[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]



 
                 ASIA: THE CYBER SECURITY BATTLEGROUND

=======================================================================


                                HEARING

                               BEFORE THE

                  SUBCOMMITTEE ON ASIA AND THE PACIFIC

                                 OF THE

                      COMMITTEE ON FOREIGN AFFAIRS

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 23, 2013

                               __________

                           Serial No. 113-42

                               __________

        Printed for the use of the Committee on Foreign Affairs


Available via the World Wide Web: http://www.foreignaffairs.house.gov/ 
                                  or 
                       http://www.gpo.gov/fdsys/

                                ______





                  U.S. GOVERNMENT PRINTING OFFICE
82-145                    WASHINGTON : 2013



                      COMMITTEE ON FOREIGN AFFAIRS

                 EDWARD R. ROYCE, California, Chairman
CHRISTOPHER H. SMITH, New Jersey     ELIOT L. ENGEL, New York
ILEANA ROS-LEHTINEN, Florida         ENI F.H. FALEOMAVAEGA, American 
DANA ROHRABACHER, California             Samoa
STEVE CHABOT, Ohio                   BRAD SHERMAN, California
JOE WILSON, South Carolina           GREGORY W. MEEKS, New York
MICHAEL T. McCAUL, Texas             ALBIO SIRES, New Jersey
TED POE, Texas                       GERALD E. CONNOLLY, Virginia
MATT SALMON, Arizona                 THEODORE E. DEUTCH, Florida
TOM MARINO, Pennsylvania             BRIAN HIGGINS, New York
JEFF DUNCAN, South Carolina          KAREN BASS, California
ADAM KINZINGER, Illinois             WILLIAM KEATING, Massachusetts
MO BROOKS, Alabama                   DAVID CICILLINE, Rhode Island
TOM COTTON, Arkansas                 ALAN GRAYSON, Florida
PAUL COOK, California                JUAN VARGAS, California
GEORGE HOLDING, North Carolina       BRADLEY S. SCHNEIDER, Illinois
RANDY K. WEBER SR., Texas            JOSEPH P. KENNEDY III, 
SCOTT PERRY, Pennsylvania                Massachusetts
STEVE STOCKMAN, Texas                AMI BERA, California
RON DeSANTIS, Florida                ALAN S. LOWENTHAL, California
TREY RADEL, Florida                  GRACE MENG, New York
DOUG COLLINS, Georgia                LOIS FRANKEL, Florida
MARK MEADOWS, North Carolina         TULSI GABBARD, Hawaii
TED S. YOHO, Florida                 JOAQUIN CASTRO, Texas
LUKE MESSER, Indiana

     Amy Porter, Chief of Staff      Thomas Sheehy, Staff Director

               Jason Steinbaum, Democratic Staff Director
                                 ------                                

                  Subcommittee on Asia and the Pacific

                      STEVE CHABOT, Ohio, Chairman
DANA ROHRABACHER, California         ENI F.H. FALEOMAVAEGA, American 
MATT SALMON, Arizona                     Samoa
MO BROOKS, Alabama                   AMI BERA, California
GEORGE HOLDING, North Carolina       TULSI GABBARD, Hawaii
SCOTT PERRY, Pennsylvania            BRAD SHERMAN, California
DOUG COLLINS, Georgia                GERALD E. CONNOLLY, Virginia
LUKE MESSER, Indiana                 WILLIAM KEATING, Massachusetts


                            C O N T E N T S

                              ----------                              

                               WITNESSES

Phyllis Schneck, Ph.D., vice president and chief technology 
  officer, Global Public Sector, McAfee, Inc.
Mr. James Lewis, director and senior fellow, Technology and 
  Public Policy Program, Center for Strategic International 
  Studies
Mr. Karl Frederick Rauscher, chief technology officer and 
  distinguished fellow, EastWest Institute

          LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING

Phyllis Schneck, Ph.D.: Prepared statement
Mr. James Lewis: Prepared statement
Mr. Karl Frederick Rauscher: Prepared statement

                                APPENDIX

Hearing notice
Hearing minutes


                 ASIA: THE CYBER SECURITY BATTLEGROUND

                              ----------                              


                         TUESDAY, JULY 23, 2013

                       House of Representatives,

                 Subcommittee on Asia and the Pacific,

                     Committee on Foreign Affairs,

                            Washington, DC.

    The subcommittee met, pursuant to notice, at 2:24 p.m., in 
room 2172, Rayburn House Office Building, Hon. Steve Chabot 
(chairman of the subcommittee) presiding.
    Mr. Chabot. The committee will come to order.
    Good afternoon. I would like to welcome everyone, my 
colleagues and our distinguished witnesses, to the Subcommittee 
on Asia and the Pacific hearing this afternoon. The ranking 
member Mr. Faleomavaega and I will make opening statements, and 
then other members of the subcommittee will be recognized for 
making 1-minute statements should they wish to do so.
    Over the course of the last few years, there has been 
growing acknowledgment of the need for an international cyber 
security policy. The growing interdependence of the world by 
way of the Internet and vast frequency and similarity of cyber 
attacks reported in nearly every corner of the Earth 
illustrates why.
    As they say, cyberspace knows no borders. This implies that 
cyber security is only as good as its weakest link. In other 
words, we can work tirelessly to build up the defenses of our 
critical infrastructure systems and networks here in the U.S., 
but back doors could still be found in overseas routing points 
and links in the global supply chain, for example, through 
which adversaries can find ways to attack U.S. Government 
systems and private companies. This is why the U.S. must engage 
its allies around the world to promote the preservation of 
global network functionality, in addition to establishing 
confidence-building measures that foster trust and reliability 
with nations that have become Wild West havens for cyber 
criminals so that we can close these back doors.
    As an effort to recognize cyber security's growing 
international attention and importance, the State Department 
established the Office of the Coordinator for Cyber Issues in 
2011 to more effectively coordinate global diplomatic 
engagement on cyber issues. It was around the same time that 
the White House issued its International Strategy for 
Cyberspace.
    While we are not here today to discuss the progress or 
effectiveness of this relatively new State Department office, I 
think at the very least it is an acknowledged step in the right 
direction, even if they could not somehow provide anyone to 
brief the subcommittee on its activities before this afternoon. 
Even so, today's hearing is part of our efforts here in 
Congress to examine how to advance this strategy in such a 
critical region of the world as Asia.
    Almost every day U.S. businesses are victims of cyber 
exploitation and theft by nation-state actors such as China. 
Theft of intellectual property not only takes away American 
jobs and hurts innovation and competitiveness, but it costs 
U.S. businesses anywhere between $200 billion and $400 billion 
a year. In order to engage American economic prosperity and 
security, the integrity and openness of our networks must be 
maintained. And as we discuss this afternoon the evolving 
threats and a growing number of cyber challenges facing our 
Nation, I recognize this will be no easy task.
    Asia is a region beset by some of the world's most 
aggressive cyber actors. I think it is fitting that today's 
hearing calls the region the cyber security battleground, 
because as Asia has become the most economically dynamic region 
in the world, it has also become the hub of cyber conflict. 
Alternatively, while Asia is not an actual battleground as we 
know one to be or in the throes of a drawn-out war, this term 
symbolizes that the region is faced with many serious threats 
and actors that are unstable, uncertain and volatile.
    It is unlikely for a real cyber war to start between Asian 
nations at this point, but it is critical to note how 
cyberspace has become a source of great economic and military 
rivalry, as well as the primary medium for political activism. 
As we know, in many Asian nations political dissent via the 
Internet is obstructed by ruling governments and considered a 
threat. An issue we discuss here frequently, this is a source 
of great internal conflict and human rights abuses.
    Nevertheless it is the networked interconnection of our 
lives, information, financial systems and institutions that is 
enabling global business to expand and thrusting growing Asian 
economies forward, providing before-unavailable economic 
opportunities to people throughout the world. Competition is 
growing, and with the growth of competition has come the growth 
of malicious activities aimed at stealing economic and military 
secrets for groups and nations to get ahead. Nearly every 
military in Asia will eventually have some level of cyber 
capability, if they don't already, and because of cyberspace's 
lack of security or an established set of norms, the risk of 
miscalculation only grows. This is why regional engagement on 
cyber is imperative because building trust capacity and 
security is not going to be easy and it will take time.
    The ``cyber powers'' in Asia include the U.S., China, 
Taiwan, South Korea, North Korea and Australia. Just like many 
other issues in Asia, the growth of cyber capabilities in these 
countries and other Asian nations revolves around China's 
strength and growing desire for influence. China has been 
called by numerous high-level officials in the Obama 
administration an advanced cyber actor and an aggressive 
practitioner of economic espionage against the U.S., and no 
doubt, our allies in Asia as well.
    The instances in which China was behind cyber attacks or 
intrusions of U.S. Government systems and companies are 
endless. While I think that opening dialogue with the Chinese 
about cyber crime, theft and espionage is good, establishing 
some sort of norms or principles to guide actions in cyberspace 
that the Chinese can agree to will be incredibly difficult. 
China will continue to deny accusations, and its behavior is 
unlikely to change.
    Similarly, North Korea's behavior has shown its aversion to 
change; however, the Kim regime is not only unstable, 
irrational, and erratic, but it is also risk averse. North 
Korea's growing cyber capabilities present the greatest 
likelihood of a cyber conflict in Asia. Earlier this year it 
demonstrated its capabilities in South Korea, where it crippled 
the operations of banks and news agencies by wiping the hard 
drives of thousands of computers. While McAfee's report on what 
is now called Operation Troy does not attribute these attacks 
to North Korea, it could not be clearer who was responsible. 
North Korea is not only a nuclear threat, but it is a serious 
cyber threat as well.
    Lastly, we cannot forget the cyber threats emerging from 
Pakistan that challenge the national security of the U.S. and 
its neighbor, India. Mutual distrust dominates the 
relationship, which severely hampers opportunities for 
bilateral cooperation. As home to numerous terrorist groups, 
the cyber risks materializing from Pakistan are exceedingly 
multifarious. Just the other day the Director of the National 
Security Agency said, ``Terrorists use our communications 
devices. They use our networks . . . they use Skype, they use 
Yahoo, they use Google . . . and they are trying to kill our 
people.'' Cyber terrorism is real.
    I look forward to hearing the witnesses' testimonies today, 
and I thank each of you for making the time to be here. The 
private sector's role in building cyber collaboration and 
awareness in Asia is just as important as what our 
administration is doing, so I am glad we have a diverse panel 
here this afternoon.
    I now yield to my good friend, the gentleman from American 
Samoa, the ranking member, Mr. Eni Faleomavaega.
    Mr. Faleomavaega. Thank you, Mr. Chairman. And I do 
appreciate your leadership and especially for calling this 
hearing this afternoon.
    I also want to welcome personally our distinguished guests 
and members of the panel, who are pretty capable experts in 
this area of cyberspace or cyber security.
    Cyberspace is a global infrastructure that has become the 
backbone of the world economy, but as we know, it is badly 
secured and governed. Asia Pacific is a focal point for 
cyberspace, and the information technology industry is mostly 
Pacific-based with the U.S., India and other Asian countries 
creating the most digital products.
    While this kind of technology is providing economic 
opportunity in the region, there is also a downside when it 
comes to cyber conflict. Cyber conflict involves the planning 
for military and strategic competition, and asymmetric warfare 
and engagement, and economic espionage to gain long-term 
economic and trade advantages. Cyber powers include the United 
States, China, Taiwan, South Korea, North Korea, and Australia, 
and New Zealand. And Japan and India are exploring military 
cyber capabilities as well.
    China and the United States are engaged in the strategic 
competition: How do we plan ahead of establishing rules of the 
road in cyberspace? Interesting to note, Mr. Chairman, there 
are some 500 million people in China are Internet users, with 
some additional 300 million use Twitter, like our version of 
Twitter. So it is very interesting that the fact that out of 
the total population of some 7 billion people living on this 
planet, over 50 percent of the world's population reside in the 
Asia Pacific region, and I think it is quite obvious that this 
region is very important.
    I recall a couple of years ago when the People's Republic 
of China had developed a missile that was capable of shooting 
the satellite, Chinese satellite, that was traveling some 
18,000 miles per hour, and they were able to do it. Oh, there 
was a tremendous uproar about China violating whatever it was. 
The fact of the matter is the United States and Russia were 
about 20 years ahead of China as far as this kind of cyberspace 
security technology that we have developed.
    I think it is important that in terms of what is happening 
in countries like China, I am a little more optimistic to the 
fact that because of this number of Internet users, despite the 
problems with security and the way the government controls this 
technology, the fact of the matter is I don't see how any 
government is going to be able to control public demand and the 
wanting to use the way it is done right now in China, and I 
think it is going to come out with better results in terms of 
greater freedom and greater access to the Chinese consumers and 
whatever it is that they want to do as far as developing and 
improving their economic well-being.
    With that, Mr. Chairman, I look forward to hearing from our 
witnesses this afternoon. Thank you.
    Mr. Chabot. Thank you.
    We will now recognize members in case they would like to 
make opening statements. We will do it in the order they 
arrived once we started.
    The gentleman from Pennsylvania, Mr. Perry, is recognized.
    Mr. Perry. Thank you, Mr. Chairman.
    Gentlemen, ladies, thank you for your time and testimonies 
today in advance.
    Consumers in government, private companies have grown 
increasingly reliant on cyberspace to manage projects, reach 
potential clients, serve their constituents and disseminate 
mission-critical information. Unfortunately, as you know, cyber 
threats have more than kept pace, and, according to reports 
this year, will be an even more sophisticated assault on 
business, private citizens and government organizations.
    Former Secretary of Defense Panetta warned government and 
business leaders to be prepared for an escalation of cyber 
attacks. Rather than simply being prepared for disruption in 
organizations' activities in cyberspace through denial-of-
access regimes, leaders need to develop strategies to handle 
destructive behavior that cripple systems or corrupt data.
    There has been no shortage of recommendations to address 
this concern because of the immense value of information shared 
on secured networks and systems. Private-sector companies have 
a financial and competitive incentive to safeguard their 
intellectual property and to ensure novel innovations are 
brought to market. Public-sector entities must safeguard 
sensitive information, including intelligence reports, 
citizens' personal information, and financial data, and 
national security information, to keep it secure and protect it 
from those who wish to harm our people and our economy.
    In light of our military and economic strategic shift to 
the Asian Pacific region, it is increasingly important that we 
put great focus on this area of the world when considering 
cyber security policy.
    Thank you. I look forward to your testimony, and I yield 
back.
    Mr. Chabot. Thank you. The gentleman's time has expired.
    The gentleman from California, Mr. Bera, is recognized.
    Mr. Bera. Thank you, Mr. Chairman, and thank you, Ranking 
Member, and thank the witnesses.
    We live in an interconnected world. We live increasingly in 
a world and an economy that is global and interconnected, and 
that does create more marketplaces. It does create more 
efficient opportunities for us to move information, for us to--
a more efficient financial marketplace.
    But with that interconnectiveness are real threats and 
vulnerabilities, and the opportunity for us to come together as 
democratic countries, as freedom-loving countries, you know, 
particularly countries like the U.S., India, Taiwan, South 
Korea, Japan, to really protect this interconnectedness and 
protect what the future looks like, but at the same time be 
very cognizant of the threats and vulnerabilities.
    I look forward to hearing from the witnesses on how we 
allow this marketplace to grow, how we allow this 
interconnectedness to grow, but, again, being vigilant of the 
threats that they pose and how we protect us from those 
threats.
    So thank you. I yield back.
    Mr. Chabot. Thank you. The gentleman yields back.
    If there are no other members who wish to make opening 
statements, we will go ahead and introduce the panel at this 
time.
    Our first witness will be Dr. Phyllis Schneck. Dr. Schneck 
is the chief technology officer for public sector at McAfee, 
Inc. In this role she is responsible for the technical vision 
for public-sector applications of security and global threat 
intelligence, cyber security technology, and policy strategies, 
leading McAfee security and intelligence initiatives in 
critical infrastructure protection and cross-sector cyber 
security.
    She has served as a commissioner and a working group co-
chair on public-private partnership, and co-chaired the 
Critical Infrastructure Protection Congress. She is also the 
chairman of the board of directors of the National Cyber 
Forensics and Training Alliance. Previously, Dr. Schneck served 
for 8 years as chairman of the national board of directors of 
the FBI's InfraGard program and founding president of InfraGard 
Atlanta.
    Named one of the Information Security Magazine's top 25 
women leaders in information security, she has briefed the 
Governments of Japan, Australia and Canada on information 
sharing and infrastructure protection. Dr. Schneck has also 
served as vice president of research integration for Secure 
Computing, vice president of Enterprise Services for 
eCommSecurity, vice president of Corporate Strategy for 
SecureWorks, Inc., and was founder and chief executive officer 
of Avalon Communications, among many others. She received her 
Ph.D. in computer science from Georgia Tech. We welcome her 
here this afternoon.
    Next, I would like to introduce James Lewis, who is a 
senior fellow and program director at CSIS, where he writes on 
technology, security and international relations. Before 
joining CSIS, he worked at the Departments of State and 
Commerce. He has also served as the Rapporteur for the 2010, 
and the 2012-2013 United Nations Group of Governmental Experts 
on Information Security. His current research examines the 
political effects of the Internet, asymmetric warfare, 
strategic competition and technological innovation. Dr. Lewis 
received his Ph.D. from the University of Chicago. We welcome 
you here this afternoon.
    Finally, we have Karl Frederick Rauscher, who is a 
distinguished fellow and the chief technology officer of the 
EastWest Institute. Leading the institute's Worldwide 
Cybersecurity Initiative, he oversees strategic track 2 
bilaterals among the world's cyber superpowers--China, India, 
EU, Russia and the U.S.--pioneers policy for norms of behavior 
for cyber conflict, advances emergency preparedness for crises 
in cyberspace, and helps foster innovative problem solving in 
the private sector. He recently led and authored reports for 
three major bilaterals between the U.S., China, and Russia.
    He previously served as executive director of the Bell Labs 
Network Reliability and Security Office of Alcatel-Lucent. Mr. 
Rauscher has also served as an advisor for senior government 
and industry leaders on five continents, including as vice 
chair of the U.S. President's National Security 
Telecommunications Advisory Committee industry executive 
committee and as leader of the European Commission-sponsored 
study on the Availability and Robustness of Electronic 
Communications Infrastructures.
    Mr. Rauscher is the founder and president of the nonprofit 
Wireless Emergency Response Team, which led search-and-rescue 
efforts using advanced wireless technology in the disaster 
sites of September 11th, 2001, and the 2005 Hurricane Katrina 
New Orleans flood.
    We welcome all three of our witnesses here this afternoon. 
You will each be given 5 minutes to testify. There is a 
lighting system on the desk. The yellow light will let you know 
you have 1 minute to wrap up. The red light will let you know 
that your time has expired. We would ask you to wrap up by that 
time. Then we will have 5 minutes to ask questions.
    Dr. Schneck, we will go to you first. You are recognized 
for 5 minutes.

 STATEMENT OF PHYLLIS SCHNECK, PH.D., VICE PRESIDENT AND CHIEF 
     TECHNOLOGY OFFICER, GLOBAL PUBLIC SECTOR, MCAFEE, INC.

    Ms. Schneck. Thank you, and good afternoon, Chairman 
Chabot, Ranking Member Faleomavaega, and other members of the 
subcommittee. As said, I am Phyllis Schneck, VP and chief 
technology officer for global public sector for McAfee. We 
really appreciate the subcommittee's interest on these issues 
and the security threats as well as the solutions on certainly 
how we keep that economy going to the point before.
    My testimony today will focus on three areas: The threat 
landscape; and, as the chairman mentioned, the attacks against 
South Korea that McAfee investigated and named Operation Troy; 
and recommended security solutions. Again, how do we allow this 
economy to grow?
    A little bit about McAfee. Our role in cyber security is to 
protect our customers worldwide from these cyber threats. We 
are headquartered in Santa Clara, California; Plano, Texas; and 
a wholly owned subsidiary of the Intel Corporation. And we are 
the largest dedicated security company in the world focused on 
protecting against those threats with products, services, and, 
as I will describe in a moment, deep investigations of that 
threat which help us understand how to go out and protect 
against an adversary that moves faster than we do, because they 
have no lawyers, they have no laws, and they have plenty of 
money. So we have to find ways to maintain our economies and 
execute even faster.
    I am going to focus on a little bit different today. 
Instead of just the threat that we hear about from the Asia 
Pacific region, let us talk a little bit about the threat to 
the region as we saw in Operation Troy demonstrated against 
South Korea. As was mentioned, the Asia Pacific region has a 
large economy. It affects a lot of our global marketplace 
today, and so many of those businesses that are impactful there 
are based on Internet, Internet communications, which makes 
cyber security so important so that we build in resilience and 
keep those markets up for the rest of the globe.
    We heard about on March 20th the attacks against South 
Korea against the banking and financial institutions. McAfee 
led an investigation we called Operation Troy. I do want to 
call out my colleagues, one for McAfee Labs, Ryan 
Sherstobitoff, for the record; and one from Office of the CTO 
with me was Jim Walter, who really led and dove into this 
investigation.
    I also want to start out by defining ``malware.'' Malware 
is an enemy's instruction or a malicious instruction that 
executes on someone else's machine, thus giving someone else 
control of your cyber. Their instruction is next to execute 
memory, and that is important, and I will get to that in a 
moment.
    But on March 20th, in the end of an operation that we 
discovered was actually a covert operation of espionage 
spanning 4 years, Operation Dark Seoul landed instructions on 
machines in South Korea that erased the disk drives of many of 
those machines, and also you hear in the news it said 
it, quote, deg. ``wiped the master boot record.'' That 
means it disabled or erased the record that would have been 
used by that machine to even start up. So the industry term is 
it bricked them, it destroyed the machines. And what we 
discovered is that this had been going on about 4 years. This 
was the seventh variant. That is just sort of a different 
version of malware that had been used over those 4 years.
    And here is how we actually investigated that. If you look 
at two things, one we call fingerprints, what it looks like. 
Actually we discovered the same file path, or directory, or 
names in malware going back all the way to December 2009 used 
by campaigns all the way, again, through 4 years, winding up in 
this attack. And the second thing we look at is called 
footprint. So, again, not what it looks, the fingerprint; the 
footprint is how the thing moves.
    So over the past 4 years, the adversaries had used 
dedicated machines to send the instructions to the malware. So 
they were literally shipping instructions to malware that was 
embedded in machines in South Korea. And it is important to 
note this malware got to the machines in South Korea likely by 
a first victim clicking on a link in what they call a spear 
phish, or a custom-made email that looks like it is just for 
you. Then the instructions would be sent in from a dedicated 
machine, and we believe that the malicious code was propagated 
to the other machines from that; and then a second stage 
through a regular software update. So it looked like you were 
improving the security of your software when really you were 
downloading more enemy code. And, again, the footprint of this 
or how they did it for the first 4 years was having a dedicated 
machine to feed the malicious instructions.
    The more modern, sophisticated version that they landed in 
Dark Seoul in South Korea was through the use of a botnet, a 
more dynamic system which made actually the adversary more 
resilient. You take out one machine, there are thousands of 
others you can use.
    So on the more optimistic side, what can we do to keep 
economies up? At McAfee we believe very strongly in connected 
security systems. Every component of your network should be a 
producer and consumer of information. Don't let instructions 
execute that should not. Have networks run resilience, like the 
human body and immune system behaviorally attack viruses or 
disease or things that we know are bad without knowing their 
name. And all computer systems should learn from events from 
others, having them connected in real time. And we are active 
worldwide in these types of operations to ensure that we share 
information and, again, keep these economies alive.
    So again, thank you very much for requesting McAfee's views 
on these issues, and happy to answer any questions.
    Mr. Chabot. Thank you very much.
    [The prepared statement of Ms. Schneck follows:]

                              ----------                              

    Mr. Chabot. Dr. Lewis, you are recognized for 5 minutes.

   STATEMENT OF MR. JAMES LEWIS, DIRECTOR AND SENIOR FELLOW, 
  TECHNOLOGY AND PUBLIC POLICY PROGRAM, CENTER FOR STRATEGIC 
                     INTERNATIONAL STUDIES

    Mr. Lewis. Thank you, Mr. Chairman. I thank the committee 
for the opportunity to testify.
    Weak cyber security creates the risk of conflict in Asia. 
In cyber security, as in so many other issues, China's behavior 
is the central strategic issue. North Korea's cyber actions are 
worrisome, but China's actions have a destabilizing regional 
and global effect.
    The U.S. response to this should have four elements. One, 
we need to engage with China to reduce cyber espionage and the 
risk of a cyber incident escalating into armed conflict. Two, 
we need to modify existing alliances with Australia, Japan and 
Korea to make collective cyber defense a reality. Three, we 
have to expand formal cooperation with ASEAN countries and 
India on cyber security. And four, we need to make Asia a 
central part of the global effort to build common 
understandings on the secure cyberspace.
    The most important thing we can do to increase stability is 
to reach agreement on norms for responsible state behavior, the 
rules, practices and obligations that states observe in their 
dealing with each other and with the citizens of other states.
    In June of this year, a 15-nation group at the U.N., a 
group of government experts that included the U.S., China, 
India, Indonesia, Australia, Japan and Russia, agreed on rules 
for cyber security. They agreed that the U.N. Charter applies, 
that international law applies, the principle of state 
responsibility applies, and that national sovereignty is 
applicable in cyberspace, which means you can define borders.
    This U.N. agreement is a significant step forward. China 
agreed to this only reluctantly and after considerable 
pressure. Cyber security is a fundamental task of China's 
willingness to play by the rules and will determine if its rise 
will be peaceful. China can choose to play the game by the 
rules, or it can ignore them. This choice will influence future 
relations with China and the stability of Asia.
    The U.S. can influence China's decision with persistence 
and the right strategy. We have done this before in the 1990s 
and later, and while China is now more powerful than it was 
then, we can again persuade it to change its behavior to save 
global norms.
    Military competition between the U.S. and China is 
increasing, but there is no military solution for cyber 
security. No Asian country, including any of our allies, wants 
a cold war with China. Asian nations will consider both their 
relations with the U.S. and their relations with China. They 
want to find some way to balance both. China is too important 
as a market, and the U.S. is too important as a guarantor of 
regional stability. Asian nations would prefer not to have to 
choose between the two.
    Political issues will complicate efforts to reach agreement 
on cyber security. Many Asian nations want to regulate content, 
citing pornography and online gambling as examples of Web 
services they would like to block. It is also too early to 
measure the effect of Snowden revelations on U.S. efforts to 
build international agreement on cyber security.
    Making sure that Asia does not become a cyber security 
battleground will require sustained engagement with China and 
cooperative arrangements with other Asian nations on cyber 
security. Reaching agreement will not be easy, nor will it be 
quick, but it is the best and probably the only way to advance 
U.S. interests.
    I thank the committee and look forward to your questions.
    Mr. Chabot. Thank you very much.
    [The prepared statement of Mr. Lewis follows:]
                              ----------                              

    Mr. Chabot. Mr. Rauscher, you are recognized for 5 minutes.

  STATEMENT OF MR. KARL FREDERICK RAUSCHER, CHIEF TECHNOLOGY 
      OFFICER AND DISTINGUISHED FELLOW, EASTWEST INSTITUTE

    Mr. Rauscher. Good afternoon, Mr. Chairman, members of the 
committee and fellow panelists. My name is Karl Frederick 
Rauscher, and I am the chief technology officer and a 
distinguished fellow of the EastWest Institute, where I lead 
the institute's Worldwide Cybersecurity Initiative and its new 
Cyber Policy Lab. I am pleased to be before the committee today 
to testify about cyber in Asia.
    I submitted my full statement to the committee, which I ask 
to be made part of the hearing record.
    Mr. Chabot. Without objection, so ordered.
    Mr. Rauscher. Thank you on that. I now move to give a brief 
opening statement.
    I am an electrical engineer that has spent over 25 years in 
the Bell Labs environment. In the course of my career, I have 
provided guidance on ultra-high reliability and ultra-high 
security applications to senior governments on five continents.
    As the primary challenges of reliability and security have 
shifted in recent years from technology to policy, my primary 
association is now with the EastWest Institute. EWI is a global 
think-and-do tank whose board of directors comes from highest 
levels of government, business and civil society, and has had 
bipartisan and international representation from the East and 
the West, allowing it to maintain its neutrality and fiercely 
guarded independence.
    My recent publications include India's Critical Role in the 
Resilience of the Global Undersea Communications Cable 
Infrastructure; Fresh Tracks for Cybersecurity Policy 
Laterals--Updating the Track 1 and Track 2 Paradigm to Tracks 
Kappa, Epsilon and Phi; a Russia-U.S. Bilateral on Critical 
Infrastructure Protection: Rendering the Geneva and Hague 
Conventions in Cyberspace; and a China-U.S. Bilateral on 
Cybersecurity: Fighting Spam to Build Trust. Perhaps of 
interest to the committee, this last publication was recently 
singled out by the New York Times editorial board as 
recommended reading for Presidents Obama and Xi prior to their 
recent June 2013 California talks.
    The point of my testimony today is that policy innovations 
that break through the East-West ideological gridlock are 
essential for the stability of cyberspace. I see solutions to 
the current predicament between the U.S. and China that are 
based on a major overhaul of ideological and political regimes 
as having a low probability of success. Thus my focus is on 
real, tangible steps to progress that will actually make 
cyberspace better for all of us.
    There are four key aspects of navigating the solution 
space: First, recognizing that the U.S. and China have both 
shared and unshared, or simply different, interests. This is 
what makes the world interesting and also very dangerous.
    Second, regarding the shared interests, there is potential 
for cooperation; however, the current environment of growing 
mistrust impedes straightforward understanding of each other's 
interests.
    Third, the contour of cooperation can be optimized if we, 
(A) extend cooperation into new areas based on enlightened 
understanding of actual shared interest; and, (B) pull back 
cooperation where shared interests are not, after careful 
examination, in reality enjoyed.
    And fourth, an optimized contour of cooperation of shared 
interest can reset the tone for discussions, giving both sides 
the confidence the relationship can improve as steps of new 
cooperation are taken. As we have found with the success of the 
fighting spam work, we can now move into arenas of higher 
complexity and higher consequence.
    I offer some tangible evidence that demonstrates the 
doability of breaking through policy gridlocks with Asia and 
cyberspace by pointing out examples of recent successes. We are 
encouraged that to date we have forged 27 innovative 
recommendations that break through policy roadblocks. And most 
encouraging, we have seen within a short period of time an 
uptake of these recommendations by major companies and 
governments. In fact, over 50 percent of the innovative 
recommendations are being implemented, and over a quarter are 
now institutionalized for long-term sustainability.
    The first examples I draw attention to are the 2 
recommendations and 46 best practices of the Fighting Spam to 
Build Trust report, which was prepared jointly by a combined 
dream team of Chinese and U.S. subject-matter experts and 
stakeholders. Spam can make up as much as 95 percent of email 
messages sent and is often a vehicle for malicious code, as was 
referred to earlier.
    The report's two recommendations have not only been 
implemented, but their continued, sustained implementation has 
been institutionalized by the highly recognized international 
Messaging, Malware and Mobile Anti-Abuse Working Group, also 
known as the M3AAWG.
    I pivot now in my remarks to facing the future. What are we 
going to go do next? As we look at the U.S.-China relationship, 
I submit that we would do well to remember a lesson from our 
great American sport of baseball. Home runs are hard to come by 
and if there are many people swinging for the fence and 
striking out. In contrast, consistently hitting singles, and 
keeping a good batting average is still a great strategy for 
putting points on the board. I humbly submit that these 
examples are proof that striking out is not inevitable, and 
that we can get on base.
    In conclusion, the top priority for engaging Asia and 
specifically China at this time is to make genuine, tangible 
progress. Policy breakthroughs with Asia are needed for the 
safety, stability and security of cyberspace. Policy 
breakthroughs have been shown to be possible, and more policy 
breakthroughs in key areas are also possible.
    Thank you, Mr. Chairman and committee members, for the 
opportunity to appear before you today. I stand ready to answer 
any questions that you may have.
    Mr. Chabot. Thank you very much.
    [The prepared statement of Mr. Rauscher follows:]
                              ----------                              

    Mr. Chabot. Before we get into the 5-minute questioning by 
panel members, the Chair would like to call on the gentleman 
from Georgia to be recognized for a moment. Mr. Collins.
    Mr. Collins. Mr. Chairman, I do appreciate it. And, Dr. 
Schneck, I just wanted to--from Georgia, so I could not let it 
pass by. Although I represent the University of, Georgia Tech 
is a wonderful institution. She would--for those in the 
audience don't know, Go, Dogs. But Tech is also my heart as 
well. But just your expertise in the way you have represented 
in your doctorate coming from Georgia Tech, and the 
instruments, and where you played in this field, and the 
expertise that you give your alma mater a wonderful name, 
and I just wanted to say that for the record.
    This is a huge issue. It is the defining issue, I believe, for 
the next number of years, and not only in our warfare, but also 
in our relations between countries. And I could not let it go 
without recognizing your accomplishments and achievements from 
the fine institution of Georgia Tech.
    Mr. Chabot. Any response?
    Ms. Schneck. I would love to say thank you. You know the 
response I need to give someone from Georgia. I cannot say that 
in this venue. But thank you so very much for your comments, 
and I did really love my time in Georgia.
    Mr. Collins. Well, I am going to be having to leave, so I 
wanted to make sure I recognized that fact.
    Ms. Schneck. Thank you so much.
    Mr. Chabot. Thank you.
    I now recognize myself for 5 minutes.
    I mentioned in my opening statement that establishing cyber 
confidence-building measures with our allies and friends in 
Asia is critically important. There has been much discussion, 
mostly negative, about creating a global treaty, and that this 
goal is impractical and unenforceable. The large number of 
actors and new and fast-changing technologies in cyberspace 
increases the complexity of collaborating to resolve issues 
domestically and internationally in a timely manner.
    Because of the cross nature of cyber security, different 
countries in Asia have different interests concerning privacy, 
openness, and regulation of cyberspace--vastly different in 
some cases. As a result, what is the best way to go about 
establishing greater trust and confidence? While many efforts 
to enhance cooperation have taken a bilateral approach, what 
form would you see cyber cooperation in Asia taking in the 
future? How much influence does the U.S. have in actually 
building capacity and security in cyberspace? Lastly, how do 
you think broad security concerns about revealing intelligence 
sources and methods will prevent cooperation from advancing, 
especially considering China's growing presence and 
aggressiveness in the region?
    I will go down the line and ask each of you to take a 
relatively brief shot at those questions. Dr. Schneck, we will 
begin with you.
    Ms. Schneck. Thank you very much.
    When it comes to how much influence the U.S. has in 
building that cooperation, I look at cyber security and cyber 
resilience: How do you keep our networks up while they are 
being attacked? They will always be attacked.
    Right now we are setting, I think, a beautiful example in 
the U.S. with the work that is being done by NIST and with the 
Department of Homeland Security and across interagency in 
combining information in people time and in machine time. So 
building ways--and we need liability protections, of course, 
for companies to share information in good faith about cyber 
threat, but also building ways for people to get together 
across, transcending those boundaries between competition in 
companies as well as transcending private-sector and industry 
boundaries.
    And in machine time the Department of Homeland Security is 
actually crafting protocols to build that Internet ecosystem 
that I mentioned, which would allow cyber threat indicators--if 
you see something behaviorally strange or off, computers could 
communicate to other computers around the Internet just as your 
body communicates and fights a disease without knowing its 
name, so that you build an ecosystem that is learning where an 
adversary is trying to attack before it propagates so much that 
it causes damage.
    I think the U.S., between our academic institutions, our 
industry, and our government, is doing a very good example of 
taking the first couple of steps at building that framework to 
foster global innovation instead of regulation, which is always 
so many years behind.
    And we are also setting a great example working with many 
in the Asia Pacific community, many in the EU to really build 
those protocols, because the competitor is not the adversary 
anymore in industry, government is not an adversary, other 
countries are not adversaries necessarily. It is all about how 
we keep these networks up to sustain our way of life. And to 
wrap that part of your question, I think the U.S. is doing a 
beautiful job in that way, and we have a lot of work to do 
globally on that.
    Mr. Chabot. Can I stop you there so I can include the 
others? I have about 1 1/2 minutes left, so I will give you 
about 45 seconds, Dr. Lewis, and about 45 seconds to Mr. 
Rauscher.
    Mr. Lewis. Okay. I should note that for the last 3 years I 
have led semiformal talks with the Chinese Government, with the 
Ministry of State Security and the PLA. State was able to go to 
them along with DOD. And what we found in those talks is that a 
global treaty just isn't possible. One morning is the Russians 
are the guys proposing a global treaty. That alone should be 
enough to tell us it is a bad idea.
    There is a meeting coming up in Korea this October that is 
part of a process begun by the U.K. to get agreement on norms 
and confidence-building measures. We are not going to get a 
treaty; we can get agreement on norms and confidence-building 
measures, and the U.S. is a leader in this.
    Mr. Chabot. Thank you.
    Mr. Rauscher.
    Mr. Rauscher. Yes, I think there are several opportunities 
that are ripe for the picking. The first deals with the 
underpinning of cyberspace, how we are connected between North 
America and the major financial center, Hong Kong, in China, 
and that is through undersea cables that all come together 
underneath in the Luzon Strait, and that is a choke point.
    A recommendation in this ROGUCCI report suggests that we 
need geographic physical diversity and a route around the west 
side of Taiwan, very sensitive waters, that will land in North 
America would bring great stability to our two economies. This 
is really something that needs to be done. The Chinese need to 
take a step where they would give assurances to investors, but 
in North America we need to make it clear that the United 
States has places that cables could land.
    Another great opportunity for a confidence-building measure 
is to implement priority international communications. This is 
a capability at a national level that was critical for us, but 
we do not have an extension of it internationally. We are 
increasingly dependent on each other, and yet we cannot 
communicate in a crisis like Fukushima or 9/11 because there is 
massive congestion that works particularly internationally. 
This is a great opportunity.
    I think there are other opportunities in areas that we are 
exploring. Perhaps I will have a chance to address that later 
in the hearing. Thank you.
    Mr. Chabot. Thank you very much.
    I will now recognize the ranking member, the gentleman from 
American Samoa, Mr. Eni Faleomavaega.
    Mr. Faleomavaega. Thank you, Mr. Chairman.
    I have become somewhat apprehensive about the idea that 
China is the new monster, you have to be very careful, you have 
to watch out for them. The fact is I think they are not that--I 
mean, it seems to me, in my opinion, they are not really up to 
the same capacity in terms of the advancements that we have 
made as far as cyber security is concerned, and technology has 
been primarily still between Russia and the United States. 
Correct me if I am wrong on that.
    And, Dr. Schneck, you mentioned something about the 
activities that the McAfee Company has operated on this 
Operation Dark Seoul as well as Troy. I am not very good in 
your technical explanations that you gave. What exactly 
happened? Was it a virus, or how--and did it come from China? 
Where is the source of this virus that seemed to have gotten 
Seoul really upset in the month of March?
    Ms. Schneck. In a nutshell, malicious instructions, 
computers were given direction to erase their hard drives. They 
were rendered useless. So that takes down systems of----
    Mr. Faleomavaega. Who was doing this?
    Ms. Schneck. When we focus these investigations, we don't 
like for attribution. We look for how to protect our customers. 
We leave the attributions, the corporate decision, to law 
enforcement, who are trained to get that right. Our 
investigation is about protecting the networks worldwide that 
are being bombarded with these literally instructions that say, 
erase now, which can cause damage.
    Mr. Faleomavaega. So you were able to save it, but you 
don't know the source--who originated the virus and all of 
that. Am I correct on this? I am a little confused here.
    Ms. Schneck. We don't know that definitively. I can go back 
and get the actual guides from the lab to see what else they 
know. Our corporate direction and our mission is to protect. So 
we focus on what is the damage being done, how is it being 
done, and how do we make sure that no one else on the planet 
has to take it from this particular attack, and how do we learn 
it from that.
    Mr. Faleomavaega. Dr. Lewis?
    Mr. Lewis. The Chinese are pretty good, and we don't want 
to underestimate them. They are not as good as the U.S. in 
offensive capabilities. And the big problem for China is that 
they use pirated software, and pirated software just can't be 
made safe. So they are in a weaker position, and they are a 
little afraid of us, but they are also not constrained in 
engaging in cyber espionage, and that is really the big 
problem.
    So we don't want to paint them as a monster, but they are 
also not entirely innocent when it comes to this stuff.
    Mr. Faleomavaega. No different than the Russians or any 
even of our allies.
    Mr. Lewis. The Russians are at the top of league, and one 
of the reasons you see China in the paper all the time and not 
Russia is just because the Russians are better at not being 
caught.
    Mr. Faleomavaega. And the United States as well.
    Mr. Rauscher. Cyberspace has inherent, intrinsic 
vulnerabilities in the ingredients that make it up. And so, in 
fact, if you removed Asia from the map, if Asia didn't exist, 
the fact is, we must face it, America, our government, our 
businesses, our personal information is still exposed just as 
it is now. And so we are fundamentally at risk because of the 
intrinsic vulnerabilities within the ingredients that make up 
cyberspace, the networks that connect us, the software that 
controls things, and hardware that obeys the commands that it 
is given.
    So reliance on cyberspace is the first-order problem. The 
malicious actors who take advantage of vulnerabilities in 
cyberspace no matter where they come from are the second-order 
problem.
    Mr. Faleomavaega. I mentioned earlier the fact some 500 
million Chinese have access to the Internet. That is a pretty 
good number as far as potential marketing, business, consumer, 
and demands and all of that. If you were to do it in terms of 
proportions, how would any government be able to put any kind 
of controls on that number of people are currently using the 
Internet even alone here in the United States? I seem to look 
at this as a positive trend rather than saying that it is bad 
that people have access to the Internet is something that we 
should be careful about. I don't know, maybe you could help me 
on that.
    I have 30 seconds left now.
    Mr. Rauscher. My observations are that China's primary 
concern regarding hacking is unlike ours. They are concerned 
about the insider threat. They do have--they are very 
challenged about controlling their own citizens.
    On the other hand, quickly, to contrast with India, they 
well are the third largest country in terms of online 
population, yet they have a very low penetration rate. Only 10 
percent of them are online. And so malicious actors are able to 
exploit the relatively low maturity of their ICT (information 
communications technology) in their country.
    Mr. Faleomavaega. I am sorry, my time is up.
    Thank you, Mr. Chairman.
    Mr. Chabot. Thank you.
    The gentleman's time has expired. The gentleman from 
Pennsylvania, Mr. Perry, is recognized for 5 minutes.
    Mr. Perry. Thank you, Mr. Chairman.
    So since we know what China is interested in and what they 
are not interested in, they are not interested in having their 
population informed. They are interested in stealing 
intellectual property from various countries, including ours, 
and they have been pretty prolific as far as we know and expect 
and announce.
    Should it be our policy to hit them where it hurts, to coin 
the phrase, I mean, to find a way? I imagine there is a way to 
open up the Internet to free information for the Chinese 
people. I mean, what would you say should be our plan from a 
national security standpoint regarding cyber security and 
diplomacy with China to avert? Because all the warnings, all 
the discussions, all the announcements seem futile; they do 
what they--they disavow it, and they continue to do it. So what 
should be our plan? 
    Mr. Lewis. In private they aren't disavowing it 
anymore. So it is interesting to see that their public posture 
and their private posture has changed.
    We went through something like this with China before 
regarding nonproliferation, and the steps we used there 
probably will work in this case. You need to engage the Chinese 
directly and tell them, this isn't what responsible nations do. 
You need some kind of agreement on what is responsible 
behavior, and the U.S. is helping to build that. You need your 
allies and partners to come in and say the same thing. That was 
very helpful before.
    And it is going to be a long process. It is going to be 
hard. You will need to think of measures that will help 
encourage the Chinese to think the right way, and some of the 
things that do this could include putting people on Treasury 
lists to prevent them from banking in the U.S., putting them on 
no-fly lists, sanctioning Chinese companies.
    I always found the Hill very helpful when I had to 
negotiate with them, because what I would say is, you have got 
to help me out here, you got to give me something, because I 
can't control those crazy people on the Hill. And that was a 
good tactic, because they know our system, and they know that 
the Congress is going to be a little more assertive.
    And so putting together a package of engagement, allies, 
and possibly some kind of sanctions, including information or 
sanctions like you were talking about, I think that will get us 
there. It will take a number of years, but I don't see an 
alternate path.
    Mr. Rauscher. I think the Internet is going to win. First, 
the power of the devices in the system that we have, so to 
speak, is their connectivity. And so if you limit the 
connectivity, you are not going to be as competitive in 
research or in business. So at the global level, countries are 
going to want to be connected to the Internet to be 
competitive. Once they do that, there is going to be the free 
flow of information.
    No matter how good you are, it's just simple mathematics, 
once you are connected, if you think of that as a 1, your 
filtering can only be something less than 1. Perfect filtering 
would be a 1. So if you are at 95 percent, and you are really 
good at filtering, that 5 percent of information on the 
Internet is a vast amount of information, incomparable to 
anything that, you know, we dealt with like in the Cold War in 
the 1950s and such.
    So I think with that amount of information that the 
Internet delivers, the Internet will win. And so if we are able 
to keep the Internet as it is now, as a robust place for the 
marketplace and for education and learning, it is going to be a 
powerful force, even more so in the future than it has been to 
date.
    Mr. Perry. So the Budapest agreement says that retaliation 
by, let us say, U.S. companies, retaliation against cyber 
crimes is disallowed, right?
    Mr. Lewis. Yes.
    Mr. Perry. What are United States companies supposed to do 
to proactively protect themselves as opposed--understanding 
they buy McAfee, right? That is a great line for you. But, you 
know, to me I feel like we are dealing with something on a 
higher level, and once all your information is gone, or your 
proprietary information or your employee information has been 
compromised, it is too late, and you can't unring the bell. So 
what proactively can they do? Is there some method of some type 
of retaliation that would be authorized?
    Ms. Schneck. So I think--look, this is about making 
everybody more secure and more resilient and safer, because the 
Internet is a wonderful thing, and it is not going anywhere. It 
makes life better.
    What we need to do is reduce the profit model. Right now 
the adversaries are doing very well, and we are not putting 
anything in between that. But yet we look at bank robbery, and 
that has pretty much stopped because it is not worth it, you 
know you are going to get caught. And I think what companies 
can do is work with government to make it harder for the 
adversaries to win this. We keep our Internet, but we also 
build in better controls.
    It is not about products; it is about how you assess your 
risk, how you make boardroom-level decisions to make things 
safer whatever you buy and whatever you do. But that is a 
global private-to-government discussion that needs to be had 
very powerfully right now.
    Mr. Chabot. The gentleman's time has expired.
    The gentleman from California Mr. Bera is recognized for 5 
minutes.
    Mr. Bera. Thank you, Mr. Chairman.
    The problem with bank robbery, though, is the penalties are 
pretty stiff if you get caught. I think that goes to my 
colleague's concern.
    I have got two questions, first for Dr. Schneck. McAfee's 
perspective is really one of protection, how do you protect 
your customers, how do you identify those vulnerabilities and 
threats and proactively protect as opposed to seek out who the 
person who is threatening you are.
    What steps should this body take to strike that right 
balance of, you know, having a thriving, open marketplace where 
we are open for business, but at the same time knowing that we 
want to keep the Internet open, and we are seeing these 
threats? Are there some specific actions that you would like to 
see us discuss here in Congress?
    Ms. Schneck. I think it is so important to, number one, as 
I mentioned before, have the protections for companies to be 
able to share information with each other about what we are 
learning and what we are seeing. We have seen before, worried 
about the threat of a lawsuit the next day, we were not able to 
share information about certain oil and gas companies and the 
fact they are being targeted. Our lawyers didn't let us because 
they worried we would get sued the next day if the stock prices 
of the energy sector went down. And there is legislation in 
Congress, or had been, that looked at how do you protect 
companies, all companies, in that situation.
    I think the second is incentivizing the private sector to 
really look at how do you do a risk-based assessment of cyber 
security and consider your network as a critical asset, because 
the Internet is so important, and how do you invest in that 
from the boardroom? This is not necessarily a technology 
discussion. It doesn't even have to do with technology 
providers. This is about how does business protect themselves, 
and how does the government--what you can do is help 
incentivize that, and that will actually foster creative 
innovation for new and better and less expensive methods.
    Mr. Lewis. We did a report about 6 months ago that found 
that most corporate networks are tremendously insecure, and it 
actually doesn't take very much effort to break in. In fact, 
when we did the research, I was feeling sorry that I had gone 
into the wrong line of business.
    Here is a good example we came up with this morning in our 
discussion with DOD. When you buy equipment, the password 
default is "password," and 90 percent of the time people 
remember to change the password. That is great, except the 
remaining 10 percent you are in. So finding a way to get 
companies to do more--and it is not rocket science--do more to 
secure their networks is crucial.
    Mr. Bera. I have got a follow-up question, Dr. Lewis. If we 
use the example of the World Trade Organization, you know, with 
regards to trade, their norms of trade and their treaties that 
have been negotiated, and there is mechanisms if we feel 
someone is engaging in unfair trade practices where we can take 
a country and have a system of an arbiter.
    Now, you have already commented that you don't think a 
treaty is doable at this juncture at the international level, 
but you talked in terms of creating norms and confidence 
builders. Can you talk about some of those norms and confidence 
builders and then a mechanism, though, still if bad actors or 
bad state actors act out of those norms and confidence 
builders, there does--you know, again, using the bank robber 
analogy, there has to be some system of penalty to incentivize 
good behavior.
    Mr. Lewis. True, that is a good question. And you might 
want to look at the Budapest Convention as an example of why a 
treaty won't work. About 80 nations, I think, have signed up to 
it. The pace of getting more signatories is slow.
    But what you could do is think of ways to agree on what 
responsible behavior is, and one of them would be that the 
international commitments you have in the physical world also 
apply in cyberspace, and you exchange information on what you 
are doing, military white papers, for example. And if people 
don't observe those norms, then we need to think about 
penalties. And an organization you might want to look at, it is 
called the Financial Action Task Force. That is an example. If 
you do money laundering and you are a country, guess what? It 
is going to be harder for you to change money. It is going to 
be a little harder for your central bank. We may have to think 
about measures like that, making it harder to do business on 
the Internet if you don't play by the rules.
    Mr. Rauscher. The malicious actors are taking advantage of 
the lack of cooperation in this space. As an engineer I think 
of policy in this arena as the ability for entities to 
anticipate the behavior of other entities, whether they be 
machines, or governments, or individuals, or enterprises. And 
we just don't have the tight coordination that we need, and so 
there is a gap, and that is what is being taken advantage of.
    What we have been doing at the institute is convening some 
40 countries or more annually at an international summit. Our 
next one this year in November is hosted by Stanford, in 
Silicon Valley. We will be convening government and business 
leaders from 40 countries and going head on addressing these 
issues to try to tighten up that coordination.
    Mr. Chabot. Thank you.
    The gentleman's time has expired.
    The gentleman from Indiana, Mr. Messer, is recognized for 5 
minutes.
    Mr. Messer. Thank you, Mr. Chairman. Thank you to members 
of the panel.
    I think you are getting close to the end of your 
presentation. I think there is at least a question or two more, 
but obviously, this is a very important issue. The cost to the 
American economy is billions of dollars. The national security 
threats are large and growing. You--there is little doubt--
there is no doubt that rogue nation states are participating in 
these attacks, and that it is a complex problem that is going 
to complex solutions that require a lot of cooperation.
    You have talked a little bit, each of you in the panel, 
about the role of business and the role of government in 
solving this problem. Is it more business or more government?
    Mr. Rauscher. Well, I guess I will start. You know, for 
traditional issues like security and trade, for military 
issues, that has to be the government, and part of the reason 
for that is that other countries expect it to be the 
government. The Chinese once told me there is really no such 
thing as the private sector, you know, it is all government. So 
for those issues, trade, security, armed conflict, it has got 
to be government.
    For other issues it is not so clear. When we talk about 
innovation or technical standards or business relationships, 
that probably should be a private-sector lead.
    Mr. Messer. And as you answer, you cited the need for 
cooperation. Could you cite any examples of where cooperation 
has occurred, because I think some of those examples might be 
illustrative of the question.
    Mr. Rauscher. I can cite an example. As I mentioned earlier 
in my testimony, we have a Track 2 bilateral that we have done 
with the Chinese on fighting spam, and we have many individuals 
and corporations supporting this with their contributions of 
mind share, and very rigorous analysis in their actions with 
the Chinese on this. And this was able to be the result, I 
think, because of the trusted facilitation that a third party 
could do.
    I actually did an analysis of how we were successful over 
the last couple of years. I mentioned earlier that we had 27 
recommendations, and over half are implemented. And the 
comparative benchmark really is zero percent, because these are 
really hard issues that, if you look at what we have taken on, 
these are issues people aren't trying to address because they 
think they are impossible. And in the analysis, why these 
issues were stuck was governments have a difficulty at the 
international level because they are appropriately representing 
the national security interests that they have of their 
individual countries, and so every other country is a little 
suspect of what is happening. And then commercial entities are 
appropriately protecting the fiduciary responsibilities that 
they have toward their share owners, and so there is a little 
suspicion sometimes about the commercial interests they may 
have.
    Now, both of these entities, governments and the private-
sector, companies that are commercially oriented are capable, 
in many ways, of solving most of their problems. But there are 
niches where there are really intractable problems that you 
can't get into, and that is where a third-party entity that is 
philanthropic and internationally overseen is able to create 
the necessary trust to get over that hump. And so for the 
really difficult problems, I think using NGOs that are oriented 
toward action in trying to get breakthroughs is the right 
solution and approach.
    Ms. Schneck. So to this point on the NGOs, I have been 
running these partnerships most of my adult life as a 
volunteer, and one of them that I chair now, the National 
Cyber-Forensics and Training Alliance, brings in the top-flight 
analysts from banks, pharmaceutical companies, telecoms, et 
cetera, and teams with other governments, and is anchored by 
our U.S. Federal Bureau of Investigation.
    So with all the legal agreements finally worked out over 10 
years, it helped arrest over 400 cyber criminals worldwide, and 
I think that is an example of how when you get the right 
partnership, you get the expertise that each side brings, and 
you maintain the swim lanes, from the points earlier. There are 
things that government is better trained and better able to do, 
and there are a lot of things, such as innovation, that are 
going to survive quickly in the private sector.
    Mr. Messer. One other question, a bit of a hot potato, but 
I am going to go ahead and throw it out, which is just to what 
extent, if any, do you think the recent revelations on the NSA 
online surveillance activities have impacted and complicated 
negotiations on these topics?
    Mr. Lewis. With the bilateral negotiations with China, they 
haven't had that much effect, largely because the U.S. has 
previously told the Chinese, espionage is a two-way street, all 
big countries do it; what we object to is the commercial 
espionage. So the Chinese weren't particularly surprised or 
didn't learn much from Snowden.
    We don't know how it will play out internationally. It has 
gotten a considerable reaction in Europe, less of a reaction in 
Asia. One thing to bear in mind is most countries do things 
like this, so it is not--it is a little--some of our European 
friends are a bit hypocritical, and I hope they will calm down 
a little bit and think about what their own agencies do.
    So far not that much effect.
    Mr. Chabot. The gentleman's time is expired.
    The gentleman from Virginia, Mr. Connolly, is recognized 
for 5 minutes.
    Mr. Connolly. Thank you, Mr. Chairman.
    Thank you to our panelists for being here.
    I happen to believe cyber security probably is one of the 
most important challenges, maybe the biggest threat, we face, 
tied in with terrorism and superseding it.
    Let me ask, Mr. Lewis, I read your testimony, and you said 
in your testimony, cyber security as an issue for international 
security is best addressed using diplomatic and trade tools. It 
shouldn't be an item that leads to armed clash. And I think in 
an ideal world, that is true. But it seems to me, dealing both 
with the Russians and with the Chinese, there have to be some 
understandings about red lines.
    Red lines are dangerous things because sometimes they get 
crossed, and we still don't react. But take the Cold War as a 
parallel. I mean, during the Cold War both sides tested each 
other as to the limits. So when the Soviets blocked surface 
transportation to and from West Berlin, President Truman 
launched the Berlin airlift and outlasted the Soviets. Now, 
what the Soviets understood was they could buzz, they could try 
to jam aircraft flying into Berlin, but they could not attempt 
to shoot them down. That would be casus belli. So with respect 
of that, back when we had planes that crashed, they even 
returned the bodies of our airmen in the midst of this clash 
between the two powers. So, there were unwritten rules, there 
was always testing, but there was respect for something even 
ill-defined that was a red line.
    Clearly I think you would agree that if, for example, 
organized cyber security attacks by a foreign government or 
agents of a foreign government were to detonate a nuclear 
weapon here in the United States by manipulating technology, 
that would be a cause of war. That is not okay, and that is not 
going to be solved by diplomatic means.
    If you shut down--now, so where is that line? What are the 
examples--we don't want to be too specific by implying that 
everything else is okay, but I guess I am worried that maybe 
the Chinese and, for that matter, the Russians, in testing us 
and in exploiting the vulnerability of technology, they are 
perhaps underestimating the backlash that can occur here that 
can most certainly lead to armed conflict, and, by the way, in 
some cases will.
    I wonder if you would comment on that, because I know you 
didn't mean forever, no matter what, and under all 
circumstances.
    Mr. Lewis. Three quick points. We do have red lines. Then-
Secretary Panetta laid them out in a speech last October. If a 
cyber attack looks like it will cause the death of American 
citizens or do significant economic harm to the U.S., we will 
use military force preemptively. So those are our red lines: 
Death, significant economic harm. Everybody knows that.
    China, Russia, and others have been very, very careful not 
to cross that line, not to use force, and we have the best 
cyber offensive capability in the world. It has zero ability to 
deter espionage or crime, zero. We are--zero to deter espionage 
or crime, right. So we can keep people from attacking the U.S. 
in a military sense, but we can't keep them from doing other 
things.
    The country that is testing us, and this is the worrisome--
this is the part I worry about. The country that is testing us 
is Iran, and so Secretary Panetta's speech was aimed at Iran. 
They backed down. And it was funny because the Iranian 
activities went down for a couple of weeks, and they went right 
back up, and they continue to this day. So we are being tested, 
but it is by a country that is not as stable in its 
decisionmaking as Russia and China. They know the rules. They 
are not going to do anything that----
    Mr. Connolly. One quick question, any of you. Do we need 
some kind of international regime comparable to the WTO on 
trade or the International Court of Justice in the Hague to 
help govern the rules of engagement with respect to this 
subject and--or not? Would that help or not?
    Mr. Rauscher?
    Mr. Rauscher. I see three spheres. I see humanitarian, 
national security, and commercial. I think that the first two 
have rules that can pretty much be aligned, and I think the 
commercial one does need more cooperation. I am not sure if--
the type of entity, what it should look like, whether it is 
intergovernmental or otherwise.
    Mr. Connolly. Mr. Chairman, would you allow the other two 
panelists to be able to respond, and I am done?
    Mr. Chabot. Yes. Without objection, we will give them an 
additional minute.
    Mr. Connolly. I thank the chair.
    Mr. Lewis. Well, the official U.S. position is that we 
don't need a new institution, and it is already the case that 
we use some of the existing institutions, the ASEAN Regional 
Forum, the Organization for Security and Co-operation in 
Europe, the U.N., as a way to address this. But one of the 
things you see from other countries, including a lot of 
countries in Asia is, yeah, maybe we will need some kind of 
institution to deal with this, probably anchored in the U.N.
    So it is sort of an open question. I think the U.S. 
approach is right. First, let us agree on the rules, the 
general rules, and then let us figure out how we want to 
enforce them.
    Ms. Schneck. So, we believe in global conversation. We 
think there needs to be more conversation and commend some of 
the recent efforts like those in the U.N. But these four, like 
that mentioned by Dr. Rauscher and others, these are good 
starts to that global forum, and we are committed to the 
opportunity to participate in those and think that there is a 
place for government and industry across the world, and this is 
a conversation that is just beginning and really needs to 
happen.
    Mr. Connolly. Thank you.
    Thank you, Mr. Chairman.
    Mr. Chabot. Okay. Thank you. And the gentleman's time has 
expired.
    We will go into a second round of questions. I will 
recognize myself for 5 minutes.
    We spend a great deal of time talking about cyber threats 
in East Asia, but as we are all aware, South Asia plays an 
important role. In some cases it is not very positive. Pakistan 
has joined with China and Turkey and Malaysia to counter cyber 
threats posed by Western nations. The terrorism angle adds a 
different perspective to this cooperation. My question is, 
should we be worried about these nations, Pakistan, China, and 
Turkey, for example, coordinating their cyber policies with 
each other? Anyone may answer the question.
    Mr. Lewis. Well, if the--the Malaysian effort you are 
referring to is an organization called IMPACT. That hasn't 
developed quite as much as you--they might have hoped, so I 
don't think we have to worry about that.
    It is interesting to ask whether the Pakistanis, the Turks, 
the Chinese will come up with some competitive model that will 
compete with the U.S. and its allies in how we should order 
cyberspace. That is unlikely, but it is something certainly 
that the Chinese are interested in.
    The Indians are more likely to end up on our side. They are 
a democracy, they like free speech, we have close commercial 
ties.
    So very complex diplomatic landscape, but I think that when 
you look at places like Turkey, Pakistan, India, these are 
countries whose views we do have to take into account now, that 
we do have to find an arrangement with.
    Mr. Chabot. Let me focus on India. They have been quite 
active of late establishing its National Cyber Coordination 
Center last month and releasing its National Cyber Security 
Policy earlier this month. It calls the U.S. one of its biggest 
threats, next to China, after the information revealed by Mr. 
Snowden. However, India maintains a wide-ranging surveillance 
program of its own that monitors its citizens' emails, phone 
calls, social media activity, and Web searches without judicial 
oversight.
    Cooperation with India is an important aspect of U.S. 
efforts to rebalance toward Asia, especially in regards to 
trade and military cooperation. How do you think disagreements 
on cyber will affect the overall U.S.-India relationship? What 
is your opinion of the way India is handling cyber security? Do 
you think these recent initiatives or policies could possibly 
negatively affect its already hostile bilateral relationship 
with Pakistan?
    Yes, Mr. Rauscher.
    Mr. Rauscher. I have some insights that might be useful on 
some of this. We held our annual summit last year in New Delhi, 
so I spent a lot of time in New Delhi working with government 
leaders and the industry there, and certainly the step you 
cite, this National Cyber Coordination Center, is in the right 
direction.
    A key word there is ``coordination.'' There is a lot of 
coordinating to do, but there are also limitations in the 
capacity. As I mentioned earlier, the penetration rate, it is 
still fairly early in that country, about 10 percent, and so 
there is a lot of capacity to be built to coordinate both in 
the government and in the private sector.
    Whether or not this is a role model for other countries in 
the region is unclear yet, but what is a role model is a highly 
functioning CERT, the Computer Emergency Readiness Team, that 
is a model that works consistently effectively, and also the 
MAAWG.
    There is a private-sector organization being set up in 
Mumbai to deal proactively with botnets that are being set up 
there by external actors of the country. Spam is identified as 
the leading producer of international spam. India is recognized 
as the leading producer of international spam. And, again, as I 
mentioned earlier, it is a vehicle for malicious code, and 
their coordination with external experts to root out these 
botnets and sources of spam is really critical not only for 
India, but the rest of the world, particularly in English-
speaking countries.
    Mr. Chabot. Thank you.
    I have about 1 minute left if either of the other panel 
members want to weigh in on either issue.
    Mr. Lewis. Sure.
    Mr. Chabot. Mr. Lewis?
    Mr. Lewis. The Indians' primary concern in cyber security 
is with Pakistan and Pakistani nonstate actors or state-
sponsored actors launching some kind of attack against India.
    Their second concern is Chinese espionage, and one of the 
things that works in our favor is they aren't particularly 
friends with the Chinese all the time, and they worry a lot 
about it, so we have an opportunity to work with India. The 
thing we have to avoid in doing that is giving the impression 
that we are trying to contain China. The Chinese worry about 
this a lot. We do need to build a partnership with India, but 
we have to do it in a way that doesn't appear to be 
deliberately trying to contain China.
    Mr. Chabot. Thank you very much.
    The gentleman from American Samoa, Mr. Faleomavaega, is 
recognized for 5 minutes.
    Mr. Faleomavaega. Thank you, Mr. Chairman.
    We are in a dilemma here, and maybe I am not on the right 
track, and somewhat of an irony here that we are concerned 
about our national security. At the same time how do we go 
about making sure that government does not intrude into 
fundamental, basic constitutional rights and freedom?
    And I guess you know where I am headed at. Right now before 
us is a situation where an American citizen has decided that 
total violation of the right of the American people to know 
what is going on. I am talking about Mr. Snowden. How do we put 
Snowden's situation here with what we are talking about as far 
as cyber security, intelligence, the spying, the espionage, and 
all that is going on? And by the way, it seems that it is not 
just toward China, but our own allies. And, of course, our own 
allies spy on us, too. So, where do we--where do we measure the 
sense of balance in what was raised earlier when we talk about 
cyber security in that regard? Please.
    Mr. Rauscher. Well, I think it has been humbling for us as 
Americans who travel abroad and talk about these issues--what 
is happening in our own country. And I am proud when I go 
anywhere in the world to talk about our ideals. I think we have 
the best country that has been set up in history. And I think 
if we look back to our Founding Fathers and the challenges they 
have given us in the Constitution, we could get some direction 
to answer your question.
    I know when we look at this issue, we are often looking at 
the Fourth Amendment. But this is a bit bold, and pardon me a 
little bit, I am an electrical engineer here, but I actually 
think that information is power, and when I look at the Second 
Amendment, that is the place where our Founding Fathers boldly, 
you know, set up this power balance with the people. And I 
think that we should look for the analogy from the Second 
Amendment to say, as the government seeks to use technology to 
enhance its ability to protect national security legitimately, 
that it needs to look at how it affects the balance with the 
power that the people have--not independent courts that are 
kind of private, but actual people, the public--have in terms 
of information regarding what the government's activities are.
    So I think there is some insight. It is not a completely 
traced proposal, but I think that there is something--a 
principle there in our Bill of Rights that gives us some 
insight about how we should handle that.
    I think it is important for us to continue to carry the 
mantle of freedom. We have done that for generations now in our 
country, and we need to continue to do that for the rest of the 
world.
    Mr. Faleomavaega. The only thing that disturbs me about Mr. 
Snowden's situation is the fact that when you are in this kind 
of a relationship in terms of your employment with the national 
government, and you are given an oath to swear as far as 
security interests of the country, and especially putting the 
lives of our men and women at risk in terms of when you get 
into the intelligence, when you get into espionage, when you 
get into the kind of activity the National Security Agency is 
involved--and by the way, this administration simply followed 
what the PATRIOT Act provisions provide, allowing the President 
to do what he is doing, and there is nothing illegal in what 
the President in this administration has done as far as putting 
out these feelers, if you want to call it, whether it be in our 
European Union country allies or any other country in the 
world.
    But what--again, it goes back again, does Mr. Snowden 
really believe that what our Government has done is beyond the 
rights that have been given under the Constitution of our 
country as far as the freedom to know?
    Mr. Lewis. Mr. Snowden is kind of a naive child. I mean, if 
he had a brain, he would have gone to Brazil, right, where they 
don't have an extradition treaty. But he did bring us to a 
debate that maybe we should have had, and it has to be an open 
debate over the balance between surveillance and privacy.
    It would hurt--it wouldn't hurt to have greater 
transparency, you know, where you could publish FISA findings 
with things blacked out, but we have to recognize--and this is 
getting lost--there is a trade-off between privacy and 
security. And what I worry is that we will overreact to 
Snowden's foolish revelations and constrain our ability to 
protect American citizens. We need that debate, greater 
transparency would be good, but let us not forget this is what 
it is protecting us.
    Mr. Faleomavaega. Dr. Schneck.
    Ms. Schneck. Yes. There is nothing more important than that 
balance of privacy and security for our national security and 
for our country. All the other stuff aside, information 
protects information, and we need security and privacy to 
protect each other. That is what we are here to protect is our 
way of life and our way of life as global citizens and as 
Americans, and that takes data, and it takes data to protect 
data, and we need to find the right way to make sure that we 
maintain that in an electronic world.
    Mr. Faleomavaega. Again, Mr. Chairman, I truly want to 
thank our panel of experts here this afternoon. They have been 
a most entertaining and educational experience for me in 
understanding more about cyber security. Thank you, Mr. 
Chairman, and I want to thank the panel as well.
    Mr. Chabot. Thank you very much.
    We will conclude with the gentleman from Virginia for 5 
minutes.
    Mr. Connolly. Hello again.
    Mr. Lewis, let me pick up on something you said and play 
devil's advocate, and I do genuinely mean devil's advocate.
    You said that, yeah, we need to work with India, but we 
have to be very careful that the perception is not that we are 
somehow tilting against the Chinese or ganging up on them. 
Chinese are very sensitive about that. Devil's advocate 
question: Why should we care?
    I mean, here is a country that is cheating. They are 
cheating on intellectual content, they are cheating on 
protections of intellectual property, I mean, from Starbucks 
coffee to software. It is breathtaking. Rather than invent 
their own, they just steal it from us, let us do the R&D 
investment. They are stealing military secrets using cyber 
security hacking attacks. It is systematic. It is not rogue 
elements running around in China who can control them. This is 
actually headquartered in the military compound, run by 
elements of the Chinese People's Liberation Army.
    It is wholesale, state-supported theft, and a direct threat 
to the national security of this country as well as some 
others. So why wouldn't we openly cooperate with India to send 
a message that we are prepared to protect our interests and 
work with those who want to work with us, and, yeah, it is at 
your expense. You have been engaged in all kinds of things at 
our expense. Why should we be so sensitive to China?
    Mr. Lewis. No, that is a good point, and the Chinese would 
probably say--I am starting to play devil's advocate--is you 
guys don't care about our feelings, and you are trampling over 
them anyhow, and you are trying to contain us.
    I think I look at it from the perspective of, you know, we 
are in the phase now where we need to persuade the Chinese to 
change their behavior. We cannot coerce them. They are too big 
a country. The only way you are going to coerce them is if we 
go to a war. That is in no one's interest.
    So we need to persuade them, we need to avoid conflict. And 
the Chinese are paranoid. One of the things, I think, that 
would be useful is if the Chinese, especially the PLA, moved 
away from the sort of Maoist heritage of everyone is trying to 
get out--everyone is trying to get us.
    So in thinking about how to shape the Chinese internal 
politics, I think that, you know, this open approach, we have 
just started to try it, we have just started engagement, let us 
see how it works. There are factions in China that want to work 
with the U.S., that want to move in the right direction. Let us 
encourage them. Three years from now, 4 years from now, if it 
hasn't worked, then we can think about stronger measures.
    Mr. Connolly. I guess I would suggest to you that my own 
observation over four decades is the Chinese respect power and 
sometimes little else, so the ``there, there, now, now, let's 
try to work this out, and my, my, try not to do that again'' 
approach is not one that is very efficacious, and not one that 
is respected in Beijing. And at some point, it seems to me, we 
have to protect our own interests, economic, political, 
military.
    I am not arguing for a forceful, you know, armed conflict, 
but I am arguing for much tougher enforcement and teeth with it 
than has occurred heretofore.
    Mr. Lewis. No, I think that is right. I think we will get 
to the point where we will need to use punitive measures to 
encourage the Chinese, but we want to do it in a careful 
fashion. They are afraid of us, right? They look at us, and 
they know we are infinitely more capable than them.
    We are all over their networks, right? Their networks can't 
be defended. So we are ready. We don't have to send the 
message, we are mad at you, and we could overpower you. They 
already know it. So I want to find a way to work with them. If 
that doesn't pan out, you know, give it a few years, and if we 
get into a harder place, sure, think of harder measures. But we 
don't have to scare them; they are already afraid.
    Mr. Connolly. Final question: What is your assessment of 
the talks between the new President of China and President 
Obama on this subject?
    Mr. Lewis. Well, the State Department says the talks went 
very well, so I know that comes as a news flash. And I think 
actually they did. In some of the preparatory meetings, Chinese 
officials told us that China is reconsidering its position in 
light of the changes in the international environment. The 
Chinese know they have a problem; they know they have to 
change. How much they will change will depend on how 
consistently and persistently we press them.
    Overall I am confident if we can maintain this effort for 3 
or 4 years, we will be in a different place. If we back off, 
you are right, the Chinese will just revert to their normal 
behavior. But they are interested in saying, how do we get to a 
deal with U.S., what does a deal mean? It is true that their 
first thing was, okay, we agreed to a working group, doesn't 
that make you happy, right? And I think that Americans thought 
it was good in saying, no, it is nice that we have a working 
group, but we need to do more. And they agreed to more talks, 
they agreed to work on norms. So we are on the right path.
    It is a big country. It is going to take a while to talk 
them out of it. When we did this in proliferation, it took 4 or 
5 years to get them to change.
    Mr. Connolly. You know, Mr. Chairman, Mr. Lewis' answer to 
me at the beginning, the State Department said the talks went 
very well, reminded me of that famous incident with Ronald 
Reagan when he was President. He was on the White House lawn, 
and a scrum of reporters were shouting out questions. He either 
couldn't or feigned he couldn't hear, and he was with Nancy 
Reagan at one point, and so she says in his ear, but it gets 
picked up, ``We are doing the best we can,'' and he goes, ``We 
are doing the best we can.''
    Mr. Chabot. I remember that.
    Mr. Connolly. The talks went very well.
    Thank you very much.
    Mr. Chabot. God bless Ronald Reagan.
    I want to thank the panel for their testimonies this 
afternoon. It has been very helpful to the committee. Without 
objection, members will have 5 days to submit questions or 
revise remarks.
    If there is no further business to come before the 
subcommittee, we are adjourned. Thank you.
    [Whereupon, at 3:45 p.m., the subcommittee was adjourned.]
                                     

                                     

                            A P P E N D I X

                              ----------                              


               Material Submitted for the Hearing Record






                                 
