tv Politics and Public Policy Today CSPAN January 13, 2016 3:00pm-5:01pm EST
voluntarily take the strongest possible actions to protect themselves which includes following the nist standards and best practices. the various critical infrastructure sectors are just that, critical. they're so important to our national defense, our economy, and our way of life that it's imperative government and private sectors encourage organizations in these sectors to use best security practices. one promising area of incentivizing companies is tied to the growth of the cyber-insurance market. the commerce department has described cyber-insurance as, quote, an effective market-driven way of increasing cybersecurity, end quote. the treasury department has also suggested that the increasing demand for cyber-insurance may help drive private sector policyholders to adopt the nist framework. as insurance companies get their arms around the data they accumulate with each new breach
they'll want to have insights as to what their clients are doing for themselves. are they using the nist framework or an equivalent standard? insurance companies may well require their clients to adopt the framework to reduce their premiums. when that happens we could see greater market-based pressure brought to bear that will effectively require other companies to do the same. so, market forces and the fear of legal liability may make the nist guidelines the effective standards for companies to demonstrate to insurers or in court that they've exercised all due care to protect customers and their assets. one additional point: cybersecurity is just too important to do on the cheap. overreliance on, quote, lowest priced technically acceptable contracts can be very risky in a field with so little room for error. similarly our fifth war fighting domain, cyberspace, must be
properly funded. by contrast, just four banks, jpmorgan chase, bank of america, citibank and wells fargo, are spending three times the amount on cybersecurity. jpmorgan chase after they got hacked decided to double their i.t. security spend from $250 million a year to $500 million a year, more than all of cybercommand. the financial sector is an example of the private sector taking its risk management responsibilities very seriously and devoting the resources necessary to protect themselves. again, i appreciate the opportunity to share with you our perspective and i'd be glad to answer any questions. thank you. >> thank you. i will hear from dr. casado. >> chairwoman comstock, chairman laudermilk, ranking member lipinski and other members of the committee, thank you for the opportunity to testify today. i'm super thrilled to be here.
i'm senior vice president and general manager of networking security at vmware. it's the fourth largest software company with revenues over $6 billion and over 18,000 employees. the nature of the security breach at the office of personnel management was not particularly unique. hackers were able to penetrate perimeter security systems and gain access to interior systems where they were free to access and steal sensitive data over a period of several months. hackers typically use this attack methodology because traditional perimeter centric security systems are structurally designed to be doors to the network. these doors allow authorized users access to network systems and prevent unauthorized users from entering a network or data center. however, perimeter security is a single point of entry that must be breached or circumvented. once the intruder has passed the perimeter, there's no simple means to stop malicious activity from moving throughout the data center.
in many cases the response from companies and agencies and network security vendors is to add more security technology to the perimeter, which ignores the structural issue, creating a maginot line. we submit three points for your consideration. one, every recent agency breach has had one thing in common: the attacker, once inside the perimeter security, was able to move freely around the network. two, the techniques are necessary but insufficient in protecting the assets alone. three, the cyberattacks will continue, but we can greatly increase our ability to mitigate them and limit the damage and severity of the attacks when they do. so, in today's legacy networks there are a lot of perimeter centric technologies, and it's not sufficient to combat today's attacks. they are analogous to a locked door that can only be accessed with a key; the primary function is to deny entry to anyone who
does not have a key. however, once the door is forced open or breached you can move around unabated. in order to prevent an attacker from moving around the network, agencies must compartmentalize the data center. a zero trust environment allows unauthorized movement within the data center. when a user or system breaks the rules, the potential threat incident is compartmentalized and security staff can take any appropriate remediation actions. it is equivalent to securing each interior room with locks, limiting the intruder's ability to move around freely within the house significantly. this mitigates the magnitude of a security breach or break-in. these new approaches are already the gold standard in the commercial industry and need to become the gold standard across the federal government.
we've seen many government agencies conclude that the most effective means of mitigating the potential for a breach is to create a greenfield environment. agencies reach this conclusion because existing data centers or brownfield environments are assumed to be compromised and unsalvageable. this is a legitimate strategy but it fails to deal with the existing security threat. there are two major issues with this approach. existing networks or data centers continue to operate while the new environment is being provisioned, which leaves sensitive data vulnerable. it can take months or years to stand up a new environment. they were building a new enhanced network but the attack occurred on the existing system. without clear guidelines mandating security standards the new environments are subject to attack as soon as they become operational. in an era of constrained
resources this is insufficient. you can upgrade the security posture of the existing structure and add solutions that are more cost effective than hardware based solutions. by employing these technologies agencies can avoid billions of dollars of new infrastructure when the compelling driver for an investment is security related. thank you very much for the opportunity to testify today and i look forward to answering the committee's questions. >> thank you. now we'll hear from mr. schneider. >> chairwoman comstock, ranking members thank you for the opportunity to testify today. the focus of today's hearing is right on point. sign -- >> i don't think your microphone is on. sorry. >> i'm sorry. sorry about that. chairwoman comstock, chairman laudermilk, and ranking members, thank you for the opportunity to testify today. the focus of today's hearing is right on point. cybersecurity is a shared responsibility and the public
and private sectors must work together closely to counter ever evolving threats. many of the recent headlines about cyberattacks have focused on data breaches both in government and across the spectrum of industries, but cyberattacks do much more than that, and the incidents we see range from confidence schemes to sophisticated intrusions into critical systems. the attackers run the gamut and include highly organized criminal enterprises, disgruntled employees and state sponsored groups. attack methods vary and the only constant is that the techniques are always evolving and improving. spearphishing is still one of the most common forms of attack. social media is also an increasingly popular attack vector as people tend to trust links and postings that appear to come from a social media feed. we've seen the rapid growth of targeted web-based attacks and
trojanized updates where malware is cloaked. for example, last year legitimate software developers were tricked into using compromised software in their apps and they were downloaded by unsuspecting consumers. further, the attack surface continues to expand as the private and public sectors move to the cloud and the internet of things, and the billions of new devices coming online will bring with them a new generation of security challenges. for example, ccs insight predicted the sale of 84 million wearables in 2015. each is transmitting sensitive data into cloud platforms that must be secured. preventing these attacks requires layered security. we refer to that as our unified security strategy. nist's framework for improving security reflects this holistic approach. first is identify. simply put, you can't protect
what you can't see. the task goes beyond just identifying hardware and software and includes a risk-based approach to ensure the most critical assets are identified and protected. next is protect, and it starts with people. an organization needs to ensure that its workforce practices good cyber-hygiene but, of course, technology is important, too. modern end point security examines files to discover unknown or emerging threats that might otherwise be missed. it's critical to monitor the overall operation of a system to look for unusual, unexpected activity that could signal a breach. the third function is detect. an organization needs to know what is going on inside of its systems as well as who is trying to access what and how they are trying to do so. modern platforms ingest a huge
volume of machine data and use behavioral analytics to know whether there is malicious activity. they are able to detect threats that bypass other protections. fourth is respond. good planning is the foundation of an effective strategy. if and when an incident occurs you must respond quickly and effectively. assigning roles and responsibility is not a good use of time while an organization is hemorrhaging sensitive data. effective and efficient recovery requires preparation and planning. for example, poor preparation could leave an organization with incomplete or corrupted . perhaps the most flawed part is to learn from the incident. cooperation is key to improving cybersecurity and we participate in numerous industry public/private partnerships to
combat cybercrime. it includes the fbi, interpol, nato and others. we've been involved in several operations to take down criminal networks including several high-profile botnets. and the government can learn from the private sector's experience incorporating cutting edge security tools into their programs. we appreciate the committee's interest in learning from our best practices and i'll be happy to take any questions during the day. thank you. >> thank you. now we'll hear from mr. clinton. >> thank you, madam chair and members of the committee, it's an honor to be here. i appreciate the opportunity. i'd like to focus on five areas where i think the federal government can learn from the private sector. first, government needs to invest much more in cybersecurity.
private sector spending on cybersecurity has nearly doubled in the last several years to $220 billion annually. the federal nondefense spending on cybersecurity this year will be between $6 and $7 billion. private sector spending on cybersecurity will increase 24% next year; the federal government is spending about 11%. i know of two banks who have a combined cybersecurity budget of $1.25 billion for next year. dhs' entire budget for cybersecurity next year is about $900 million, 75% of what two banks are spending by themselves. cybercrime costs our nation a half trillion dollars a year. yet we are successfully prosecuting maybe 1% of cybercriminals. we need to spend more. two, government needs to act with greater urgency. it took congress two years -- sorry. it took congress six years to pass the information sharing bill. in 2009 major trade associations presented congress and the administration with detailed
recommendations on cybersecurity. in 2011, the house gop task force report on cybersecurity embraced these recommendations and president obama signed an executive order. but we've not seen any substantial work on the top recommendation in that report or the executive orders. for example, the gao task force report and the executive order and the national protection plan all call for the creation of a menu of incentives. yet aside from the information sharing bill, the president has not proposed, congress has not introduced a single incentive strategy bill. last month gao reported that 12 of 15 sectors, sector specific agencies, had not identified incentives to promote cybersecurity even though that's called for in the national infrastructure protection plan. the president's executive order called for the cybersecurity framework to be cost effective and prioritized. three years later there has been no objective measurement of the framework's effect on improving
security adoption or its cost effectiveness. three, the government needs to escalate -- educate top leadership as the private sector is doing. in 2014 there was a handbook created on cybersecurity for corporate boards which was published by the national association of corporate directors and is the heart of the training program that they are launching. price waterhouse coopers validated the success of this approach. they said boards appear to be listening to the guidance. this year we saw a double digit increase in board participation in cybersecurity leading to a 24% boost in security spending. other notable outcomes include the identification of key risks, fostering an organizational culture of security and better alignment of security with overall risk management and business goals. we believe, madam chair, that the government needs a similar program to educate the government equivalents of corporate boards. members of congress, members of the cabinet, agency secretaries. most senior government officials are not sophisticated with their
understanding of cybersecurity. if they are educated as we are educating the private sector we think we could have more effective policy. the government needs to reorganize for the digital age. the private sector has moved away from the i.t. department as the central focus of cybersecurity and is using a risk management approach. unfortunately the federal government is still caught up in legacy structures and turf wars that are impeding our efforts. a merrill lynch study found that the u.s. government is still in the process of deciding who will have jurisdiction in cyberspace. there are battles for jurisdiction and funding and it's muddled political agendas that are hindering the development of a secure system. and government needs to become more sophisticated in managing their own cybersecurity programs. a study compared federal civilian agencies with the private sector and found that the federal agencies ranked dead last in terms of understanding cybersecurity, fixing software
problems, and failed to comply with industry standards 75% of the time. the reason the government does so badly according to gao is that they simply evaluate by a predetermined checklist. the private sector on the other hand uses a risk management approach wherein we attempt to adopt standards and practices. we believe the government needs to follow the private sector's lead. they need to become more educated and sophisticated and act with greater urgency and commitment with respect to cybersecurity. i appreciate the opportunity to speak to you today. thank you. >> i thank the witnesses for their testimony. and we now will move to questioning. and we have five-minute question rounds. and i will recognize myself for the first five minutes. thank you all so much for your expertise and your passion about
this important issue. i remember back in 2014 i was able to sit down with mr. wood and we spent a pretty long afternoon i think identifying a lot of the problems. and i'm sorry to say that everything you said came true. that all the problems you identified were dead on. but i appreciate that you're here to help us address that. i was at the consumer technology conference earlier this week, so we're seeing a lot of the new things that are in practice. and certainly the concept of innovate or die is very much a reality here. so, i was wondering if -- because i think you've all addressed a little bit, but how do existing maybe government contracting provisions impact the ability for the public
sector to be agile and be able to do what you do in the private sector and how can we -- i know this is a little bit out of our jurisdiction in terms of government contracting. we have the standards. we have the practices, you know, we need to be more risk management based instead of just a checklist. how can we get those type of policies in the government that are as agile as what you're dealing with in the private sector? start, john. >> one suggestion i would have is that i think it would be very helpful for the government to move more towards a best value approach to government contracting versus a lowest price technically acceptable approach. the same individuals that we put on assignment with the government often we can -- will receive a much higher rate for those individuals when we're working commercially, because commercial companies tend to
value the kind of capabilities that our security professionals have. and when i say much higher, often it's, you know, 200 to 300% higher. i think at the end of the day that's a really big issue that the government needs to at least address, because otherwise you tend to get what you pay for. >> mr. clinton? >> sorry. i agree completely with mr. wood. and i think this speaks to part of the education issue that i was speaking to. we need to have a better understanding of the breadth of cybersecurity. what you're talking about, madam chairwoman, is not an i.t. problem, it's an economic problem. that's what cybersecurity is, it's not an i.t. problem, it's an economic problem. we need to find a way from lowest cost items particularly in the federal space. we have examples where federal -- where federal agencies are buying equipment off ebay from nonsecure suppliers because it's lower in cost. and while we appreciate the
attention and the need for economy in these times, we have to understand that there is a direct trade-off between economy and security. and we're just going to have to come to grips with that and we haven't. i think if we could educate the federal leadership in the way we're educating corporate boards where, by the way, we had exactly the same problem a few years ago, we might be able to get a better appreciation of the interplay between the economics of cybersecurity and the technology of cybersecurity. the real problem that you're speaking to in my opinion mostly comes in the smaller business elements of cybersecurity. if you're going to deal with, for example, the major defense contractors, frankly you compensate them perfectly well and they have pretty good cybersecurity. but because of the procurement system, they are required essentially to farm out a lot of the procurement to smaller firms across the country and those smaller firms do not have the economies of scale to meet the cybersecurity standards that the
primes have. we have to find a way to provide incentives for those smaller companies to come up to grade. because it is not economic from their business point of view in order to do that. now, we think there are a number of suggestions that we've made and i referred to in my oral statement and in the trade association paper that could talk about how we can better incentivize the smaller companies so we can get them up closer to where the majors are and if we can do that we can achieve our goal which is a cybersecure system as opposed to cybersecure entities. >> mr. schneider? >> i think another thing, this isn't directly a contract issue, is to use the tools that they've already purchased. i think one thing we see a lot in the private sector and in the public sector is the acquisition of technologies that then aren't even configured properly and used properly. so a lot of the investment that happens both within private organizations as well as the public organizations is to take
the technology purchases and make sure that you have the right human capital and the right best practices to deploy those properly. and i mean, the most cost effective thing you can do is use the money you've already spent more wisely, so i think that's one key that we see as well. >> okay. dr. casado? >> just kind of quickly more on a positive note, i think so i'm kind of a personal success story of this. when i graduated with my ph.d. i was thinking about being a professor, and instead i sort of worked in the intelligence community who decided to fund a start-up that we were doing and they were great to work with early on. and kind of to this point i think there's a lot we can learn from the government and that turned into one of the largest tech center acquisitions in the private sector ever. and more working with the start-up ecosystem funding that allowing us access to the way that you think about the security and the technology i think will hugely help
innovation. >> thank you. and i wanted to particularly note -- i think mr. wood you call it the fifth -- our fifth war fighting command is cyber here. i'm running out of my time. but if we can get -- and mr. clinton, the numbers and the comparison between private sector and the public sector and we're spending and sort of the quality i think that's a very helpful contrast and understanding. this is part of our defense system and certainly as we have seen social media being used in the terrorism area and all of those, so i appreciate you putting a real emphasis on that. thank you. and i'll now recognize mr. lipinski. >> thank you. so many things to talk about here and i just got set off in another direction with what dr. casado had just said, first i'll say it's good to see a stanford and berkeley guy be able to sit next to each other. i'm a stanford guy.
i'll ask you, you had just mentioned there should be more done by the government to engage silicon valley entrepreneurs. what more could the federal government be doing right now in this area? >> i am actually very positive with the actions the government has taken over the last few years. i've worked with government agencies and continuing to fund efforts that engage directly with start-ups understanding that they are risky propositions and there's a high level of risk, i think is very beneficial. again, i mean, all of the work that i've done in the last eight years has been based on my experience personally in the government and then funding from the government and it's turned into a major industry initiative, so i would just encourage you to continue a lot of the work that you're doing -- >> anything that's not being done that you think should be done with regard to the federal government side of engagement? >> well, i think -- i mean, i
think a lot -- i think it -- the problem is you're great at funding on the early stage and i think when things get bigger it's hard for the start-ups to engage with the government because you get into the difficult procurement processes that are owned by a number of people. normally what happens is you do a great job getting the guys incubating and you find out you can't sell to the government because it's too hard and sticky so we go ahead and sell to the private sector. what you could help with is get them incubated and started but give them inroads to selling to the government, being an actual vendor to the government. originally we tried to engage in government and it wasn't until eight years later that we could do it in a viable way, but actually having hand holding of the procurement process early on would have been hugely helpful. >> anyone else on this subject before we move on? >> we're starting to see a lot more engagement in silicon valley from various elements of the government. one example is the dhs has been very active over the last couple of years.
there's a new dod project called diu where they're bringing some of their technology needs to the valley so i think we're seeing a lot more engagement over the last year. >> mr. wood? >> thank you, sir. i'm honored to sit on the commonwealth of virginia's cybersecurity commission as well and one of the things that i've been encouraging the commonwealth of virginia to do is to encourage much closer relationships between the university ecosystem and the business ecosystem and to really promote research. i think that that will help propel a lot of the start-up activity that the gentlemen to my left are both talking about, whether it's in silicon valley or research triangle or the state of virginia. at the end of the day we need far more research than we currently have. the reason is when i talked about earlier the dollars the
difference between being spent in the federal government and the commercial side it's very simple. we have a real scarcity of resources in terms of cybersecurity professionals, so we need more tools being able to deal with the complex environment going on out there and the tools, i.e., automation, are the way forward i think in order to help deal with that scarcity of personnel resources. there are other things we can do as well, but i think that research would really help us a lot from the cybersecurity perspective really as a nation. >> and very quickly and continue it with mr. wood, i want to thank you for your work in s.t.e.m. education and thank you for bringing up how important it is that the human behavior is critical in, you know, preventing so much of this. i think you said nearly all of these attacks could have been avoided with better behavior. and i think that brings up the importance as i always talk
about here in understanding human behavior and funding social science research in to things like this. but the last thing i wanted to ask you is you talked about insurance. and i'm very interested in how do we incentivize the private sector. is this something that you think should be required, or do you just think that this will develop over time? i'm looking at do you see a need for the government to require insurance for these -- against these types of attacks? >> sir, i personally don't think there's a need for the government to require it because i think the lawyers will at the end of the day will help corporations and other organizations understand the legal liability associated with not taking the appropriate actions. >> have companies really suffered that much who have been -- who have had these data
breaches? >> oh, i definitely think they're beginning to. i am seeing more and more boardroom kind of calls being made to our company than ever before. i think the very public retail breaches that have occurred are now heading into not just the ceo's office but right into the boardrooms, so i also believe that the critical infrastructure industries that we have out there that are already regulated feel the pressure associated with doing something. and that's why i think that the insurance companies are doing what they are in terms of really trying to promote cyber-insurance. their feeling is if they can -- if the corporations can provide evidence that they are doing what's appropriate from a risk management point of view, that that will result in two things. one is lower premiums to the corporation who is looking to get the insurance and then, secondly, a better legal defense to the extent that they are sued. >> thank you. i yield back.
>> mr. clinton wanted to -- >> if i could just very quickly, mr. lipinski, first of all, we're big fans of insurance. we've been promoting cyberinsurance for over a decade, but i don't think that a requirement is appropriate. >> if you've been promoting it for over a decade, it doesn't seem like it's that widespread, is it? >> no. and that's because of systemic problems within the insurance market, lack of actuarial data, and the insurance companies realize if they insure and there's a major catastrophe, they're on the line for everything. we faced the same problem in terms of insurance in the last century with crop insurance and flood insurance. and there's ways we can work with the federal government in order to address that problem and i'd be happy to go into those in some details but i wanted to get to the specifics of the requirement piece. i think one of the things the federal government could do is require insurance --
cyber-insurance for your information systems in the same way that you require physical insurance when you build buildings and everything else. i think if the government did that, it would be a market leader in that regard. the other thing i just want to point out, this bears i think a little bit more conversation because i think this is a widespread misnomer of the reality: when you look at the data, the economic impact of the high-profile breaches is not what you think. if you go back and look six months after the sony attack, the stock price was up 30%. if you look six months after target, the stock price was up 26%. if you look at the high profile breaches you find there's an initial reduction and then there's a bounceback and i can explain why that is, because the smart guys on wall street say, ooh, nice distribution system, i like the price point of their products and the price is down, buy opportunity. so, the natural things that we assume are going to happen really are not happening when we look at the data. but mr. wood is exactly right
about the fact that corporate boards are spending much more attention on this but i think that has more to do with the threat to their intellectual property which is being vacuumed out and is a tremendous economic risk. >> they're not concerned about the consumers and the people using their business, they're concerned about their own -- >> yeah. >> that's a suggestion there. from what you -- >> we're going to have to move on to our next question. >> i will get back to that. >> and please do submit a -- >> okay. >> we can -- i'd appreciate you submitting some more information on the insurance area. >> sure. >> i think that would be very interesting. i now recognize mr. laudermilk for his five minutes. >> after spending 30 years in the i.t. industry myself, i can equate to a lot of what you're saying, especially the cyberinsurance. big supporter of cyber-insurance simply because of the standards that the insurance companies put upon these businesses. and i sold my business a year ago.
was greatly relieved when i sold the business because while cybersecurity was on my mind 24 hours a day of owning this small company and managing it, it was not on the minds of my customers. mr. clinton mentioned ebay. we had many instances where we put a secure network into place, a network at a small government managing power distribution systems, and we engineer it, we put the products in, some of the products that some of you represent from, you know, everything from spam filters, firewall, gateways, content managers, bandwidth managers, and then we would find out that they would go and buy parts for these off of ebay that would come from somewhere overseas and we don't know the firmware that's on it and i understand what's on their mind. especially when you're dealing with small businesses it's bottom line, it's -- doctors are being doctors, lawyers are being lawyers, they're doing what they're doing but we're supposed
to take care of it. do we have to upgrade? your network will still function, but you're very -- you're very -- at a high amount of risk. well, that usually doesn't change their mindset. so, having those sets of standards i think is important. another thing that was brought up is this risk based management. that's what we live by. we used to emphasize to our employees there's two types of computer users, those who have been hacked and those that don't know they've been hacked. and i think that's -- and another part of risk management is we emphasize to our customers don't keep what you don't need. if you don't need the data, you don't have it, you don't have to secure it. that really brings an issue that i have great concern about here in the federal government here and that's with the mida system which according to news reports is storing information on americans who access the
healthcare.gov website. not just those that got the health insurance but those that even shopped it. it's storing personally identifiable information of americans without their knowledge in a data warehouse. and for mr. wood, considering what's happened to the federal government, the recent expansive data breaches, does it concern you that the federal government would be holding information on citizens without their knowledge even for citizens who did not get their health care -- their health care coverage through this system? do you -- am i justified in my concern over the risk of storing this data especially data that is not needed? >> so, you're raising -- you're raising both a privacy perspective as well as a cybersecurity, you know, issue. you know, at the risk of being a monday morning quarterback, you know, which is what i would be doing if i were to reflect on
the opm situation, the very unfortunate opm situation, because like all of you, i also received my letter that gave me the good news. i think that in retrospect had opm been using, you know, two factor authentication, had they been using encryption at rest, had they been using -- had they had log files, we would have had a much different situation than perhaps we ended up having with opm. so as relates to the healthcare.gov situation, i don't know how they're storing the data to be able to reflect to you about what is appropriate. but i think generally speaking most people are a little nervous because those of us that are in the know worry that there just aren't enough resources being applied from a financial perspective to the i.t. security issue. it's not just at the federal
level, it's at the state level, too. commercial corporations, on the other hand, i see around the world are taking the appropriate steps, you know, i gave the example early on in my testimony about jpmorgan chase. you know, when they were hacked, they were spending at that time about $250 million. after their customer information system -- after the customer pii got out, it went to the board. the board looked at it and determined that they had to increase substantially their spend. to do a couple things. one was to actually buttress what they were doing from an i.t. security perspective, but the other thing was to raise the confidence of their customers. so at the end of the day i would argue that while their shareholder price has gone up over time, they absolutely and every corporation cares about their customer data. thank you, sir. >> i'd like to ask mr. clinton to respond to the same question, but also mr. wood. part of mitigating your risk is not keeping data that you don't need. would you agree that that is a
good practice, if you don't need data to not store it? >> yes, sir. >> okay. thank you. mr. clinton? microphone. >> i'll say it again, that's absolutely right, sir. thank you. >> okay. thank you. thank you. and now i'll recognize mr. beyer. >> thank you, madam chairwoman. dr. casado, i was fascinated by your testimony. i'm quoting you a little bit. once the intruders passed the perimeter security there's no simple means to stop malicious activity from propagating throughout the data center. this whole notion of unauthorized lateral movement and your call for zero trust microsegmented network environments, interior rooms with locks. is this recognition built into the nist cybersecurity framework? the moving from just the perimeter security to the internal stuff? >> yeah. so, we're actually working with nist now. but i don't believe it's currently codified within nist,
i think making it part of a standard would be greatly beneficial. >> sounds like a part of the cybersecurity framework. >> i think this is rapidly becoming a best practice within industry and the private sector and actually some areas of government as well. putting it as part of a standard would be very beneficial. >> closely related, mr. schneider, we are well past the days when a password even a sophisticated one will be more than a speed bump for a hacker. authentication is essential for any system to be secure. is this part of the cybersecurity framework that nist developed? >> i think it's very similar in that it's a best practice. it's not codified directly into the framework but it's something in the ability to protect your information that is becoming an industry best practice. i mean, the example i would give in the discussion about the future is there should probably not be even passwords as a core
element of how we access information because it's so hackable and we really feel like a future with rich multifactor levels of authentication is the right approach. and you can imagine yourself you go back to your office afterwards and you sit down to check your e-mail. if you are using a mobile device that tracks your location, there's two or three things that say i'm accessing my e-mail, you may ask for a p.i.n. or additional level of authentication but it's those dynamic authentications in the future and not the broken passwords. >> so, both of these are evolutions to the csf which leads me to mr. wood. you wrote very eloquently on page four of your testimony that most businesses would prefer the government impose the fewest possible requirements on them. we hear that every day in the house. but how many breaches will it take before it's recognized that allowing the private sector especially critical infrastructure companies to use
the path of least resistance creates an opportunity that might put our citizens' information at risk and put our infrastructure at risk and put our national economy at risk. nist standards, the csf, is purely voluntary. when do businesses come together to recognize that this really needs to be the mandated standard across the country? >> so, earlier we were talking about insurance. and the insurance industry and why hasn't it adopted more cyberinsurance more quickly. the simple reason is because the -- there was no standards, there was no agreed upon standard until not that long ago. and so i think that ultimately -- i look at the nist cybersecurity framework as a baseline and what these gentlemen are talking about are, in fact, good points and they're additive to the baseline if you will. but if we can all get to an agreement about what the baseline is and adhere to it, at least we know the other person i'm dealing with is going to be
able to evidence to me that i can do business with them because they're taking the appropriate steps. >> it just seems to me -- thank you very much -- that we look at so many things that affect us and we have mandated it and regulations have to be cost effective but, you know, we did air bags in cars and five mile an hour bumpers and seat belts. this may be, if it really is this huge threat to our national security and our personal security, that we think about mandatory standards rather than voluntary, rather than relying on the threat of a lawyer's lawsuit. mr. clinton? >> i would push back in the opposite direction. i would point out in my testimony i pointed to the fact that the federal government which basically does operate in the model that you're talking about with fisma standards that they must comply with, et cetera, and when we evaluate them independently versus the private sector the federal government comes out dead last.
the reason is, this is not air bags. this is not consumer product safety where there's some magic standard that we just come up to the standard and we are set. the problem is not that the technology is below standard. the problem is that the technology is under attack. that's a very, very different problem. we need to be forward looking. if we talked about mandating standards a couple years ago we'd probably be talking about mandating firewalls and things like that, that we now see as basically obsolete and all of our companies would be spending a lot of money complying with these outdated standards. so, we need a different model. the digital age is much more forward looking. that's why the obama administration and the house republican task force and the private sector all agree that what we need is a forward-looking, incentive-based model and we need to get industries to understand that it is in their best interests to be continually advancing security. they can't be looking backward.
they have to be looking forward. we can do this, by the way, but it is a completely different mindset and i think we need to understand in the digital age the old model just isn't going to work for this modern problem that includes nation-states attacking private companies. there's no minimum standard that's going to protect them. we need a different model and we think we can develop that but it is going to be different. >> i recognize chairman smith. >> thank you, madam chair. mr. wood, let me direct a couple of questions to you, but let me describe this scenario first and then ask you to comment on this particular situation. let's say a senior government official at an executive branch department approached your company to set up a private e-mail account and server for conducting both official and personal business. these e-mails could include sensitive or classified information about national security. in addition all e-mails would be stored on a server located in
their private residence. cyberattacks and attempted intrusions would be obvious threats among other security risks. the material being transmitted on the private e-mail account could be a matter of national security. so, two questions. could this scenario unnecessarily expose classified information to being hacked? >> yes. >> do you want to elaborate or that's pretty clear? second question is this, how would your company respond to such a request? >> we wouldn't do it. >> does any other witness want to comment on this scenario? >> well, for the simple reason that you're exposing classified data to -- in the open and at the end of the day that's -- that would not be prudent and it would also be illegal. >> okay. and why illegal? >> because the government requirement is that the -- that all official information be used through official means, meaning
through government networks. >> okay. thank you, mr. wood. i don't have any other questions and yield back, madam chair. >> thank you. i now recognize mr. tonko. >> thank you, madam chair. all of this hearing isn't focused on research. i know that mr. wood had addressed research as a component for growth in this region, in this area. as you know, the government plays an important role in supporting cutting edge research on all aspects of cybersecurity from prevention to detection to recovery. and through agencies such as the national science foundation, the national institute of standards and technology, and the department of homeland security, we fund everything from basic research to test beds for emerging technologies. and all of these federal investments in cybersecurity r & d are coordinated under the r & d programs. while mr. wood did raise the
issue of research, are there recommendations that you, mr. wood, or any of our individuals who are testifying, any recommendations that you would have about federal agencies and how to set research priorities and what major research gaps might exist out there so that we can better partner in a more effective manner with research opportunity? mr. wood? >> sir, thank you for your question. i agree. i think the national labs are doing a tremendous amount of work around all kinds of initiatives that regrettably many don't see the light of day ultimately. i think more can be done to, "a," make industry aware of what the national labs are up to and then, "b," provide a mechanism for industry to license some of those very critical research and development initiatives that
may have one specific customer but ultimately could have an entire industry that it could help serve. i think that would do a couple things. one, it would provide potentially an income stream back to the labs and, therefore, the government. the other thing it would do is provide if you will more innovation without having to spend a whole lot more dollars. thank you, sir. >> thank you. anyone else, mr. schneider? >> one area that we're very invested in right now is on helping kind of the people part of the equation. technology will continue to be an important element of any security approach and automation underneath. but clearly it's the people on top that we have to make sure are adequately trained. and one of the areas we've been highly invested in over the last couple years is simulation platforms to help us all understand what cyber breaches look like, what cyber incidents look like and be able to respond to those. many companies send out fake phishing e-mails to their employees and see whether they respond or not and if they report it to their -- to their
security organizations. that's one simple example. there's also simulation platforms that take real-world breaches and model those and allow security professionals to interact with those. so that's been an area that has been maturing for a number of years. really now coming into the private sector and civilian agencies and an area symantec has invested in heavily and potential for cooperation in some of the labs. >> thank you. mr. clinton? >> perhaps a slightly different point. we strongly support the notion of the government doing research on the cost effectiveness of the framework. we are big fans of the framework and like to say it was our idea, we published material on this a number of years ago. it's supposed to be prioritizing, cost effective and voluntary. we believe if properly tested we would be able to determine
various elements of the framework. and the framework is enormous and applies in different ways in different companies and sectors. we could demonstrate what elements of the framework apply to various sizes and once you demonstrate it's cost effective you don't need mandates for it. companies will do what is cost effective. you go to a board room, you can't just say this is a great idea. congress passed it. they'll say where are the numbers. show me it's cost effective. if we did that research, which is pretty easy and pretty inexpensive, i think we could get a lot of bang for the buck in doing what i think we all want. adopting this on a forward-looking basis. >> thank you. doctor, please? >> i think over the last 15 years i've had a lot of experience and you paid for my
ph.d. program, a dhs fellow, started my company. the biggest difference in my experience is the number of constraints on them. more flexibility in applying funds to our direct research agenda led to better research. the more agenda prior to the funding the harder for us to fit it within our broad research agenda. it's great to fund certain areas, i don't think it's so great to overconstrain the problems looked at. >> thank you very much. with that i yield back, madam chair. >> thank you. >> i thank the witnesses for being here today and for your testimony. question. when we talk about cyber security and these breaches, whether in the private sector or in the government, and whether we describe them as hackers or
something more sophisticated, every time this is done either in the private sector or to a government agency or entity, would we describe that as criminal behavior? is that a violation of a state or federal statute in some respect? >> it's a global phenomenon, many are not in the states, in the u.s., but the assets they're protecting may be. i think the legal kind of considerations can be pretty complicated. the other thing as more and more infrastructure moves to cloud platforms deployed globally, even if the assets are becomes more of a challenge. in general the answer is yes, but a lot of complexity to the global nature of cyber security. >> i guess as a follow-up to that, then, you know, if we look at, you know, traditionally when there's criminal behavior that is engaged in, eventually
there's somebody held accountable or responsible. there's a prosecution. there's a legal process that happens. it seems as if, you know -- i guess the question to you is, are you aware of a successful prosecution where somebody's held accountable? where there's a deterrent effect? seems there's no penalty, no pain, no consequences to anybody that engages in this activity? yeah, mr. clinton? >> yeah. congressman, i think you put your finger on what i would think is one of the number one problems in this space. i would answer that it absolutely should be criminal, in many instances is criminal, but it's not in certain places. we need to do two things. we need to be dramatically increasing law enforcement. we are successfully prosecuting 1%. no viable deterrent and need to dramatically help law
enforcement guys who are doing a great job but are underresourced dramatically, and we also need to work aggressively with our international community to create an appropriate legal structure in the digital age. we don't have it. we are operating in an analog world with cyber attacks and it simply is unsustainable. we need to do both of those things. >> i guess, is anybody leading the way on that, mr. clinton? out there? either -- i mean internationally or here domestically? i mean, where are we at with that process? >> we are not doing nearly enough. i mean, there are people who will give a speech here and there. again, i'm not going to point fingers at law enforcement. i think they're doing everything they can. they're underresourced. we need to fund it much more aggressively. >> thank you. mr. wood? >> thank you for your question. the issue is that, from
a law enforcement perspective, first of all, as mr. clinton pointed out, it requires global cooperation and the standards of prosecution also have to be the same. the standard of prosecution here at the federal level might be different than the commonwealth level, might be different than in paris. there needs to be some agreement what the standards are for prosecution as well. >> yeah, but why are we waiting around for that? seems this is ongoing. there should be standards set to do that, instead of, doesn't sound like there's a framework in place to even address that? >> we did an analysis in the commonwealth on just that point. you know it was a really great analysis, i'd be more than happy to provide to you from the commonwealth of virginia. i don't know why. all i can say is that the -- the standards, even within the states are different, for prosecution. >> and can you point to me in the commonwealth of virginia where there's been a successful prosecution or that deterrence has been put in place in
virginia? >> we just changed laws in the last six months and i'll let you know. >> i yield back. thank you. >> actually one point, if i can. >> go ahead. >> a number of great examples where there's been cooperation between the private sector and law enforcement to do takedowns. i could give you a number. gameover zeus, a recent one. zeus has been a financial fraud botnet around successfully for a number of years. put out by a private/public partnership. the next version came online, symantec and a number of private companies as well as fbi brought down that botnet propagating cryptolocker, takes people's machines, encrypts the information and extorts you to get the information back. kind of successful examples but to your point, a much more consistent global approach is needed. >> in your case, i appreciate you mentioning that, was there
actual individuals held accountable? in prison right now? >> a particular individual in eastern europe that has been prosecuted and convicted. >> and are they in the united states in prison? >> no, no. it's in europe. >> thank you. >> thank you. and i now recognize ms. bonamici. >> thank you, madam, and there's a lot of room for bipartisan cooperation in this room. mr. clinton talked about setting policy because the technology changes faster than policy changing. so that being said i really look forward to working with all of my colleagues in continuing to raise awareness about this important issue, and, also, come up with policy that not only addresses the issue but prevents it. i was recently out in oregon visiting i.d. experts, an oregon business that specializes in health care, health data breaches. this is not just a federal issue as some of my colleagues might
have suggested. look at the anthem blue cross breach. we're talking about millions of people here, and most people think when they think about identity theft think about the financial consequences, but with medical identity, if someone gets a procedure or prescription or something and that is entered into the individual's health record, there are financial risks and the majority of people don't carefully review their benefits statements, like a lot of people don't carefully review their financial statements or credit card statements that might alert them to something. i want to follow-up on something mr. lipinski started the conversation about, the psychological aspects, and ask you, mr. schneider, in your testimony, you say -- this is, put a picture in my mind here. like the lion in the wild who stalks a watering hole for unsuspecting prey. cyber criminals lie in wait on legitimate websites that they
previously compromised and used to infect visitors. most of these attacks rely on social engineering, simply put trying to trick people into doing something they would never do if fully cognizant of their actions. for this reason we often say the most successful attacks are as much psychology as they are technology. so now i'm going to have a lion, this vision of a lion waiting, maybe that will help stop me from clicking on things i shouldn't click on, but mr. schneider, could you talk a little about whether we -- do we need to fund more behavioral or social science research? do a better job educating people about those risks and how to identify them? how do we get in -- are we adequately addressing that psychological aspect, because when we talk about the risk and i think, doctor, you recommended, or brought this issue up as well, that -- we have to do more to prevent that. so -- doctor, and mr. schneider, could you address that, please?
>> ultimately social engineering is always going to be part of the security equation, because we as human beings are fallible. so i think systems have to be put in place to enable us to do a better job. excuse me. of helping to secure our own information as well as our company, or our agency's information, and, i mean, some of the examples i would give you, though, are in that training area we've talked about. helping all of us to think about security and be more thoughtful about security. secondarily, it's the kind of security architecture underneath that makes it much harder for attackers to get the information we care the most about. all of the world's information is not identified equal. health records are much more important or financial records much more important to us than the lunch menu we're going to look at today. it's taking a much more i think granular approach, identifying sensitive information we care the most about and putting more security investment around those kinds of assets than the generic
assets out there. >> doctor, what is your thought on that? >> so i'm 39 years old, and when i was 37, i got an e-mail from my sister on my birthday and it was, like, dear brother, so happy you're my brother and a picture when we were kids, really sweet. nice to see it last night, a picture more recently, happy birthday, a little link. i thought, so sweet. my sister has never remembered my birthday before. i thought, you know what? my sister's never remembered my birthday before. so i -- i looked through the mail header, it had come from russia. listen, i've got a technical background and a sister that doesn't remember my birthday and if either of these -- >> it's now on record. >> that's right. and if either of these weren't true i'd have clicked on that link and infected my computer. this tells me fundamentally it's very important to train users. it's very important to do path
searches but a determined attacker will find a way in. i mean, they got pictures off of facebook. it wasn't that hard to do. probably two hours of work to send me that e-mail. if i was anybody else i would have clicked on that link. i think that's why -- >> can you quickly, i'm almost out of time but also serve on the education committee. what are we going to do in terms of educating the next generation and work force to make sure we are getting a step ahead? at what level -- >> core education around security perimeters actually is very, very clear and i think these factors are important. the second thing, there are technical implements to put in place because a breach will happen. a determined adversary will get in and we need to advertise a zero-trust type model. >> and a huge gap of security professionals in the country today, creating the educational programs to enable returning veterans and high school and college students to choose careers in cyber security.
something that's very important as well. >> thank you. my time is expired. i yield back, madam chair. >> and i recognize mr. palmer and doctor, work on that birthday, if you want to let your sister know, right now, what the day is. >> thank you, madam chairman. i'm happy to report for the record that my sister does remember my birthday, but my brothers do not. on that -- same line, though, doctor, you can have the best technology in the world. you can have great training, but if employees are negligent in their use of it, you're still exposing yourself and i bring this up in the context of an article in the "wall street journal" back in june, actually june 9th. and it relates to the fact that the immigration customs enforcement agency had sent a memo to employees in 2011, because it had seen an uptick in cyber attacks related to employees using the federal
website, federal server, to access their personal websites, or their personal e-mail. unfortunately, the labor union filed a grievance and prevented them from doing that, and that's apparently where one of the breaches occurred later that, last year. and my question is, and this would be both for corporations and for the federal government, does it make sense to prevent employees, either in the private sector or in the government sector, from using their company servers or the federal servers to access personal information? their personal servers, personal websites, their e-mails? >> so -- just quickly, i mean, it seems to me i.t. goes through phases where it collapses and expands. mainframes went to a bunch of computers, collapsed now
expanding again. mobile iphones, clouds, all of this other stuff. i think it's unrealistic from a day to day perspective, innovative perspective to think people from outside aren't accessing work information and people inside accessing personal information. whether on vacation or not i'm constantly accessing and we need to assume this information will be accessed no matter where they are or what capacity we're running under. >> i agree with the doctor's comments particularly with millennials. if you have a workforce policy you're probably not going to have much of a workforce left to deal with, but i think there are things we did do and are doing some in the private sector. one of the things we're trying to do, move out of this i.t. centric notion of cyber security. for example, involve the human resources departments in this and what we're advocating and seeing some success with, we are integrating good cyber security
policy into the employee evaluation system, so that if you have downloaded things you shouldn't be downloading, you are less likely to get that step up increase or that bonus at the end of the year. we've got to make this part of the overall process and there are other things we did too and are seeing adopted in the private sector, such as separate rooms with separate equipment so that people can access their personal information or their data without using the corporate system. and so i think if we are a little more inventive about this and use that more incentive model we're probably going to have more success. >> i think that's a great point because you can have a public access, a separate environment, where people could do that, but they have to use it, because, for instance, if you'd been a federal employee, doctor, and you'd opened that e-mail from your sister through the federal mainframe, would that have potentially infected -- >> yes.
so i've worked in a scif. had four computers that would measure -- there are very, very comfortable in these high, secure environments. i just think if you want to be competitive from a business perspective against other companies you have to assume that your employees will be fully connected at all times. >> can you not create a secret environment? >> not without having an operational overhead. you limit the ability to function. >> you want to comment? >> i want to follow-up on what the doctor said. so as the -- as the use of the internet increases and as the "internet" of things becomes more prolific, everything has an i.p. address. where do you draw the line? at some level i would almost prefer that people use my infrastructure, because i know what we do, from a security perspective. i don't know what they do, from a security perspective. so to the extent that you make the argument, there should be
some separation, i think there are very good arguments on both sides. i'd rather have them in my infrastructure because i know what we do. >> thank you, sir. >> i think the approach that makes a huge amount of sense when you think about all of this connectivity is really understand and protect the information and the identities of the folks trying to access it, and that's really what we've seen in security over the last five-plus years, a move towards not just protecting systems and networks but truly understanding the information and most sensitive information and putting the right kinds of protection around that. >> my time's expired but i want to thank the witnesses for the clarity of your answers. it's been an excellent hearing. thank you, madam chairman. i yield back. >> thank you, and i recognize -- >> thank you, madam chairman. i want to thank each of the panel members for talking about this important issue. you graduated from stanford university in the bay area and began your career at lawrence livermore national laboratory in my congressional district and
i'm honored to represent folks there as well as sandia national laboratory, many working on this issue. your solution for cyber security is to wall off certain segments of one network to prevent cyber intruders who have penetrated outer defenses from gaining access to particularly sensitive information and you argue such new approaches are the gold standard for commercial industry and need to become the gold standard across the federal government. how much time and resources would it take for the federal government to do this and are the costs worth the benefits? >> that's a great question. so the technology and adoption have evolved enough we know how to do this without disruption, basically. early on, well, extremely secure and sensitive environment, go and retrofit. now solutions to put in, do non-destructively. cost benefits from a business perspective makes sense. so much so this is one of the fastest growing sectors of the
software space. not only practical but we have enough experience over the last couple years to see adoption. yeah. i think that actually this stuff is absolutely worth retrofitting. >> great. and just for all of the witnesses following up on mr. lahood's question earlier. as a former prosecutor, i, too, am quite frustrated it seems that individuals are able to attack networks and individuals with relatively little punishment, and i understand the challenges of these attacks originating in russia, ukraine or from state actors, but for non-state actors, i'm just wondering what -- what could we do internationally to maybe have an accord or an agreement where we could make sure that we bring people to justice? i remember i asked a high-ranking cyber security official at one of our laboratories naively, i guess,
you know, well, are re going after these individuals? and this person kind of laughed, not being rude, but just saying, we're not going after them. we're just trying to defend against what they're doing, and i agree with mr. la hoahood, un people pay a stiff price, i don't know if it's going to change. as a prosecutor, purting a case together like this is very difficult. just the chain of evidence and proving who's fingertips were touching the keys to carry out an attack can be difficult, but what more can we do internationally? >> yes. mr. wood? >> thank you for your question, sir. so right after -- i'll answer your question in a -- in a, over a period of tile. right after september 11th i was sitting in a meeting with a large number of information security professors from within the intelligence community and the question was posed in the
auditorium where there were about 250 people, when are we going to start sharing information? and the answer came back from one senior person in 50 years. and the other, another answer came back from another person not in my lifetime. and it was very -- you know, disappointing to say the least. now, you roll forward 15 years and you look where the intelligence community at least my opinion is today, it's not like that at all. today i see the intelligence community sharing information in a way like they've never shared it before from dni on down. what's happened is as more and more breaches occur and more and more of breaches of trust are occurring there's a willingness to work together that didn't happen before. i sit, as i mentioned earlier on the cyber security commission in the commonwealth of virginia, and we work very closely with the dhs and fbi and the state police and they work very
closely with interpol and others and i can say there is a spirit of cooperation that i haven't seen in a long time. what is lacking, however, is the resources and the funding associated with actually prosecutes, number one. number two, having a common level of standards of what's prosecutorial and what's not. >> thank you all for your service on this issue and i yield back. >> thank you. and i now recognize mr. rosterman. >> thank you, madam chair and i also would like to commend the panel today for your very informative testimony and also for the zeal that you have in working in cyber security, and i believe it's potentially the war of the future that we're fighting here, in cyber security. and i'm from arkansas and i'm just for -- personal reasons, mr. clinton, do you have any arkansas ties?
just out of curiosity. >> [ inaudible ]. >> okay. i've also been listening to the testimony and the answers to the questions, and i've got a 20-year-old college student, and i had a fascinating conversation over christmas, and you guys were talking about how millennials are always connected. and he was telling me that that's a huge consideration where you take a job now. what the connectivity speed is. you know? and, you know, it's -- it wasn't something we considered when i was getting out of college, but it played a big part in where they would go to work and eventually live. so i know we're in this connected world now. to follow up on a question,
talking about being on offense, and the prosecution, but from the technology side, is it all defensive or are there corrective ways to combat hackers before they make their attack? >> i think there's a set of approaches that are not defensive and much more proactive that are in place today and will continue to expand. so one example is around things like honeypots. so if the bad guys are attacking you and you give them a place that looks like a legitimate part of your infrastructure that they go to and spend all of their time and energy attacking, you protect, you realize that and you're able to study what they're doing at the same time. there's also things like shock absorbers, where the harder an attacker hits you with traffic, the more you slow them down, and doing things like tarpitting. a whole set of defensive and more proactive defensive measures that aren't offensive and don't go directly after the attackers are in place
today and actually very successful within the enterprise. >> congressman, if i may -- i think that's of course true and there are others. i think i want to build off this point into having a better understanding of the multifaceted nature of the cyber problem. so, for example, you know, one of the technological mechanisms that we use in the private sector is we understand that the bad guys are going to probably get in, you know, a determined attacker will enter your system, but we have more control over the bad guys when inside the network than when outside the network. dealing with a cyber crime situation you're basically dealing with theft. meaning they have to get in the network, find the data and get back out. so if we block the outbound traffic rather than try to block the inbound traffic we can actually solve the cyber breach problem; they get to have a good look at our data but not use it at all. from a criminal perspective, a
problem. looking at it from a national security perspective, the attacker may be interested in disruption or destruction. they don't have to get back outside your network and don't care about getting outside your network. we need to understand we are dealing with multiple different cyber problems. some of which are national security, defensive, critical infrastructure, making sure the grid doesn't go down, et cetera, and need a different strategy than for the strictly criminal or theft problem, and when we have a more sophisticated policy in this regard, i think we're going to be able to make more progress. >> and also just to briefly follow up on a question that ms. bonamici was talking about as far as developing new workers for the cyber security workforce, are your companies seeing a workforce shortage? do you see a lot of growth for the future in that? mr. wood? >> we do see a -- an enormous
shortfall of cyber security professionals. in the state of virginia alone the state government has -- has announced we have about 17,000 unfilled cyber security professional positions just in the commonwealth of virginia. sir, if i might go back to your other question, if you don't mind, about offensive. >> all right. >> a question near and dear to my heart. if someone were to come to my house uninvited and either hurt my children or my wife or take my stuff, i have the right to defend myself. but if someone were to come into my corporate house and virtually take my stuff, whether it be intellectual property or customer data, whatever it might be, or financial information, whatever it might be, we need the ability to defend ourselves. particularly if we don't have a -- if our cyber command is not going to fund itself in a way
that gives us the comfort the same way we have the comfort, i think, as a nation, from a standpoint of air, land, sea and space. thank you, sir. >> and madam chair, i'm out of time but would like to plug our congressional app challenge and encourage all members to promote that in their districts, because it does help develop a new workforce for cyber security and a lot of other areas. >> thank you, mr. westerman, and i will also join you in plugging that. i know it's on our website and our facebook page and i think the -- date is january 15th when things are due. right? >> unless you extend it. >> no. i now recognize mr. abraham. >> thank you, madam chairman, for having this great hearing, and i want to thank the witnesses for giving direct answers to direct questions. that's refreshing and somewhat of a novel idea in a committee hearing.
so kudos to you guys for answering straight up. we appreciate that. some of you have espoused the value of sharing cyber security information, whether it be a cyber threat or a cyber crime, with certainly other companies or government officials. this last cyber security bill we passed last month, did that help or hurt in this area? >> sir, i think that that was a good bill. we endorsed the bill. we support the bill completely. the most important thing, however, is that that is not "the" cyber security bill. that's a very useful tool to have in the toolbox. it can help, but it is nowhere near sufficient. >> so we need to do more? >> absolutely we need to do a great deal more. >> and just give me your top three recommendations? what would be your bullet points for the new legislation? >> we would like to see the
incentive program that has been endorsed both by the president and by the house republican task force put in place. that would include things like stimulating the cyber insurance market we've talked about earlier today. it would include providing some benefits for smaller businesses who don't have the economies of scale in order to get into this. including streamlining regulation so that we had an opportunity to reward entities that were doing a good job with cyber security in the way we do in other sectors of the economy. a lot of the incentives we talk about and referred to in my testimony are things that we are already doing in aviation, ground transport, agriculture. even environment. we simply haven't applied these incentive programs to the cyber security issue, and so i think if we did that we could do more. and then the third thing would be, i think we need to have a
much better, a more creative and innovative workforce development program. i mean, we've talked here about the fact that we are always in an online -- we are always connected now and we all know this, but the -- the slogan that dhs uses for their workforce education program is stop, think, connect. directly out of the dialup age. no millennial stops and thinks before they connect. it just makes no sense. we need to be leveraging espn and reaching to the millions of young people who are interested in gaming, and popularize that and use that as a bridge to get them interested in cyber security. we need to be much more aggressive and inventive in this space. by the way, they are doing these things in other countries. we need to take a page from that. and the final thing i'd mention, we would like to see, i'm not kidding, we need an education program for
senior government officials, like we're doing for corporate boards, who are just like you guys. really busy, lots of things that they have to do, demands on their time. we found when we actually educated them about cyber security, we got better policy. we got more investment. we got better risk management. we need to do that on the government side just like we're doing that on the private sector side. >> very enlightening. any of you guys want to comment? anything else? >> if you think about, you know, threat information, vulnerability information, attack information, for many years sharing that information, and some of the keys are to take it, aggregate it, analyze it, and we're taking information that is specific to a particular industry or set of customers and trying to gain the security knowledge but not -- not put any of that information at risk. so it's something that's been happening for many, many years in the security industry and an important element but not, of course, the final answer.
>> okay. thank you, madam chair. i yield back. >> okay. and i recognize you for your five minutes. >> thanks so much, gentlemen. thank you all for being here. a lot of things have already been asked and answered, but as we say around here, not everyone has asked that same question yet. so my turn. now, i've been trying to focus on a couple different things, but thank you. i do think this is important, and the american people, constituents, are waking up and feeling some of that fear, and wanting to know the right thing to do. so we always want to hear from you of how we can be informing our own constituents of wise decisions, along with ourselves, our families and our staff, to protect important information. so much of our society, so much of our financial system, is based on consumer confidence. and if there's a feeling that this isn't safe, or whatever it is, i think there's going to be -- we're going to lose the benefits that much of this technology
has. so we want to do this well. i do want to talk -- briefly or ask you, your thoughts. we've talked a little about what government can do better, learning from the private sector, and certainly the private sector is ahead of us in so many areas. we've also heard, really appreciate it, mr. clinton, your response, that, you know, for us to say this is like an air bag problem. it isn't. it's completely different. for us to be prescriptive, you have to do this. we always pick the wrong technologies. it's always too late. instead it's really that framework, i think, of a way of thinking how to solve this problem. the question i would have is really with impediments that government is putting up to your business or other businesses from new innovation. what would you say is the greatest impediment you feel from government to your business innovating or doing what you already do best? is there something that's been a hurdle you have to overcome?
doctor? >> so this is going to be an indirect answer to your question, but actually working with the government on the procurement side. something difficult, and one where there isn't flexibility in budgeting, which makes it actually difficult for the agencies and departments to adopt new technology, because the working capital they have doesn't allow them to move as quickly as possible. so from a sell side, purely financial side, more flexibility in budgeting will help them and help us be able to introduce new technologies into the government. >> mr. clinton? >> i would offer two things, congressman. first of all, we need to really rid our government partners of the blame-the-victim attitude that they have, particularly at some of the independent agencies. i'm thinking of the ftc and fec, for example. as we have articulated here, and i think it's fairly common knowledge up in the congress, it has been said, the determined attacker is
going to get in. the fact that you are subject to a breach is not evidence of malfeasance or nonfeasance. there may be instances where you are. we should investigate those, but breach, per se, is not one of them. we need to move beyond that particular notion. the second thing that i would say is that we need to, the government really needs to get its act together with respect to cyber security. cyber security, you're right, sir. everybody -- cyber security is real hot now. so every entity in the government, every state, every locality is coming up with their own cyber security programs, and a lot of times these things differ just a little bit. and so when you try to do these things, you're forced to meet multiple different compliance regimes, trying to do essentially the same thing. now, we're in favor of the framework and using that, et cetera, but let's have one and make sure we're all working in
the same direction, because as we've also pointed out, we do not have adequate resources in this space, and frankly, we've got -- one of the big problems my companies tell us is they're spending all of their time on compliance, which means they don't have time to spend on security. i have one company, they told me a story about how they were following a legitimate best practice, quarterly pen testing, testing your system every quarter to make sure you've not been invaded, and went from quarterly pen testing to annual pen testing because all of the security people were too busy doing compliance. a 75% reduction in a key cyber security best practice due to overregulation coming from different elements. we need to streamline that process, have a good process, but one process that is cost effective. >> yeah. that's great. go ahead? i think, if you both can speak on this and then i'll be finished. i think this is real important. >> the one point i have, and double clicking on it again, is education. there's a huge and growing gap
in the number of cyber security professionals available, and symantec is doing a lot of work with universities. not just universities, it's primary education, getting boys and girls in high school today and actually really focusing girls to think about careers in cyber security and the skill sets that go along with that. >> i'll echo a comment and follow on top of it. yes, the determined hacker can get in today, no question. as the verizon breach report focuses on, 94%, roughly, of those hacks could have been avoided. then you get the hacker to have to focus on the 6% or 8%, a lot harder to get in. we have the tools, the standards, the approach. the second point i'd make is this framework is indeed something we can all get behind, and at least it's a baseline. then the third thing i would say, and the last thing i would say, is that, look, compliance and mission are not mutually
exclusive. you can make compliance work, but it has to be automated and has to be invisible to the guy that owns the mission so it doesn't inhibit their ability to get their mission done. >> yes. that's a good point. thank you all. i'm over time, and gentlemen, thank you all for being here. >> thank you. and i thank the witnesses for their very valuable testimony and the members for their questions. i think we have gotten a lot of sort of assignments for today in new -- issues and areas that we need to explore further. so i would like to invite you all to keep an open dialogue with us, and don't wait for us to call, please. provide us with any additional information that you think, or as you see issues going on. this is going to be, as you all said, this is going to be an exponentially growing problem. we do have a cyber war being waged against us, and we -- it's a little bit like post-9/11 when they're at war with us but we
weren't at war with them, i think. now we definitely have bad actors on all kinds of fronts, from individuals to nation states, who are waging a cyber war on us, and we need to respond in kind and have that be reflected in our budget but also our responsiveness and how we plan, and this, the 94% that we can get covered if we get the right systems in place, then allows us to spend our time on those 6% we can't prevent, because i think we all agree here and we all understand that no matter what we do, in this exponentially increasing information world we are going to have breaches, because it's a little like i was talking about earlier with somebody before the hearing, how when i was out in las vegas somebody said it's like asking never to get sick. you know? in the world we're going to be dealing with, there will be breaches. but what systems are in place to identify them, and then if it's only 6% we have to deal with, then our creative resources and all that we need to do can be very quickly identified there
and then move on to solve these bigger problems. so i thank you for the challenges that you've put before us, and the record will remain open for two weeks for additional comments and any questions from the members. so if there are questions that we didn't get an opportunity for, or from people who weren't here. and i thank the witnesses very much. you're excused, and the hearing is adjourned.
how much does congress or -- does the -- what -- how much does the president request and how much actually gets done by congress? >> sure. we look at where presidents requested action from congress. so presidents do a lot of things in these speeches one of the things they do is recommend measures to congress, which the constitution stipulates the president can do, and so presidents actually vary in how many requests they have. you will have presidents like bill clinton, for example, who was known for very long
speeches, being a policy wonk, throwing in a lot of requests, many of them small bore. you have other presidents, like jimmy carter, who had relatively few requests and tended to talk more about big picture items in his particular speeches. nevertheless, there is a basic blueprint of speeches in which the presidents claim credit for things they have done. oftentimes that sets up, then, a request for action in terms of the legislature. so what we look at is only in the year, and many times presidents don't get anything in the following year, but it may be a request they repeat in another state of the union address, and it may be successful or not in future years, but we only track during that particular year, and by and large, you know, presidents get less than half of what they ask for in some form. many times presidents ask for things and get some element of what they want, and we track that also. so basically about 40% of the requests that presidents since lyndon johnson have asked for action on from congress do they get some form of what they want.
again that will vary both across presidents and also within presidencies, because as we saw last night with the speech, what is happening in the current political environment, very much informs what the president has talked about in that speech. >> yeah. so specifically, what has been president obama's success rate on this front over his seven years of giving these speeches? >> it actually varies quite a bit. he had a very good year in 2010, for example, and was able to get about 56% of his requests. either fully or partially satisfied by congressional action. but then in 2013, the first year after his re-election, he was only able to get about 5%. a lot of variation there you see and, again, sometimes that is dictated by how the president approaches the speech. sometimes it's dictated by the composition of congress, what is happening there. lots of internal dynamics. a lot of variability, again, goes across presidents as well as within presidencies.
obama in 2015, the year we concluded, actually had a decent year for him. about 36% of his requests that he asked of congress in some form were acted on successfully by congress. >> and what about last night? how many requests did he make? do you know yet? and how do you go about tallying that? >> yeah. it's something that we look at the speech and we do content analysis of that, where we are able to look at where the president is asking congress for some kind of congressional action, and so we have not yet -- i work on this with alison howard at the university of california and we have not tallied the requests. it takes time to do that, and certainly looking at success, that takes calendar years to go by. while it was an unconventional speech, it really wasn't in most ways. again, a basic blueprint. while we don't have a number in
terms of the requests he had, he did have, at least by back of the envelope calculation, at least 15 in there in which he was asking for things, and you know, they range from ending the embargo on cuba, authorization of force in terms of isil, immigration reform. some of the things obama has perennially talked about. again, looking at his final year, he did kind of talk about more big picture items in this particular speech but still did the things presidents do in a speech, claiming credit and asking for legislative action. >> why do this tally in the first place? why do you think it's important to try to track? is this trying to track the success of a state of the union address? >> it's both about -- it is largely about the state of the union address, but it's also about the president in a new role in the modern presidency. the presidents have the chief
legislator role. this is not a role the founders intended the president to have. because of modern technology, radio, television, the president using rhetorical skills to talk to the public, there was concern among the founders that the president could become a demagogue and they didn't want that to happen. appeals in the 19th century, for example, were not something presidents were supposed to be doing in terms of conventional wisdom, but once we get radio, once we get television, presidents start to use their rhetorical skills, their bully pulpit, if you will, potentially as an advantage. the question we began research with: does this make the presidency more powerful? at the same time the state of the union address is often denigrated as a list of proposals that doesn't mean anything, and it does mean something, but we have to put it in proper perspective. it's not the case that if the president says congress do x, congress will do that. that is proper in terms of the constitutional structure of
government. we wouldn't want that to happen. but one of the problems with the state of the union address, and the way modern presidential campaigns go forward as well, is that there is the president in the center of the house chamber with all of the people around him, lots of attention focused on him, and for the public that tunes in, the speech can raise expectations, the way presidential candidates' campaigns can raise the public's expectations. and this is a problem, because presidents do not have the tools to fulfill all of the things that they ask for. they have to have congress go along with them. when we have a presidential candidate out on the campaign trail saying elect me and i'll do x, they never say, if congress will go along with me, because that's not the way we do modern campaigns, but that is the reality. if that person becomes president and they're giving a speech, it's still leading into the notion, here i am, asking you to do this. year's end, it hasn't happened, many times the public says there's the president, he didn't get anything done. it helps in putting things in
proper perspective both about the presidency as well as this particular speech. >> npr wrote about the research and you can find it on the npr website: chart: how much gets done from state of the union speeches, if our viewers want to learn more there. donna hoffman, associate professor of political science at the university of northern iowa. thank you. >> you are very welcome. the day after his last state of the union address to congress, president obama travels to the university of nebraska omaha to talk about jobs and the economy. c-span will have live coverage at 5:15 p.m. eastern. live at 7:00 p.m. on c-span, virginia governor terry mcauliffe delivers his state of the commonwealth address to lawmakers in richmond. also at 7:00 p.m. eastern on c-span2, west virginia governor earl ray tomblin, state of the state address to lawmakers in
the state capitol in charleston. booker t. said to him, you know, we have college-aged kids covered here in alabama. but it's really the, the kids in the elementary schools that are suffering. they're just not -- the african-american kids are getting poor education, horrible buildings. just not anything -- you know, separate and not equal. >> sunday night on "q&a," a documentary filmmaker talks about her latest film, about a partnership between booker t. washington and african-american communities in the south to build schools and bring education to african-american children in america. >> he puts together kit houses. just use the kit houses? the best thing booker t. washington ever did was say, no. i want it just like we do at tuskegee.
i want the communities to build it. first the six schools were built, and that's really amazing, but from that, it morphed into 5,000 schools all over the south, including maryland. >> sunday night at 8:00 eastern on c-span's "q&a." next, a hearing on the veterans affairs department's implementation of the veterans benefits management system and its efforts to reduce the backlog in claims. veterans benefits administration officials told the veterans affairs committee that the electronic system improved their process and reduced the backlog by 90%. committee members also expressed concern that the system has cost $1 billion so far, and a date for full implementation has not been set. >> happy new year. we're here to discuss yet another v.a. project that is
over budget and underachieving. unfortunately this is becoming a similar theme in hearings of this committee. today we're going to address the mismanagement of the veterans benefit management system, called vbms, va's electronic claims processing system. vbms is supposed to help expedite benefits claims decisions, eliminate rating inconsistencies and errors, and enable a more efficient processing flow. unfortunately it isn't working as intended. v.a. promised to eliminate the backlog in 2015. it's now 2016, and while v.a. has made progress, the backlog still exists, and similarly, vbms is not yet completed and v.a. has been unable to provide this committee with a timeline as to when it will be completed. as of the first of this year, there were over 360,000 disability
claims pending, over 75,000 of which were pending more than 125 days, which is what v.a. defines, as we all know, as a backlog in the system, and i'm going to address that definition in just a minute. this is despite congress devoting substantial resources, including significantly increasing their workforce by approximately 7,300 full-time employees between 2007 and 2014, to help v.a. meet its goal of eliminating the claims backlog by the end of last year. additionally, congress allocated more than $1 billion to vbms, even though v.a.'s estimate in september of 2009 priced vbms at $580 million. since then the projected cost of the program has jumped to $1.3 billion.
and there is no guarantee that v.a. will not need more money for the system in the future. so it looks like history may, in fact, be repeating itself again. the cost overrun for vbms would be bad enough, but after six years in development, it's still not able to fully support disability claims and pension applications. it only acts as a document repository for appeals, and that brings me to v.a.'s definition of what constitutes a backlog. as of april 1st of 2013, v.a. had an appeals inventory of almost 250,000, but as of january the 1st of this year, that number had ballooned to about 433,000 appeals, which are not counted by v.a. as a backlog. with the large increase in the number of appeals, it makes no sense that v.a. has not ensured
vbms' ability to actually process appeals as it did for initial claims work. in fact, i recently learned that the v.a. is projecting it will certify almost 360,000 new appeals in fiscal year 2017, in comparison to almost 70,000 certified appeals in fiscal 2015. i'm alarmed that according to a report, between january 2013 and may of 2013, vbms suffered from multiple system crashes and was off-line a total of 117 hours, which is almost three full weeks. i expect v.a. to argue any temporary disruptions caused by the implementation of the system have been outweighed by the program's benefits. based on recent oig and gao investigations i'm not sure that i agree, because of the many other factors in reducing v.a.'s
definition of the backlog. moreover, both the ig and gao reports of september of 2015 criticized the department for not setting clear benchmarks for developing and implementing vbms. of course, without concrete deadlines for the system rollout, it is impossible to hold v.a. management accountable, a word we hear a lot here, for meeting deadlines and demonstrating progress. but even if the veterans benefit management system was performing perfectly, there are still management issues that add to processing time. in a report issued just last week, the ig found that the st. petersburg regional office had a significant backlog of unprocessed veterans' claims information at a scanning contract facility. i, and i'm sure the ranking member, are appalled that florida veterans may have waited
longer than any other veterans due to this delay in scanning. i'd like to draw your attention to the image above, which demonstrates the extent of improperly stored and commingled veteran information at the contractor site. and there's a photograph of it in your packet, if you can't see the screen. everybody see it? understandably, i'm troubled that in addition to the scanning delays, based on how this information was insecurely stored at the scanning facility, veterans' information was potentially vulnerable to loss, theft and misuse, and i'm going to further explore this and other issues outlined in my statement during the course of this hearing. with that cheerful report, i yield to the ranking member for
her opening statement and, again, wish her a happy new year as well. >> thank you, mr. chairman, and thank you for holding this hearing. i find the title of this hearing interesting. we have spent trillions of dollars on wars since 1988, and as you would expect, with those wars have come an increase in veterans' claims and backlogs. we need to remember taking care of the veteran is a cost of war. let me repeat that. we need to remember taking care of veterans needs to be figured in as a cost of war. since our engagement in "operation iraqi freedom," which i voted against, we have seen va continue to be inundated with work as vietnam veterans grow
older and become ill and as our newest service members return home injured, va workload has risen to record highs year after year. at the height of the va backlog the decision was made, and encouraged and funded by congress, to eliminate the backlogs by 2015 by implementing a paperless transformation. the va backlog has been significantly reduced from over 600,000 claims to 75-plus claims in less than three years. va has reduced the backlog by nearly 90%, which is not mission complete, and though the change has been significant, we need to continue to work to reduce that backlog.
for our florida veterans, the height of the backlog was 248 days; it is now 92 days. we look forward to hearing about how much of this reduction is due to the investment that we have made in moving from an antiquated system to an updated one. our veterans deserve decisions today and not tomorrow. like the joint strike force of the iraqi war or the select committee on benghazi, surely the veteran benefit management system could and should cost less than it has. i hope to hear how va plans to improve their costs, budgeting and execution of i.t. projects. we need accurate numbers in
terms of the investment in the veterans benefit management system. i am also concerned about the ig finding regarding florida's backlog of veterans evidence in 2014. i hope to hear from the va on the efforts to address both the gao and the va ig recommendations. i hope to hear that in the report. fighting for our veterans is a team effort, and it is a cost of war. va has made remarkable progress on reducing the backlog. more is needed, so let us all get to work. i yield back the balance of my time. >> thank you very much. i would ask that all members waive their opening statements, as is customary with this committee. joining us on our first and only panel this morning is ms. beth mccoy, the deputy undersecretary for field operations at the veterans benefit administration.
she's accompanied by ms. dawn von tempo, the director of the veteran benefit management system office; mr. steven suisseman, the assistant deputy chief information officer for program management; and mr. thomas murphy, the director of compensation service. also testifying for us today is mr. brent arente, the deputy assistant director inspector general for audits and evaluations with the office of the ig. he's accompanied by mr. michael bowman, the director of information technology of the security audits division of the office of inspector general, and finally valerie melvin, the director of information technology at the united states government accountability office. thank you all for being with us this morning. your complete written statements will be entered into the record. ms. mccoy, you are recognized
for five minutes to present your opening testimony. >> thank you. good morning, mr. chairman, chairman miller, ranking member brown, and members of the committee. thank you for the opportunity to discuss the recent department of veterans affairs office of inspector general and government accountability office reports dated september 14th and september 15th, 2015, respectively. also, chairman, thank you for recognizing those who have accompanied me today. the veterans benefits management system, or vbms, is a web-based application primarily used by veterans benefits administration employees to process disability claims. vbms has supported more than 30,000 -- yes, 30,000 unique users, including those from the veterans health administration and our veterans service organization partners. vbms has a customized view of the electronic folder to support
appeals processing at the board of veterans appeals also. vbms enables us to receive service treatment records electronically from the department of defense, which is something we couldn't do before vbms. historically, vba claims processors used a paper intensive process to deliver disability benefits to america's veterans. at the end of fiscal year 2012, vbms was at only five regional offices with a limited number of users and about 1,000 claims completed in it. by june 2013, vbms was rolled out to all 56 regional offices, and it was done six months ahead of schedule. in november 2014, we had processed 1 million veterans' claims in vbms, and just ten months later, in september 2015, we reached that milestone of 2 million veterans' claims
processed end to end in vbms. the oig and gao reports both provided recommendations related to the scope and cost of vbms. scope and cost increases were planned, essential, and approved to move beyond just that initial electronic claims folder repository functionality to the point of an automation enhanced claims processing platform. vbms has delivered 17 major software releases and 56 minor releases in just four years and has implemented thousands of business requirements. vbms currently houses over 1.9 billion images. through modern tools and improved processes for employees, vbms enables va to provide better service for veterans. one key element is that multiple users can view a veteran's electronic folder at the same time so that various claims
actions can be done in parallel at the same time rather than sequentially, eliminating delays waiting for that one paper claims folder. additionally, there are broader telework opportunities available for our employees in a paperless processing world. more veterans are receiving faster decisions because of the increase in both production and productivity that vbms has enabled. as vba's deputy undersecretary for field operations, from my perspective, vbms was delivered to the field quickly, six months early. it worked. and functionality has been added every three months with each new release. when i go to regional offices to talk to employees and veteran service officers, they tell me they would not go back to a paper-based process. and they are constantly bringing up ideas and recommendations for more things to do in vbms. we're working with our labor
partners to make sure that we get all of those recommendations implemented as quickly as possible. i'm incredibly proud of our vba employees, 53% of whom are veterans themselves, for all of the changes they have adopted and all of the work they have completed for veterans and their families through vba transformation efforts. so, what have they accomplished? this past fiscal year va reached an historic milestone in delivery of benefits and services to america's veterans and their families and survivors. we reduced the backlog of disability claims pending to a low of just over 71,000 claims at the end of fiscal year 2015, a nearly 90% reduction in the backlog, as ranking member brown pointed out, from its peak of 611,000 pending. and in fiscal year 2015, we provided disability rating claim
decisions to nearly 1.4 million veterans. that is a new record as well. and we did not sacrifice quality. in fact, we improved national accuracy scores from 83% in june of 2011 to -- to nearly 91% in fiscal year 2015. and that's at the claim level. if you drill down to the individual contention, the individual issue level, we are at over 96% on our quality. at the same time, we reduced the veterans pension backlog by 93%, from a peak of 15,000 claims to less than 1,000 currently. also, the number of appeals actions taken by vba increased from -- increased by 30% from 2011 to 2015. these milestones were achieved through implementation of an aggressive and comprehensive information plan that included people, process, technology