tv Hearing Focuses on Wanna Cry Ransomware Cyberattack Implications CSPAN June 20, 2017 1:17am-3:10am EDT
a recent hearing to examine the impact of last month's ransomware attack which affected more than 300,000 users and more than 100 countries. they focus on ways to better protect against future cyber threats. this is just under two hours. >> come to order. without objection the chair is authorized to declare a recess of the committee at any time. good morning and welcome to today's hearing on the government's cyber security and lessons learned from wannacry. i recognize myself for an opening statement. i want to welcome the witnesses and chairman smith and others.
maintaining an effective cyber security posture is important, and we must remain vigilant. too often when we hear about the importance of cyber security we are left without concrete steps to take to ensure our position against emerging threats. one of the goals today is to learn about tangible measures the government can take with its i.t. systems to defend against new and emerging threats including novel and
sophisticated ransomware threats. the specific focus will be the wannacry ransomware attack. it was launched last month in a worldwide attack that impacted nearly every country in the world. although the concept of ransomware is not new, the type of ransomware employed by wannacry was novel. it made people pay to get access to documents. it signaled a new type of worming. it would spread more rapidly with each new infection. in light of the method of
attack, cyber security experts including those we will hear from today have expressed concerns that the virus is only a preview of a more sophisticated ransomware infection many believe will be launched by hackers in the near future. in 2017 the ransomware infection moved rapidly across asia and europe, eventually hitting the united states. it affected 7000 computers in the first hour and 110,000 distinct ip addresses in two days, in almost 100 countries including the u.k., russia, china, ukraine, and india. it infected 1,000,000-2,000,000 systems worldwide prior to activation of the kill switch. in illinois, cook county systems were compromised by wannacry.
while cook county appropriately patched its systems, it is important we work to be sure all vulnerabilities are appropriately remedied in the event of a more sophisticated attack. fortunately, the hackers ostensibly created a kill switch which was uncovered by an employee of kryptos logic and terminated the attack. they exploited a key mistake made by the hacker when they registered the domain connected to the ransomware attack. although, based on information thus far, the federal government systems were fortunately spared.
we want to make sure the government is sufficiently prepared in light of a more sophisticated attack. we want to hear what congress can do to appropriately address this climate of new and emerging cyber security threats. through the lens of the aftermath, today's witnesses will help shed light on key steps to take to ensure systems are protected. we will also hear about how public-private partnerships are an instrumental tool to bolster the cyber security posture. finally we will learn about how the executive order, which makes it mandatory on the executive branch, is a significant step toward ensuring the federal government cyber security posture incorporates the most innovative measures to defend against evolving threats. it is my hope our discussions today will highlight areas where improvement is necessary while
offering recommendations as we move forward to ensure the federal government is prepared to respond to emerging security threats. i look forward to hearing from our distinguished witnesses. i recognize the ranking member of the subcommittee for an opening statement. >> thank you so much. cyber security should be a key concern for every government, business, and private citizen. in 2014, the office of personnel management systems and those used by contractors were breached. that compromised the personal information of millions of americans, and that same year, actors released personal information of sony records employees and copies of unreleased sony movies. hackers took control of a power grid in western ukraine and shut off power for over
200,000 residents. these examples show the varied security breaches. we know about the wannacry breach, and thank you to them for finding it. we are lucky that it was found quickly and fortunate that federal systems were resistant to wannacry. we might not be as lucky next time. that includes security updates on our personal computers and smartphones. the executive order on strengthening the cyber security of federal networks seems to build on the successes in the arena.
i'm happy the trump administration, which i don't agree with on every topic, has taken this next step. the executive order requires reports on federal cyber security from every government agency, and simultaneously the trump administration has left agencies understaffed; they are going to have significant difficulty meeting the executive order, and frankly the budget cuts in the trump-mulvaney budget will make the task of securing the systems harder. we have to make sure the federal government has the resources and staffing to meet the need in this vital area. the executive order also calls for the government to begin using the nist cyber security framework, and i am glad we have nist here today, which can help us beat cyber attacks with its world renowned expertise and standards development.
meddling in our election system was far worse than what was reported. according to the report, hackers attempted to delete data and in at least one instance accessed a campaign database. these efforts did not need to change votes to have influence. we need to take cyber security threats seriously. it is a war on our democracy. during the last congress we held hearings including one on protecting the election from cyber and voting attacks; given what we know about the meddling in 2016, i hope this will be a precursor to more hearings on how we can better protect our voting systems. >> thank you for your opening statement. i recognize mr. abraham for an opening statement.
thanks. over the last few years we have seen an alarming increase in cyber attacks. unfriendly governments have compromised personal information of millions of americans and businesses and employees and threatened interruption of public services. the most recent attack demonstrates cyber attacks are going from bad to worse. the most recent affected 1,000,000-2,000,000 systems in more than 190 countries. it appears it could've been even more catastrophic considering how fast the ransomware spread, and while individuals were largely unscathed due in part to a security researcher with a kill switch, the potential destructiveness warns us to expect similar attacks in
the future. we need to make sure our information systems are ready. a witness from the u.s. government accountability office reported earlier this year, i quote, over the past four years, gao made about 2500 recommendations to federal agencies to enhance information security, and as of february 2017, about 1000 recommendations had not been implemented. it is clear the status quo is a virtual invitation to more cyber attacks. we must take strong steps to secure our systems before a cyber attack happens. this committee
approved a cyber security framework bill. the bill i introduced is part of my interest over the state of our nation's cyber security. this bill takes concrete steps to strengthen cyber security. nist's in house experts develop guidelines under the federal information security modernization act of 2014 and also developed in
collaboration with government and the private sector the framework for improving critical infrastructure cyber security that federal agencies are now required to use pursuant to the president's recent cyber security executive order. i was very pleased to read that language. there is an urgent need to ensure americans at all federal agencies are doing everything they can to protect government networks and sensitive data. the status quo simply is not working. we cannot put up with more bureaucratic excuses and delays. nist's expertise is a singular asset. we should take singular advantage of that asset starting with annual cyber audits of high-priority federal agencies. as cyber attacks and cyber criminals continue to evolve and become more sophisticated, our
government cyber defense must also adapt in order to protect vital public services and shield hundreds of millions of americans' confidential information. we will hear about lessons learned and how the government can bolster security, and we must keep in mind the next cyber attack is just around the corner and can have a far greater impact than what we have thus far seen. our government systems need to be better protected and that starts with more accountability and transparency by federal agencies. i look forward to hearing our panel. i yield back. >> i now recognize the ranking member of the research and technology subcommittee for an opening statement. >> thank you.
the good news is that systems were not negatively impacted. this was a clear victory for cyber defenses but there are lessons to be learned. a combination of factors likely contributed to the success including getting rid of most outdated windows operating systems, diligently installing patches and maintaining robust networks. as we know, microsoft sent out a security patch in march, two months before the attack. these and other factors played a role in minimizing damage to u.s. businesses as well. wannacry and its impact in other places helps make clear that we should never let our
defenses down. our defenses should evolve accordingly. the federal information security modernization act lays out responsibilities for security of civilian information systems. under this act, there are central roles in development and implementation of policy as well as tracking and response. nist develops and updates security standards and guidelines responsive to policies established by omb. each agency is responsible for its own compliance and each has an inspector general to audit its compliance on an annual basis. we must continue to support agencies in their efforts to be compliant while conducting careful oversight. the critical infrastructure cybersecurity framework was released.
it is currently being updated. while it is too early to evaluate the full impact, it appears the framework is being widely used across industry sectors. i cosponsored a bill to ensure the cyber security framework is easily usable by our nation's small businesses. i hope we get it to the president's desk quickly. in the meantime, there is an executive order directing agencies to use the framework to minimize their security risk. as we have heard in prior hearings, many experts have applauded this and i applaud the administration for moving ahead. i am disappointed in the budget
proposals. the topline budget cut of 25% is so severe that if it were implemented, nist would have no choice but to reduce its cyber security efforts. this is penny wise, pound foolish decision making. nist is the best of the best for security research and standards, and our modest investment in their efforts helps secure the federal systems, not just of the government but the entire economy. i trust my colleagues will join me in ensuring nist receives robust funding in the fiscal year 2018 budget and does not suffer from the drastic cuts of the president. thank you to the expert witnesses for being here this morning and i look forward to your testimony. i yield back. >> thank you mr. lipinski. i now recognize mr. smith. >> i appreciate your holding this hearing.
sitting next to me is ralph abraham. in the wake of last month's attack, this is an important conversation we must have as we look for ways to improve our cyber security posture. while wannacry failed to compromise government systems, it's almost certain the outcome was due in part to a measure of chance. rather than seeing this outcome as a sign of bulletproof cybersecurity defenses, we must instead increase our vigilance to better identify constantly evolving cybersecurity threats. this is particularly true since many cyberexperts predict that we will experience an attack
similar to wannacry that is more sophisticated in nature, carrying with it an even greater possibility of widespread disruption and destruction. congress should not allow cybersecurity to be ignored across government agencies. i am proud of the work the committee has done to improve the federal government's cybersecurity posture. during the last congress the committee conducted investigations into the federal deposit insurance corporation, the internal revenue service and the office of personnel management, as well as passed key legislation aimed at providing the government with tools it needs to strengthen its cybersecurity posture. president trump understands the importance of bolstering our cyber security. he signed a recent executive order on cybersecurity which is a vital step toward ensuring the federal government is positioned to detect, deter and defend against emerging threats. included in the president's executive order is a provision mandating that executive branch departments and agencies implement the nist cybersecurity framework. while continuously updating its cybersecurity framework, nist takes into account innovative cybersecurity measures from its private sector partners. nist's collaborative efforts help ensure that those entities that follow the framework are
aware of the most pertinent, effective and cutting edge cybersecurity measures. i believe the president's decision to make the nist framework mandatory for the federal government will serve to strengthen the government's ability to defend its systems against advanced cyberthreats like the recent wannacry ransomware attack. similarly the committee's nist cybersecurity framework, assessment, and auditing act of 2017, sponsored by representative abraham, draws on findings from the committee's numerous hearings and investigations relating to cybersecurity which underscore the immediate need for a rigorous approach to protecting u.s. cybersecurity infrastructure and capability. like the president's recent executive order, this legislation promotes federal use of the nist cybersecurity framework by providing guidance that agencies may use to incorporate the framework into risk mitigation efforts. additionally the bill directs
nist to establish a working group with the responsibility of developing key metrics to use. i hope our discussions here today will highlight distinct areas where cybersecurity improvement is necessary while offering recommendations to ensure cybersecurity objectives stay at the forefront of our national security policy discussions. and with that, i yield back, mr. chairman. mr. lahood: thank you, chairman smith. at this time let me introduce our witnesses here today. our first witness is mr. salim neino, founder and chief executive officer of kryptos logic. he's credited with discovering new solutions for companies like i.b.m., dell and avaya. he received a bachelor's degree in science from university of california-long beach.
kryptos logic is credited with largely stopping the wannacry attack. we'll hear more about that during his testimony today. our second witness today is dr. charles romine, director of the information technology laboratory at nist. he received a master's degree in mathematics and a ph.d. in applied mathematics from the university of virginia. our third witness, mr. touhill, is a retired brigadier general in the united states air force. he's an adjunct professor of cybersecurity at carnegie mellon university. previously he was chosen by president obama to serve as the nation's chief information security officer. he received his bachelor's degree from penn state university and a master's degree in systems management and information systems from the university of southern california, and our final witness today is dr. hugh thompson, chief technology officer for symantec. he also serves as an advisory board member for the anti-malware testing standards
organization and on the editorial board of ieee security and privacy magazine. he received his bachelor's degree, master's degree and ph.d. in applied mathematics from the florida institute of technology. we're glad you're all here today and look forward to your valuable testimony. i now recognize mr. neino for five minutes to present his testimony. >> thank you, chairman lahood. thank you for the opportunity to appear before you today at this joint subcommittee hearing. we greatly appreciate your interest in cybersecurity and look forward to sharing our thoughts and perspectives with you and members.
-- a threat was identified. while the intent of the threat was unclear, it was immediately evident that its approach was unusually reckless. this threat has now popularly become known as wannacry. it was at this time that our director of threat intelligence for our breach monitoring platform notified me of our team's active monitoring of the developing situation. on this date at approximately 10:00 a.m. eastern time, while investigating the code of wannacry, we identified what had looked like an anti-detection mechanism which tested for a certain domain name. our team registered this domain name and directed it to one of our sinkholes. we noticed that the propagation of the attack came to a standstill because of what we refer to as a kill switch being
activated by our domain registration efforts. while our efforts stopped the attack and prevented wannacry from deploying the ransom component, we knew it had propagated freely for many hours at minimum. based on our estimates, we believe that anywhere between one and two million systems may have been infected in the hours prior to activating the kill switch, contrary to widely reported and more conservative estimates of 200,000 systems. one month after registering the kill-switch domain, we have mitigated over 60 million infection attempts. approximately seven million of those are in the united states, and we estimate that these could have impacted at minimum 10 million to 15 million unique
systems. i will note that the largest attack we thwarted and measured to date from wannacry was not on may 12 or may 13 when the attack started but began suddenly on june 8 and 9 on a well-funded hospital on the east coast of the united states. it is very likely the health system is still unaware of the event. we measured approximately 275,000 thwarted infection attempts within a two-day period. another hospital was also hit on may 30, in another part of the country. a high school in the midwest was hit at the beginning of june 9. presumably every system at this location would have had its data held hostage if not for the kill switch. moreover, kryptos logic has been under attack by those attempting to knock us offline, thus propagating the attack. many of these came from a well-known botnet which took down parts of the united kingdom and the east coast. despite these attempts our systems remain resilient. we believe the success of
wannacry illustrates two key facts about our nation's systems. vulnerabilities exist at virtually every level of computer infrastructure, ranging from operating systems to browsers, from media players to internet routers. exploiting and weaponizing such vulnerabilities has a surprisingly low entry barrier. anyone can join in, including rogue teenagers, nation states, and anyone in between. so how do we adapt, overcome and mitigate the threats and weaknesses? while many cybersecurity experts who have come before me offer the usual gloomy outlook, there are no silver bullets. i have had the opportunity to see both sides. our attack responses must be more agile and with higher velocity and intensity. while the nation has considerable risks, the actual resources for cyberdefense are
scarce and there simply is not presently an adequate level of highly skilled, highly experienced and highly available operators in the cybersecurity field. while there's no shortage of good ideas which claim to be able to solve the problem, every subsequent idea needs development and support and testing, maintenance, etc., all of which we characterize as developer debt. many of these take too long to procure and end up being outdated and essentially useless before the ink is dry on the paper it's written on. i am hopeful that there is a path forward. mitigations are effective and have increased the cost of attacking systems. other mitigations include various design approaches, including data systems and transmissions. such mitigations measurably raise the bar for critical software like internet browsers, web servers and the protocols which are fundamental to business continuity. investing in technology doesn't necessarily guarantee any actual improvement. in fact, one could argue that introducing more technology exacerbates the maintenance debt and creates immediate monetary loss because there are few metrics to measure the effectiveness of any particular technology. this is ca
operations we undertake, more open to failure and ready to adapt and learn from failure. we need a stronger focus on threat modeling and fire drill simulation that will focus on the events of magnitude which will cause significant damage. a significant issue with the response to the wannacry incident was that there was no clear course of action well communicated. the media focused on the whodunit, contrary to the defense, and this could have resulted in a complete breakdown of processes had this been an unpatched zero day vulnerability and there was no luxury of a kill switch. the largest success, though incomplete, was the ability of the f.b.i. and the ncsc of the united kingdom to disseminate the information kryptos logic provided so affected organizations could respond. information sharing can be valuable but our framework could be vastly improved by triaging cybersecurity threats on a clear and repeatable scale, not too dissimilar to the richter scale which measures the energy released in an earthquake. likewise a scale that takes
technical and social elements of a threat into account to evaluate it allows first responders, like us, to focus on the most important areas of risk. while there do exist various scoring systems for evaluating the purely technical element, they fall short in terms of clear and actionable information. we focus too much on vulnerabilities with names like ms17-010. none of these impact the wider environment. we need an easier to grasp method to prioritize threats that have large-scale destructive potential. to this end, once we determine a method to evaluate the risk, we can apply the appropriate mitigation. in conclusion, one of the largest issues is the transitory nature of the crisis.
we think this can be explained by the fact that organizations are too slow to adapt. there's a vast human resource shortage and little by way of metrics to demonstrate return on investment in defensive technologies. again, i thank the subcommittee for inviting me here today to discuss our involvement and the lessons learned from wannacry and i welcome the opportunity to answer any questions you may have when they're fielded. mr. lahood: thank you, mr. neino. i now recognize dr. romine for his opening statement. >> chairman lahood, ranking member smith and others, thank you for the opportunity to appear before you today to discuss nist's key roles in cybersecurity and how they relate to recent incidents. in the area of cybersecurity we have worked with federal agencies, industry and academia since 1972, starting with the development of the data encryption standard. nist's role to deploy standards to protect the federal government's information systems against threats to the confidentiality, integrity and availability of information and services was recently reaffirmed in the federal information security modernization act of 2014.
nist provides ways to recover from these attacks by ensuring that the recovered system is trustworthy and capable. nist's guide for cybersecurity event recovery provides guidance on how to recover from a cyber event and integrate the processes and procedures into the enterprise risk management plan. the guide discusses hypothetical
cyberattack scenarios including one focused on ransomware and steps taken to recover from the attack. three years ago, nist issued the framework. it was created through tight collaboration between industry and government and promotes guidelines and practices. the framework prompts decisions affecting infection by ransomware, propagation of the ransomware and recovery from it. while the framework does not prescribe a baseline of cybersecurity, for example a baseline that would have prevented wannacry, it does prompt a sequence of interrelated cybersecurity risk management decisions which should help prevent virus infection and propagation and support expeditious response and recovery activities. on may 11, president trump signed executive order 13800, strengthening the cybersecurity of federal networks and critical infrastructure, which mandated federal agencies to use the framework. under the executive order, every
federal agency or department will need to manage their cybersecurity risk by using the framework and provide a risk management report to the director of the office of management and budget and to the secretary of homeland security. on may 12, nist released a draft interagency report, the cybersecurity framework implementation guidance for federal agencies which provides guidance on how the framework can be used in the united states federal government in conjunction with the current and planned suite of nist security and privacy risk management guidelines and practices developed in response to the federal information security management act as amended, or fisma. another nist resource that can assist in protecting against similar future attacks is the most recent release of the nist national software reference library or nsrl. it provides a collection of software from various sources and unique file profiles, most often used by law enforcement, government and industry organizations to review files on
a computer by matching the profiles in the system. nist retains a database of all known vulnerabilities, such as the one exploited by the wannacry malware. the list is an authoritative source of security vulnerabilities that nist updates dozens of times daily. nist analyzes and provides a common severity metric to each identified vulnerability. we recently initiated a project at our national cybersecurity center of excellence focused on recovering from cyberattacks. organizations will be able to use the results of the research to recover trusted backups, roll back data to a known good state, alert administrators when there's a change to a critical system, and restore services
after a wannacry-like cyberattack. nist is extremely proud of its role in establishing and improving the comprehensive cybersecurity technical solutions, standards and plans to address cyber threats in general and ransomware in particular. thank you for the opportunity to testify today on nist's work in cybersecurity and in preventing ransomware attacks. i'd be happy to answer any questions you may have. mr. lahood: thank you, dr. romine. i now recognize dr. touhill. >> good morning, chairman lahood, ranking member beyer, members of the committee, thank you for the opportunity to appear today to discuss cyber risk management. i'm retired air force brigadier general greg touhill. i serve on the faculty of heinz college where i instruct on cybersecurity and risk management. prior to my current appointment
i served as the united states chief information security officer and before that in the united states department of homeland security where i served as deputy assistant secretary for cybersecurity and communications. during that period i also served as director of the national cybersecurity and communications integration center, commonly referred to by its acronym, nccic. during my air force career i served as one of the air force's first cyberspace operations officers and i currently maintain both the certified information systems security professional and certified information security manager certifications. cybersecurity is a risk management issue but many people mistakenly view this as solely a technology concern. cyber
security is a multidisciplinary management issue and an essential part of an enterprise risk management program. i recognize we have a very full agenda of topics today and i'm sensitive to your time. i have submitted for the record a written statement and in that i discuss the recent wannacry attack and assess how it may impact the public and private sectors. i view wannacry as a slow pitch softball while the next one may be a high and fast fastball. i also discuss the public-private partnership, and i urge the congress to continue its great efforts to strengthen our enterprise risk posture. i urge you to authorize and empower the federal chief information security officer position, which currently is not an authorized or specified position. i also suggest that instead of calling it the nist cybersecurity framework, and i'm a huge fan of this framework, we call it the national cybersecurity framework, to reinforce the fact that it applies to everyone.
further, nist did a brilliant job in crowdsourcing this framework but it was really people from around the country that brought to the table best practices. nist was a great trail boss for this but it is really a national cybersecurity framework. finally, in regards to the proposed h.r. 1224 legislation, i congratulate the committee and the members of the congress for taking the initiative to really reinforce the need to implement the framework across the federal government. i do suggest, based upon my experience in both the military and the government sectors of the federal government, that we do two things with that act. one is we amend that act to make it apply to national security systems as well. having served extensively in the military and in the federal government, i believe that the national cybersecurity framework applies equally to national security systems and i recommend you make that amendment. further, i concur with my colleagues who suggest that
we leverage the inspector general and auditing communities that are currently in the different departments and agencies and reinforce their need to conduct appropriate audits using that cybersecurity framework. again, i thank you for inviting me to discuss cyber risk management with you today and i look forward to answering any questions you may have. mr. lahood: thank you. i now recognize dr. thompson to present his testimony. mr. thompson: thank you for having me. chairman lahood, vice chairman abraham, ranking member lipinski and ranking member beyer, i
appreciate the opportunity to be here today to talk about what is a critical subject. understanding the current threat environment is essential to crafting good policy and effective defenses. last month's wannacry ransomware attack is one of the manifestations of the kinds of disruptive attacks we are now facing. the timeline of wannacry, i think, has been well covered by the other folks on this panel. but i did want to share with you a graphical timeline that hopefully you can see in the
monitor, apologies for the small print. what's interesting, i think, about that, and where i'd like to add some color, is to give you symantec's perspective on events as they unfolded. we are the world's largest cybersecurity company, with technology protecting over 90% of the fortune 500 and being used extensively by government agencies around the world. in addition, we protect tens of millions of home users through our norton and lifelock branded products. the threat telemetry we get from these represents the largest in the world. wannacry was unique and dangerous because of how quickly it could spread. it was the first ransomware as a worm that had such a rapid global impact. once on a system it propagated autonomously by exploiting a vulnerability in microsoft windows. after gaining access to a computer, wannacry installs the ransomware package. this payload works in the same fashion as crypto ransomware.
it demands payment from those infected. symantec worked closely with the u.s. government from the first hours of the outbreak. we connected d.h.s. researchers with our experts, provided analysis and received the same back. during the outbreak, d.h.s. held twice daily calls with the private sector to coordinate operational activities. from our perspective this was one of the most successful public-private collaborations that we've been involved in. our analysis of wannacry revealed that some of the tools and infrastructure it used had strong links to a group referred to as lazarus by the security community, which the f.b.i. has connected with north korea. lazarus was linked to the
destructive attack on sony pictures in 2014, and also the theft of approximately $81 million from the bangladesh central bank last year. the links we saw between wannacry and lazarus include shared code, the reuse of i.p. addresses and similar code obfuscation techniques. as a result, we believe it is highly likely that the lazarus group was behind the spread of wannacry. beyond wannacry, the threat landscape continues to evolve very quickly. we're seeing attacks become more sophisticated, not just in technology but in the social engineering approaches these attacks use. we're also seeing more attacks being leveraged against i.o.t. devices, such as the massive weaponization of i.o.t. devices
that we saw with the mirai botnet last fall. mirai launched one of the largest distributed denial-of-service attacks ever. the explosive growth of attacks like wannacry and mirai underscores the need for preparation and employing integrated and layered defenses. these attacks showed that response and recovery planning and tools are an essential part of cyber risk management, because while good defenses will stop many attacks, we have to be prepared that a determined adversary may get through those initial defenses, and we must lay a foundation for recovery. there's no question that wannacry was an important event, but unfortunately it will not be the last of its kind.
in fact, it's more likely an indicator of what's to come. good fortune played a significant role in minimizing its impact, particularly in the u.s., but we will not always have luck on our side, which is why we must learn the lessons of wannacry and make the necessary improvements to our defenses and response capabilities. this hearing is an important part of that effort, and we appreciate the opportunity to be here. i look forward to answering any questions that you may have. thank you. mr. lahood: thank you, dr. thompson. i thank all the witnesses for your testimony. the chair recognizes himself for five minutes and we'll begin questioning.
as i talked about in the beginning, the title of this hearing is lessons learned from wannacry. and we've talked a lot this morning about wannacry and how that played out across the world. but in terms of what we learned about the genesis and origin of where this came from, i know "the washington post" came out with an article yesterday that the n.s.a. linked the wannacry computer worm to north korea. i'm wondering if, dr. neino, you can talk about the genesis and origin of where this came from, particularly because it appears it's from a nation state, and i know there's references to what occurred with sony pictures and also with the bangladesh bank, and what we know about it and what is being implemented, i guess, on the government side to prevent this or hold an entity or the government accountable. dr. neino: thank you, mr. chairman. i think if i understand your question, you're asking about, one, the origin and our conjecture on that, and number two, perhaps, if i understood also correctly, what would be the rules of engagement for
something like that with another nation state. while we think it's ambiguous to conjecture over the origin of wannacry, there is code in there that suggests some nation state could be responsible. unfortunately, anyone could have created this level of attack, and often misdirection is found, typically, in binaries like these attacks we see. i would compare it, perhaps as an analogy, to photoshopping a program to look a certain way, or it could have simply been what it is, which is exactly what we see. it's hard to tell. so i won't say that i know the origin of the attack, nor should i conjecture on it. what i can say is that these attacks are very difficult to attribute.
we are a cybersecurity company not an intelligence agency. it would be difficult for us to pursue an answer to that. as far as rules of engagement, i think the question segues the same way. it would be difficult to create attribution or origin to any attack and therefore rules of engagement would be difficult for us to give an assessment on. mr. lahood: dr. thompson? dr. thompson: this is an interesting attack. we spent a lot of time in our research labs looking at both the code used in wannacry but also where wannacry communicated out to. and there were very, very close similarities to other kinds of attacks that we have seen. specifically attacks that we attribute to a group called lazarus.
and in these attacks, the malware, the reuse of strings in that malware, and the reuse of command and control infrastructure out on the internet by that malware led our researchers to believe this is strongly linked to the lazarus group. now, similar to my colleague on the end, we're not the intelligence community either, and i agree with those comments that attribution is often difficult. but what we've seen leads us to believe it was a part of this lazarus group. separately, the f.b.i. has linked the lazarus group with north korea. and i think, chairman lahood, the article that you're referring to from yesterday is another potential evidence point on that as well, from the n.s.a. mr. lahood: thank you. dr. neino, we talked about the kill switch and how that stopped the attack, but we also referenced the fact that last week a hospital on the east
coast and a high school were subject to attack. can you explain how, if the kill switch was implemented correctly, the hackers responsible for wannacry were able to continue to perpetuate the attack despite registration of the kill switch? dr. neino: absolutely. though i'd like to be a doctor, it's mr. neino. mr. neino: you have to understand the makeup of the malware. why wannacry was so significant is that it's self-propagating. that's what gives it the title of worm, meaning the actors don't need to be in existence. sometimes we refer to these things as zombies, zombie botnets, because they continue
to proliferate regardless of the actors that were parents or creators of the attack. in the case of the examples i gave in the testimony regarding health systems, of which there are many, that was just a case that was very significant. the worm continues to propagate because it is scanning and seeking to expand itself, and that portion of the worm is not subject to the kill switch. so its expansion and spreading, in effect, is still exploiting systems worldwide. what it's not triggering is the payload, the ransom component. and because that component doesn't trigger, most of these organizations worldwide right now don't know they're still getting actively exploited. it's because they don't see the ransom portion of it. so that's why we have 60 million attacks thwarted to date, if not more. just nobody knows it's still happening. that's why i said i don't think the message has resonated, given those figures, that this still needs to be patched, and this again points to the question of resources. mr. lahood: thank you, mr. neino. i yield to ranking member beyer. mr. beyer: i'm so impressed by our panel today. congratulations to dr. romine and dr. thompson for being ph.d. mathematicians.
mr. neino, congratulations on winning the hacking tournament. i never had a chance to say that before; it's very cool. and general touhill, it is very cool that now, after all the things you've done in your life, combat and diplomacy and first ciso, you are at carnegie mellon with their buggy races around the park. every university has something that makes it cooler than every place else. and general, i want to start with you. you talked in your long written testimony about h.r. 1224, a bipartisan bill co-sponsored here. but we have expressed a lot of concern about the audit function that nist would be asked to take on. i was particularly fascinated by your points, which we didn't raise when we had the hearing here, that it would make it much more difficult for nist to be viewed as an honest broker, that this would change the perceptions about their current and future roles
and have a chilling effect on many of the relationships nist has within government and industry. a lot of these relationships are quote-unquote learning relationships based on a common quest to identify and incorporate best practices, and this would change those relationships, not in a good way, and might inhibit or stifle the free exchange of information from public and private entities to nist. can you expand on that at all? it seems to be a powerful argument against that audit function. mr. touhill: i'm a fan of the legislation. section 20-a, making sure folks are in fact using the cybersecurity framework across the federal government, is brilliant. we need to follow through on that, big time. frankly, it was something i was promoting while i was the united states chief information security officer. as a matter of fact, at my last federal chief information
security officer council meeting in january of this year, i proposed, and we had a unanimous vote amongst the council, to do risk assessment based on the framework. that portion of the legislation i'm wholly supportive of. section 20-b, the proposal to do the auditing and compliance activities, i am also a fan of. i think it's important that we do auditing and compliance. however, i do stand by what i wrote in the written testimony, that i think nist is not the best place to put that. it doesn't have the culture. it doesn't have the mission. it doesn't have the personnel to do it as effectively as the existing inspector general and auditing functions. from a practical standpoint, nist is a great organization that i've been working with for the last 35-plus years. and the relationship that nist has is in fact as a neutral party that is on the quest to
choreograph efforts to find the best ways of doing things. an auditing function or compliance function, on the other hand, is looking to see if you are in fact following the checklist. i think that if we want to have an auditing and compliance function, which i definitely think we should be doing, we should be giving direction to those folks whose job it is to do that auditing and compliance function. and frankly, this is an operational issue. inspector generals have always been, in my book, the folks that do performance inspections, the ones that are going to help those commanders in the field in the military, as well as the executives in the federal government, do their job better and have better visibility into their risk posture.
i believe we need to have the inspector generals and auditing functions currently in place be the ones who execute the intent of the committee and congress. >> thank you, general, very much. mr. neino, based on your testimony you should be a doctor; it's filled with interesting things. your three-part conclusion that the largest issues were, a, that organizations are too slow to adapt, b, that we have a vast human resource shortage, and c, that there is little by way of metrics to demonstrate return on investment. and you talk about creating a method to prioritize threats, something like the richter scale, magnitude in a clear and repeatable scale. who should put this together, who should manage it, who should maintain it, how do we make this happen? mr. neino: i think it would be interesting to see nist's participation in something like this, or basically crowdsourced among various commercial and private entities to see how
they're prioritizing risks and threats, and see if that could be put into some sort of simulation system that allows it to be scalable. where people as a resource are not scalable, technology can be, and that would be an effective area. and i see the commercial sector alone can produce that as well, and that could be adopted. but i think any time you have some sort of regulatory mandate, that is taken much more seriously. what i mean by that is, if we had an event that was measured and put an arbitrary number on it, a 7.5 magnitude, some arbitrary figure, shouldn't that
particular event be required to be fixed by organizations? mostly it is voluntary. if the water system or a power grid doesn't fix it, post-event, shouldn't we see that sort of mandate, where we know that it is regulated because that has context? versus, you can't boil the ocean. we aren't going to win that war. but we should be able to win the war. >> i now recognize chairman abraham. >> i am in awe of the brain cells on our panel, and we could use a couple of those as we go through our budget process. dr. thompson, if north korea has a role in this virus exploitation, i find it ironic that it suppresses and uses a biblical name. my question to you: when news started spreading, what steps did nist take to ensure that information systems were protected, and was nist involved in any government
meeting that took place around that time? >> thank you very much for the question. in the response to an event like wannacry, the primary goal, as an institution that provides guidance, is to learn as much as we can about the incident -- not the origin, but the technical origins -- and to determine whether the guidance that we issue is sufficiently robust to help organizations prevent this kind of attack. i'm not aware of specific meetings that we were involved in that were discussing the operational side of wannacry. i think the law enforcement and intelligence communities -- you heard reference to d.h.s. being quite active in helping the private sector to deal with this issue.
from our perspective it's more learning whether we can improve the guidance we make available to entities to try to not only prevent these attacks but recover from them and be prepared for them in the future. >> in your testimony, which i did read, you said nist recommendations in the nist cybersecurity framework would sufficiently address the wannacry incidents. will the executive order directing agencies to implement the framework help them be better prepared in the future to prevent against these types of incidents, and will this be enough or should more be done? >> thanks for the question. it's difficult to know whether it will be enough for the next event. one of the important things that emerged in our discussions with the private sector in the
development of the framework was that we are often thinking about detection and prevention of attacks. sometimes we don't pay enough attention to response and recovery. and so one of the things that the framework does is to spell out the five functions, to identify, respond and protect, and we are providing, with the guidance we have issued, help for different organizations to be better prepared to respond and recover. one of the analogies that i have drawn recently: the boy and girl scouts are right. their motto is be prepared. and the better prepared an organization is through its risk management activities, which we think the risk management framework from fisma
coupled with federal agencies and under the umbrella of the cybersecurity framework, we think those are the tools necessary to implement the kind of preparedness that organizations should have. >> what specific steps does nist take to help agencies be better prepared? >> we are looking at some of the consequences associated, and some of the incident response work that we have, some of the data integrity work. we launched the integrity project. it has a very strong tie-in with attacks. we launched it before wannacry came out.
we are accelerating the work that's going on so we hope to be able to provide very practical guidance or practical examples of how to be prepared so that organizations can see how it's done. >> thank you for your service to the country. i yield back. >> i recognize ranking member lipinski for his questioning. mr. lipinski: i thank the witnesses for their testimony and all the work that you do. we are i think taking cybersecurity more seriously in washington although there is much more we need to do. part of the problem is understanding what this really means and the impact it can have. we also need to make sure the american public knows the significance of cybersecurity
and what could happen. we know when we are dealing with cybersecurity that technology is part of the solution. what often matters more is personal behavior and organizational behavior. individuals and information system managers must regularly install security patches. organizations must prioritize cybersecurity for a quick response. these are social science issues. another social science angle is understanding criminal and terror networks, using that understanding to help inform our intelligence gathering and our cyber defenses. i would like to hear from each of our witnesses your thoughts on whether we are investing enough in the human factors of cybersecurity, and what more would you like to see us do so we are taking care of these issues?
>> thank you, mr. lipinski. i think it is a great point that you bring up. there are other issues other than technology at play. cybersecurity is hard. one thing that we know will be quite difficult is resources, resources to fully maintain their needs for quite some time, and technology is evolving. systems are changing. we have to relearn our resources and people. this makes it very difficult for those responsible in those areas to manage risk, to actually keep up with the actual threat, the pragmatic threat, not just the way we measure our own threats. in that case, i think we could see a huge value if we were to
see investments in things that allow for threat prioritization, again going back to the event magnitude. you can't boil the ocean but look at the areas that can hurt you the most and the people that hurt you the most. and we will have a better chance of being more resilient. i would like to talk with r about two nist programs.
>> i don't want to comment. i have seen people saying it was china and others saying it has been people. i'm not an expert in intelligence. mr. higgins: when security software is designed, how easy is it to build a back door access that would be virtually undetectable within that cybersecurity software?
>> we have seen that a multitude of times and seen it from a variety of areas. the level of entry to do that is very low. mr. higgins: thank you for concluding that. my question to you, brigadier general. thank you for your service. are you familiar with the labs out of moscow, a manufacturer of cybersecurity products, a long list of cybersecurity products, that top intelligence officials at the f.b.i., c.i.a., n.s.a. and others advised this body that they don't trust, and will not use their product on their personal devices? however, it's still used widely across the united states government. can you explain that to this committee? >> i don't know what kind of conversation my colleagues from those agencies had with this committee.
however, as i go and take a look at the different products that are in the market today, i believe the american products are the best ones out there, and just on a value proposition, i buy american. mr. higgins: i concur. >> that's the brigadier general speaking right there. >> that's an american speaking, sir. mr. higgins: let me say, although there is no public evidence of collusion between the labs and the russian government, it is not a large leap. and eugene has suggested that his products have no ties to the russian government. however, as part of the national conversation, mr. chairman, it's widely known that the russians have been involved in efforts to influence governments
across the world with cyberattacks, and he has suggested that he would testify before this body, and i suggest that we take him up on his offer. i would like to talk to him regarding the kill switch in north korea. that having been a rather glaring error on the part of the designer of that worm cyberattack, what do you think should happen to that guy in north korea? it was a kill switch, wasn't it? this message, should it get to any of the cyber experts in north korea: if you can get out of the country, you are welcome in the west and we would love to
have you before this committee and give you some real good food. mr. chairman, i yield back. >> i now yield to congresswoman esty. ms. esty: there are a couple of points i want to return to and drill down on and one is the human element because it is important because you can buy all the great equipment in the world and if you leave the door open, it doesn't do you any good. and i think a little bit about the analogy in hospitals about people washing their hands and it may be low tech, but it works. but one thing we have to emphasize, hygiene. what are proper hygiene practices. and how we make that standard operating procedure. government and nongovernment. we have an issue in the federal government in particular, in all levels of government of really old systems and look at the fact this was exploiting a
vulnerability. who is using these systems? it is local and state governments who don't have any money, and they are still using these old systems, so that makes it an even greater issue. your point about threat assessment: we need triage help to recognize what defcon level this is. everybody gets those notes on those phones, and i don't have time to upgrade my system. and that's the reality. i suggest a couple of things. we ought to be social media experts, to your point, dr. thompson. that needs to be part of what nist is doing. stay ahead of the game.
we need to do it. we had a briefing where some of the folks from the top level of the private sector were talking about how our emphasis has been the incentive for us to be on attack mode. we are developing our attacks. we have left it to the private sector. obviously, we need to be doing more defense. how do we incentivize it? it is less sexy, and what can we do to make the cultural change? is that out of nist, to put the incentive there and make sure we are getting the broader sector talent pool? it may not strike people, bringing in people who do snapchat, for figuring out how do we make sure people don't click on that link. if we don't do that.
if we look at the hacking on the electoral system and last year with john podesta's email, that is going to be the strongest and weakest link at the same time. anyone who has thoughts -- that is what happens when you are at the end of the hearing and batting cleanup and raise a number of issues. thank you for your efforts and for joining with us in figuring out how to do better for america. >> i'll make two quick points. we have active research going on now under the program we just talked about, trying to understand susceptibility to phishing attacks and what are the factors of people not recognizing it is a phishing attack.
with regard to culture change, it is going on in board rooms and among c.e.o.'s in light of the framework as a catalyst for this, but i think this might have been on their radar. but the framework is a means of cataloging the understanding of board rooms and c.e.o.'s managing risk to financial reputation and business operational risk and all the other risks that you are managing as a c.e.o., you now have the tools that you can use to incorporate cybersecurity risk into that entire risk management. >> i would like to pile on. the cyber hygiene, we all need to do better. and we work very closely with nist to help promote the national cyber education programs that we have. and i think we need to do better on that.
i propose that we probably need a woodsy owl. let's get kids out there fully educated and bring that pipeline up. and we have been working with nist and across the agency to do that. we need to incentivize. we should not be seen as the government who is here to help but instead overregulates; we need to encourage them to do the right thing and buy down their enterprise risk. risk is an intrinsic part of management of any business, and we have to be careful we don't hamstring the boards from actually managing their risk, and we need to give them the tools and support to be good wingmen. and finally, we have had a lot of discussions publicly in this town over the last two, three,
four years about who does what. as for me, having served in uniform for over 30 years and done some public service on top of that, it takes teamwork, and i view the d.o.d. and n.s.a. and intelligence communities' mission to help us with deterrence and interdiction, and stop them and take the fight to the bad guys, but protecting hometown america, that is more appropriate for d.h.s. to choreograph different activities across the federal government. >> the kinds of folks that are
-- the practice of security is changing very much because of that. i think about the folks we hire at symantec as an example. the kinds of folks that are hunting the malicious networks today aren't just computer scientists and experts but computational linguists, psychologists and anthropologists, and people who are looking at the human behavior of an attacker group. that's one side. on the consumer side, which we seem to ignore, we spend an amazing amount of time thinking about how do we make security similar to the ipad? and i call it the ipad because
it's the only piece of technology i have ever given to my mom and i didn't have to give her any instruction about how to use it. she just understood it. and we spend a massive amount of time now today on design. how do we make it intuitive, and make it more secure than less secure? and that is where a lot of effort must go in the security community today: how do we make it easier to be more secure than less secure. >> i was thinking as you referenced smokey the bear, maybe a new company, smokey the bear malware. i recognize mr. palmer for his questions. mr. palmer: accept our thanks for what allowed the kill switch to
prevent so many infections, but with regard to your measurements, 200,000 infections is too low, and before the implementation of the kill switch there may have been one or two million infections. how do you explain that practically no one tried to pay the ransom? the measure of success is hard to determine. >> i think there were some who tried to pay the ransom. mr. palmer: what you have got is a large portion of the companies paying the ransom? by monitoring the bitcoin, it seems that less than 500 people did so. that's two hundredths of 1%. that is inconsistent with what you are saying. >> it is hard to associate the
payments to the actual spread, and i'll tell you, for a variety of reasons. when you look at the actual attack and magnitude of the attack and trace it to the payments, if you look at the mechanisms, it's not clear whether you would get your system back, and at this point the attacks have been abandoned. if you paid it, it didn't go anywhere. most of the media and experts asked people not to pay the attackers. what i can say is the data we are receiving is absolute. it's not just one event; we have been doing this for close to a decade and we see analyzed data. it is accurate. mr. palmer: i would like to address this question to the general, and i would like to thank you for your service. your testimony refers to people running windows 95, but most infected were running
windows 7. the main reason people were infected was because a vulnerability was leaked to the public? >> sir, thanks for the question. just for clarity's sake, i highlighted windows 95 being used as an exemplar, but there were plenty of operating systems that were susceptible, including windows me -- mr. palmer: i'm asking about the intelligence community vulnerability that was leaked to the public. >> if we look at it from that standpoint, i'm concerned about that, and this highlights a couple of things. we have been telling you all along to do that.
second of all, as we take a look at the leakage of information, or the attribution of leakage of information, that is unacceptable. mr. palmer: with regard to the patch, that happened in january 2017, and microsoft released a patch that addressed that vulnerability three months later. so it was not a problem. it seems out of date, and if you hadn't put all the recommended patches on all the machines within 60 days, you would become a victim. it was a zero day attack. there was no way to protect the computer from it. >> i don't believe i would characterize this one as a full zero day attack.
from my perch, frankly because the fact that we had some patches and microsoft went through extraordinary measures to go out and create those patches for operating systems that had previously been declared unsupportable many years before and i used windows 95 in my testimony because windows 95 had been online for 19 years before it was retired. and for the last three years, microsoft had not been supporting it and for them to come back and put out that patch in march was extraordinary. and through federal government and other organizations around the world, we went out and we clearly communicated and carnegie mellon was one of them, communicated to the communities of interest, this is an important patch. mr. palmer: i have one more question.
no one was actually paying the ransom. was it to allow access to machines? >> thanks for your question. it's difficult to anticipate what the true intention was of this attack, whether it was ransomware. but what is interesting as a characteristic of the attack, which i think goes back to your first question of why didn't we see the quote normal or expected rates of ransomware payment, is that it was very weak compared to the typical piece of ransomware we see out there in the wild.
it is incredible that these attacks have a very robust infrastructure behind them. they have almost the equivalent of customer support of people that have been infected with the ransomware and didn't see that level of sophistication on the back end. >> i yield to congressman webster for his questions. mr. webster: thank you, mr. chairman. thank each of you for coming. my mind has been on something else and the statements that were given here were similar to that in that they fit. there was an attack yesterday and i thought about the fact that it was an advanced persistent threat and not only
that, it was a personalized attack. and there are some people who acted heroicically to turn it around. and so i just that was on my mind. the capitol police service who protected life and heroic acts by members of this congress, maybe it's a different kind of threat, but it was real. and in this case, there was no human error. and so i want to take this time i have just a few minutes and say thank you for our people who work here and for the members who serve here who prove there are still heroes in our country. so thank you, mr. chairman. i yield back. >> we have a couple of more questions and go for a short second round. i yield myself five minutes. you note in your written
testimony that the national vullingnerkt data base that nist maintains and updates dozens of times daily of all known and publicly vulnerabilities that vullingnerkts were exploited. a recent report notes 75% of the vulnerabilities were disclosed elsewhere first and takes seven days between the discovery of a vulnerability and reporting. what is the reason for the delay there if you talk about that and is nist working to get rid of that lag time? >> thank you for the question. we are interested in trying to shorten time to deliver important information to our stakeholders. our goal is not first to disclose or first to disseminate
-- although we want to do it as early as we can, our real goal duration, -- accurate curation, including assessment of the impact that a vulnerability might have and that requires a certain analysis before we can include something in the national vulnerability data base. the disclosures are often from sources that are not necessarily reliable. >> was there a delay in reporting the vulnerability that the want to come across -- the wannacry exploited -- the
>> i believe it was a matter of days. >> general, you were the first chief information security office. you to best position last september under the obama administration? >> yes or. -- yes sir. >> you believe the government should have this position. i know the trump administration any reason why you left at the time that you did and whether it will be refilled? >> thank you for the question. i believe this is a best practice to have a chief information security officer in different organizations. the first chief security organization was created in the private sector 20 years ago and took 20 years for the federal government to create one. i think it is important as part of an enterprise risk management
approach that you have someone who is focused on information security and the risk to the enterprise and advising the corporate community as it were, up, down and across as far as what those risks are and best practices to buy down and manage that risk. we still don't have an authorization for a federal chief information security officer in statute. it was my position was appointed
you never know who the attack is and focusing on that doesn't solve the problem we are vulnerable. you leave the door open. there could be thousands of people who walk by your house everyday. would it matter because you leave yourselves exposed? they do it because they can and should not make it that way. we should make it so we are resilient and strong nation in regards to defense. >> do you want to pile on at all? >> i do. we don't look at who is the country behind it and who is the person behind it but it is very critical of us to associate patterns of behavior. it will let us learn more about that group and the tactics and make us better prepared to protect against a new attack sight unseen and that was the case with a.v. engines because
of previous training on this against the wannacry malware and leave it up to the intelligence community to decide who that group actually belongs to. >> mr. lipinski, any follow-up questions? mr. lipinski: i thank the witnesses for the testimony and all the work as i said and i'm sure we will be continuing this discussion. so thank you. >> in closing, i want to thank all the witnesses today for your important, insightful and impactful testimony. and as our committees looks to cybersecurity and the issues of
national security, economic vulnerabilities, privacy, we look forward to work with you on those issues and appreciate you taking time out of your busy schedule to be here today. and the record will remain open for two weeks for additional written comments and questions from members. at this time, the hearing is adjourned. [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org] [captions copyright national cable satellite corp. 2017]