having directed substantial bodies of work having addressed sba, community, and economic development programs and housing finance. andrea deadwyler is the director of the credit programs group in the audit division in the sba's office of inspector general. and finally last but certainly not least tee rowe is the ceo of the small business network which leads nationwide educational system programs to
8:11 pm
strengthen business management. so i look forward to hearing from all of you and then we'll have a discussion coming out of those observations so why don't we start with mr. rivera. >> thank you, chair for inviting us up here and our partners as we work through the disaster assistance. we've made almost $200 million in loans since we started in 1953. while we're not a first responder, i'm glad gerilee is here. from our perspective we've worked very diligently since katrina. we continue to learn from every disaster. most recently with sandy, we also continued to learn from the sandy experience. we took a step back after both
8:12 pm
katrina and after sandy and gus tav. we've now implemented a three-step process to simplify the process to make it easier for the disaster survivor to understand what we're doing. we also take advantage of credit scoring opportunities on how we can approve individuals, homeowners and businesses with higher credit scores and put them through the system faster. we recently updated our standard operating procedure, took a back to basics approach. we always take a look at what works works, what doesn't work, and how we can approve going forward. thank you. >> great. thanks very much mr. rivera. gerilee bennett. >> thank you very much for the invitation to be here today.
8:13 pm
as mr. rivera said fema is please to be able to participate in this roundtable with our partners the sba, and the red cross, who we've been working very closely with since katrina and throughout the years in support of many disasters such as hurricane sandy hurricane isaac in louisiana, hit before that and somewhat got overshadowed but we had already implemented a lot of changes even by then. i want to focus today on some of the improvements that we have done in partnership with the interagency members of the national disaster recovery framework. the framework was developed really in response to hurricane katrina, the post-katrina reform act called for a national disaster recovery strategy.
8:14 pm
some of the key elements of the framework are that it promotes partnership, planning for disaster recovery in advance, and the development and establishment of an organizational structure and leadership in advance that focuses on disaster recovery not just response. one example of this is at the federal level we have developed the economic recovery support function. it's led by the department of commerce, economic development administration. and the key partners include sba, the department of treasury, the department of agriculture, fema is also one of the primary partners, and all of these agencies work together to support communities and states and more importantly businesses after disasters to find the support they need to get their
8:15 pm
businesses back up and running. some of the strategies that the economic recovery support function undertakes, they do economic assessment post-disaster, what the real needs are. is this a rural disaster? is this a small-town, small-business kind of disaster? is there a major employer in the area whom if that business gets back up and running quicker, will make all the difference in the world in getting people back to the area? they also work together to make sure there are business recovery centers usually sponsored by the sba. they have all the partners available for all the businesses to find what resources are available. it is to make sure education, technical assistance and
8:16 pm
networking for resources and support are available. after a disaster, it's a good opportunity to provide support and information to community -- to businesses about resilience. that never before a disaster are people as much in tune to be resilient, to have good insurance, to have good supply networks that are also resilient, so it is a good time to take advantage of that. again, i look forward to the conversation. thank you for the invitation. >> great. thank you. i will move to russ paulsen. >> mr. chairman, thank you for inviting the red cross to participate. my name is russ paulsen. i'm executive director at the red cross. in 26 years with the red cross,
8:17 pm
i've seen the importance of small business recovery throughout the country. we do it about 70,000 times a year on average. we just did it after red river floods where we opened three shelters in north louisiana. and we keep that promise after home fires across the country that happen about every eight minutes every day every year. we can only do this because of the financial generosity of the american people and sometimes heroic actions of volunteers, americorps members and our employees. kay wilkins organized her team to open up shelters throughout south louisiana after katrina came through or while it came through. not seeing her family for days. a young woman who never lived away from home before she came to the new orleans area to be a
8:18 pm
red cross americorps member, who after being there for two weeks was sent to run a shelter at north shore and who had to deal with the needs of all sorts of people, including helping a gentleman who didn't have his home health aide with him. never had any training but it's people who step up and do what they need to do. a young man who ran a shelter and had to figure out what to do with a shelter full of scared people when the roof started peeling back. it's heroic actions by people in the response phase and for people who they will never meet again. we serve 68 million meals and snacks. we serve clients who have evacuated in all 48 of the
8:19 pm
contiguous united states. we were also able to contribute to the recovery for years after the storm. rebuilding their homes. we helped people access mental health service, which is often not thought about. but after a trauma like katrina it is really more than what most people are built to handle. we designed it almost like an insurance program where people could make sure they could pay the bills of independent providers, and those providers knowing they had a market that could pay the bills could move back to town. recovery is such a gourdian knot after a big disaster. businesses are reluctant to come back without employees and a customer base. residents are reluctant to come back without businesses where they can shop and work. people don't want to come back
8:20 pm
without government providing services. it's a really tricky proposition and oftentimes it's the small business that comes back first. sort of homesteading in a neighborhood and then people can come back around it. katrina taught all of us in emergency management there are some disasters that are bigger than any of us. but we learned that we have to not only work with our traditional partners but people who wouldn't normally get involved with disasters, so now we have faith-based services and organizations who haven't thought about disasters before. church groups like national baptists, islamic relief lutheran church methodist church church of latter day saints groups like the naacp and others at the national level. at the local level, too many to count. we have put in place technology
8:21 pm
apps to help people find shelters, first aid apps so they need what to do. we outnumber firefighters and rescue workers 400 to 1. apps to help people find their relatives when they are separated by disaster. now we're working inging to get ahead of the disaster. fires kill more than anything in this country. talking to them about hurricane preparedness or tornado preparedness. we have mad a lot of progress. still more to go, but it was quite an experience. >> great. thank you very much for that perspective, mr. paulsen. now william shear. >> thank you. thank you, chairman for the invitation. it's very good to be back here with senate small business. we've done a very large body of work looking at sba's disaster
8:22 pm
loan program going back to hurricane katrina, and i'll just state as always in going forward view me and us as a resource of terms of navigating reports and everything we have done. they're all on our home page. think of me and us as a resource to help navigate that. what i brought today for the purposes of an introduction, i'm glad to answer any questions about our body of work but i highlights pages to two testimonies and they're on the table over there. one was a testimony in may of 2010 before this committee, and it was based on a report that came out in july of 2009. and we were asked to look out how much progress had sba made in implementing the small business disaster response and improvement act of 2008.
8:23 pm
it's a mouthful. i'll now call it the 2008 act. very important piece of legislation. it was a good way to look at progress sba had made from basically the problems that incurred during katrina and rita and it was also what remained to be done. the other thing we did was extensive fieldwork looking at the response of the 2008 disasters, which were of a smaller magnitude of katrina or sandy. it was the midwest floods and hurricane ike in particular where we did extensive fieldwork and we could see well how sba had done and the response had improved, so that's one, you know, data point that i want to provide through that testimony. then the other document is last month we testified before house
8:24 pm
small business on a response to hurricane sandy, and it was based on a report and updates the report. the report was issued in september of 2014. here we looked at obviously a much larger disaster, and looked at the response. we saw certain deficiencies in terms of timeliness and deficiencies in terms of following through with plans instated plans to initiate other provisions of the 2008 act. and in particular three loan programs that would operate through private sector lenders, and so i'll just to close up this statement and look forward to questions is that our report in 2014 on sandy had two recommendations. one was to better account for the early influx of applications
8:25 pm
due to greater use of electronic reporting, electronic applications. the other one had to do with really get -- do a documented evaluation of lender feedback on in particular the immediate disaster disaster assistance program. to really evaluate lender input and to move forward with a pilot. and this is something that goes back a number of years. it's one that it is important in terms of developing a capacity,
8:26 pm
at least testing how well a program of that nature could work in a future disaster. so for now, i say, again, thank you for the invitation. i look forward to the discussion. >> great. thank you very much for that body of work. next we'll hear from andrea deadwyler. >> on behalf of our inspector general, i represent the dedicated men and women of the sba. the sba's disaster assistance program is a high risk program. i believe our investigations and audit recommendations are having a positive impact on the integrity of the program. the disaster loan program plays a vital role in the aftermath of
8:27 pm
disasters to assist with rebuilding disaster-damaged properties. following hurricane katrina the sba released several reports. sense the gulf coast hurricanes sba hazardss addressed many of our recommendations. sba controls to prevent duplication with huds. regarding dupelication of benefits, our 2010 audit provided controls. as a result of our audit, hud and sba improved internal
8:28 pm
controls. when we conducted our audit in 2015, we found that controls were adequately designed and generally working as intended. sba implemented an electronic application for hurricane sandy survivors. however, the office of disaster assistance did not anticipate the surge in workload, which resulted in a backlog of over 29,000 loan applications. excuse me. consequently the agency implemented expedited process for home and disaster loans based on credit scores and loan amount. but the expedited process for business loans did not result in any time savings. we have identified challenges with sba's ability to meet disaster performance goals. contributing factors includes
8:29 pm
sba's need to significantly increase staffing levels especially in response to a large-scale disaster as well as a need to mobilize and train staff quickly. sba reported an improper payment rate of 12% in its disaster program, which is a significant reduction from the 18.4% reported in the prior year. the reduced volume of approved disaster loans for one went from 2014 from 332 million compared to the 2.8 billion in approved loans in 2013 primarily due to hurricane sandy. they also implemented multilayer reviews at a distribution center to identify proper payments.
8:30 pm
however, we also note that the improper payment rate continues to exceed the 10% level. hence, we consider this an ongoing challenge. in closing, the oag acknowledges the challenges that the office of disaster assistance faces in balancing its mission to provide loans with the responsibility of ensuring prudent loan practices. due to the impact and risk associated with the disaster loan program, we will continue to emphasize these programs as a priority in our office. thank you for the opportunity to participate today. i look forward to your questions. >> okay. thank you very much. next is tee rowe. >> thank you mr. chairman. appreciate the opportunity to be here to discuss sba's disaster assistance program.
8:31 pm
i'm tee rowe the president of america's sbdc which suspects the small business development centers. when a disaster hits, we're there. we're there because it's our neighborhood, it's our clients, it's our community. and in every case and particularly with katrina, sbdcs have learned a lot. our past state director in louisiana did an amazing job with our committee on disaster recovery helping people share best practices and really tear down our effort to coordinate with sba and improve the response. and i have to say from my personal experience during katrina, i was head of congressional affairs at sba, so i was there in the trenches with
8:32 pm
james. maybe not as deep in the trenches, but i saw what sba went through and how they've come forward. and my members of the sbdcs have seen that same change. in every disaster people are overwhelmed. and at the sbdcs, we pool together as a family to try to share resources to try and bring volunteers from other sbdcs to help set up the disaster recovery center. because when you set up a disaster recovery center, we work with sba now. they're temporary because they've got to move from place to place, so they're there for about a week, and we're still there at the sbdc helping the small businesses. and that process has gotten so much better. our new york state director can't say enough great things
8:33 pm
about the work that james has done. i just was on a call with our southeast directors so they're kind of the disaster specialists just because of the way mother nature works. and they truly appreciate both the changes that sba has implemented but also the changes in your bill because you're removing some roadblocks to the cooperation we try to achieve. for instance the ability of an sbdc to operate across state lines. when things were started i think when the legislation was written, it just kind of forgot about disasters. your bill does a great thing in letting us in disaster situations send folks from across the country to help out. it's a great improvement in the
8:34 pm
way sbdcs will be able to assist small businesses. and i would like to talk really quickly because ms. bennett mentioned something very important. while we're there at a disaster recovery center and we're helping people work through their disaster loan applications, we're helping them retrieve information put their lives back together. because as mr. paulsen said the small business is the hub of the community, and what we've been focusing on more and more -- and we actually have two specialists in florida who work all throughout the gulf region. they're recovery specialists, but they're really resiliency specialists. and we work so hard to make sure that the clients all across the country are prepared to recover. because without that preparation
8:35 pm
preparation, you're just that many more steps behind. now, i'll just quickly sum up that the last thing we really appreciate section 102 of your bill, the additional awards to sbdc. we've found in sandy how helpful that additionally fund was because even still three years after, we're still doing recovery work. it's vital to us to be able to provide that long-term assistance in a recovery situation. with that, i'll finish up and thank you so much. >> great. thanks to all of you for the comments. now, we just want to have a open conversation following up on all these topics, so there's no particular format. please, jump in whenever you have a relevant thought. my questions and concerns are probably naturally going to focus more in light of the
8:36 pm
katrina experience my experience, and also the small business side of things since we're in the small business committee. i guess this thought or question is mostly for sba, fema, red cross, and sbdcs. how is your response different for catastrophic disasters whatever that means, sandies versus other events? do you have a different rule book, a different playbook and where roughly is that line that you would distinguish between catastrophic disasters and other events? anybody want to take a stab at that? >> i can go first and then i look forward to hearing what fema and the american red cross says. we are much more coordinated today than we've ever been before, so the major disaster declarations are handled by
8:37 pm
fema. red cross is always around in every major disaster. we've been on the ground. we'll stay there for 60 days. generally, we were there for two months or as long as there's a need from that perspective, but we're well coordinated in our recovery centers where there's a disaster recovery center for the major disaster re erer declarations. coordination between our agencies, we hiccupped a lot back during katrina rita wilma. today, we have the framework in place. it may look like a larger bureaucracy, but it's a much more efficient process. when gerilee and i first met we were discussing the difference between response and recovery. we figured that out now. ten years later, we're mature organization when it comes to these are the roles and
8:38 pm
responsibilities of the responders and the recovery players. now we have disaster preparedness 3r5igsprepared ness operation teams so we can continue asut of the disaster the longer term effect from that perspective. >> okay. fema? gerilee, you want to take a stab? >> yes. thank you, mr. chairman. i would say we don't have a different playbook for a catastrophic disaster because it's really important we have the basic plans and systems and teams in place for all disasters in that they practice on the smaller disasters and it exercises what they would do if there were a catastrophic disaster. if we designed things that we would do things much differently in a catastrophic disaster, we wouldn't be as ready because we haven't practiced it that way.
8:39 pm
we have some plans for very specific high-risk scenarios that we work together clab collaboratively with our partners, so we do do that but those plans are really very much based on the systems and teams and all hazard plans that we have in place for all scenarios. >> okay. russ? >> the commitment we make for people to have a warm safe, dry place to go with their family, food to eat, someone to talk to about what's next doesn't change. we provide services beyond that in regular, big disasters. after sandy for example, we did case work with individual families trying to help bridge gaps things that the fema programs can't cover due to statutory limitations. we would try to bridge gaps.
8:40 pm
that one on one casework assistance is very labor intensive and long and something we probably wouldn't get to quickly after a catastrophic disaster. we don't have a number in mind for what's the difference between a catastrophic and a regular, big disaster, but i would say when something is like katrina, ten times bigger than anything we've dealt with before, that counts as catastrophic. sandy was a big disaster. certainly, if you go through any disaster, it's catastrophic for you, but regular systems worked for that scale of a disaster. >> okay. anybody else? >> well, i just echo what russ said that any disaster is big for you. at an sbdc level the playbook doesn't necessarily change center by center in a localized
8:41 pm
disaster. where it becomes a problem is when you do get the larger disasters and you need the extended resources for the extended recovery. you know, at sbdc, you can absorb it on a localized level understanding that you're going to have to do that much extra work with the businesses that have been affected in your area as they recover. but when you run into something like sandy where, i think, sba had, what, 600,000 applications or 400,000-plus is what we had in katrina sbdcs are literally working with hundreds of thousands of businesses in helping them with long-term recovery? and at the same time, while a year or two later, everybody thinks, oh, the disaster is over that was then, it's still affecting the community.
8:42 pm
it's still affecting the businesses. >> let me jump in one. one of the reasons i asked this question is i know the gao concluded about sandy that the sba didn't surge operations quickly enough, didn't sort of realize the scope quickly enough, so that's part of the reason i'm asking. is there a metric where you get it immediately that this is another category and there's a surge that starts that would not be required in lesser disasters? >> so in response to the gao question, one of the things we did post-disaster, we always do an after action report. we've shared that with your staff as far as what we've done. in regards to how we staffed up, we had 800 people on the roles. we went up about 200, 300 people as a result of the louisiana
8:43 pm
hurricane that predated sandy. we ended up with 2500 employees. staff wasn't the issue. it's just because we didn't put them on board fast enough. at katrina, we didn't have a staffing strategy. we had 800 employees. we hired 6,000 employees in six months. post-katrina, we have 2,000, 3,000 reservists that are on call, that are available. the timing of how quickly we on boarded the staff, that was really the issue internally. we were prepared to on board much quicker. the difference between the electronic loan application coming in sooner versus the traditional paper intake curve we tripped up there, but we've addressed that. we've changed our sop. we've changed an updated our disaster preparedness plans internally, so that shouldn't be an issue, if we have any type of disaster activity. the staff is available. we've even taken another step
8:44 pm
where we have a contract in place that will supplement if we go beyond that 3,000 level employee where we can have them fill any gaps that we may have across the disaster program. >> okay. go ahead. >> sure. >> it was -- sandy was obviously the biggest disaster since katrina, so it was a much bigger task then let's say the 2008 disasters. james said it wasn't a matter of having the planning in place to take into account the electronic applications and the speed of them coming, so that was definitely part of it and part of the delays. where we're at now is there have been changes at what we call at
8:45 pm
sba the playbook which is one of three major elements of the disaster process. there's the disaster recovery plan. there's disaster forecasting models. we've seen a change to the playbook. james and i have talked about this and a liaison at sba. we need a little bit more assurance from them. it might just be talking us through the steps as far as how do these different pieces fit together to make sure that if there was another major disaster like sandy or that magnitude that the process would work out differently and that sba would be more ready to respond. >> okay. let me move to a slightly different topic, which was a huge frustration of mine after katrina and continues to be in general, which was that i saw in
8:46 pm
so many cases federal response, roof contracts debris removal, et cetera, focus on national mega firms. and local small businesses were virtually completely left out. if they had any participation, it was literally five subcontracting layers down getting pennies on the dollar. as all of you acknowledged in various ways in your comments a big part of recovery is local small business recovery, right? so here's a huge opportunity to drive that through this work, debris removal, blue roofs whatever, and i saw so many cases after katrina where the locals again either were forgotten or
8:47 pm
what are you doing differently since katrina to involve far more local small business? i guess that's primarily fema, but certainly involves others as well. gerilee, you want to start? >> i can get back to you later with specific statistics, but i can describe to you the approach changes we are taking.
8:48 pm
in order to be able to get in fast and provide that surge, we do still rely heavily at fema on standby contracts and on interagency agreements where we provide funding to the army corps of engineers. but i think what we're doing differently in approach is we have those and we don't provide the full scope for the full scope of the disaster upfront. we asked that they get in and do early work and then transition to local business contracts as soon as possible, so we can get you more details about how that works and statistics afterwards. >> okay. anybody else? >> so post-katrina, we saw that as a challenge. we under. we met interagency. as a procurement goal, we met
8:49 pm
with fema and with the other federal agencies and we said, look, we need to focus in. as gerilee explained, the first step is they come in but we definitely make sure there's a focus of small business contacts. we can make the referral directly to the organization that has the assignment on how to get the work. that didn't exist pre-katrina but that's something we have developed for all disasters since then. >> okay. let me just also make the comment. to me this is a problem outside of disasters too. to me there's been a trend for federal government agencies to deal more and more with mega contracts or bundling contracts that by their size have to go to mega entities. and i think it's mostly easier on the bureaucrats. if you have one mega contract you're dealing with versus 100, it's a lot easier within the
8:50 pm
government bureaucracy. i think that's a very worrisome trend. it is completely cutting out small business. small out small business. small businesses either can't participate or if they do, they are layers down in terms of subcontracting, getting pennies on the dollar. i think a lot of post-disaster contracts and work is a particular worrisome example of that. but i think it's a bigger trend. that's just my two cents. i'd love for you all particularly small sba to look at the relevant provisions regarding this in my bill, s-147. we rare that they use local subcontractors for debris removal or demolition and provide incentives to federal agencies to work with local contractors. i'd love your very specific feedback on those provisions.
8:51 pm
and i'm guessing most of those provisions really could be implemented in some form or fashion by you if you wanted to do it now. so i'd love your feedback on that. any other comments on that -- in that general area? okay. let me ask the ig based on your audits and investigations of sba's disaster recovery programs, what are the outstanding biggest concerns that you have and what areas have the disaster programs been vulnerable to fraud or waste or abuse, and what are your top line recommendations? >> [ inaudible ].
8:52 pm
i'm sorry. [ inaudible ] waste and abuse in those programs. i think our investigators get referrals from many different sources. and they diligently look into any allegations of fraud. they participate on task force with regard to especially the big disasters. and that was a multilayer question. >> as we speak what would be your top line recommendations in that whole category? >> top line recommendation well one of the big things we talked about and it's been talked about with regard to the work as well and that's the gearing up in emergency. as james mentioned, they've implemented a lot of different results to make sure they're prepared for future disasters when it comes to receiving those recommendations. i think in sandy they had just
8:53 pm
started the electronic application and got so many more than they anticipated initially. so it took a while to address that back log. but i think with the implementation of the rapid, expedited process, i think they should be, and with the new plan to ramp up more quickly. i would like to think they'd be able to address those issues. we just have to wait and see. james mentioned every disaster is different and the approach is different. i think we just have to wait and see. >> okay. let me highlight another concern, and it's probably outside any of y'all's specific focus because it's about the flood insurance program which isn't feem amafema but it's not direct disaster response. one big issue we've seen and focused on in flood insurance programs is participation rate.
8:54 pm
there's been very low participation rate. that, obviously is a major problem and issue in terms of solvency of the program and affordability of the program. by some estimates like a study in 2006 said only 49% of homes in special flood hazard area had flood insurance. so we're having half the participation rate we should. i think this is a continuing problem. we've talked about it. we've talked about it in committee, in the banking committee with administrator fugate. but i have not seen those rates rise dramatically. i haven't seen studies that document that. ms. bennett, do you have any observations on that or maybe fema can follow up and give us a status on work in that area? >> i'll just mention that fema
8:55 pm
has taken the concerns of the flood insurance issues post-sandy very seriously and we've established a task force that's focusing on revamping the way the program is operated and making sure its customer focus and customer friendly. we have an ombudsman function to help people better understand how their par tasipation, how they can participate in the program and make sure they have a place to provide feedback about the program. as to specific efforts to address participation rates we'll get back to you on that, sir. >> okay. let me start wrapping up. thank you all again for your participation and ongoing work for this discussion. i want to highlight something i mentioned in my opening comments, which is some recent legislation we've developed and worked on in this committee.
8:56 pm
i just mention s-1470, the rise after disaster act. i'd love you all to continue to work at those provisions and respond and react pro/con, anything in between suggestions. it's anything in between but it's still moving through the process, and also the national disaster relief tax act we introduced that last month. take a look at that as well and please after any suggestions you might have. this is obviously ongoing work for all of us. and ongoing discussion. i'm sure we'll have plenty of follow-up, including the specific things i mentioned as follow-up for the record. with that we'll be adjourned. thank you very much.
8:57 pm
on the next "washington journal," your phone calls and reaction to the fox news republican debate. after that, thom file and philip bump discuss voter turnout and demgraph ics from presidential and congressional elections
8:58 pm
since the late 1970s. plus your facebook comments and tweets on "washington journal" live at 7:00 a.m. eastern on c-span. sunday night on q&a former emergency manager of detroit kevin orr talks about detroit's financial issues and his job overseeing the largest municipal bankruptcy in u.s. history. >> if detroit had taken that $1.5 billion in 2005 and 2006 when the stock market went down to 6700 and if it had just invested it in an index fund the stock market is now trading at 18,000. almost three times what it was. they not only would have tripled their money but could have paid the pensions in full. used to be a practice of giving pensioners a 13th check at the end of the year, including to
8:59 pm
the 12 they're do. they could have fixed themselves if there had been some sober management going on. if you have some strong leadership and some focused leadership you can resolve these problems but it takes a lot of effort. >> sunday night on c-span's q&a. at the brookings institution, military analysts and defense contractors discussed new technologies that have the potential to transform how wars are fought. much of their discussion focused on 3d printing technology and reforms to how the government procures defense contracts. this is an hour and a half. good morning, everyone. welcome to brookings. i'm michael o'hanlon with the foreign policy program here. we've got a wonderful event here
9:00 pm
today talking about defense technology. and i'm pleased to have a number of members of our national security industrial based working group, from a number of america's greatest companies, thinking about technology innovation across defense and nondefense sectors, and i'll introduce the panelists in just a moment. they represent companies that have been part of our group in an important way for a number of years. in some cases more recently than others, but a lot of expertise on several topics. i'm going to say a brief word of introduction about the panelists and the topic. let me do that first. what we're trying to do is look at a few specific areas of defense technology and innovation. a lot of you have heard of so-called 3d printing or additive manufacturing. we're also going to talk about propulsion technologies which in some ways are, you know, a longstanding interest of the u.


info Stream Only

Uploaded by TV Archive on