tv Politics and Public Policy Today CSPAN January 11, 2016 11:26am-1:27pm EST
live coverage later today on c-span 3 with a bipartisan task force to combat the heroin epidemic holding a hearing to look into how the drug is being abused in america. we have it live at 2:00 p.m. eastern. later former defense secretaries from the obama and clinton administrations on the state of u.s./china relations. that's live at 5:00 p.m. eastern here on c-span 3. >> members of the congress, i have the great pleasure, the high privilege and the great honor of presenting to you the president of the united states. [ applause ] >> i'm don ritchie, i'm a senate historian. the state of the union messages mandated by the constitution in
the words from time to time the president of the united states should give a message to congress on the state of the union and recommendations of programs that he thinks should be followed. george washington began that practice of giving a state of the union message to congress when the first congress met, but washington went in person to the congress, went to the senate chamber and delivered a speech that had a series of recommendations, relatively short speech, but in those days before there were standing committees of congress they actually used to cut the state of the union message up into paragraphs and created ad hoc committees to address each one of the issues that the president suggested. washington and adams, john adams, his vice president who became president, followed that practice and so they created this sort of idea that the time to time was an annual message. in fact, for years it was known as the annual message.
it didn't become known as the state of the union message really until the 1940s. in fact, in 1948 there was a hollywood movie called state of the union and that sort of really cemented the idea that the annual message was the state of the union message. president washington, adams went in person to congress, thomas jefferson, however, didn't enjoy public speaking, in fact, he gave only two public speeches while he was president, his first inaugural address and his second inaugural address. other than that jefferson liked to be known as a writer not as a speaker and jefferson also felt the idea of the president going to congress personally to deliver a list of things that he wanted to see done was too much like the british king, the monarch going to parliament and he thought this was not appropriate for a republican. so jefferson sent his message to congress. each year after that presidents would send their messages which would then be read by the clerks of the senate and the house,
rather than by the president. because the most members of congress could read it in the congressional record or in the newspapers, they didn't necessarily have to go and listen to a clerk reading the message. that became the tradition. and again, the constitution is not that specific about what it is, just time to time this message needs to be given on the state of the union. in 1913 we had a new president who had been trained as a political scientist, in fact, he had a ph.d. in history and political science and that was woodrow wilson and he had written his doctoral dissertation about congress and congressional government. one of the things he felt was that the american president needed to be more like the british prime minister. couldn't be separate from the legislative branch, had to be the chief legislator as well as the chief executive. wilson decided that he would go in person to deliver his messages. the first one he did was in april of 1913 and it was about the tariff.
it was not a state of the union message per se. just absolutely shocked members of congress, they didn't know what to do with this. the idea that the president was going to come up and speak to them. they finally decided, well, they would do it in the house chamber and invite the senators over, there was a lot of grumbling. if congress had been left on its own it probably would not have wanted the president to come up, but the president said he wanted to and his party said okay. so woodrow wilson then began the modern tradition of presidents each year going to give their state of the union message. he gave his first state of the union message in december of 1913 and he continued to do it in person until he was in paris negotiating the end of the first world war and he actually telegraphed his state of the union message back to congress in 1919. since then presidents have followed both patterns. the only president of the united states who has not given a state of the union message in person since then was herbert hoover who also was not a great public
speaker, didn't think much of the occasion and just sent his message up. almost every other president almost every year has felt that this is too good an opportunity to miss to not be able to go in person and the drama of the session to give a state of the union message. >> the president of the united states. [ applause ] >> this is the point when everybody in congress is sitting there listen to you, the senate and the house in the same room, the cabinet is there, the supreme court is there, diplomats are there, the galleries are packed with people. it is sort of a major moment that's coming together. the only other occasion like that is the inauguration. >> i propose that we begin a
massive attack on crippling and killing diseases. [ applause ] >> i should propose to this congress a $10 billion nationwide clean waters program to put modern municipal waste treatment plants in every place in america where they are needed to make our waters clean again and do it now. >> it does influence the legislative agenda for the year, whether or not congress chooses to follow the president's suggestions or ignores them or rewrites them, at least the president has given them an outline of what he wants to see. sometimes presidents never got a chance to give their inaugural addresses, william henry harrison and james garfield died before their first opportunity. they came into office in march, congress wasn't going to begin until december so in the 19th
century state of the union messages were almost always given in december. when the constitution was changed it moved the beginning of congress up to january and now they are usually in january and february. there have been some miscues in some of the state of the union messages. president cleveland sent a controversial message to deal with the tariff. the chief source of revenue in the country was the tariff and it was one of those things that divided parties and created great passions and unfortunately for cleveland his party was not united on this issue and, in fact, they lost the next election probably because of that division. a lot of people blamed his state of the union message. in both cases most state of the union messages are long laundry lists of things that the president wants to see done and they are not particularly controversial speeches nor are they particularly inspiring speeches. they are really wish lists the presidents are putting forward.
when anything is done in congress, of course, the galleries are open and as long as there are galleries and there have been galleries in the senate since 1795 and in the house since 1789, the public can come in, but of course, there aren't that many seats in the galleries and there's great demand. each member of congress gets a single ticket for a spouse or for a member of their staff or a favored constituent or somebody to sit in that gallery. the press gallery is absolutely packed, the diplomatic gallery is packed. usually the first lady is there with guests of the president. so there is not a lot of space for the public on those occasions, but over time the public has gotten to see this, hear this, read this through the media because newspapers covered it in general and in the 19th century you would have read the entire speech in most newspapers. in the 20th century beginning in
1923 calvin coolidge's state of the union message was broadcast on the radio. in 1936 franklin roosevelt suggested moving the state of the union from the middle of the day when it was traditionally given to the evening because it would get a much larger audience on radio. in the 1940s it was back to during the day, but television came along in 1947, harry truman's state of the union message was covered by television. in 1965 lyndon johnson said, well, let's move the tv show back into the evening so that more people can get to see the state of the union message. major networks are always covering it so it gets a considerable audience that way. and since the late '90s it's been streaming on the internet around the world. in recent years two parties have
become cheerleading squads for their presidents, but there are moments when clearly something that the president says inspires something more than just a partisan reaction, there is a bipartisan reaction and you can tell what the mood of the congress is to some degree, what the responses are. >> and all the world knows that no successful system builds a wall to keep its people in and freedom out. [ applause ] >> and of course immediately after the speech members of congress will rush out into statuary hall where there will be dozens of cameras set up for television stations around the country that they will be getting the personal reactions of the members, the immediate reactions. nowadays in the house chamber you can also twitter and tweet and some of those people will be responding instantly. >> mr. speaker, mr. president,
distinguished members of the house and senate, when we first met here seven years ago many of us for the first time, it was with the hope of beginning something new for america. we meet here tonight in this historic chamber to continue that work. if anyone expects just a proud recitation of the accomplishments of my administration i say let's leave that to history. we are not finished yet. [ applause ] >> the one thing that you cannot do that is very different than, say, most parliaments where heckling is considered fair sport, in the u.s. congress you are to be respectful of the president when he speaks and a few years ago one member of the house did interrupt the president and shout out and he was censured by the house
representatives for doing that. that is considered to be unbecoming conduct. >> the reforms -- the reforms i am proposing would not apply to those who are here illegally. >> you lie. >> not true. >> the authors of the constitution believed in transparency and they did require -- even though they wrote their constitution in secret they did require certain things to be open. not everything. for instance, they don't actually require congress to meet in open session. just from time to time to publish a journal of their proceedings. and the same thing is they don't ask the president to give an annual message but they ask him from time to time to deliver a message on the state of the union. i think they would be pleased to see that the president comes pretty much every year to do this. i think they would be astonished to realize that the congressional record is published every day after the proceedings. not only would the state of the union message be in there but the
words of every member of the house and senate on the floor on that particular day. that was something that they had certainly intended that this was a republic, a democratic republic, it was representative of the people and the people had a right to know what was going on. so in that sense even though they were not all that specific, they certainly set some goals that i think the government has met. >> i can report to you that the state of this old but youthful union is good. [ applause ] >> as president obama prepares for his state of the union address on tuesday he released this video on twitter. >> i'm working on my state of the union address. it's my last one. as i'm writing i keep thinking about the road that we've traveled together these past seven years. that's what makes america great, our capacity to change for the better. our ability to come together as one american family and pull
ourselves closer to the america we believe in. it's hard to see sometimes in the day to day noise of washington, but it is who we are and it is what i want to focus on in this state of the union address. >> and c-span's coverage starts at 8:00 p.m. eastern with senate historian betty koed and james harken looking back at the history and tradition of the president's annual message and what to expect in this year's address. then at 9:00 our live coverage of the president's speech followed by the republican response by south carolina governor nikki haley. plus your reaction by phone, facebook, tweets and e-mail as well as those from members of congress on c-span, c-span radio and c-span.org. we will reair our state of the union coverage and the republican response starting at 11:00 p.m. eastern, 8:00 p.m. pacific. also live on c-span 2 after the speech we will hear from members of congress in statuary hall
with their reaction to the president's address. next, private sector cybersecurity specialists make recommendations to two house subcommittees on how the u.s. can better protect its cyberinfrastructure since many attacks come from outside the country. friday's hearing was about two hours. the subcommittee on research and technology and oversight will come to order. without objection the chair is authorized to declare recesses of the subcommittees at any time. good morning. welcome to today's hearing entitled cybersecurity, what the federal government can learn from the private sector. in front of you are packets containing the written
testimony, biographies and truth in testimony disclosures for today's witnesses. i now recognize myself for five minutes for an opening statement. today's hearing continues this committee's commitment to find solutions for one of the great challenges of the 21st century, cyber security. this is the second hearing we have held on cyber security since the news over the summer that the office of personnel management was the target of two massive data breaches exposing the sensitive information of over 21.5 million americans, including many of my constituents. the opm breach highlighted the growing challenge of preventing and responding to cyber threats for both the public and private sectors. in 2014 and '15 cyber attacks on target, ebay, home depot and anthem health insurance were only a few of the many publicly disclosed breaches. the data breach of anthem alone exposed the social security numbers of 80 million americans. the time has come for every
manager and every employee in both government and private organizations to make cyber security a top priority in their daily work and for leaders to be held accountable for negligent failures to protect information. the american public and shareholders are demanding it. when criminal hackers gained access to some 40 million target customer credit cards the ceo and the cio were fired in the private sector. although the opm director resigned in the wake of the opm breaches i am still not satisfied that the responsible parties have been held accountable for the failure of the agency to address known security vulnerabilities. the most recent ig audit found opm has 23 systems that have not been subject to a thorough security controls assessment. opm does not have a complete inventory of servers, databases and network devices in their system. just this week i did meet with newly appointed senior cyber and
information technology adviser clifton triplett. i look forward to working with my colleagues and all federal agencies to ensure we are protecting the identities and information of our employees, applicants and their families. the cyber criminals, activists and state sponsored cyber terrorists are getting more creative and bolder in their attacks. the private sector has been at the forefront of dealing with these threats for some time as both the target of many of these attacks and the leaders in developing the technology and work force necessary to counter cyber threats. visa, which is in my district, is preparing to open a new cyber fusion center in my district just this week. this state of the art cyber facility brings together nearly 100 highly trained security professionals into one high tech campus and provides for collaboration both internally and with payments and with partners enabling information sharing, rapid response, et cetera.
i am privileged to have a number of companies who are very much on the forefront in this area in my district and we have a number of those witnesses here today. i look forward to hearing from our witnesses who are all innovative thinkers from the private sector. i hope we can take the lessons learned from you today and help apply them towards protecting our federal information systems and the sensitive and valuable information they contain. we clearly must work together and be able to be more agile and adaptive to the ongoing threats that we know with the multiplication of information in all of our systems which is going to exponentially increase over the coming years that we will always need to -- this will be a permanent employment area for all of you i'm sure. i now recognize the ranking member of the research and technology subcommittee, the gentleman from illinois, mr. lipinski, for his opening
statement. >> thank you, chairwoman comstock and chairman loudermilk for holding this hearing. i want to thank all the witnesses for being here today and i look forward to hearing your testimony. chairwoman comstock had mentioned in her opening statement the real need to make sure we do more in this area. we need to make sure that both in the public and private sector that people are held responsible for the hacks that do occur. we need to make sure that we have in place what we can do here that congress does what it can do to make sure that there is an incentive in both public and private sector to try to avoid these hacks, this loss of -- loss of information. so very interested to hear more from our witnesses on this. i'm certainly pleased that we're
holding our first hearing on cyber security which is certainly an increasingly urgent challenge for our national security and the personal security of every american. it's important that we continue to hear from experts and government and the private sector about the latest developments with respect to both the risks that confront security and cyberspace and the technologies and policies to combat those threats. our community plays an important role in both the technology side and the policy side. and this is an area in which members have successfully collaborated across the aisle. in december 2014 congress enacted the cyber security enhancement act, a bipartisan research, education and standards bill that i worked on with mr. mccaul over several years. over the last month congress enacted a cyber security law to promote information sharing, to strengthen coordination between the private and public sectors. as a committee and as congress we need to continue to confront
these serious cyber threats. unfortunately we continue to see an increase in major cyber attacks in both the public and private sectors. in the hearing we held here in july we heard from the significant breach at the office of personnel management. in which the personal information of millions of current and former federal employees and job applicants was compromised, including some of us here. highly sensitive security clearance files were also compromised making it not just a problem for all those individuals, but national security issue as well. we have laws in place to address the security, the federal information systems. the federal information security management act or fisma in subsequent amendments established the necessary policies and procedures for the development of standards and protocols. nist has an important role in this but it is clear federal agencies need to do a better job at implementing protocols and
congress needs to give them adequate resources to do so. the public sector is also under constant threat from cyber attacks. a recent study conducted found that there was a 19% increase in cyber crimes between 2014 and 2015. the study also found that cyber crimes caused significant economic damage. for 2015 cyber attacks resulted in a total average cost of $15 million. while threats continue to grow many in the private sector are increasingly taking steps to protect their information systems and the personal information of americans that they gather in a routine business. to reduce our risk and improve the security of cyberspace it will take the combined effort of the federal government, the private sector, our researchers and engineers and the general public. although cyber attacks are becoming more sophisticated often cyber attacks are successful because of human error, such as unknowingly opening a malicious e-mail or
allowing one's credentials to be compromised. part of our effort must be to educate the public. another part must be to better understand human behavior. i look forward to hearing from our witnesses today about best practices, those opportunities for public/private partnerships that could help address our shared cyber security challenges. i'm also interested in hearing to what extent private business and organizations voluntarily implement fisma and how you may be participating in or benefiting from the framework for critical infrastructure. thank you and i yield back the balance of my time. >> thank you, mr. lipinski. i recognize the chair of the oversight subcommittee, the gentleman from georgia, mr. loudermilk.
>> this discussion on our federal information systems, i would like to thank our witnesses for being here today and to help us understand industry's best practices when it comes to cyber security. i look forward to hearing about lessons learned and how to apply those lessons to our federal systems to help prevent future cyber attacks. it is clear that our federal systems are not adequately protected. in fact, just this past summer a witness from the government accountability office before this committee stated, it is incumbent upon federal agencies to implement the appropriate security controls to mitigate those risks at a cost effective and acceptable level. and we found out that these agencies have not consistently implemented agency wide programs to mitigate that risk effectively. when i asked that same witness to grade our federal cyber security, he gave it a "d." a rating of "d" is not an acceptable grade. this administration owes it to the american people to significantly improve its
deplorable standing in order to sufficiently protect government information and thereby our national security. this administration also needs to explain how it is protecting the american people's personal information. as i stated at the hearing this summer the breach of data from the office of personnel management is exactly why the oversight subcommittee i chair continues to look into the collection of americans' personal data through the website healthcare.gov. in fact, i am still waiting for complete answers from the administration to questions i posed in letters to the science and technology policy and the centers for medicare and medicaid services back in june. this administration has not sufficiently explained why it was ever necessary to indefinitely store americans' personal data they submitted when logging into the healthcare.gov website, particularly those who did not end up enrolling. one would think president obama would agree such a practice is unnecessary as he identified
cyber security as one of the most serious economic and national security challenges we face as a nation. but one that we as a government or country are not adequately prepared to counter. if cyber security is one of the most serious challenges this government faces, why on earth would the government ever consider storing all of this personal information indefinitely in data warehouses? as the chairman of the oversight subcommittee, i will continue to ask questions and demand answers until we are satisfied the federal departments and agencies are making decisions in the best interests of protecting the personal information of all americans. the safety and security of americans and this nation must be our number one priority. having continuously subpar security of our federal system is embarrassing and must be rectified immediately. the delays must stop. it's time to finally do something about federal cyber security. i look forward to the witnesses' testimony in today's hearing. i hope to learn more about the various industry best practices
and lessons learned in hopes that it will shed light on what the government could and should be doing to protect our citizens from constantly evolving cyber threats. madam chairman, i yield back the balance of my time. >> thank you, chairman loudermilk, and i now recognize the ranking member on oversight for his opening statement. >> thank you, chairwoman comstock and chairman loudermilk for holding this hearing. thank you witnesses for spending friday morning with us. as we keep learning after each new attack cyber security is obviously a critical and daunting challenge. today the data we create store access and often share online information about almost every aspect of our lives, our collective digital universe is composed of banking records, birth records, personal health files, tax filings, on and on. last week i was going on realage.com to see how long i was going to live and now the cyber security attackers are going to know my cholesterol, my weight, the name of my dog and the last year i had a cigarette.
i took an alzheimer's test last night online which results i hope don't show up in my next campaign. we electronically communicate with our kids' teachers about their academic achievements. i find that none of my kids will return my phone calls but they will text me right back. news flash -- none of this information is secure. immediate access to these digital connections provides tremendous advantages for businesses and consumers and our own family business was highly dependent on all the information we've gathered on our customers the next time congresswoman delbene needs an oil change on her subaru, for example. nefarious opportunities for cyber criminals, foreign governments intent on espionage and even more dangerous actors. protecting against known and emerging cyber threats is an ongoing enterprise that requires constant vigilance and continuous adoption. last year's opm attack was a huge concern for all the federal workers that live in our districts across the country and
procedural issues being addressed, but nobody is immune to cyber attacks, not in the government, not in the private sector. in 2015 there were 17 reported breaches against dot-gov addresses that resulted in access to 27.8 million records, the big one was opm. during the same time period the private sector experienced 184 breaches that resulted in exposure of 131.5 million records. a huge problem for both sides. and i believe sharing best practices to reduce i.t. vulnerabilities, educate federal workers is very important. i really look forward to today's hearing. i'm sure there are many lessons that we will learn from you today. i also look forward to the equal certainty that there's much that the private sector can learn from the government especially department of defense and our intelligence community.
so i look forward to today's discussion and thank you so much for being with us. madam chair, i yield back. >> thank you. and i now recognize the distinguished chairman of the full committee, mr. smith. >> thank you, madam chair. last year more than 178 million records of americans were exposed in cyber attacks. the breach of the office of personnel management alone compromised the personal information of more than 20 million people which included members and staff of this committee. the united states is a top target for foreign countries. cyber criminals and hacktivists exploit vulnerabilities in our cyber networks to obtain valuable information. the number of incidents reported by federal agencies has increased over 1,000% in the last eight years. in 2014 more than 67,000 cyber attacks were reported and many others, of course, were not. a number of federal agencies guard america's cyber security
interests. several are under the jurisdiction of the science committee. these include the national science foundation, the national institute of standards and technology, the department of homeland security science and technology directorate and the department of energy. all of these promote cyber security and set federal standards. however, it is clear that too many federal agencies like opm fail to meet the basic standards of information security. more must be done to ensure agencies make cyber security a top priority. last year audits revealed that 19 of 24 major federal agencies failed to meet the basic cyber security standards mandated by law, yet the administration has allowed deficient systems to stay online. what are the consequences when a federal agency fails to meet its basic duties to protect sensitive information? what does it say to federal
employees not to mention our adversaries when cabinet secretaries don't take cyber security seriously and fail to follow the most basic e-mail security practices involving our country's classified information? in the private sector those who neglect their duty to keep the information of their customers secure are usually fired. in the federal government, it seems the only people penalized are the innocent americans who have their personal information exposed. during the last congress the science committee approved cyber security enhancement act which was signed into law. this law improves america's cyber security abilities and strengthens strategic planning for federal cyber security research and development. it supports scholarships to improve the quality of our cyber security workforce. it also improves cyber security research development and public outreach organized by nist. the cyber security act of 2015
was signed into law. very importantly this bill encourages private companies to voluntarily share information about imminent cyber threats with each other as well as with the federal government. the science committee will continue to support research and development. i look forward to hearing from our witnesses today about what more we can do to support innovation and help set national standards and guidelines that will enhance our cyber security. i thank you again, madam chair, and yield back. >> thank you. at this time i would like to introduce our witnesses. john wood is chief executive officer and chairman of the
board for the telos corporation, a leading technology company that addresses cyber security, secure mobility issues for corporations and governments worldwide. mr. wood serves on the boards of the northern virginia technology council and the wolf trap foundation for the performing arts, home of the nationally acclaimed wolf trap institute for early learning through the arts and its early stem arts program. he is also the founding chairman of the loudoun county ceo cabinet and served for five years as chairman of loudoun county's economic development commission. prior to joining telos in 1992, mr. wood worked on wall street after completing computer science at georgetown university. he also is very active in stem education throughout loudoun county and our district in getting young people engaged and involving them personally i know both with your company and with our school system so we appreciate all you do in that area. dr. martin casado is a vmware
fellow and senior vice president and general manager for the networking and security business unit. dr. casado joined vmware in 2012 when the company acquired nicira, of which he was co-founder and chief technology officer. he has previously held a research position where he worked on network security in the information operations assurance center. he has been recognized as one of the industry's leading innovators and featured as one of business insider's 50 most powerful people in enterprise tech and forbes' next generation innovators. dr. casado received his master's and ph.d. from stanford. mr. ken schneider serves as vice president of technology strategy at symantec, where he focuses on driving overall technology strategy across the company. he was previously chief technology officer of the enterprise security and security endowed management groups. prior to joining symantec, mr. schneider served as cto and vp
of operations for brightmail, the leading anti-spam software company, which was acquired by symantec. mr. schneider founded south beach software, a consulting company that developed products for the professional video market. he received a master of science in mechanical engineering from the university of california, berkeley and a bachelor of science in engineering from swarthmore. mr. larry clinton is the president and chief executive officer of the internet security alliance, a multi-sector trade association focused on cyber leadership, policy advocacy and promoting sound security practices for corporations. mr. clinton is widely published on cyber security and is the principal author of the cyber risk handbook for corporate boards, published by the national association of corporate directors in 2014 and endorsed by the department of homeland security in 2015. the nacd also named mr. clinton as one of the 100 most
influential individuals in the field of corporate governance last year. mr. clinton is in demand internationally, having spoken in europe, asia, and latin america, and we are glad to have him here today. in order to allow time for your discussion, please limit your testimony to five minutes; your entire written statements, which i know are more extensive and have lots of good information, will be in our public record. and since we're on c-span today i would encourage the public to look at those full statements to get more information. with that, i will now recognize mr. wood for five minutes to present his testimony. >> thank you. i'd like to thank chairwoman comstock and the other chairs and ranking members for the invitation to share some thoughts on behalf of telos corporation on industry best practices for cyber security and risk management. as i noted in my written statement, we protect the world's most security conscious enterprises, providing our customers with solutions for
cyber security, secure mobility, and identity management. the first point i'd like to highlight is that all enterprises, public and private, need to emphasize cyber hygiene in their day-to-day operational practices and employee training. why do i make this first point? because the 2015 verizon data breach investigations report found that the overwhelming common denominator in security incidents is people. nearly all of the security incidents verizon cataloged might have been avoided if organizations had taken basic steps to help their employees follow simple cyber security precautions. here are five basic steps that organizations should take to help better protect themselves from attacks. first, establish and enforce cyber security policies and procedures. second, include effective password management practices.
third, require regular security awareness training. fourth, implement timely updates and patches to manage vulnerabilities and, fifth, use up-to-date end point security solutions. these five basic steps serve as the foundation for a strong cyber security program. every i.t. security professional knows them, and yet the importance of following through with them cannot be overstated. further, these practices must be embraced in the boardroom and by management so that a culture of cyber security is created throughout the organization from the top down. that being said, every organization with high value digital assets needs to assume it has already been breached or will be. this leads to my second point, and that is that incident response and remediation are just as important to organizations as cyber defense in depth strategies. telos has developed an incident response process with essential steps
like preparation, containment, eradication and recovery, which we use ourselves and implement for our customers. further, it isn't realistic to expect every organization to have the time or the financial and human resources needed to successfully defend everything. that's why risk management is so critical to effective cyber security. risk management involves identifying, evaluating and either accepting or mitigating uncertainty in decision making. private and public sector organizations need to make cost benefit choices about which systems to defend and how to defend them based on the likelihood of an asset being attacked, the value of the asset being attacked, the cost of defending the asset, and the cost of losing the asset. that approach is reflected in the continuous diagnostics and mitigation program established by congress, quote, to provide adequate risk-based and cost-effective cyber security
and more efficiently allocate cyber security resources, end quote. this continuous diagnostics and mitigation program, or cdm program, extends continuous monitoring into the areas of diagnostics and mitigation while acknowledging that risk management is called for when you have to meet nearly infinite needs with finite resources. that's also the value of initiatives like the nist risk management framework and cyber security framework. they put cyber security solutions and best practices in the context of risk management and compliance, which brings me to my third point: the standards in the nist cyber security framework are very good, but they cannot succeed unless companies follow them. we should be looking for ways that market forces can incentivize companies to voluntarily take the strongest possible actions to protect themselves, which includes following the nist standards and best practices. the critical sectors are just
that, critical. they're so important to our national defense, our economy, and our way of life that it's imperative the government and private sector encourage organizations in these sectors to use best security practices. one promising area is tied to the growth of the cyber insurance market. the commerce department has described cyber insurance as, quote, an effective market driven way of increasing cyber security, end quote. the increasing demand for cyber insurance may help drive private sector policyholders to adopt the cyber security framework. as insurance companies get their arms around the data, they want insights into what their clients are doing to protect themselves. are they applying ongoing protection for the systems and
data? are they using the framework or an equivalent standard? in fact, insurance companies may require their clients to adopt the framework in order to demonstrate insurability and reduce premiums. we could see greater pressure brought to bear. so market forces and the fear of legal liability may turn voluntary guidelines into standards, as organizations seek to demonstrate to insurers or in court that they've exercised all due care to protect their customers and their assets. one additional point: cyber security is just too important to do on the cheap. overreliance on lowest price technically acceptable contracts can be risky. our fifth war fighting domain, cyberspace, must be appropriately funded. u.s. cyber command has been funded at a level that represents a mere 1/1000th of the budget.
by contrast, just four banks, jpmorgan chase, bank of america, citibank and wells fargo, are spending three times that amount on cyber security. jpmorgan, after they got hacked, decided to double their i.t. security spend from $250 million a year to $500 million a year, more than all of cyber command. the financial sector is an example of the private sector taking their responsibilities very seriously and devoting resources to protect themselves. i'd be glad to answer any questions. thank you. >> thank you. now we'll hear from dr. casado. >> thank you, members of the committee, for the opportunity to testify today. i'm super thrilled to be here. i'm martin casado, general manager of networking and
security at vmware, the fourth largest software company in the world with revenues over $6 billion and over 18,000 employees. the nature of the opm security breach was not unique. hackers were able to gain access to opm and department of interior systems where they were free to access and steal sensitive data over a period of several months. hackers typically use this attack methodology because traditional perimeter centric security systems are structurally designed to be doors to the network. these doors allow authorized users access and prevent unauthorized users from entering a network or data center. however, perimeter security is a single point of entry that must be breached or circumvented to enter the network. once the intruder has passed the perimeter, there's no simple means to stop malicious activity from moving throughout the data center. in many cases the response from companies, agencies and network
security vendors is to add more security technology to the perimeter, which ignores the structural issue, creating an imaginary line. salient points for consideration. one, every recent agency breach has had one thing in common: the attacker, once inside the perimeter security, was able to move freely around the agency's network. two, perimeter centric cyber security policies, mandates and techniques are necessary but insufficient, and ineffective in protecting cyber assets alone. three, the cyber attacks will continue, but we can greatly increase our ability to mitigate and limit the damage and severity of the attacks when they do. so in today's legacy networks there are a lot of perimeter centric technologies designed to stop an attacker from getting inside a network. clearly this is not sufficient to combat today's cyber attacks. perimeter centric security solutions are analogous to a locked door that can only be accessed with a key. the primary function of the door is to deny initial unauthorized entry by anyone who does not have a key. however, once the door is forced open or breached, the unauthorized actor is free to move about unabated. in order to effectively prevent
an attacker from moving freely around the network, agencies must add zero trust or micro segmented network environments within the data center. a zero trust environment prevents unauthorized lateral movement by establishing automated governance rules that manage the movement of users and data between business systems or applications within the data center network. when a user breaks the rules, the potential threat incident is compartmentalized and staff can take remediation action without putting the entire network in jeopardy. compartmentalization is equivalent to limiting the intruder's ability to move around freely within the house. this significantly mitigates the magnitude of a perimeter security breach or break-in. these approaches are already the gold standard in commercial industry and need to be across the federal government. many government agencies conclude the most effective means is to build a new network environment or data center
called a greenfield environment with enhanced security protocols. agencies reach this conclusion because existing environments are seen to be unsalvageable. this is a legitimate strategy; however, it fails to address the persistent threat to existing cyber infrastructure. there are two main issues with this approach. first, existing networks or data centers continue to operate while the new environment is being provisioned, which leaves sensitive data vulnerable to continued attack. it can take months or years. as we've seen, this is what happened with the attack at opm. they were building a new enhanced network, but the attack happened on the existing system. second, without clear cyber security guidelines mandating new software based security strategies that go beyond perimeter centric security, the new environments are subject to attack as soon as they become operational. in an era of constrained resources and imminent threat this is insufficient and untimely. agencies have the ability to upgrade the posture of their existing infrastructure and add zero trust software rather than building new,
expensive greenfield solutions. by deploying these technologies within our existing networks and data centers, agencies can avoid billions of dollars in new greenfield infrastructure when the driver is strictly security related. thank you very much for the opportunity to testify today, and i look forward to answering the committee's questions. >> thank you. now we'll hear from mr. schneider. >> gentlewoman comstock, chairman loudermilk, ranking members lipinski and beyer, thank you for the opportunity to testify today. the focus of today's hearing is right on point. cyber -- >> i don't think your microphone is on. sorry. >> sorry about that. chairwoman comstock, chairman loudermilk, chairman smith, ranking members lipinski and beyer, thank you for the opportunity to testify today. the focus of today's hearing is right on point. cyber security is a shared responsibility, and the public and private sectors must work together closely to counter ever evolving threats. many of the recent headlines about cyber attacks have focused on data breaches both in
government and across the spectrum of industries, but cyber attacks do much more than that, and the incidents we see today range from basic confidence schemes to massive denial of service attacks to sophisticated and destructive intrusions into critical infrastructure systems. the attackers run the gamut and include highly criminal enterprises, disgruntled employees, activists and state sponsored groups. attack methods vary, and the only constant is that the techniques are always evolving and improving. spear phishing, or customized e-mails, is still one of the most common forms of attack. social media is also an increasingly popular attack vector, as people tend to trust links and postings that come from a friend's social media feed. we've seen the rapid growth of targeted web-based attacks known as watering hole attacks, and trojanized updates, where malware is cloaked in updates. for example, last year legitimate software developers were tricked into using compromised software to publish
their apps, which were then pushed into apple's app store and downloaded by unsuspecting consumers. further, the attacks continue to expand as both the private and public sectors move to the cloud, and the internet of things and new devices coming online will bring a new set of security challenges. ccs insight predicted the sale of 84 million wearables in 2015. each of those 84 million users is transmitting sensitive data into cloud platforms that must be secured. preventing these attacks requires layered security and an integrated approach. we refer to this as a unified security strategy. the national institute of standards and technology's framework for improving critical infrastructure cyber security reflects this approach, and its functions serve as an outline for discussing an approach to security.
first is identify. simply put, you can't protect what you can't see. the task goes beyond just identifying hardware and software and includes a risk based approach to make sure the most critical assets are identified and protected. next is protect, and it starts with people. an organization needs to ensure that its workforce practices good cyber hygiene and is alert for the latest scams and schemes, but, of course, technology is important, too. modern end point protection examines numerous characteristics of files for emerging threats that might otherwise be missed. it's critical to monitor the overall operation of a system to look for unusual, unexpected or anomalous activity. information protection is equally important. this requires a data loss prevention system that indexes, tracks, and controls the movement of data across an organization. the third function is detect. an organization needs to know what is going on inside of its systems as well as who is trying to access what and how they're trying to do so. this means monitoring analytics across a huge volume of machine and user data and using advanced behavioral analytics to know whether a series of anomalies is malicious activity. these systems are able to detect
threats that bypass other protections. fourth is respond. good planning is the foundation of an effective cyber security strategy. if and when an incident occurs, an organization must have a well-defined and practiced playbook to respond quickly and effectively. interviewing potential vendors and assigning roles and responsibilities is not a good use of time while an organization is hemorrhaging sensitive data. the last function is recover. this is twofold: getting the impacted systems back up and running and implementing the lessons learned. it requires preparation and planning. for example, poor preparation could leave an organization with incomplete or corrupted backups. but perhaps the most important part of fixing identified flaws in both systems and processes is to learn from the incident. cooperation is key to improving cyber security. we participate in public/private partnerships to combat cyber crime, including the national cyber-forensics and training alliance, the fbi, nato and ameripol,
taking down criminal networks, including high-profile ones such as financial fraud botnets. the only path to improving security for the nation is through partnership and shared expertise, and the government can learn from the private sector's experience incorporating cutting edge security tools into their security programs. we appreciate the committee's interest in learning from symantec and i'll be happy to take any questions during the day. thank you. >> thank you. and now we'll hear from mr. clinton. >> thank you, madam chair and members of the committee. it's an honor to be here. i appreciate the opportunity. i'd like to focus on five areas where the federal government can learn from the private sector. first, the government needs to invest much more in cyber security. spending on cyber security has nearly doubled in the last several years to $120 billion annually. the federal nondefense spending
on cyber security this year will be between $6 billion and $7 billion. private sector spending will increase 24% next year. federal government spending is increasing about 11%. i know of two banks with a combined cyber security budget of $1.25 billion for next year. dhs' entire budget for cyber security next year is about $900 million, 75% of what two banks are spending by themselves. cyber crime costs our nation a half trillion dollars a year, yet we are successfully prosecuting maybe 1% of cyber criminals. we need to spend more on cyber security. two, government needs to act with greater urgency. it took congress two years to -- sorry, it took congress six years to pass an information sharing bill. in 2009 major trade associations presented congress and the administration with detailed recommendations on cyber security. in 2011 the house gop task force report on cyber security embraced the recommendations, as
did president obama's executive order. four years after the task force report we still have not seen any substantial work on the top recommendation in that report or the executive order. for example, the gop task force report and the executive order and the national protection plan all call for the creation of a menu of incentives to promote the adoption of cyber security, yet aside from the information sharing bill, the president has not proposed, and congress has not introduced, a single incentive strategy bill. last month gao reported that 12 of 15 sectors -- sector specific agencies had not identified incentives to promote cyber security even though that's called for in the national protection plan. the president's executive order called for the framework to be both cost effective and prioritized. three years later there has been no objective measurement of the framework's effect on
improving security, adoption, or its cost effectiveness. three, the government needs to escalate -- to educate the top leadership as the private sector is doing. in 2014 isa and aig created a handbook on cyber security for corporate boards which was published by the national association of corporate directors and is the heart of the training program that they are launching. pricewaterhousecoopers recently validated the success of this approach, saying boards appear to be listening to the nacd guidance. this year we saw a double digit increase in board participation in cyber security, leading to a 24% boost in security spending. other notable outcomes include the identification of key risks, fostering an organizational culture of security, and better alignment with overall risk management and business goals. we believe, madam chair, the government needs a similar program to educate the government equivalents of corporate boards: members of congress, members of the cabinet, agency secretaries. most senior government officials are not sophisticated in their understanding of cyber security. if they are educated as we're educating the private sector, we think we could have more effective policy. four, the government needs to
reorganize for the digital age. over the past several years the private sector has moved away from the i.t. department as the central focus of cyber security toward a more enterprise wide risk management approach. unfortunately the federal government is still caught up in legacy structures and turf wars that are impeding our efforts. a bank of america/merrill lynch study found that in 2015 the u.s. government is still in the process of determining who will have jurisdiction in cyberspace; departments, agencies and commands are all battling for jurisdiction and funding. the result is a fragmented system and muddled political agendas that are hindering a secure system. and, finally, five, government needs to become more sophisticated in managing their own cyber security programs. a 2015 study compiled -- compared federal civilian agencies with the private sector and found that the federal agencies ranked dead last in terms of understanding cyber security and fixing software problems, and failed to comply with industry standards 75% of the time. the reason the government does so badly, according to gao, is
they simply evaluate by a predetermined check list. the private sector, on the other hand, uses a risk management approach wherein we anticipate what the future attacks will be based on risk posture and make a forward looking attempt to adopt standards and practices. we believe that the government needs to follow the private sector's lead. they need to become more educated, more sophisticated and innovative and act with greater urgency and commitment with respect to cyber security. i appreciate the opportunity to speak to you today. thank you. >> i thank the witnesses for their testimony, and we now will move to questioning, and we have five-minute question rounds. i will recognize myself for the first five minutes. thank you all so much for your expertise and your passion about this important issue. i remember back in 2014 i was able to sit down with mr. wood and we spent a pretty long
afternoon identifying a lot of the problems. i'm sorry to say everything you said came true and that all the problems you identified were dead on. i appreciate that you're here to help us address that. i was just out at the consumer technology conference earlier this week, and so we're seeing a lot of the new things that are in practice, and certainly the concept of innovate or die is very much a reality here. so i was wondering if -- because i think you've all addressed it a little bit, but how do existing government contracting provisions impact the ability of the public sector to be agile and to be able to do what you do in the private sector, and how can we -- i know this is a little bit out of our jurisdiction in terms of
government contracting, but sort of identifying the problem and how we can address it. we have the standards. we have the practices. we need to be more risk management based instead of just a check list. how can we get those types of policies in the government that are as agile as what you're dealing with in the private sector? >> one suggestion i would have is that i think it would be very helpful for the government to move more towards a best value approach to government contracting versus a lowest price technically acceptable approach. the same individuals that we put on assignment with the government often will receive a much higher rate for those individuals working commercially because commercial companies tend to value the kind of capabilities that our security professionals have. when i say much higher, it's often 300% higher.
that's a really big issue that the government needs to at least address. otherwise you tend to get what you pay for. >> yes, mr. clinton. >> i agree with mr. wood. i think this speaks to part of the education issue that i was speaking to. we need to have a better understanding of the breadth of cyber security. what you're talking about is not an i.t. problem. it's an economic problem. that's what cyber security is. it's not an i.t. problem. it's an economic problem. and we need to find a way to move away from lowest cost items, particularly in the federal space. we have examples where federal agencies are buying equipment off ebay from nonsecure suppliers because it's lower in cost. while we appreciate the tension and the need for economy in these times, we have to understand that there is a direct trade off between economy
and security. we have to come to grips with it and we haven't. we had the same problem a few years ago. we might be able to have a better appreciation between cyber security and the technology of cyber security. the real problem that you're speaking to in my opinion mostly comes in the smaller business elements of cyber security. if you're going to deal with the major defense contractors, frankly, you compensate them per -- perfectly well and they have pretty good cyber security. but they are required essentially to farm out a lot of the procurement to smaller firms across the country and districts, and those smaller firms do not have the economies of scale to meet the cyber security standards that the primes have. we have to find a way to provide incentives for those smaller companies to come up to grade
because it's not economic from their business point of view in order to do that. we think that there are a number of suggestions we have made, and i referred in my oral statement to a paper that could talk about how to better incentivize the smaller companies so we can get them up closer to where the majors are, and if we can do that, we can achieve our goal, which is a cyber secure system as opposed to cyber secure entities. >> mr. schneider? >> i think another thing, and this isn't directly a contract issue, is to use the tools that they have already purchased. one thing we see a lot in the private sector and the public sector is the acquisition of technologies that then aren't even configured properly and used properly. a lot of the investment that happens both within private organizations as well as the public organizations is to take the technology purchases and make sure that you have the right human capital and the best practices to deploy those properly.
the most cost effective thing you can do is use the money spent more wisely. that's one key we see as well. >> thank you. >> just quickly, on a positive note, i'm kind of a personal success story. when i graduated with my ph.d. i was thinking of being a professor. instead i worked with the intelligence community, who decided to fund a startup that we were doing, and they were great to work with early on. kind of to the congressman's point, there's a lot we can learn from the government. that turned into one of the largest tech sector acquisitions ever and a huge security initiative. so i think more working with the startup ecosystem, funding that, and allowing us access to the way that you think about security and technology will hugely help innovation. >> thank you. i want to particularly note mr.
wood, you called it the fifth war fighting command. the numbers and the comparison with the public sector and what we're spending and the quality, that's a very helpful contrast in understanding. this is part of our defense system, and certainly as we see social media being used in the terrorism area and all of those, i appreciate you putting a real emphasis on that. thank you. i will now recognize mr. lipinski. >> thank you. so many things to talk about. i just got set off in another direction, so first i'll say it's good to see a stanford and a berkeley guy be able to sit next to each other. i'm a stanford guy. you had just mentioned there should be more done by the government to engage silicon
valley entrepreneurs. what more could the federal government be doing right now in this area? >> i'm actually very positive about the actions the government has taken over the last few years. i've worked directly with government agencies, and i think continuing to fund efforts that engage with startups, understanding that those are risky propositions with a high level of risk, i think is very beneficial. again, all of the work that i have done in the last eight years has been based on my experience personally and then funding from the government, and it's turned into a major initiative. i would encourage you to continue the work you're doing. >> anything not being done now that should be being done? >> i think -- i think the problem is you're great at funding on the early stage, and when things get big
-- bigger, it's harder to engage with the government because you get into procurement processes that are owned by a number of people. so normally what happens is you do a great job incubating and then we find out that we can't sell to the government because it's too hard and too sticky. so not only providing the initial funding but giving them inroads to being an actual vendor to the government and helping that out. originally we tried to engage the government and it wasn't until eight years later that we could do it in a viable way. now we're doing it in a way that we're excited about. hand holding would have been helpful. >> anyone else on this subject before we move on? >> we're seeing more engagement. dhs has been active over the last couple of years. there's a new dod project where they have now established a field office in silicon valley
trying to invest in startups to bring some of their technology needs to the valley. i think we're seeing a lot more engagement over the last year. >> anyone else? mr. wood? >> thank you, sir. i'm honored to sit on the commonwealth of virginia's cyber security commission as well. one of the things i have been encouraging the commonwealth to do is encourage closer relationships between the university ecosystem and the business ecosystem and to really promote research. i think that will propel the startup activity that the gentlemen to my left are both talking about, whether it's in silicon valley or research triangle. we need far more research than we currently have. the reason is because, as i talked about earlier with the dollars being spent in the federal government and on the commercial side, it's very simple: we have a scarcity of resources in terms of professionals.
so we need more tools to be able to deal with the complex environment that's going on out there. the tools are the way forward in order to help deal with that scarcity of resources. there are other things we can do as well. but i think that research would really help us a lot from a cyber security perspective, really as a nation. >> very quickly, and continuing with mr. wood, i want to thank you for your work in education and thank you for bringing up how important it is that human behavior is critical in preventing so much of this. i think you said nearly all of these attacks would have been avoided with better behavior, and that brings up the importance of understanding human behavior and funding social science research into things like this.
but the last thing i wanted to ask you is you talked about insurance. i'm very interested in how do we incentivize the private sector. is this something that should be required or do you think this will develop over time? do you see a need for the government to require insurance against these types of attacks? >> sir, i personally don't think there's a need for the government to require it because the lawyers will, at the end of the day, help corporations and other organizations understand the legal liability associated with not taking the appropriate actions. >> have companies really suffered that much who have been -- who have had these data breaches? >> i think they are beginning to. i'm seeing more and more board room kind of calls being made to our company than ever before.
i think the very public retail breaches that have occurred are now heading into not just the ceo's office but right into the board rooms. i also believe the critical infrastructure industries that are already regulated feel the pressure associated with doing something. that's why i think that the insurance companies are doing what they are in terms of really trying to promote cyber insurance. their feeling is if the corporations can provide evidence that they are doing what's appropriate from a risk management point of view, that will result in two things. one is lower premiums to the corporation who is looking to get the insurance, and secondly, better legal defense to the extent that they are sued. >> thank you. i yield back. >> mr. clinton. >> if i could very quickly,
first of all, we're big fans of insurance so we have been promoting cyber insurance for over a decade but i don't think that a requirement is appropriate. >> if you have been promoting it for over a decade, it doesn't seem like it's that widespread. >> no, that's because of systemic problems in the insurance market. lack of data and in particular the enormous risk that the insurance companies realize that if they insure and there's a major capacity there. they are on the line for everything. we faced the same in terms of insurance in the last century with crop insurance and flood insurance. there are ways we can work with the federal government in order to address that problem. i'd be happy to go into those in some detail, but i wanted to get to the requirement piece. one of the things the federal government could do is require insurance, cyber insurance in your information systems in the same way that you require physical insurance when you build buildings. i think if the government did
that, it would be a market leader in that regard. the other thing i want to point out, and this bears more conversation because i think this is a widespread misnomer. the reality when you look at the data of the economic impacts of the high profile breaches is not what you think. if you go back and look six months after the sony attack, their stock price was up. if you look at most of the high profile breaches, you find there's an initial reduction and then there's a bounceback. i can explain why that is because the smart guys on wall street say, oh, nice distribution system, i like the price point of their products and the price is down, buy opportunity. so the natural things we assume are going to happen really are not happening when we look at the data. but mr. wood is right about the fact that corporate boards are spending much more attention on this. but i think that has to do with the threat to their intellectual property, which is being
vacuumed out and is a tremendous economic risk. >> so they are not concerned about the consumers and people using their business. they are concerned about their own -- that's a suggestion there. >> we're going to have to move on. >> i will get back to that. >> and please do so. i'd appreciate submitting some more information on the insurance area. i think that would be very interesting. i now recognize mr. loudermilk. >> after spending 30 years in the i.t. industry myself, i can equate to a lot of what you're saying. especially the cyber insurance. big supporter of cyber insurance because of the standards that the insurance companies put upon these businesses. and i sold my business a year ago. was greatly relieved when i sold the business.
while cyber security was on my mind 24/7, it was not on the minds of my customers. mr. clinton mentioned ebay. we had many instances where we had a secure network in place and we engineered it and put the products in. some of the products that you represent from spam filters, firewalls, content managers. then we would find out that they would go and buy parts for these off of ebay that would come from somewhere overseas and we don't know the firmware that's on it and i understand that what's on their mind, especially dealing with small businesses, is bottom line. lawyers are being lawyers, they are doing what they are doing. we're supposed to take care of them. but when we go forward and say this is what we need to upgrade and say we don't want to do that right now, do we have to do it. your network will still function but you're very -- at a high
amount of risk. that usually doesn't change their mindset. so having those standards is important. another thing brought up is risk based management. we used to emphasize to our employees, there's two types of computer users. those that have been hacked and those that don't know they have been hacked. i think that's -- another part of risk management is we emphasize to our customers don't keep what you don't need. if you don't need the data, you don't have it, you don't have to secure it. that really brings to an issue that i have great concern about here in the federal government and that's with the midas system, which is storing information on americans who access the health care website. not just those who got their health insurance, but those who even shopped it. it's storing personal identifiable information of
americans without their knowledge in a data warehouse. mr. wood, considering what's happened to the federal government, the recent data breaches, does it concern you that the federal government will be holding information -- citizens without their knowledge, even for those who did not get their health care coverage through this system. am i justified in my concern over the risk of storing this data, especially data that is not needed? >> so you're raising both a privacy perspective as well as a cyber security issue. at the risk of being a monday
morning quarterback which is what i would be doing if i were to reflect on the opm situation, the unfortunate situation because like all of you, i also received my letter that gave me the good news. i think that in retrospect had opm been using two factor authentication, had they been using encryption at rest, had they had log files, we would have had a lot -- a much different situation than perhaps we ended up having with opm. so as it relates to the healthcare.gov situation, i don't know how they are storing the data to be able to reflect to you about what is appropriate, but i think generally speaking most people are a little nervous because those of us in the know worry that there just isn't enough resources being applied from a financial perspective to the i.t. security issue. it's not just at the federal level, it's at the state level too. commercial corporations, on the other hand, i see around the world are taking the appropriate steps.
i gave the example early on in my testimony about jpmorgan chase. when they were hacked, they were spending at that time about $250 million. after their customer information -- after the customer pii got out, they went to the board. the board determined that they had to increase substantially what they spend. to do a couple of things. one was to actually buttress what they were doing, but the other thing it was to do was to raise the confidence of their customers. so at the end of the day, i would argue that while their shareholder price has gone up over time, they care about customer data. >> i would like to ask mr. clinton to respond to the same question, but also mr. wood, part of mitigating your risk is not keeping data that you don't need. would you agree that that is a good practice? if you don't need data to not store it. >> yes, sir. >> mr. clinton?
>> that's absolutely right, sir, thank you. >> and now i'll recognize mr. myer. >> i was fascinated by your testimony, especially, once the intruders pass the perimeter security, there's no simple means to stop malicious activity from propagating throughout the data center. this whole notion of unauthorized lateral movement and your call for zero trust microsegmented network environments. interior rooms with locks. is this recognition built into this cyber security framework? >> moving from just the perimeter to the internal stuff? >> we're actually working with nist now, but i think making it part of a standard would be greatly beneficial. >> it sounds like an essential part of the cyber security framework president bush.
>> this is becoming a best practice. part of a standard would be very beneficial. >> mr. snider, you said we're well past the days when a password will be much more than a speed bump for sophisticated attacker. and authentication combining something you know with something you don't know like a text message is essential for any system to be secure. is this part of the cyber security framework that was developed? >> i think it's similar in that it's a best practice that's not codified into the framework, but the ability to protect your information is becoming a best practice. the example i would give there should not be passwords as a core element of how we access information because it's so hackable. we really feel like a future with rich multifactor levels is
the right approach. you can imagine yourself. you can go back to your office and sit down to check your e-mail. if you're using a mobile device, there's already two or three that tracks your location, there's already two or three factors of authentication that say i'm supposed to be in my office, i'm in my office, i'm accessing e-mail. my device says i'm there. you may then ask for a pin or additional level of authentication, but it's having those kind of authentication we see in the future and not static passwords that have been such a broken part of security today. >> so both of these revolutions, to cvf which leads me to mr. wood. you wrote very eloquently on page 4 of your testimony that most businesses would prefer the government impose the fewest possible requirements on them. we hear that every day in the house. how many breaches will it take before it's recognized that allowing the private sector to choose the path of least resistance creates an opportunity that might put our
citizens' personal information at risk, put our critical infrastructure at risk and our national economy at risk. in this standard the cfs is purely voluntary. when do businesses come together to recognize this really needs to be the mandated standard across the country? >> so earlier we were talking about insurance. and the insurance industry and why hasn't it adopted more cyber insurance more quickly. the simple reason is because there was no standard, there was no agreed upon standard until not that long ago. and, so, i think that ultimately that i look at the ncs cyber security framework as a baseline. what these gentlemen are talking about are, in fact, good points and they are additive to the baseline. if we can get to an agreement about what the baseline is and all adhere to a baseline, we know the other person i'm dealing with is going to be able
to evidence for me i can do business with them because they are taking the appropriate steps. >> it just seems to me, thank you very much, that we look at so many things that affect us and we have mandated it. regulations have to be cost effective. we did air bags in cars and seat belts and health care. with the fda. this may be if this really is a national security into our personal security that we think about mandatory standards, rather than voluntary. relying on the threat of a lawsuit and insurance. mr. clinton. >> with respect, sir, i would push back in the opposite direction. in my testimony i pointed to the fact that the federal government which basically does operate in the model which you're talking about with standards that they must comply with, et cetera, and when we evaluate them independently, versus the private sector, the federal government comes out dead last. the reason is that this is not air bags. this is not consumer product safety where there's some magic standard that we come up to the
standard and we are set. the problem is not that the technology is below standard. the problem is that the technology is under attack. that's a very, very different problem. we need to be forward looking. if we talked about mandating standards a couple years ago, we would be talking about mandating firewalls and things like that that we now see as obsolete and all of our companies would be spending a lot of money complying with these outdated standards. so we need a different model. the digital age is much more forward looking. that's why the obama administration and the house republican task force and the private sector all agree that what we need is a forward looking incentive-based model and we need to get industries to understand that it is in their best interest to be continually advancing security. they can't be looking backward. they have to be looking forward. we can do this, by the way, but it is a completely different
mind-set. and i think we need to understand that in a digital age, the old model isn't going to work for this model problem. it includes nation states attacking private companies. there's no minimum standard that's going to protect them. we need a different model. we think we can develop that, but it's going to be different. >> i recognize chairman smith. >> thank you, madame chair. mr. wood, let me direct a couple questions to you. but let me describe this scenario first and ask you to comment on this particular situation. let's say a senior government official in an executive branch department approached your company to set up a private e-mail account and server for conducting both official and personal business. these e-mails could include sensitive or classified information about national security. in addition, all e-mails would be stored on a server located in their private residence. cyberattacks and attempted
intrusions would be obvious threats, among other security risks. material being transmitted could be a matter of national security. so two questions. could this scenario unnecessarily expose classified information to being hacked? >> yes. >> do you want to elaborate? or that's pretty clear. second question is this, how would your company respond to such a request? >> we wouldn't do it. >> you're exposing classified -- >> any other witness want to comment on the scenario? >> for the simple reason you're exposing classified data in the open. at the end of the day that would not be prudent and would also be illegal. >> and why illegal? >> because the government requirement is that all official information be used through official means. meaning through government networks. >> okay. thank you, mr. wood. i don't have any other
questions. i yield back, madam chair. >> thank you, and i recognize mr. tomko. >> thank you, madame chair. >> all of this hearing isn't focused on research. i know mr. wood had addressed research as a component for growth in this region, in this area. as you know, the government plays an important role in supporting cutting edge research on all aspects of cyber security. through agencies such as the national science foundation, national institute of standards and technology and the department of homeland security we fund everything from basic research to test beds for emerging technologies. and all of these federal investments in cyber security are indeed coordinated and you the longstanding networking and information technology programs. so while mr. wood did raise the issue of research, are there
recommendations that you mr. wood or any other individuals that are testifying, any recommendations about federal agencies how to set research priorities and what major research gaps may exist out there, so we can better partner in a more effective manner with research opportunity. mr. wood? >> sir, thank you for your question. i agree. i think the national labs are doing tremendous work around all kinds of initiatives that regrettably many don't see the light of day, ultimately. i think more can be done to, "a," make industry aware of what the national labs are up to. and then "b," provide a mechanism for industry to license some of those very critical research and development initiatives that really may have one specific customer. but ultimately could have an entire industry that it could
help search. that would do a couple things. it would provide an income stream back to the labs and the government and the other thing it would do is provide more innovation, without having to spend a whole lot more dollars. thank you, sir. >> thank you. anyone else? mr. snyder? >> one area that we're very invested in right now is on helping the people part of the equation. technology will continue to be an important element of any security approach and automation underneath. but clearly it's the people on top that we have to make sure are adequately trained. one of the areas we've been highly invested in last couple years is simulation platforms, to help us all understand what cyberbreaches look like, what cyberincidents look like and be able to respond to those. so many companies send out fake phishing e-mails to their employees and see whether they respond to it or not and they report it to their security
organizations. that's one simple example. there's also simulation platforms that talk real world breaches and allow people to interact with those. so that's an area that's been, i think, on the dod side, things like cyberrange initiatives, very mature for a number of years. this is really now coming into the private sector and civil agencies in a situation that they've invested in and there's a lot of potential for cooperation with some of the labs. >> thank you. mr. clinton? >> mr. tonko, perhaps a slightly different level of abstraction. we would strongly support the notion of the government doing some research on the cost effectiveness of the ns framework. we are big fans of the framework. we like to think it was our idea. we published material on this a number of years ago. the executive order says that it's supposed to be prioritized and cost effective and voluntary. we believe that if properly tested we would be able to determine various elements of the framework. the framework is enormous and applies in different ways to companies and sectors.
but i think if we did cost effectiveness studies, they could demonstrate what elements of that department are most effective to varying sizes and sectors of the industry. once you can demonstrate that the framework is cost effective, you don't need mandates. companies will do what is cost effective. when you go to a board room, you can't just say it's a good idea. and congress passed it. they're going to say, where are the numbers? you know, show me that it's cost effective. if we did that kind of research which is pretty easy, we can get a lot of bang for the buck in terms of doing what we all want, which is for industry to adopt these things on a forward-looking, voluntary basis. >> thank you. doctor, please. >> i think in the last 15 years i've had a lot of experience getting research grants from the federal government. i was a research scientist in the national lab. you guys just paid for my grant as a dhs fellow, paid for my
program, was a fellow, started my company. i have done a number of research grants. the biggest difference in my experience between funds is the number of constraints that are on them. more flexibility in applying funds to our direct research agenda led to better research. so i think the more agenda that goes prior to the funding, the harder it is for us to fit it within our broader research agenda. so i do think that it's great to fund certain areas. i don't think it's so great to overconstrain the problems that are being looked at. >> thank you very much. with that, i yield back, madam chair. >> thank you. and i now recognize mr. lahood. >> thank you, chairwoman comstock, and thank the witnesses for being here today and for your testimony. question, when we talk about cyber security and these breaches, whether in the private sector or in the government, and whether we describe them as hackers or something more sophisticated, every time is this done, either in the private
sector, or to a government agency or entity, would you describe that as criminal behavior? is that a violation of a state or federal statute in some respect? >> i think one of the challenges of cyber security is it's a global phenomenon. many attackers are not in the united states and the assets that they are protecting may be. so i think the legal considerations can be pretty complicated. the other thing is as more and more infrastructure moves to cloud platforms which are also deployed globally, even where those assets are becomes more of a challenge. so i think in general the answer is yes, but there's a lot of complexity to the global nature of cyber security. >> and i guess as a follow-up to that, you know, if we look at traditionally, when there's criminal behavior that is engaged in, eventually, there's somebody held accountable or responsible. there's a prosecution, there's a legal process that happens.
it seems as if i guess the question to you is are you aware of a successful prosecution where somebody is held accountable where there's a deterrent effect. seems like there's no penalty, there's no pain, there's no consequences to anybody that engages in this activity. yeah. mr. clinton? >> congressman, i think you put your finger on what i would think is one of the number one problems in this space. i would answer that it absolutely should be criminal, in many instances is criminal. but as mr. schneider points out, it's not in certain places. so we need to be doing two things. we need to be dramatically increasing our law enforcement capability. as i said in my testimony, we're successfully prosecuting maybe 1% of cyber criminals. there's no deterrent on the criminal side or a viable deterrent. so we need to be dramatically helping our law enforcement guys who are doing a great job, but they are underresourced
dramatically. then we also need to be working aggressively with our international community to create an appropriate legal structure in the digital age. we don't have it. we're operating in an analog world with cyber attacks and it simply is unsustainable. we need to be doing both of those things. >> i guess, is there anybody that's leading the way out there, mr. clinton? either internationally or here domestically? where are we at with that process? >> we are not doing nearly enough. there are people who will give a speech here and there. i'm not going to point fingers at law enforcement. i think they are doing everything they can. they are underresourced. we need leadership from the congress to demonstrate that this is a priority and we are going to fund it much more aggressively. >> thank you. mr. wood? >> thank you for your question, sir. the issue is that on a law enforcement perspective, first
of all, as mr. clinton pointed out, it requires global cooperation, but then the standards of prosecution also have to be the same. so, in other words, a standard of prosecution here at the federal level might actually be different than at the commonwealth level which actually might be different than in paris. there needs to be some agreement as to what the standards are for prosecution as well. >> why are we waiting around for that? it seems this is ongoing. there should be some standards set to do that and it doesn't sound like there's a framework in place to even address that. >> we did an analysis in the commonwealth on just that point. it was a really great analysis, which i would be more than happy to provide to you from the commonwealth of virginia. i don't know why. all i can say is that the standards, even within the states are different for prosecution. >> and can you point to me in the commonwealth of virginia where there's been a successful prosecution or that deterrence has been put in place in virginia? >> we just changed the laws within the last six months. i'd have to refer to my colleagues in law enforcement to
let you know. >> thank you, i yield back. >> actually one further point if i can. >> go ahead. >> there are a number of great examples where there's been cooperation between the private sector and law enforcement to do takedowns. i can give you a number of them. game over zeus was a recent one. zeus has been a financial one. that's been around successful for a number of years. the next version of that came online. this was a botnet that was propagating things like an encryptor. maybe you heard about where it takes people's machines and encrypts the information. so there's some successful examples, but to your point, a much more consistent global approach is needed. >> in your case, was there actual individuals held accountable there in prison right now? >> there's particular individual
in eastern europe that's been prosecuted and acquitted. >> are they in the united states in prison? >> no, it's in europe. >> thank you. >> thank you. >> thank you very much, madame chair. thank you for holding this hearing. it's such an important issue. certainly one where there's a lot of room for bipartisan cooperation. i think mr. clinton identified the challenge of setting policy in this area because the technology always changes so much faster than policy changes. so that being said, i look forward to working with all my colleagues and continuing to raise awareness after this important issue. and also come up with policy that not only addresses the issue but prevents it. i was recently out in oregon visiting id experts that specializes in health care data breaches. this is not just a federal issue, as some colleagues might have suggested. you look at the anthem blue cross. we're talking about millions of people here.
and most people think when they think about identity theft think about the financial consequences, but with medical identity, if someone gets a procedure or prescription or something and that's entered into the individual's electronic health records, there are health risks involved in that as well as financial risks. and it's no surprise that the majority of people don't carefully review their benefits statements just like a lot of people don't carefully review their financial statements or credit card statements that might alert them to something. i want to follow up on something mr. lupinski started, the conversation about the psychological aspects. in your testimony, you say this put a picture in my mind like the lion in the wild who stalks a watering hole for prey. cyber criminals lie in wait on legitimate websites that they previously compromised and used to infect visitors. most of these attacks rely on
social engineering, simply put, trying to trick people into doing something that they would never do if fully cognizant of their actions. for this reason, we often say the most successful attacks are psychology as they are technology. i'm going to have this vision of a lion waiting and maybe that will help stop me from clicking on things i shouldn't click on. but, mr. schneider, could you talk more about do we need to fund more behavioral or social service research? do we need to do a better job educating people about those risks and how to identify them? how do we -- are we adequately addressing the psychological aspect? when we talk about the risk, you brought this issue up as well that we have to do more to prevent that. so could you address that, please? >> yeah, i think, ultimately, social engineering is always going to be part of the security equation, because we as human
beings are fallible. systems have to be put in place to do a better job of helping to secure our own information as well as our company or agent's information. and, i mean, i think some of the examples i would give you, though, are in that training area that we've talked about, helping all of us to think more about security. be more thoughtful about security. but secondarily, it's kind of the security architecture underneath that makes it much harder for attackers to get the information that we care the most about. so all the world's information is not created equal. medical health records are much more important to us, financial records are much more important to us than the lunch menu we're going to look at today. it's taken a much more, i think, granular approach to information protection, identifying the sensitive information we care the most about and putting more security around those kinds of assets than the generic assets that are out there. >> doctor, what's your thought on that? >> yeah, so, i'm 39 years old,
when i was 37, i got an e-mail from my sister on my birthday. it was like, dear brother, i'm so happy you're my brother and there's a picture of us when we were kids. it was really sweet. it was nice to sigh last week there was a picture of us more recently and happy birthday. there's a little link. the first thing i thought is this is so sweet. my sister has never remembered my birthday before. i thought my sister has never remembered my birthday before. so i looked through the mail headers and it had come from russia. now, listen, i've got a technical background and i've got a sister that doesn't remember my birthday -- >> it's now on record. >> -- that's right. and if either of these weren't true, i would have clicked on that link and i would have infected my computer. i think this tells me fundamentally that it's very important to train users. it's very important to do passwords, but a determined attacker will find a way in. i mean, they got these pictures
off of facebook. it wasn't that hard to do. that was probably two hours of work to send me that e-mail. if i was anybody else i would have clicked on that link. so, i think that's why -- >> can you real quickly, i serve on the education workforce committee. what are we going to do in terms of educating the next generation to make sure that we are getting a step ahead? >> i think core education about security i think actually mr. wood was very, very clear. i think these are important. the second thing there are approaches we need to put in place, a determined adversary will get in. therefore we need to input a zero trust model. >> i think the other point is there's a huge gap of security professionals in this country today. creating the educational programs to enable returning veterans and high school and college students to choose careers in cyber security is something that's very important as well. >> thank you, my time is expired. >> thank you. i now recognize mr. palmer.
we'll have to work on that birthday. >> i'm happy to report for the record that my sister does remember my birthday but my brothers do not. on that same line, though, you can have the best technology in the world you can have. the right training if employees are negligent in their use of it, you're still exposing yourself. i bring this up in the context of an article that was in "the wall street journal" back june 9th. and it relates to the fact that the immigration, customs enforcement agency had sent a memo to their employees in 2011 because they had seen an uptick in cyberattacks related to employees using the federal
server to access their personal websites, or their personal e-mail. Unfortunately the labor union filed a grievance and prevented them from doing that, and that's apparently where one of the breaches occurred later last year. And my question is, and this would be both for corporations and for the federal government, does it make sense to prevent employees, either in the private sector or the government sector, from using their company servers or the federal servers to access personal information, their personal servers, their personal websites, their e-mails? >> So, just very quickly, it seems to me I.T. goes through these phases where it collapses and expands, where we had mainframes and then a whole bunch of other computers. We've got mobile, iCloud, phones
and all of this other stuff. It's unrealistic from a day-to-day perspective to assume people at work aren't accessing outside information. Every time I travel I'm constantly connected. So we need to assume that this information is going to be accessed no matter where they are or what capacity we're running under. >> I agree with the comments, particularly with respect to millennials. If you adopt that kind of workforce policy, you're probably not going to be having much of a workforce left to deal with. But I do think that there are things that we can do, and we are doing some in the private sector. So one of the things we're trying to do is move out of this I.T.-centric notion of cyber security and involve the human resources, involve the departments. And what we're seeing some success with is we are integrating policy into the employee evaluation
system so that, you know, if you have downloaded things you shouldn't be downloading, you're less likely to get that step increase or bonus at the end of the year. We've got to make this part of the overall process. There are other things we can do, and we are seeing them adopted in the private sector, such as having separate rooms with separate equipment so that people can access their personal information or their data without using the corporate system. And so, I think if we are a little more inventive about this and use that incentive model, we're probably going to have more success. >> I think that's a great point. You can have public access or a separate environment where people can do that, but they have to use that. For instance, if you'd been a federal employee, Doctor, and you had opened that e-mail from your sister through the federal mainframe, would that have potentially infected it? >> Yes. I work in a SCIF and I
had four computers, which was very comfortable. To be competitive from a business perspective against other companies, you have to assume that your employees are fully connected. >> But can you not create a separate requirement? >> I don't think you can do this without having an operational overhead. I really don't. You eliminate the ability to function. >> Would you like to comment? >> I would just want to follow up on what was said. As the use of the internet increases, and as the, quote, internet of things becomes more prolific, everything has an IP address. So where do you draw the line? At some level I would prefer that people use my infrastructure because I know what we do from a security perspective. I don't know what they do from a security perspective. So, to the extent that you make the argument that there should be some separation, I think there are very good arguments on both sides. I would rather have them in my
infrastructure because I know what we do. >> I think the approach that makes a huge amount of sense when you think about all of this connectivity is to really understand and protect the information and identities of folks that are trying to access it. That's really what they're seeing as security: not just protecting the networks, but truly understanding the information and putting the right kinds of protection around that. >> My time is expired, but I want to thank the witnesses for the clarity of your answers. This has been an excellent hearing. Thank you, Madam Chairwoman, I yield back. >> Thank you. >> Thank you, Madam Chairman. I want to first thank each of the panelists for their service and for talking about this important issue. And Mr. Casado, I want to highlight that you graduated from Stanford University in the Bay Area and began your career in my congressional district.
So I'm honored to represent the folks there. Your solution for cyber security is to wall off segments to prevent intruders who penetrated outer defenses from gaining access to sensitive information. You argue that they need to become the gold standard across the central government. How much time and resources would it take for the federal government to do this, and are the costs worth the benefits? >> Yeah, that's a great question. So, the technology and adoption have evolved enough that we know how to do this without disruption, basically. So early on it was like this extremely secure environment, and we can kind of go and retrofit things. Now we have mostly software-based solutions you can put in and do nondisruptively. Cost makes sense, so much so that this adoption is one of the fastest growing. It's not only practical, but we have enough experience to see adoption.
So, yeah, I think there's actually -- this stuff is absolutely worth retrofitting. >> Great. Just for all of the witnesses, following up on Mr. LaHood's question earlier: as a former prosecutor, I, too, am quite frustrated that it seems that individuals are able to attack networks and individuals with relatively little punishment, and I understand the challenges of these attacks originating in Russia, Ukraine or from state actors. But for nonstate actors, I'm just wondering, what could we do internationally to maybe have an accord or an agreement where we could make sure that we bring people to justice? I remember I asked a high-ranking cyber security official at one of our laboratories, naively, I guess, you know, well, are we going after these individuals? This person kind of laughed, not
being rude, but just saying, we're not going after them. We're just trying to defend against what they are doing. I agree with Mr. LaHood. Until people start paying a stiff price, I don't know if this is going to change. I know as a prosecutor putting together a case like this is very difficult. Just the chain of evidence and proving whose fingertips were touching the keys to carry out an attack can be difficult. What more can we do internationally? >> Yes, Mr. Wood. >> Thank you for your question, sir. So right after -- I'll answer your question over a period of time. Right after September 11th, I was sitting in a meeting with a large number of information security professionals from within the intelligence community. The question was posed in the auditorium, where there were about 250 people: when are we going to start sharing information?
And the answer came back from one senior person: 50 years. And the other answer came from another person: not in my lifetime. It was very disappointing, to say the least. Now, you roll forward 15 years and you look at where the intelligence community is, at least in my opinion, today. It's not like that at all. Today I see the intelligence community sharing information in a way like they have never shared it before, from DNI on down. I think what's happened is, as more and more breaches are occurring and as more and more of this culture of trust is occurring, there's a willingness to work together that didn't happen before. I sit, as I mentioned earlier, on the cyber security commission in the Commonwealth of Virginia, and we work very closely with DHS and FBI and the State Police, and they work very closely with Interpol and
others. I can say there is a spirit of cooperation that I haven't seen in a long time. What is lacking, however, is the resources and the funding associated with actually prosecuting, number one, and number two, having a common level of standards of what's prosecutorial and what's not. >> Thank you, Mr. Wood. Thank you all for your service on this issue. And I yield back. >> Thank you. I now recognize Mr. Westerman. >> Thank you, Madam Chair. I would like to commend the panel today for your very informative testimony and also for the zeal you have in working in cyber security, and I believe it's potentially the war of the future that we're fighting here in cyber security. And I'm from Arkansas. And just for personal reasons, Mr. Clinton, do you have any Arkansas ties? Just out of curiosity.
[ inaudible ]. >> Okay. Also, I've been listening to the testimony and the answers to the questions. I have a 20-year-old college student, and I had a fascinating conversation over Christmas, and you guys were talking about how millennials are always connected. He was telling me that that's a huge consideration where you take a job now, what the connectivity speed is. And that wasn't something we considered when I was getting out of college, but it played a big key in where they would go to work and where they would live. So, I know we're in this connected world now. To follow up on Mr. Swalwell's question, he was talking about
being on offense and the prosecution. But from the technology side, is it all defensive, or are there proactive ways to combat hackers before they make their attack? >> Yeah, I think there's a set of approaches that are not defensive and are much more proactive, you know, that are in place today and will continue to expand. So, one example is around things like honeypots. So if the bad guys are attacking you, you give them an infrastructure for them to attack. There's also things like shock absorbers, where the attacker hits you with traffic, the more you slow them down, and do things like tarpitting. There's a whole set of defensive and more proactive defensive measures that aren't offensive and don't go after the attackers, that are in place today and are actually very successful within the enterprise. >> Congressman, if I may.
I think that's true. There are some others. I think I want to build off this point into having a better understanding of the multifaceted nature of the cyber problem. So, for example, one of the technological mechanisms that we use in the private sector is, we understand that the bad guys are going to probably get in, you know, an attacker will pierce your system. But we have more control over the bad guys when they are inside the network than when they are outside the network. If you're dealing with a cyber crime situation, you're basically dealing with theft, which means they have to get in the network and find the data and get back out. If we block the outbound traffic rather than try to block the inbound traffic, we can actually solve the cyber breach problem: they get to have a good look at our data, but they don't get to use it at all. From a criminal perspective, that's a problem. If you're looking at this from a national security perspective,