[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]

PROMOTING SECURITY IN WIRELESS TECHNOLOGY
=======================================================================

HEARING BEFORE THE SUBCOMMITTEE ON COMMUNICATIONS AND TECHNOLOGY OF THE COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION

JUNE 13, 2017

Serial No. 115-38

Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov

U.S. GOVERNMENT PUBLISHING OFFICE
26-576 PDF WASHINGTON : 2017

For sale by the Superintendent of Documents, U.S. Government Publishing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].

COMMITTEE ON ENERGY AND COMMERCE

GREG WALDEN, Oregon, Chairman

JOE BARTON, Texas, Vice Chairman
FRED UPTON, Michigan
JOHN SHIMKUS, Illinois
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee
STEVE SCALISE, Louisiana
ROBERT E. LATTA, Ohio
CATHY McMORRIS RODGERS, Washington
GREGG HARPER, Mississippi
LEONARD LANCE, New Jersey
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Ohio
BILLY LONG, Missouri
LARRY BUCSHON, Indiana
BILL FLORES, Texas
SUSAN W. BROOKS, Indiana
MARKWAYNE MULLIN, Oklahoma
RICHARD HUDSON, North Carolina
CHRIS COLLINS, New York
KEVIN CRAMER, North Dakota
TIM WALBERG, Michigan
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
EARL L. ``BUDDY'' CARTER, Georgia

FRANK PALLONE, Jr., New Jersey, Ranking Member
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
ELIOT L. ENGEL, New York
GENE GREEN, Texas
DIANA DeGETTE, Colorado
MICHAEL F. DOYLE, Pennsylvania
JANICE D. SCHAKOWSKY, Illinois
G.K. BUTTERFIELD, North Carolina
DORIS O. MATSUI, California
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
JERRY McNERNEY, California
PETER WELCH, Vermont
BEN RAY LUJAN, New Mexico
PAUL TONKO, New York
YVETTE D. CLARKE, New York
DAVID LOEBSACK, Iowa
KURT SCHRADER, Oregon
JOSEPH P. KENNEDY, III, Massachusetts
TONY CARDENAS, California
RAUL RUIZ, California
SCOTT H. PETERS, California
DEBBIE DINGELL, Michigan

Subcommittee on Communications and Technology

MARSHA BLACKBURN, Tennessee, Chairman

LEONARD LANCE, New Jersey, Vice Chairman
JOHN SHIMKUS, Illinois
STEVE SCALISE, Louisiana
ROBERT E. LATTA, Ohio
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
ADAM KINZINGER, Illinois
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Ohio
BILLY LONG, Missouri
BILL FLORES, Texas
SUSAN W. BROOKS, Tennessee
CHRIS COLLINS, New York
KEVIN CRAMER, North Dakota
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
GREG WALDEN, Oregon (ex officio)

MICHAEL F. DOYLE, Pennsylvania, Ranking Member
PETER WELCH, Vermont
YVETTE D. CLARKE, New York
DAVID LOEBSACK, Iowa
RAUL RUIZ, California
DEBBIE DINGELL, Michigan
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
ELIOT L. ENGEL, New York
G.K. BUTTERFIELD, North Carolina
DORIS O. MATSUI, California
JERRY McNERNEY, California
FRANK PALLONE, Jr., New Jersey (ex officio)

C O N T E N T S

Hon. Marsha Blackburn, a Representative in Congress from the State of Tennessee, opening statement
    Prepared statement
Hon. Michael F. Doyle, a Representative in Congress from the Commonwealth of Pennsylvania, opening statement
Hon. Leonard Lance, a Representative in Congress from the State of New Jersey, opening statement
Hon. Frank Pallone, Jr., a Representative in Congress from the State of New Jersey, opening statement
    Prepared statement

Witnesses

Bill Wright, Director, Government Affairs, and Senior Policy Counsel, Symantec
    Prepared statement
    Answers to submitted questions
Amit Yoran, Chairman and Chief Executive Officer, Tenable
    Prepared statement
    Answers to submitted questions
Charles Clancy, Ph.D., Director, Hume Center for National Security and Technology, and Professor of Electrical and Computer Engineering, Virginia Tech
    Prepared statement
    Answers to submitted questions
Kiersten E. Todt, Former Executive Director, Commission on Enhancing National Cybersecurity; Managing Partner, Liberty Group Ventures, LLC; and Resident Scholar, University of Pittsburgh Institute for Cyber Law, Policy, and Security
    Prepared statement
    Answers to submitted questions

PROMOTING SECURITY IN WIRELESS TECHNOLOGY
----------

TUESDAY, JUNE 13, 2017

House of Representatives,
Subcommittee on Communications and Technology,
Committee on Energy and Commerce,
Washington, DC.

The subcommittee met, pursuant to call, at 10:00 a.m., in Room 2322, Rayburn House Office Building, Hon. Marsha Blackburn (chairman of the subcommittee) presiding.

Members present: Representatives Blackburn, Lance, Shimkus, Olson, Kinzinger, Bilirakis, Johnson, Flores, Brooks, Collins, Cramer, Walters, Costello, Doyle, Welch, Clarke, Loebsack, Ruiz, Dingell, Rush, Eshoo, Butterfield, Matsui, McNerney, and Pallone (ex officio).
Staff present: Kelly Collins, Staff Assistant; Blair Ellis, Press Secretary/Digital Coordinator; Chuck Flint, Policy Coordinator, Communications and Technology; Gene Fullano, Detailee, Communications and Technology; Jay Gulshen, Legislative Clerk, Health; Kelsey Guyselman, Counsel, Communications and Technology; Lauren McCarty, Counsel, Communications and Technology; Paul Nagle, Chief Counsel, Digital Commerce and Consumer Protection; John Ohly, Professional Staff, Oversight and Investigations; Dan Schneider, Press Secretary; Jeff Carroll, Minority Staff Director; Alex Debianchi, Minority Telecom Fellow; David Goldman, Minority Chief Counsel, Communications and Technology; Jerry Leverich, Minority Counsel; Lori Maarbjerg, Minority FCC Detailee; Jessica Martinez, Minority Outreach and Member Services Coordinator; and Dan Miller, Minority Policy Analyst.

OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF TENNESSEE

Mrs. Blackburn. Go ahead and call our subcommittee to order. And I will begin by thanking Mr. Doyle's Penguins for a very fine hockey series against my Nashville Preds. I told him I thought about bringing him a little bit of catfish today, but we were sorry we didn't win but we think it was just a fantastic series and we congratulate.

Mr. Doyle. Well, thank you.

Mrs. Blackburn. Yes. And now I recognize myself for 5 minutes for an opening statement. And I welcome each of you to the subcommittee's hearing titled, Promoting Security in Wireless Technology, and thank you to our witnesses for appearing and for offering your testimony on this important issue and thank you for submitting that testimony on time. We appreciate that.

Mobile connectivity has become essential to our daily lives as a result of technology and consumer demand. Unfortunately, increasing reliance on wireless devices and networks has provided more avenues for cybercriminals to compromise our security and harm consumers.
According to the 2017 Hiscox Cyber Readiness Report, cybercrimes cost the global economy approximately 450 billion, and over 100 million Americans had their medical records stolen in 2016. I think that is such an important stat. 100 million Americans had their medical records stolen in 2016. Threats to mobile devices and networks can run the gamut from the use of ransomware and phishing schemes to packet sniffing and attacks on encryption protocols used to protect information sent over WiFi. These incidents have been occurring with alarming frequency on scales large and small.

The Harvard Business Review wrote last September 22nd that--and I am quoting--``Mobile devices are one of the weakest links in corporate security,'' and that ``if mobile security isn't a problem for your company yet, it will be.'' Hackers are smart. They are adapting. McAfee's 2016 Mobile Threat Report notes mobile devices are quickly becoming the cybercriminal's target of choice because of the abundance of sensitive information individuals store on them. This is corroborated by a Newsweek report from March that stated mobile ransomware attacks had already grown over 250 percent in 2017. The sophistication and frequency of cyber attacks against mobile devices continues to escalate and we must meet this challenge head-on.

Our hearing will also examine threats to wireless networks. As the Majority Memorandum notes, mobile devices generate numerous air interfaces to transmit data, with each interface creating unique security vulnerabilities and attack methods. Threats include packet sniffing, rogue access points, jamming, and locating flawed encryption algorithms. These attacks can be initiated by hackers to obtain financial information, user passwords, and block legitimate network traffic. A recent example of this was the DDOS attack against Dyn which disrupted websites such as Twitter, Netflix, and Etsy last November. We all remember that one.
I have often said that cyberspace is the battlefield of the 21st century. It is time to act. Hardworking taxpayers are demanding leadership from Washington in the cyber arena and it is our duty to provide it. Enhanced defensive capabilities should be developed by promoting greater collaboration between public and private entities. CTIA has shown leadership through its Cybersecurity Working Group. Their efforts have brought Federal agencies such as the FCC and DHS together with the private sector to develop solutions to the dilemma.

Whether it is encryption, the use of authentication standards, updating operating systems, or rigorous implementation of antivirus software, we must have an all-of-the-above approach when it comes to forging defensive strategies against cybercriminals.

[The prepared statement of Mrs. Blackburn follows:]

Prepared statement of Hon. Marsha Blackburn

Welcome to the Communications and Technology Subcommittee's hearing titled ``Promoting Security in Wireless Technology.'' Thank you to the witnesses for appearing to offer your testimony on this important issue.

Mobile connectivity has become essential to our daily lives as a result of advances in technology and consumer demand. Unfortunately, increasing reliance on wireless devices and networks has provided more avenues for cyber criminals to compromise our security and harm consumers. According to the 2017 Hiscox Cyber Readiness Report, cybercrimes cost the global economy approximately $450 billion and over 100 million Americans had their medical records stolen in 2016. Threats to mobile devices and networks can run the gamut from the use of ransomware and phishing schemes to packet sniffing and attacks on encryption protocols used to protect information sent over wi-fi. These incidents have been occurring with alarming frequency on scales large and small.
The Harvard Business Review wrote last September 22nd that ``mobile devices are one of the weakest links in corporate security'' and that ``if mobile security isn't a problem for your company yet, it will be''. Hackers are smart and they are adapting. McAfee's 2016 Mobile Threat Report notes mobile devices are quickly becoming the cybercriminals' target of choice because of the abundance of sensitive information individuals store on them. This is corroborated by a Newsweek report from March that stated mobile ransomware attacks have already grown over 250 percent in 2017. The sophistication and frequency of cyberattacks against mobile devices continues to escalate and we must meet this challenge head on.

Our hearing will also examine threats to wireless networks. As the Majority Memorandum notes, mobile devices generate numerous air interfaces to transmit data, with each interface creating unique security vulnerabilities and attack methods. Threats include packet sniffing, rogue access points, jamming, and locating flawed encryption algorithms. These attacks can be initiated by hackers to obtain financial information, user passwords, and block legitimate network traffic. A recent example of this was the DDOS attack against Dyn which disrupted websites such as Twitter, Netflix, and Etsy last November.

I have often said that cyberspace is the battlefield of the 21st century. We must act now. Hard-working taxpayers are demanding leadership from Washington in the cyber arena and it is our duty to provide it. Enhanced defensive capabilities should be developed by promoting greater collaboration between public and private entities. CTIA has shown leadership through its Cybersecurity Working Group. Their efforts have brought Federal agencies such as the FCC and DHS together with the private sector to develop solutions to the cybersecurity dilemma.
Whether it is encryption, the use of authentication standards, updating operating systems, or rigorous implementation of antivirus software--we must have an ``all of the above'' approach when it comes to forging defensive strategies that will defeat and deter cyber criminals. Thank you and I look forward to the testimony of our witnesses.

Mrs. Blackburn. I thank you all for being here, and at this time I yield 5 minutes to the ranking member, Mr. Doyle.

OPENING STATEMENT OF HON. MICHAEL F. DOYLE, A REPRESENTATIVE IN CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA

Mr. Doyle. I thank you, Madam Chair, for holding this hearing and for the witnesses for appearing today. Before I get started I just want to reiterate a momentous occasion in our city. The Pittsburgh Penguins have brought the Stanley Cup back to Pittsburgh for the second year in a row. We beat back broken bones and sideline starters and some ferocious play from the Nashville Predators. I know the Predators aren't squarely in the gentlelady from Tennessee's district, but I want to congratulate her and their team on a hard-fought series.

Mr. McNerney. Will the gentleman yield to someone from the Golden State?

Mr. Doyle. No. No, I will not. But I have time at the end. You know, in Pittsburgh we could throw Primanti Bros. sandwiches on the ice, but they taste so good we prefer to eat them. So anyways, go Pens and congratulations to the Predators.

I also want to mark another milestone. As of today, there are just under five million comments in the FCC's proceeding to repeal net neutrality rules. With still months to go, we have already far eclipsed the record-breaking 3.7 million comments that were filed in 2015. The vast majority of these comments are overwhelmingly in support of the current rules and opposed to the Trump administration's effort.
And I would once again urge the chairman to bring the Commission before this committee for oversight hearings so that Congress can do its job and provide much needed oversight and public scrutiny. I think it would be a dereliction of duty not to provide oversight of an agency whose actions risk upending the internet ecosystem, one of the primary drivers of our economy. Considering the number of oversight hearings held during the previous administration, I am sure my colleagues on the other side of the aisle appreciate this fact all too well and will see fit to schedule oversight hearings of the Commission as soon as possible.

Now, on to the topic before us today, promoting online security. Security is an absolutely critical issue. It enables an environment where commerce, communication, and innovation can flourish. However, increasingly, organizations are facing mounting threats and greater challenges particularly as more sectors of our economy come to depend on the digital infrastructure. These challenges are being compounded by highly sophisticated online threats that are increasingly funded and supported by hostile nations.

As the witnesses point out in their testimony, attacks we face today are highly sophisticated and increasingly destructive, from Crash Override to Mirai botnet, from the hacks of the DNC and the Russian meddling in the U.S. election to WannaCry ransomware, these issues are only escalating in their severity.

My colleagues, Representatives Clarke, Engel, and McNerney have all introduced legislation in this committee to address the threats we face. I would encourage the chairman to hold legislative hearings on these bills. I would also add that we need to use every tool in our toolbox to address cyber threats we are facing. In repealing the FCC's privacy rules using the CRA, Congress also repealed data security protections contained in those rules.
While these rules were not a panacea, they required reasonable steps to protect data and were a meaningful step towards addressing this issue. With that I would yield the remaining minute and 35 seconds of my time to any one of my colleagues that desires to use it. Mr. McNerney?

Mr. McNerney. Well, I thank the ranking member. And I don't want to say too much more about the Golden State Warriors, so I will move on. But I want to thank the Chair for today's hearing. The security is important. Last October we witnessed a catastrophic attack that used the insecure Internet of Things devices to cripple the internet. A weak device security poses serious threats to our national security and to the economy. That is why I introduced the Securing IoT Act which would require that cybersecurity standards be established for IoT devices and that these devices be certified to meet those standards. I am also disappointed that my Republican colleagues have not shown any interest in this bill especially since 20 to 50 billion connected devices are expected to be in use by the year 2020. Meanwhile, my Republican colleagues passed the privacy CRA, which leaves consumers more vulnerable to cybersecurity attacks, and that is why I introduced MY DATA Act so that consumers can have strong, data security protections. I hope my colleagues can get behind these two important bills, and I yield back to the ranking member.

Mr. Doyle. And Ms. Eshoo, would you like the remaining time?

Ms. Eshoo. Well, you are nice, but there are 11 seconds left, so I will weave my comments in later on. Thank you very much. I appreciate it.

Mr. Doyle. OK, thank you. I will yield back. Thank you.

Ms. Eshoo. Thank you.

Mrs. Blackburn. The gentleman yields back. Mr. Lance, you are recognized for 5 minutes.

OPENING STATEMENT OF HON. LEONARD LANCE, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF NEW JERSEY

Mr. Lance. Thank you, Chair Blackburn.
And welcome to our distinguished panel, thank you for appearing before us today. Since the advent of the smart phone and network innovations such as 4G LTE, consumers have become increasingly less constrained by location when using the internet. Mobile technology has changed the way consumers interact, freeing them to conduct business, to shop, to have access to health and financial records, to study and participate in countless other activities almost anywhere in the country.

As more and more technological innovations such as 5G and Internet of Things devices come to market, billions more devices will become connected and continue to revolutionize the way consumers and businesses behave. And we have just participated downstairs in a forum regarding the Internet of Things with many of the great companies in this country, including Qualcomm and Panasonic and Siemens and Honeywell and others.

However, with increased ease of access and reliance on connected devices comes increased security risks as the Chair has already indicated. We have already seen bad actors take advantage of the flood of internet-connected devices in the DDOS botnet attacks last year, and an increase of phishing and malware attacks on mobile devices. Threats are constantly evolving and increasing in sophistication and scope.

Cybersecurity needs to be a priority as we become more dependent on connected devices. A large part of this is educating consumers and businesses on how best to protect themselves and their devices on the internet such as recognizing an attempt to invade the internet and regularly to change passwords. There is also a responsibility for the Government and industry to work together in making sure that networks and consumers are protected without mandating innovation-stifling technology or security standards that will become obsolete quickly. And we have seen this across the last 20 years that technology outstrips what we do here in Washington.
I thank our panel for your efforts in this important field and look forward to the testimony. And I apologize. I will be moving in and out. There are two subcommittees of importance today from the Energy and Commerce Committee. Certainly this is an incredibly important issue and I will certainly be here to the greatest extent possible. Welcome again to our distinguished panel, and I would yield 2 minutes, 20 seconds to any of our colleagues who wish to be recognized.

Mrs. Blackburn. Anyone seeking time for an opening statement? If not, the gentleman yields back.

Mr. Lance. I yield back, Madam Chair.

Mrs. Blackburn. Mr. Pallone, the ranking member of the full committee, you are recognized for 5 minutes.

OPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE IN CONGRESS FROM THE STATE OF NEW JERSEY

Mr. Pallone. Thank you, Madam Chairman. Cyber attacks are one of the most serious threats to our national security today. Every day, new information comes out about how the Russians and other foreign actors are hacking our institutions and our democracy. Just last week, former FBI Director Comey testified, and I am quoting, ``The Russians interfered in our election during the 2016 cycle. They did it with purpose. They did it with sophistication. They did it with overwhelming technical efforts. It was an active measures campaign driven from the top of that government. There is no fuzz on that.'' Unquote.

This committee has primary jurisdiction over the communications networks that were used by the Russians to commit these attacks. We should be focused like a laser on how to stop them from happening again, but this committee has yet to hold a single hearing on these Russian hacks. Worse still, the only legislation House Republicans have pushed and supported within this subcommittee's jurisdiction actually makes us less safe, in my opinion.
With no hearings or advance notice, the leadership of this committee led the charge to strip away Americans' privacy rights and throw out some of the only protections on the books to secure our data. These safeguards simply said that broadband providers needed to take reasonable measures to secure Americans' data. But despite the Russian hacks, congressional Republicans eliminated those protections under the absurd pretext that asking companies to act reasonably was Government overreach.

This hearing today is another example of committee Republicans simply not taking these issues seriously. Democrats tried to invite another cybersecurity expert to testify here today who could have helped us better understand the threats to our country like the Russian hacks, but the majority made up arbitrary and partisan reasons, in my opinion, to effectively block us. This decision shortchanges our members' ability to hear from the experts in this area. These games have to stop because these issues are just too serious to keep playing politics with our national security.

Now Democrats are trying to address these issues head on in a nonpartisan way. We have put forward three bills--from Mr. Engel, Mr. McNerney, and Ms. Clarke--to help fix some of these problems. These are good bills that were introduced more than 3 months ago and every day that goes by with no action is another day that the American people are at risk. Republicans, as I said before, should stop playing political games with national security because the risks are too great.

[The prepared statement of Mr. Pallone follows:]

Prepared statement of Hon. Frank Pallone, Jr.

Thank you, Madam Chairman. Cyberattacks are one of the most serious threats to our national security today. Every day new information comes out about how the Russians and other foreign actors are hacking our institutions and our democracy.
Just last week former FBI Director Comey testified, and I'm quoting: ``The Russians interfered in our election during the 2016 cycle. They did it with purpose. They did it with sophistication. They did it with overwhelming technical efforts. It was an active measures campaign driven from the top of that government. There is no fuzz on that.''

This committee has primary jurisdiction over the communications networks that were used by the Russians to commit these attacks. We should be focused like a laser on how to stop them from happening again, but this committee has yet to hold a single hearing on these Russian hacks. Worse still, the only legislation House Republicans have pushed and supported within this subcommittee's jurisdiction actually makes us less safe.

With no hearings or advance notice, the leadership of this committee led the charge to strip away Americans' privacy rights and throw out some of the only protections on the books to secure our data. Those safeguards simply said that broadband providers needed to take ``reasonable measures'' to secure Americans' data. But despite the Russian hacks, Congressional Republicans eliminated those protections under the absurd pretext that asking companies to act reasonably was Government overreach.

This hearing today is another example of committee Republicans simply not taking these issues seriously. Democrats tried to invite another cybersecurity expert to testify here today who could have helped us better understand the threats to our country, like the Russian hacks. But the majority made up arbitrary and partisan reasons to effectively block us. This decision shortchanges our members' ability to hear from the experts in this area. These games have to stop because these issues are just too serious to keep playing politics with our national security.

Democrats are trying to address these issues head on in a nonpartisan way. We have put forward three bills--from Mr. Engel, Mr. McNerney, and Ms. Clarke--to help fix some of these problems. These are good bills that were introduced more than three months ago. Every day that goes by with no action is another day that the American people are at risk. Republicans must stop playing political games with national security. The risks are just too great.

Mr. Pallone. And with that, I would like to yield the time that I have left to Ms. Clarke and Ms. Eshoo. I guess we will split it evenly. We will start, I yield to Ms. Clarke.

Ms. Clarke. First, I would like to thank our ranking member, Mr. Pallone, for yielding his time to me and thank Ranking Member Doyle and Chairwoman Blackburn for holding this important hearing. And I welcome our witnesses today for their expert testimony, I look forward to hearing from today's panelists.

Many of my constituents in the 9th congressional district of New York have voiced their concerns on cybersecurity and have asked what I and my colleagues can do to lessen their vulnerability to cyber attacks, which is why I introduced the Cybersecurity Responsibility Act of 2017. The Cybersecurity Responsibility Act of 2017 calls on the Federal Communications Commission to take an active role in protecting communications networks by carefully arranging, organizing, and supervising cybersecurity risks to prevent cyber attacks. As technology continues to develop and grow, so must our rules and regulations on internet safety. It is our duty not only as Members of Congress but as members of the committee to protect Americans against cyber attacks by ensuring that there are sufficient rules in place. With that, Mr. Chairman, I yield back to you.

Mr. Pallone. I yield the remaining of the time to Ms. Eshoo.

Ms. Eshoo. I thank the ranking member, and I thank all the witnesses. Some of you have been here before, welcome back, and to those who haven't, welcome.
It has been said but it needs to be restated, cybersecurity, I think, is really one of the most pressing national security issues, challenges for our country. Almost everything that we do here in Congress relative to cybersecurity is after there has been a breach, and I think that we need to really drill down on prevention. I have spoken to countless people in my Silicon Valley district. Almost to a person they tell me that we need to concentrate on prevention. Up to 90 percent of the breaches, both Government and private sector--and 95 percent of this is private sector, 5 percent is the Federal Government as important as it is--say that there are two pillars to this. One is cyber hygiene and the other is consistent security management, so I am shortly going to be introducing legislation that reflects that.

I think that NIST can set the standards and I think that companies should have a set of good housekeeping seal of approval and that as important as it is to take steps after something has happened, I think that we need to start focusing on prevention. So we will talk more about it with our distinguished panel, but I want to thank the ranking member for giving me some time to make this brief statement. Thank you.

Mrs. Blackburn. The gentlelady yields back. The gentleman yields back, and this concludes our opening statements. I will remind all Members that their opening statements will be made a part of the record. And we do thank our witnesses for being here with us today. We are going to give each of you the opportunity to make a 5-minute opening statement. And our witnesses: Mr. Bill Wright who is the director of Government Affairs and Senior Policy Counsel, and we welcome you; Mr. Amit Yoran, who is the chairman and CEO of Tenable; Ms. Kiersten Todt, who is the managing partner at Liberty Group Ventures and a resident scholar at the University of Pittsburgh--I guess you are celebrating too--Institute for Cyber Law, Policy, and Security; and Mr. Charles Clancy, who is the director and professor at Hume Center for National Security and Technology at Virginia Tech. So we appreciate that you are each here. We will begin, Mr. Wright, with you. You are recognized for 5 minutes for your opening statement.

STATEMENTS OF BILL WRIGHT, DIRECTOR, GOVERNMENT AFFAIRS, AND SENIOR POLICY COUNSEL, SYMANTEC; AMIT YORAN, CHAIRMAN AND CHIEF EXECUTIVE OFFICER, TENABLE; CHARLES CLANCY, PH.D., DIRECTOR, HUME CENTER FOR NATIONAL SECURITY AND TECHNOLOGY, AND PROFESSOR OF ELECTRICAL AND COMPUTER ENGINEERING, VIRGINIA TECH; AND, KIERSTEN E. TODT, FORMER EXECUTIVE DIRECTOR, COMMISSION ON ENHANCING NATIONAL CYBERSECURITY; MANAGING PARTNER, LIBERTY GROUP VENTURES, LLC; AND RESIDENT SCHOLAR, UNIVERSITY OF PITTSBURGH INSTITUTE FOR CYBER LAW, POLICY, AND SECURITY

STATEMENT OF BILL WRIGHT

Mr. Wright. Chairman Blackburn, Ranking Member Doyle, members of the subcommittee thank you for the opportunity to testify today. The cyber threats that we face today and every day are growing both in numbers and in sophistication. As the chairman pointed out in her opening statement, cyberspace truly is the battlefield of the 21st century. And while global ransomware attacks and destructive malware attacks tend to steal the headlines, it is other threats--threats to mobile, threats to wireless, threats to IoT--that are quickly gaining prominence. And no wonder, today more than half of the world's web traffic originates from mobile phones and nearly half of the people on the planet own a smart phone today.

But I think calling it a phone doesn't quite do this justice. This isn't a phone. It is a powerful, connected, handheld computer and from time to time you can use it to call your wife. We need to start viewing these as computers and we need to protect them as computers. Our web searches, our banking, our personal health information is all being transmitted and stored on mobile devices.
Our smart phones are becoming an extension of ourselves and our identity. We are also seeing a blurring of the lines between work-issued devices and personal devices. Employees can and often expect to be able to work from anywhere. Workers can unwittingly introduce a virus into an entire network system from a single download of a malicious app. IT security is no longer about just protecting the perimeter from attack because that perimeter now covers the entire planet. As we all rush and rush to connect more and more devices to the internet we will undoubtedly improve our lives in many, many ways, but we will also be greatly increasing the attack surface. Last year's Mirai botnet DDoS attack was a sobering wake-up call for how powerful an IoT-based botnet could be. And it was also a chilling reminder for what could happen if those bot masters had trained their sights elsewhere, say on an industrial control system. Attackers are continuing to evolve their criminal tools and getting better at avoiding detection and obfuscating their actions. The incentives for criminals are very strong. Cybercrime is more lucrative than ever. There is very little risk in getting caught and the underground cybercrime marketplace is booming, allowing even an art history major to conduct highly sophisticated cyber attacks by renting crime as a service by the hour or buying ransomware tool kits or mobile banking trojans. Mobile device manufacturers, particularly Apple, have done a pretty good job at putting security into their products and keeping malicious apps out of their stores. Android also has made some great strides over the last year. However, the very attributes that make mobile phones so attractive to consumers also make them a very tempting target for cybercriminals because unlike your desktop computer, your mobile device is always active, always receiving and used for every aspect of your life.
Increasingly, smart phones are used for authentication purposes in various online accounts. A hacker only needs to steal or access your mobile device to get past all the other defenses that have been set up on the network side. Unfortunately, the public's attitude towards securing their devices has not kept pace with the potential threat. More than a quarter of smart phone users do not even use the most basic security feature, the screen lock, let alone applying timely software updates. And the criminals are following their victims onto these new platforms. Over the last few years we have seen a dramatic rise in malicious activity related to mobile devices driven by cybercriminals using tried and true methods to monetize attacks such as premium text messages, click fraud, and ransomware. Last year, Symantec detected more than 18 million mobile threats, an increase of 105 percent from the prior year. This trend will only be exacerbated over the next few years when tens of billions of connected devices are added to the internet. Cybercriminals are only bound by their own imagination and if there is a way to steal valuable data and monetize it, they will find it. As this subcommittee knows, we face significant challenges in our efforts to secure wireless networks and mobile devices and while there remains much work to be done we have made some progress in some areas, for instance, how we share threat information and when we share threat information with our Government partners. At Symantec we are committed to improving online security across the globe, including wireless and mobile security, and will continue to work collaboratively with our customers, industry, and governments to do so. Thank you again for the opportunity to testify and I am happy to answer any questions. [The prepared statement of Mr. Wright follows:] [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] Mrs. Blackburn. I thank you for the testimony. Mr. Yoran, you are recognized for 5 minutes.
STATEMENT OF AMIT YORAN Mr. Yoran. Chairman Blackburn, Ranking Member Doyle, and members of the subcommittee, thank you for the opportunity to testify today in what promises to be the most exciting hearing of the day. I am chairman and CEO of Tenable, the world's most widely deployed vulnerability management solution, including in the Federal Government where the majority of Government agencies use our technology to assess and manage their cyber risk. It is important to put mobility and wireless in the context of modern computing enterprise environments which are dynamic and borderless and virtually unlimited in connectivity. Mobile devices, wireless networks, transient user populations, cloud-based infrastructure, web applications, and the shift to DevOps go hand in glove with the Internet of Things in invading our computing environments. Today's complex mix of computer platforms and applications combine to represent the modern attack surface where the assets themselves and their associated vulnerabilities are constantly expanding, contracting, and evolving, almost like a living organism, creating gaps in overall system understanding, security coverage, and resulting in underestimated exposure. Therefore, it is important that any approach to cybersecurity for mobile devices or wireless networks not be done in isolation but, rather, viewed as part of a holistic ecosystem. In over 20 years practicing information security, the following axiom proves true time and again. You cannot secure what you don't know about. If there are elements of your computing environment that are invisible or unknown to you, chances are that they represent unaccounted-for risk. Both the NIST Cybersecurity Framework and DHS's Continuous Diagnostics and Mitigation program call for identifying assets and vulnerabilities as the first step in cybersecurity. Identifying assets not just once but continually is foundational to assessing risk and developing effective security programs.
My written testimony includes policy recommendations, a few of which I will highlight. First, we need a bold, new cyber workforce strategy that develops and advances the ranks of all people from different walks of life. Only through increased inclusion and diversity in perspective and thought can our industry achieve the greater creativity, innovation, and develop new solutions to our most vexing challenges. At Tenable we have implemented a Rooney Rule to set an example of greater diversity in our leadership ranks. I do want to state, however, that our efforts to expand the workforce will inevitably fall short of the insatiable demand for cyber talent and we have to prepare for that with a complementary focus on technology and automation. Second, the Government should encourage the private-sector companies to continually and fully assess their cybersecurity risk just as the Federal agencies will be doing and many regulatory requirements and best practices already mandate. Today, all organizations are part of a global ecosystem with a cyber hygiene responsibility to one another. Simple malware like WannaCry demonstrated what a very crippling cyber attack might do. The infection was spread company to company, many of which simply failed to adequately assess their cyber risk and act accordingly. Third, the Federal Government should continue to promote the NIST Cybersecurity Framework which, according to Gartner, will be adopted by 50 percent of organizations by 2020. In closing, I want to emphasize the importance of taking an agile, continuous, and holistic approach to cybersecurity and technology policy. As we all know, IT is changing quickly across so many different dimensions. Prudence would have us look at mobile devices, wireless networks, and other technologies gaining great adoption in the broader context of our IT environments rather than in isolation. 
I would like to thank Chairman Blackburn, Ranking Member Doyle, and all the members of the subcommittee for their attention to this important issue and I will be happy to respond to your questions. [The prepared statement of Mr. Yoran follows:] [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] Mrs. Blackburn. I thank the gentleman and he yields back and, Dr. Clancy, you are recognized for 5 minutes. STATEMENT OF CHARLES CLANCY Dr. Clancy. Thank you, Chairman Blackburn, Ranking Member Doyle, and subcommittee members. I think we can all agree that there are major vulnerabilities in the larger ecosystem of wireless security that we have reason to be concerned about. I would like to focus my opening remarks a bit on the wireless infrastructure that underpins those networks. Over the last decade we have seen a fundamental shift of the DNA of the internet from the internet that connected stationary computers to fixed server infrastructure to one that is the social mobile internet. It is ubiquitous mobile broadband that connects smart phones and users to social media and the internet as a whole. This has again fundamentally changed the makeup of the traffic on the internet and the nature of the cybersecurity threat to the internet. Over the next decade we will see another titanic shift of the internet with the so-called Internet of Things which has been referred to by several others so far, but the idea here is that we could see an increase of 20 billion devices connected to the internet; again another fundamental titanic shift of the DNA of the internet. The wireless industry is working aggressively to address the needs of IoT with 5G wireless technology and is seeking to make sure that there are security components that are built into the infrastructure to address those needs. If you look at our cellular infrastructure today, the majority of us have 4G LTE coverage.
And 4G LTE learned from the mistakes of 3G, which learned from the mistakes of 2G, which learned from the mistakes of 1G, and for the most part has the needed building blocks to develop and manage a secure, wireless, mobile broadband infrastructure. The key challenge we have though is that while 4G LTE is ubiquitously deployed, we still have 2G and 3G infrastructure that is operating, and much of the rest of the world has 2G and 3G infrastructure operating that remains vulnerable to a wide range of different attacks. And in particular, in the last 12 months we have seen press around IMSI catchers or so-called StingRays that are able to compromise user privacy and the SS7 attacks that were able to impact user privacy as well. And the big challenge is not that 4G LTE is insecure, it is just that we still have this legacy 2G infrastructure deployed that remains insecure. Additionally, we have unlicensed bands, unlicensed technology, wireless technology-fueled innovation over the last decade or two, right. WiFi fundamentally transformed many aspects of how we connect to the internet and how internet is available to us. However, in the early days of WiFi there were rampant security vulnerabilities. My Ph.D. dissertation was studying those vulnerabilities and looking to address them in the standards that ultimately became WPA and WPA2, which ultimately shored up many of those vulnerabilities. And while home users and residential WiFi networks are for the most part secure through deployment of these new technologies, hotspots at everywhere from your coffee shop to airplanes remain insecure and are vulnerable to attacks that we have known about for 2 decades. So that remains, I think, a challenge as we look at the wireless ecosystem as a whole. Third, I would look at the services that operate over these networks, right. We have a very complex tapestry of members of this ecosystem. 
We have the device manufacturers, we have the operating system vendors, we have the people who write and develop apps that run on these systems. We have the cellular operators. We have the OEMs who build equipment for the cellular operators. We have the cloud providers and we have the median service entities that sit over top of all of it. And each one of these different groups has a different regulatory focal point within the U.S. Government, whether it be the Federal Communications Commission or the Federal Trade Commission or DHS, and this creates a very complex ecosystem when seeking to achieve cybersecurity because no one entity across that entire continuum has enough control of the ecosystem to achieve unilateral security. So as a result, I think it is imperative that we look at cybersecurity as a partnership where we need stakeholders across all the, both Government and industry to be working together on developing solutions and deploying those solutions. And lastly, as a member of the academic community, I will reinforce the points that have been made earlier around workforce. There are over a million cybersecurity jobs here in the United States of which 31 percent are vacant. The number of new jobs in cybersecurity each year that become open exceeds the total volume of computer scientists graduating across the entire United States. So we need to think more broadly about how we fill these cybersecurity gaps, and we need to think of cybersecurity not just as a subdiscipline of computer science, but something that is fundamentally intrinsic to technology overall. And with that I will thank the chairman and conclude my remarks. [The prepared statement of Mr. Clancy follows:] [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] Mrs. Blackburn. The gentleman yields back and we thank you. Ms. Todt, you are recognized for 5 minutes. STATEMENT OF KIERSTEN E. TODT Ms. Todt. Good morning, Chairman Blackburn and Ranking Member Doyle and members of the subcommittee.
Thank you for the opportunity to present my testimony on the promotion of security in wireless technology. I am currently the managing partner of Liberty Group Ventures and a resident scholar in Washington, DC, at the University of Pittsburgh Institute for Cyber Law, Policy, and Security. I also serve on the Federal Advisory Board of Lookout, Incorporated, and most recently served from March 2016 to March 2017 as the executive director of the presidential Commission on Enhancing National Cybersecurity. This Commission was bipartisan and independent and was charged with developing actionable recommendations for growing and securing the digital economy as well as for creating a road map for the incoming administration. I appreciate this subcommittee's awareness of the need to focus on the security of wireless and mobile technology. In a world where first-to-market overrides secure-to-market and every enterprise is seeking to make operations move more quickly and be more convenient, addressing the security of these innovations is critical and absolutely necessary. In response to the questions posed by this hearing, my testimony will primarily focus on mobile security and addressing the growing threat around interdependencies in IoT. Mobile devices are an attack vector that cannot be ignored and they are increasingly targeted for access to sensitive information or financial gain, as we have heard thoughtfully from our other panelists. But mobility should not be at odds with security and the reality is that cloud and mobile adoption in the enterprise is just beginning. Mobile devices are a part of every supply chain in your home and in your office, and mobile devices have become much more than communications devices. They are the access point to our work and our personal lives. Additionally, with the rise of two-factor authentication--an important step in ensuring security, but not the ultimate solution--the smart phone has become even more important than the password.
A compromised device could hand over to an attacker an authentication code and thus access to an individual's most personal information as well as any work-related sensitive information. All mobile products have latent security vulnerabilities that could be exploited by bad actors and many users ignore security policies and download apps from unofficial sources. According to a recent Ponemon study, 67 percent of the Global 2000 reported that a data breach occurred as a result of employees using mobile devices to access the company's sensitive and confidential information. Last summer, Lookout and Citizen Lab detected the Pegasus spyware. Pegasus took advantage of three zero-day vulnerabilities in iOS devices to take complete control of a device. The attack was capable of getting messages, calls, emails, logs, et cetera from apps including FaceTime, Facebook, WhatsApp, Viber, Skype, Gmail and others. This threat represents the first time anyone has seen a remote jailbreak of an Apple device in the wild and shows us that highly resourced actors see the mobile platform as a fertile platform for gathering information. Historically, Government agencies have been restrictive about the use of mobile devices in the workplace. Perhaps because agencies now recognize that mobility is happening with or without their permission, we are beginning to see a shift towards prioritizing mobility initiatives in the Federal Government. The bottom line is that smart phones are essentially a supercomputer, as my colleague Mr. Wright noted, and today most have absolutely no security software on them. Mandates or policies stipulating that mobile devices must have an agent on the device that does predictive analytics should be considered. I would like to take this opportunity to commend John Ramsey, the CISO of the U.S. House of Representatives, for his focus and recent action on mobile security.
This example is one where Congress is ahead of the executive branch in implementing a cybersecurity best practice, and I encourage this committee, perhaps in collaboration with the House Homeland Security Committee, to hold a hearing on and to examine how Federal agencies can do a better job to defend against mobile security risks and to take a page from the U.S. House of Representatives. Our interconnections and interdependencies are becoming more complex and now extend well beyond critical infrastructure. These interconnections reduce the importance of the critical infrastructure label because by association all dependencies may be critical, as we saw with the Dyn/Mirai attack last fall. The proliferation of IoT devices is a growing challenge, and for the purpose of this hearing I offer the automobile as an example of interconnected devices. A Tesla is really a giant phone and battery on wheels. The base technology for connected cars originates from the smart phone revolution. And IoT and all of the technology that goes into connected cars, for example, is based on open source code that is genetically related to smart phones. We need to recognize that neither the Government nor the private sector can capably protect systems and networks without close and extensive cooperation. The mobile environment only adds to the challenge and urgency to develop an approach that emphasizes pre-event collaboration, which I describe in my written testimony, to more effectively manage our collective cybersecurity risk. As Representative Eshoo noted, Government does incident response well, but we need to be doing more to focus on prevention and collaboration before an event actually occurs. Information sharing is a byproduct of trust that develops through that type of collaboration.
We now recognize mobile security as one of the greatest risks affecting all enterprises and we therefore need to treat mobile devices as an endpoint priority equal to, if not more important than, traditional endpoints such as desktops and laptops. Thank you for the opportunity to testify in front of you today. I look forward to answering your questions. [The prepared statement of Ms. Todt follows:] [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] Mrs. Blackburn. Thank you so much. That was wonderful testimony, zipping right through it. And so we will begin with questions and I will yield myself 5 minutes and begin the questions. Mr. Wright, I am going to start right there with you. We know and you all have referenced some of the public-private partnership, the Government-industry partnerships that have moved forward and attempted to look at best practices in the mobile cyberspace. NIST, we have mentioned that a couple of times their framework and CTIA Cyber Working Group. So is standard setting enough, is best practices enough, or do we still need to have a statutorial legislative solution? Mr. Wright. I think it might be a little early to tell. Right now following some of the NIST and cybersecurity framework guidelines I think is working. I think there are a lot of private sector that are currently adopting part of the executive order. It is going to get more of the Government using the NIST Cybersecurity Framework, but there is a lot of other cooperation going on between public and private sector as well. I think if WannaCry had happened 2 years ago, it would have been a much different story. Today, this time you had Government and the private sector coming together immediately within hours of the outbreak starting, sharing information, sharing indicators of compromise, and you ended up getting sort of a much, much better result. At Symantec, I know we take our Government and our private- sector relationships very seriously, most oftentimes focused on law enforcement. 
But that sort of private-sector industry and Government partnering, I think, really is the key to this. There is no government around that is going to be able to fight this problem alone and there certainly is no private company that is going to be able to fight this alone. Mrs. Blackburn. OK. Anyone else want to add something? Ms. Todt? Ms. Todt. If I may. So I had the privilege of working with NIST on the development of the Cybersecurity Framework, and one of the reasons why it continues to be so successful is it was developed by industry for industry, so then there is an approach that industry is then allowed to take to understand how to manage its risks. And I think one of the strong points of the executive order that President Trump released was the focus on risk management, and I think when you are looking for industry and Government to come together having that focus on risk management from a collaboration perspective helps to develop those standards. What we concluded in the Commission report was that the private and public sector should work together. When they don't work together we should create incentives and when those incentives don't work then we should interfere with regulation and other types of official standards. Mrs. Blackburn. OK, anyone else? Dr. Clancy, let me ask you. You talked a little bit about the Internet of Things and the connected devices. And of course we have a forum going on today, a showcase dealing with some of that. I want you to expand a little bit on the challenges of securing the IoT devices, especially the wearable technologies, and what would be some of the consequences of our failing to adequately secure IoT devices if you have 20 billion such devices connected to the internet in a few years, and what do you see that framework, those challenges? Dr. Clancy. Well, I think that IoT represents a breadth of different products and technologies. You have your internet-connected---- Mrs. Blackburn.
Right, let's focus on the wearable technologies. Dr. Clancy. OK. So with respect to wearables, I think some of the chief concerns are privacy of individual users. And we want to make sure that data that is collected from those devices and ingested into the cloud and used as part of whether it is some health app or some other service to consumers that that data remains private and isn't used to compromise the privacy of those that use that information. I think some of the challenges we have are that many of the devices are manufactured overseas. We have supply chain challenges and code quality challenges with the software that is in those devices and that results in devices that we don't know if are robust or not. Many times they connect through unlicensed WiFi devices and there are no strong credentials or authentication that can be used to provide real governance over those devices. There is no way to push out software updates, for example, in a deterministic way if there are vulnerabilities that are discovered. So I think those are some of the challenges that we face and particularly in the wearable space of IoT. Mrs. Blackburn. Thank you. Before I yield back my time I will, my colleagues across the aisle have mentioned Russia a couple of times. And I would just like to highlight that we have in times past tried to raise Russia and our concerns there is an issue and indeed with items manufactured offshore, I think Huawei. We did a hearing on cyber and Huawei and concerns with Russia and then even in the 2012 Presidential Mr. Romney raised Russia as a concern. I would also highlight with my colleagues we have privacy and data security legislation we would love to move forward on. We look forward to having them join us in working on these issues. And with that I yield back my time and recognize the gentleman from Pennsylvania for 5 minutes for questions. Mr. Doyle. Thank you, Madam Chair.
So as the threats we face continue to evolve and grow it seems that we not only need to step up our basic practices of cyber hygiene and best practices, but we need to look to the future. And the witnesses, all of you in your testimony, refer to the shortfall in the workforce for cybersecurity positions. I know that DARPA in 2016 had the Cyber Grand Challenge and they challenged researchers to create autonomous systems that could defend against cyber attacks. Actually, a team from Carnegie Mellon won that challenge, a victory that we are proud of in Pittsburgh. But I am curious. How does the panel see autonomous defensive systems addressing this escalation in threats and our workforce shortfalls? And we can just start at Mr. Wright and go down. Please. Mr. Wright. Certainly the shortage in qualified cyber personnel is a problem today. It is going to be a problem in the future. I think the more that we can move toward autonomous defenses the better off we are going to be. I don't think the technology is there today, but it is getting better every day. That type of innovation I know is a huge focus not just for Symantec but for other vendors as well. Mr. Doyle. Thank you. Mr. Yoran? Mr. Yoran. I think that there is great promise and certainly progress being made in autonomous defenses, a lot of work going on in the cyber domain around artificial intelligence. From my perspective, the key to success is to scale the talent that we have asymmetrically. Part of that would be through autonomous defense, part of it would be through other technologies which provide the limited number of network defenders to cover more ground. Dr. Clancy. I would agree with that. I think the major opportunity with autonomous defense is to act as a force multiplier for those human analysts who ultimately are making decisions about what defenses to deploy and how to manage them. We are seeing a renaissance of artificial intelligence right now with deep learning and early research.
Applying that to cybersecurity looks very, very promising. But that will help make existing analysts and cyber defenders more efficient, but they will always still need to be part of the equation. Mr. Doyle. Sure. Ms. Todt. I would like to just approach it from a little bit of a different perspective in the sense that from the workforce we look at the fact--what we heard on the Commission particularly is that there are two issues. The current workforce that we have isn't trained effectively for the skill sets that are needed and we also need to be bringing in additional individuals into the workforce. But this needs to happen while automation, AI, big data machine learning, are all being developed and so what we have to understand is that the culture of cybersecurity that is being created covers everything. And arguably, everybody is a part of the cyber workforce, so while developing that workforce we are also being able to invest in the innovation that can contribute to the autonomous defense that you mentioned. Mr. Doyle. Thank you. Let me ask the panel this also. You know, as we look to the range of threats by government, industry, institution to individuals, we acknowledge we all have a shared responsibility to defend and protect this infrastructure. So what role do you think ISPs can play in mitigating cyber threats whether it be a botnet, malware, or some other threat, do you think Federal agencies should have more authority to mandate either concrete steps or risk mitigation frameworks to ensure that these companies take sufficient steps to protect these networks if they are not doing it on their own? And for anyone on the panel. Mr. Yoran. Sounds like a dangerous question. I will take a stab at it. 
I think that there is an opportunity for service providers to differentiate themselves based on security service levels and we have seen a number of service providers take a very proactive approach to their security programs and offer security services and protective services as part of these packages and using it as a differentiation. When you get to a point of mandating security, I think you are on a very slippery slope and potentially dangerous scenario where the service providers don't necessarily own the applications. They don't understand the ways the systems are being used and what impact might occur if they choose to block certain types of traffic or not. So there is merit in further investigating the concept, I just think it should be done very cautiously. Ms. Todt. And I just would like to add, from the executive order this was one of the key issues that was raised and it was also something that created a lot of initial tension with the Commission to understand whose role, who is responsible for what. As Amit said, I mean this is dangerous territory and there was a lot of discussion and debate. But what the executive order lays out and I think what industry has said is essentially we need to come together to understand where the responsibilities lie and how to create a road map for moving forward. This is clearly an issue for collaboration between industry and Government. Mr. Doyle. Thank you. Thank you, Madam Chair. I yield back. Mrs. Blackburn. The gentleman yields back. Mr. Lance, for 5 minutes. Mr. Lance. Thank you. I promise no dangerous questions and you have all answered them very beautifully and very adeptly in my judgment. Dr. Clancy, you mentioned in your testimony that 5G technologies have the opportunity to close current cybersecurity gaps. Can you please expand on what these cybersecurity gaps are and how the industry 5G innovations can help close the gaps? Dr. Clancy. 
I think that as you look at the shift, the technology shift that has happened as we move from the 3G and 2G core network infrastructure to the 4G core network infrastructure, we have moved away from the old circuit-switched technology and into all IP-based cell phone backhaul and backbone. This is creating a range of new opportunities for new technologies and new services that can be provided through this infrastructure and it also exposes much of the cellular infrastructure to the same sorts of risks that you face on the internet. Before, we had a closed circuit-switched network that was isolated from the internet; now the barrier between the internet and the cell phone core infrastructure begins to get blurry because of the structure of the 4G infrastructure. 5G actually blurs the line even further with technologies like edge computing, a cloud-based Radio Access Network technology. However, these are new tools in the toolbox that could be used to construct a better set of layered cyber defenses on behalf of subscribers, but we still haven't yet from a research and standards perspective really figured out how all of that will fit together. Mr. Lance. Thank you. Mr. Yoran, as we saw with the attack last year, unsecured Internet of Things devices can pose a threat to the other areas of the internet ecosystem. With billions of IoT devices expected to come to market in the coming years, it is essential that this vulnerability be addressed. Do you see the NIST Cybersecurity Framework as the best approach to address Internet of Things security? Mr. Yoran. I think the NIST Cybersecurity Framework is probably the best place to begin the dialogue around Internet of Things security. At the end of the day, we have to take a holistic approach to cybersecurity. We can't look at mobile devices independently, we can't look at wireless networks independently or Internet of Things independently. These things are completely intertwined.
Internet of Things most frequently rely on wireless networks for their communications so they have to be looked at. And I think the most important thing from my perspective that the Cybersecurity Framework pushed toward was taking a risk-based approach, because no use of technology is risk-free so understanding it from a risk perspective is really helpful.

Mr. Lance. Would anyone else on the panel like to comment?

Ms. Todt. Just a quick comment. That is one of the issues that was brought up also in the executive order and from the Commission which is to bring together, as Amit said, bringing together industry and Government based off of the platform. So I think there is motion already in place at NIST to move forward with this to be able to create a set of standards that industry creates for itself.

Mr. Lance. I couldn't agree with that more in that industry is often ahead of us in Government and we want to work in a cooperative way. But my belief, based upon the last 20 years, is that we are innovative because of the way we have approached this and certainly we want the United States to continue to be the innovative center of the world regarding these matters. I represent a district that is very heavily involved in technology and in the internet and we want that to continue. We don't want to lose leadership to some other place around the globe. Thank you, Chair, and I yield back a minute.

Mrs. Blackburn. And we will take it. And Mr. McNerney, 5 minutes.

Mr. McNerney. I thank the chairwoman. Ms. Todt, in your written testimony you talked about the world where first to market overrides secure to market. Would you agree that we are currently faced with a market failure since those who buy and sell insecure devices now have to bear the full cost of those devices?

Ms. Todt.
So I think you have asked a question that is really at the crux of the IoT debate, because as long as we are pushing out innovation without any security guidelines or boundaries we are in this second phase. A colleague of Mr. Wright's at Symantec was part of the NSTAC report who talked about this first 18-month window that we have passed on the proliferation of IoT devices. And where we are now is that we heard from, in one of our Commission hearings, the CIO of Intel who said we want regulations and standards around IoT devices because we can't possibly compete in this realm where you have small businesses pushing out the innovation. So we have to think thoughtfully about incentives, penalties, and being able to truly develop secure by design, which is unfortunately becoming one of those terms that is losing its meaning because it is such a common term. But the idea of building security in and having to build software and hardware to certain standards around security has to be a priority right now with, as we have heard, all of the statistics the proliferation of IoT devices that is only going to increase.

Mr. McNerney. Well, you sort of answered my follow-up question already which was I proposed legislation that would require cybersecurity standards to be developed for the devices and for the devices to be certified to meet those standards. Would that help decrease the threat?

Ms. Todt. So I think it actually connects back to an earlier question which is how do we build out the IoT standards? And I would offer that where we have seen such success with the NIST Framework is the fact that industry and Government have worked together and so really looking at that collaboration first and foremost and then being able to inform any legislation. I think the sequence of that is important because we learn from what industry has done and we have to come together to then develop the standards that you reference.

Mr. McNerney. OK, thank you. Mr.
Wright, Symantec's Internet Security Threat Report points to a growing number of attacks on IoT devices. Would requiring the IoT devices to meet baseline cybersecurity standards help decrease that threat? Is your microphone on?

Mr. Wright. It certainly would be something to look into. I also agree that the NIST Cybersecurity Framework is a good place to begin a lot of those discussions. IoT is a little bit strange. The consumer isn't really playing the role of demanding secure products at this point. Some of that could be around awareness. Thirty-six percent of the devices that are being manufactured and pushed out there right now have a default password of ADMIN. Some of these are very simple fixes. I think when the consumers are armed and aware of the dangers they have a better chance of driving some of those markets.

Mr. McNerney. Well, although the WannaCry ransomware attack was not the result of insecure IoT devices, I am curious about what lessons we can apply from the attack to IoT device security. How susceptible are IoT devices to ransomware attacks?

Mr. Wright. So we have seen some preliminary more like research around IoT. We did a research project where a smart TV was hacked in ransomware. Like I said earlier in my testimony, criminals are looking for ways to monetize these attacks. They are only bound by their imagination and it is a matter of time before they are able to figure out how to monetize ransomware attacks on devices, on IoT devices.

Mr. McNerney. Well, is there a way that an IoT security or insecurity could result in physical harm?

Mr. Wright. Certainly. IoT devices that are infected can have real-world consequences, absolutely.

Mr. McNerney. And just to explain, how come it is difficult to patch IoT devices?

Mr. Wright. Well, a lot of times these are being shipped out without any possibility of sending out firmware changes. In fact, most of them cannot receive patches or updates.

Mr. McNerney.
So could we, in your opinion, rely on voluntary IoT device security from the manufacturers?

Mr. Wright. Well, I do think this needs to be sort of a consensus-driven standard. We need to have private sector involved. We need to have Government involved and sort of find that middle ground, otherwise it is not going to work. I will point out one thing. The Mirai botnet that we were discussing today, those devices were not manufactured in the U.S. but rather the vast majority of them were manufactured overseas, specifically in China.

Mr. McNerney. OK. Before I yield I just want to say I appreciate Ms. Todt's remark that Government does respond well but needs to do prevention better. Thank you. I yield back.

Mrs. Blackburn. Mr. Shimkus, you are recognized for 5 minutes.

Mr. Shimkus. Thank you, Madam Chair. And this is an excellent hearing. I do want to thank you all for coming. This is like an arms race. And the reason why I have always enjoyed this committee is that, you know, technology moves faster than we can regulate, hence it is very successful. Well, and that is part of this debate. I mean, do we do Federal standards and really almost slow up the ability for expansion and new applications or, and so that is why I think most people are talking about consensus-based working with the sector, because if we don't we will trip over ourselves and we will slow applications, we will slow development. And that is why I think you see us kind of doing this little kabuki dance between the sides because it is just a very exciting, but there is a lot of dangers out there and people are going to take as was just said, you can't control what the bad actors are going to try to do to get access. But I also appreciated the comment that for a manufacturer or a provider they can, having secure information is marketable and should be, they could market it as a premium for the services they are providing and I think we have some businesses here that wrap around this.
I think the average individual, we understand having a security office in a corporate setting and probably a sub under the security is data security and obviously, you know, this wireless technology and all these things as a subsection. So when we hire, when you are looking for a computer programmer to go in cyber, in the cyber world, what is a new engineering computer programmer, what are they going to be doing? I am sure there is a plethora of things, but I mean are they just going to be sitting at a screen watching interactions and trying to pick out and identify an attack? I mean we have all been in, I have been in nuclear, you know, power plants. I have been in data centers. I have been with screens all over the place. Is that what they are doing? Is that what a computer programmer in cybersecurity ends up doing? Mr. Yoran, do you want to answer that?

Mr. Yoran. I will take a crack at it. In my experience, the best cybersecurity professionals are the ones that just show a tremendous amount of intellectual curiosity in what they are looking at, and sometimes it comes through formal training and discipline and frequently it doesn't. It is usually not the analyst who is sitting behind a screen watching logs go by and trying to pick and choose which one to dig into that is going to make the difference or that is going to scale our industry. If I could, I think the comment that you made and the Congressman from California are, I won't say two sides of the same coin, but they point to this foundational question of, you know, is there a market failure and what can and should Congress do about it. And from my experience, I think it would be hard to argue that a market, you know, we are not at a point of market failure, everything from, you know, the election to the hack that you see in every newspaper or news distribution point, even real news distribution point on a daily basis.
In order for free markets to work you have to have an educated populace and you have to have a high degree of transparency and I think in the cyber domain we lack that transparency. There is a general lack of appreciation for what the threat environment looks like. There isn't a consistent understanding of what good cybersecurity looks like, what is working in our domain. There is a lack of transparency when breaches occur outside of ones that impact PII. And so there isn't a common appreciation for what is not working and also I think what is at stake and what is at risk in using various products. So I think that there is a role for Congress to play around helping to raise awareness and create greater transparency.

Mr. Shimkus. Let me go to just Dr. Clancy real quick because my time is running out. When we travel, which we as Members get a chance to do, we are visiting troops, many times we are asked to leave our computer at home and we are given a little dinky one to be able to continue to communicate. How are we, how secure is the U.S. wireless system versus places else around the world?

Dr. Clancy. I would say the United States has the most secure wireless infrastructure in the world. I think the things that lead to insecurity in other countries' networks have to do with deployment and use of old technology, a workforce that is managing those networks that is not aware of the latest threats, and the influence of authoritarian regimes over state-owned telecom infrastructure providers in many of those countries.

Mr. Shimkus. Thank you very much. Thank you, Madam Chairman.

Mrs. Blackburn. Ms. Matsui, you are recognized for 5 minutes.

Ms. Matsui. Thank you, Madam Chair, for having this hearing and I thank the witnesses for being here today. Wireless technology and connectedness and of data and information have huge potential to move us forward in a variety of industries. Ms.
Todt, you mentioned in your testimony that you recently had blood work done and were told the only way you could access the results was by downloading an app on your smart phone. I see both potential for good and for danger in this situation. It may be much more convenient for you to receive your test results visually on your phone rather than via snail mail or fax or a phone call. This could result in you acting on that information in a more timely or consistent manner, potentially improving your health. However, that also means that your data is potentially vulnerable. We saw the risk with the recent malware attacks that brought down hospital systems. Without access to the information that the doctors and nurses relied on to treat their patients they could no longer do so effectively. Our healthcare system is uniquely at risk of attacks. Most professionals who go into the healthcare field often including administrators don't have a cybersecurity background. We need to work to ensure that our healthcare providers have the technological infrastructure and workforce to manage the complex data that they need to best serve patients. Last week, the Department of Health and Human Services released its Healthcare Industry Cybersecurity Task Force Report. Among other things, the report recommended executive education about the importance of cybersecurity. Ms. Todt and any of the other witnesses, what recommendations do you have for developing cybersecurity leadership in industries such as health care?

Ms. Todt. Thank you. I am now convinced given what the chairman said that I was one of the 100 million that got my healthcare records breached last year, but that is something else for me to figure out. I think that what you ask is a great question in relation to also the other questions that have been posed around IoT and workforce, because we tend to think of cybersecurity workforce as those with the engineering degrees.
But what we have to understand in the workforce that we are creating is that everybody has to be educated on cybersecurity. This is not an expertise; it crosses every enterprise. And arguably, I would think that human resources professionals, those who are hiring, have to have a baseline level of knowledge. The other issue is that when you are a manager you have to be trained in cybersecurity so that you know what you are doing regardless of whether or not your function is cyber related. And I think enterprises need to be looking at cybersecurity education the way, as an onboarding process, the way they look at ethics and integrity and basic company protocols and procedures. We have to be incorporating cybersecurity awareness and education from the ground up to create this culture and I think that this is something as we move forward to emphasize. The other issue that this is more of a technical response but we talk about the education of user awareness. From a technology perspective while we are educating the consumers and the individuals and industries and enterprises, we also need to be thinking about moving security away from the end user from an innovation perspective.

Ms. Matsui. OK. Thank you very much and let me move on to Dr. Clancy. Dr. Clancy, according to one study, none of America's top-10 computer science programs as ranked by the U.S. News and World Report in 2015 required graduates to take one cybersecurity course. Three of the top 10 programs didn't offer an elective in cybersecurity. But with the rise of cyber attacks and security breaches in our networks and the shortage of cybersecurity professionals, it is imperative that our students graduate with the course work needed to be able to tackle security issues. Dr. Clancy, how can Congress encourage our colleges and universities to prepare students either through expanding courses, hiring more faculty, or other innovative solutions for careers in cybersecurity?

Dr. Clancy.
So I think the reason you may see that in some of the top-ranked programs is it is the traditional academic culture that cybersecurity is a buzz word and is a fad, and myself and others in academia are working very hard to convince them otherwise that this is a fundamental problem that is going to be with us indefinitely. I think there are a number of programs that are very positively impacting this ecosystem to include NSA's Centers of Academic Excellence program and the CyberCorps Scholarship for Service program. While the CyberCorps program provides scholarship money for students to pursue careers in Government upon graduation like a cyber ROTC program, the funding helps the university establish a platform that can educate students in cybersecurity who go into many different careers, not just into Federal Government. We saw that directly at Virginia Tech as part of our receipt of a CyberCorps grant. I think more initiatives and further investment in programs like that is a great place to start.

Ms. Matsui. OK, thank you. And I have run out of time, I yield back.

Mrs. Blackburn. Mr. Olson, you are recognized.

Mr. Olson. I thank the Chair and welcome to all of our witnesses. Mr. Yoran, thank you, sir, for your service to our country in our United States Army, West Point graduate. Heartfelt congratulations as well, because with assist from Temple for the first time in 15 years your Navy beat my Army in football. Bravo Zulu. Your testimony talks about elastic attack surface that includes a growing number of information technology devices. Being the vice chairman of the Energy Subcommittee, I worry about cyber attacks on our power grid. December 23rd, 2015, 230,000 people in the Ukraine were without power for 1 to 6 hours, a cyber attack likely coming from Comrade Putin in Russia. It was very low tech. They simply remotely flipped some switches.
What kind of advice does your company provide to critical infrastructure companies in our electric grid regarding how to best protect their systems for cyber attack?

Mr. Yoran. Thank you, Congressman. I think that is an ongoing challenge. As early as last night, the US-CERT program issued additional warning and guidance to energy and critical infrastructure companies around the Crash Override piece of malware which is affecting power companies around the world. From a security perspective there is a great challenge in that industry in that the systems are incapable of being updated or there is tremendous risk in updating those systems which, unlike our mobile phones or desktop PCs, have a life span measured in decades. From a best practices perspective these organizations have historically left those critical networks in the standalone state, but increasingly they are interconnected. We offer technologies and other companies offer technologies that help monitor these networks on a passive basis, so without introducing additional risk, additional packets, or probing those networks you can see what they are vulnerable to and you can create a series of compensating controls to protect those systems from internet compromise.

Mr. Olson. Also you brought up artificial intelligence. And as a co-chair of the recently launched Artificial Intelligence Caucus, I believe it is important that we use cybersecurity technology to complement the work of the talented human brains that make this happen. We know that technology alone won't solve the cybersecurity issues we have, but can you elaborate on how leveraging this technology for the growing AI field will work do you think, cybersecurity in the AI field--or Mr. Wright, Dr. Clancy, Ms. Todt? Somebody want to take that? It is not a bomb, not a grenade.

Dr. Clancy. I am happy to take a stab at that. I think the DARPA Cyber Grand Challenge that we saw last year is an example of a first step in being able to accomplish that.
As I mentioned earlier, I think that AI will become initially a tool that helps analysts do their job more effectively and more scalably to deal with the growing threat and larger and larger amounts of data. There is an AI renaissance that is happening, right. There are fundamental advancements that are happening that are completely changing the world of image processing and search that Google and others are leading. And I think there are many in the cybersecurity community that are hoping that those technologies can be applied to the cyber problem, but that is still an early research area that many people are sort of feverishly working on right now in academia.

Mr. Olson. Ms. Todt, you look like you are chomping at the bit to comment. Am I reading that wrong?

Ms. Todt. Just in support I think that we need to be investing obviously in innovation. I was on a panel with somebody who used to work at DARPA who essentially talked about the fact that there are functions that really aren't meant for humans and that our ability to automate and make those functions more capable through super-computing will help our systems work more effectively.

Mr. Olson. One final question for you, Mr. Yoran. We are seeing an explosion of free WiFi hotspots all around the country, whether they are there at the corner coffeehouse, the Starbucks, the airport, the airplanes you mentioned; heck, the Mr. Carwash right down the street from my house. My daughter and wife go there all the time. It has a free hotspot just for the 20 minutes you are there. Do they offer unique challenges to safeguard? If so, what should be done on the network side as opposed to the user side?

Mr. Yoran.
Well, I think the most important thing is to recognize that whether you are going to a public hotspot or you get fooled into connecting to a rogue hotspot or you are connected to a corporate network which is already compromised and frequently is, the most important thing that you can do and that organizations can do is better assess the vulnerability and exposure of their systems and make sure that they are applying the latest patches and they don't fall victim. A vast majority of the attacks that we see come from well-known, well established vulnerabilities to which patches are readily available.

Mr. Olson. Good luck, Army. I yield back.

Mrs. Blackburn. Mrs. Dingell, you are recognized.

Mrs. Dingell. Thank you, Madam Chair, and thank you for doing this hearing and to all of the witnesses. There are so many questions. Cybersecurity is something that should concern all of us. And as somebody who has been hacked more than anybody would want to be I can tell you it is a pain to have to change your password and switch to two-factor authentication and worry about personal information being compromised. I think what--and not even what I prepared--what is really worrying me is some of the factoids that you have raised here today. I think one of the issues is training people. Even when you have trained IT people and you go to them and you ask a question--ask John Podesta, myself have done this--``Should I do this?'' And they say, ``Oh yes,'' and then it turns out not to be the right thing. I think I got one last night that I have now been burnt so much I was smart enough to wait and talk to somebody today. And I really worry about, as we start to talk about autonomous vehicles, as an example, if people don't--how are we going to make sure patches that need to occur occur, and when they don't, even when we look at the health care, what happened on the health care situation, there were simple patches available that users aren't using. How do you legislate that?
These are real issues. But for these 5 minutes, which are now down to 3 minutes and 45 seconds, let's talk about mobile phones, which as you said, Mr. Wright, are basically super computers we have in our pockets. Our phones are always by our sides. We store our most intimate and personal details in them. And it is happening now and in the near future people are going to be locked out of their phones and in turn will be locked out of personal, social, financial information. That is a new experience for everyone. We are going to see this high level of hysteria, and we have got to pay attention to it. So this question is for the entire panel. Ransomware is now available as a service making it incredibly easy for criminals to carry out an attack. What can Government do from a policy perspective to increase barriers to entry and the cost of carrying out ransomware attacks, and do you think the threat of a ransomware attack on a mobile device will only continue to increase if the Government doesn't do something, any of the panel?

Mr. Wright. I can start out here. Starting with your last question I think that mobile ransomware will probably increase no matter what is done. Again the criminals follow the money and right now your handheld computer is where that money or where that data is. When they can figure out how to monetize locking up that phone or encrypting that data on your phone enough to the point where you will pay to get it back, then in that case mostly not get the data back, they will exploit that.

Mr. Yoran. I don't think any of us are comfortable with the state of security on mobile phones, but I think a lot of progress has been made. A lot of lessons have been learned in the--some have not, but a lot of lessons have been learned in the mobile domain from decades of mistakes and accidents in operating systems and in compute platforms from the desktop paradigm.
So I am confident that we will see an increase in ransomware no matter what is done on mobile platforms given how attractive they are as a target, but I think the industry is making progress to make that more and more challenging over time.

Dr. Clancy. I think that if you look at ransomware it is leveraging the same vulnerabilities that people have used to exploit mobile devices for the last decade. So continued work to make sure patches are deployed and apps are updated is critical to closing the front door, if you will, to ransomware. I think other areas that are somewhat unique to ransomware have to do with educating users about the importance of backing up their data so if they are a victim of ransomware attack they are able to recover their data. Many cellular providers offer free services to back up your data on your phone to the cloud and consumers need to take advantage of that. Secondly, I think there is really the forensic and law enforcement side of being able to follow the money and be able to take down the ransomware networks which is increasingly difficult with the rise of bitcoin and other cryptocurrencies, but that is perhaps a larger question.

Ms. Todt. I think ransomware represents sometimes a little bit of the flavor of the day in that we have these problems that continue to evolve, but the solutions for them are the same when we look at WannaCry which was, you know, essentially not updating with patches that are there. So it is a lot of the cyber hygiene that we have talked about and the regular download. I think it is also important, you raise an interesting element to this which it is often important to remember that attacks and when data is compromised or manipulated it is not usually because there is some engineering expertise or genius, it is really about opportunism and being able to access and exploit that opportunism.
And so that is why education, backing up, all of those very basic actions can really cover about 80 percent of the solution.

Mrs. Dingell. I had more questions, but I am out of time. Thank you, Madam Chair.

Mrs. Blackburn. And we will give the opportunity to submit those questions in writing. Mr. Johnson, you are recognized, 5 minutes.

Mr. Johnson. Thank you, Madam Chairman. Mr. Yoran, in your testimony you note that there is a shortage of skilled labor in the cybersecurity workforce. How acute is that shortage? Has it manifested itself in your company? Do you have a problem hiring those kind of people in your own business?

Mr. Yoran. That is a great question. It is extremely competitive to hire experienced cybersecurity professionals. The compensation is great and as they continue to gain experience, you know, their expectations continue to rise.

Mr. Johnson. On the technical or the strategic side, because I mean there is a big difference between people that understand what cybersecurity is and those people that can get down to the ones and zeros and kind of do the technical wherewithal to find out who the bad guys are.

Mr. Yoran. I think there is really a shortage on both fronts, which is why I think the importance of Dr. Clancy's comments around the multidisciplinary approach to cybersecurity. What we found is in addition to compensation there are two other critical aspects to attracting and retaining cybersecurity talent. One is in providing them intellectually stimulating work. It is an exciting field and if you don't give them exciting problems they will go elsewhere to find them. And the other is in creating a culture that is dynamic and one that is enjoyable to be part of.

Mr. Johnson. OK. Do you think we have the same level of expertise shortage in finding skilled workforce in Government agencies or departments? Is it worse, the same?

Mr. Yoran. I don't know that I have the data in front of me to comment whether it is worse or the same.
I do know that a tremendous amount of expertise in the private sector starts out getting its experience in public service which is costly to the Government in terms of losing that talent, but I think it provides tremendous value to the private sector in terms of the level of maturity and understanding of very sophisticated cyber threats.

Mr. Johnson. OK, all right. Thank you. Dr. Clancy, what a name for a topic like cybersecurity. And if your first name was Tom you would be----

Dr. Clancy. It actually is.

Mr. Johnson. Yes. I would consider changing it if I were you.

Dr. Clancy. No, no, seriously, my name is Tom Clancy.

Mr. Johnson. OK, all right. Will the real Tom Clancy please stand up?

Dr. Clancy. I go by my middle name Charles. It causes too much confusion.

Mr. Johnson. Well, Dr. Clancy, how soon should we expect biometric tools to supplant the traditional PIN and password approach to device security?

Dr. Clancy. So biometrics have offered a tremendous opportunity to fundamentally change how we authenticate people. I think there are still challenges. The joke in the biometrics community is that if I am using a fingerprint as my password I can only change my password nine times before I run out of fingers. So there are some challenges there. If your fingerprint data is compromised because it is stored in a database then your credential is sort of irrevocably lost and you can't change it like you can change a password.

Mr. Johnson. So in that regard then, in that vein do you think biometric tools are going to make us more secure or are we going to happen upon the same kinds of problems that we have now if we file them away?

Dr. Clancy. I believe that biometrics will be a critical part of multifactor authentication. If combined with a password and a mobile device, right, you can fuse these things together in order to significantly improve the security of a particular authentication to some online service.

Mr. Johnson. All right.
Secondary question, do you think it is right to think of every connected device as a potential vulnerability and, if so, what freedom or flexibility should network operators have to promote security when device owners fail to do so? And I guess we are sort of getting into the Internet of Things, you know.

Dr. Clancy. Certainly. So the internet service providers have an increasingly challenging time. Because of the rise of technologies like end-to-end encryption, it is very difficult for internet service providers to tell the difference between a botnet command and control packet or a standard IoT web service traffic just because they don't have the visibility that they would otherwise have. So I think that that creates problems for them that makes it a challenge for the entire ecosystem, where you need the IoT service providers and the device manufacturers and all of them to come together to come up with a common solution for securing IoT.

Mr. Johnson. OK. Ms. Todt, I apologize. I had a question for you but I have run out of time. Madam Chair, I yield back.

Mrs. Blackburn. Well, we will also let you submit that question in writing. OK, Ms. Clarke, you are recognized for 5 minutes.

Ms. Clarke. Well, thank you, Madam Chair. The FCC just announced the newest members of the Communications Security, Reliability and Interoperability Council, a council established to make recommendations about the security, reliability, and resiliency of our communications systems. But as I have reviewed the names of the new members, I am disappointed to see a lack of cybersecurity expertise on the council. As the author of the Cybersecurity Responsibility Act, my bill makes it clear that the FCC has a role in ensuring our commercial sector has protections in place to secure our communication networks from malicious cyber attacks. So Ms. Todt, what role do you believe the Federal Government, in particular the FCC, has in protecting our Nation's communication networks?

Ms. Todt.
Well, I think again we can look to the executive order that was released by President Trump in May which specifically calls out the FCC as having a role in protecting the communications infrastructure and working with the secretary of commerce and the secretary of the Department of Homeland Security to initially look at that botnet mitigation, but then also looking at clean pipes and where that goes. And so clearly, I think the Government, the executive office as well as industry, believes that there is a role that it needs to play. Ms. Clarke. So then it would be prudent to have some cybersecurity expertise on this council, wouldn't it? Ms. Todt. That would appear to be the case, absolutely. I don't know who those individuals are, so I don't know if they have them in any---- Ms. Clarke. Just generally speaking. Ms. Todt. But I would say, I mean, this is the issue, the broader issue, is that we have to be bringing cybersecurity expertise into all of these areas and that we have to be looking for that because that knowledge and that expertise has to be informing our policies, because they don't even have to be cybersecurity policies but they have an impact. Ms. Clarke. Absolutely, thank you. Dr. Clancy, as part of Congress' resolution of disapproval that overturned the FCC's privacy protections, Congress also stripped away consumers' data security protections. As I noted before, my bill, the Cybersecurity Responsibility Act, would ask the FCC to take some action, any action to protect our networks. Did Congress' rollback of these data security rules do anything to make America's personal information more secure? Dr. Clancy. So I think the rollback of the cybersecurity provisions in the FCC rulemaking from 2018 was, actually happened before Congress acted, right. The FCC removed those provisions and stayed those portions of the regulation, and then ultimately Congress rescinded the entire order which was focused more on the privacy aspects of that rulemaking. 
Of course the state of rationale was that it was inconsistent with the Federal Trade Commission's view of privacy and opt-in versus opt-out when it comes to consumer privacy. I don't know that I am in a position to declare whether opt-in or opt-out is a more appropriate way to protect consumer privacy, but I think it represents some of the regulatory challenges we have in asserting that one particular regulator has authority over a very complex ecosystem. Ms. Clarke. Or the question was more about security. And just looking at the ecosystem, if you sort of strip those or rollback those security rules, we are trying to figure out whether people's personal information it becomes, did we open up vulnerabilities? Let's put it that way. Dr. Clancy. So based on my experience working with the cellular industry and some of the major internet service providers, the big companies are already doing those best practices. The large ISPs, the large wireless carriers are already doing that. Where the gap is is the smaller and more rural internet service providers and the more niche wireless carriers who don't have as much infrastructure or resources themselves to deploy those best practices. Ms. Clarke. Yes. So when there is a vulnerability even in the smallest of these providers, doesn't that open up opportunities to get at grander---- Dr. Clancy. Certainly, it does given the interconnectedness of the different telecom providers. I think what we are seeing in industry is strong collaboration though, with the big guys looking out for the small guys and doing what they can to help quickly remediate through information sharing that was really accelerated by the past---- Ms. Clarke. Anyone else have any thoughts on that? Ms. Todt. I think the supply chain is a huge issue and even if you are sharing those practices we have to be looking at baseline level of standards. 
And I think that you are, oh, it is always going to be the weakest link and we have to do a better job within our sectors of actually informing and helping to share those best practices and lessons learned. One of the things that we have learned is that small businesses across sector have a lot more in common with each other than the small businesses and the large businesses within their sector and there is a lot of evidence right now around that. And so being able to look at this more thoughtfully and I think it goes again to this issue of collaboration and pre- event planning would be the actions that we need to be taking. Ms. Clarke. Very well. Madam Chair, I yield back. Thank you. Mrs. Blackburn. And Mr. Bilirakis, you are recognized for 5 minutes. Mr. Bilirakis. Thank you, Madam Chair. I appreciate it so much. And I appreciate your testimony today. As more IoT devices enter the market industry has seen a rise in tech support scams, unfortunately. Symantec's 2016 Threat Report found a 200 percent rise in tech support scams in a 2-year period. With these types of threats the best defense is with the end user. Mr. Wright, how can an end user distinguish between a legitimate help desk and a tech support scam and can you describe how Symantec has responded to the increased threat? Mr. Wright. Yes. So these types of social engineering attacks as you just mentioned the tech support are particularly vexing. They depend on the consumer to somehow be able to intuit or to understand whether or not they are being, whether they are being scammed. There is not a lot of sort of technology that can fix that. A lot of it comes back to raising awareness of the user of what those threats could be, those users being more careful and perhaps having a more keen eye on to pick up signs. But it is a very, very difficult problem when it comes down to the user themselves. Mr. Bilirakis. Yes, thank you. 
For years people have been told to check for the https identifier in their browser before accessing personal websites such as for banking or health care. Mr. Wright again, your 2016 Threat Report states that relying on the https marking provides a false sense of security. Can you expand upon that? Mr. Wright. I am sorry? Mr. Bilirakis. Your findings. No, let me say it again. Your 2016 Threat Report states that relying on the https marking provides a false sense of security. Can you expand on that finding? Mr. Wright. I know that https is more protected, but I am sorry I cannot sort of expand on the Internet Security Threat Report piece there. I am not prepared for that. Anybody on the panel have---- Mr. Bilirakis. OK. Can maybe anyone else on the panel? Yes, please. Dr. Clancy. So https implies that the session is authenticated and encrypted, but the concern is to whom you are authenticated. There are many scams that can change a letter in the name of the domain name such that you wouldn't notice the difference but could still present a secure credential to you as a user. So I think https is a first step, and if you don't have that then you definitely need to be concerned. You need to look at the spelling of the domain name to make sure that it is spelled accurately and there aren't strange characters in there, that those are the sorts of things that undermine the security of simply looking for the https. Mr. Bilirakis. Any other suggestions? OK, thank you very much. Let's see, I still have a little time. Mr. Wright, according to Symantec 2016 Threat Report, the Apple iOS system faced its first widespread threat with the XcodeGhost attack. This malware has infected over 4,000 apps which leaves unsuspecting devices vulnerable. In response to cyber threats success largely depends on speed of response. How has industry responded to threats via apps since it first took hold in 2015 and have efforts met the success? Mr. Wright. Yes, good question. 
So apps certainly represent a potential threat vector especially for mobile devices. I would say that Apple has done a pretty good job making sure that malicious apps are not included in their app store. Android is doing a better job at trying to ensure that their apps aren't malicious. So those two providers I think have come a long way. Apple has always been pretty good, but the other provider has come a long way. In addition, there is some security solutions to this. Not plugging Symantec, but we do produce technology that can scan for apps and look for possible malicious apps or grayware apps which sometimes can leak information. So there is a technology solution, and then also the providers are doing a lot of work in that area as well. Mr. Bilirakis. Anyone else want to add something? I know I only have 15 seconds. OK, very good. Thank you, Madam Chair. It is a very informative hearing. Thanks for calling the hearing. Thank you. Mrs. Blackburn. Thank you. Ms. Eshoo, 5 minutes. Ms. Eshoo. I thank the chairwoman and I thank all the witnesses. I think you have given very important testimony. First of all, to Mr. Wright, I am very proud to represent Symantec. Mr. Wright. Thank you. Ms. Eshoo. I have had a long, long, long-term relationship going back to the days of John and how he really helped build a new Symantec and you keep going and you are a real asset to the country. And to Mr. Yoran, you get the prize for the best dressed before this subcommittee every time you come. One of the members said, do you think he lost his suitcase? I said, no, he hasn't lost his suitcase. That is his tuxedo for this committee. There has been a lot of discussion about a lot of things here. The title of the hearing is Cybersecurity Risks to Wireless Networks, but this is an entire ecosystem. And I think we have made real progress in many areas and I think that obviously we are lacking in others. 
I want to thank Symantec for working with me on the legislation that I mentioned in my brief opening statement. But I want to go to something else first and then a question to each one of you. Last year the FCC put into place data security rules that apply to wireless carriers as part of its privacy proceeding. And Dr. Clancy, you just gave some kind of, I don't know really what it was, but I am going to find out more, press you for more. These rules asked ISPs, really, something very simple and that is to take, quote, reasonable measures, reasonable measures to protect consumer data. Now there was the monetization of information and the monetization of attacks that has been brought up by more than one panel member this morning. Do any of you think that the FCC went too far in asking ISPs to act reasonably to protect consumer data? There is a little bit of, if I might suggest this, politically cross-dressing that is going on here, because the Congress ripped away all privacy protections on the internet and that is on the computer that I have in my purse. That is for everyone in the country. So we are talking about, I think cybersecurity is all about privacy. It brings about privacy. So maybe a yes or no to each one of you, and if you don't know, then say that. Do you think the FCC went too far in asking for reasonable measures to protect consumer data? I am going to start with---- Mr. Wright. So I will have to say I don't know too much about that---- Ms. Eshoo. OK. Mr. Wright [continuing]. Specifically, but I will say, you know, it appears to be reasonable to protect user data. Mr. Yoran. I can't comment specifically to FCC's issue, but reasonable does sound reasonable. Dr. Clancy. Indeed. I mean it was a complicated set of circumstances, but---- Ms. Eshoo. What is so complicated about it? What is complicated about it? I have it right here what they put forward. They are really simple things. Dr. Clancy. Reasonable is reasonable. Ms. Todt. 
I will ditto my colleagues. I mean, reasonable protections are reasonable. Ms. Eshoo. I think what I would like to do in writing, because I don't have time for it, is to ask each one of you so you can be prepared for it, what is your top line recommendation to the subcommittee relative to cybersecurity in our country? Just one thing, top line, from each one of you. You are all experts and I will look forward to sending that to you and getting your responses. Thank you for what you are doing for the American people. I appreciate it. Mrs. Blackburn. All right. Let's see, Mr. Flores, you are recognized. Mr. Flores. Thank you, Madam Chair, and I want to thank the panel for being here today. Ms. Todt, unlike other types of crimes, when we talk about cybercrime we always seem to focus on the need to protect against the attacks rather than prosecute the bad actors. And can you tell us what the Federal Government is doing to actively work on cybercrime attribution and also what are the limitations of trying to track down our cyber adversaries? Ms. Todt. So right now I believe the executive order has laid out--I am not as familiar with the criminal angle. I know we worked with the Department of Justice with the Commission on being able to look at malicious actors and where the crime plays a role, and I think one of the key things that a lot of the commissioners talked about is you have to have penalties for those bad actors. But I apologize, I can't talk extensively, but I am happy to get back to you with an answer in writing. Mr. Flores. OK, yes. If you could do that, that would be great. Dr. Clancy, in your testimony today and from testimony across the panel it sounds like we have got a skills gap when it comes to protecting ourselves from cybercrime. And of course in order to fill the pipeline we are going to have to be able to get our educational institutions to produce the people resources to be able to do with this. 
I represent three world-class universities back in my district, Texas A&M University, Baylor University, and the University of Texas. What could the Federal Government be doing to help ensure that pipeline is filled with quality skilled individuals? Dr. Clancy. I think that most of the efforts to date have focused on the tail end of the pipeline. Mr. Flores. Right. Dr. Clancy. Getting students out of college and into jobs, I think the pipeline starts much earlier than that. Mr. Flores. Exactly. Dr. Clancy. When students are coming into college they need to want to major in cybersecurity and more broadly in STEM fields, so I think additional initiatives that are focused on the K-12 outreach and engagement to bring cybersecurity down to the middle school level or even sooner, just basic digital hygiene at the elementary school level would be a great starting point and build up from there. If you want to build a pipeline you need to start at the beginning. Mr. Flores. OK. Now Mr. Yoran, you and I both have business backgrounds and I mean you hire a lot of these types of individuals. What would your key recommendations be? Mr. Yoran. I think it is important for employers to look for the intellectual curiosity around cyber. And as Dr. Clancy said earlier, you know, I think you have to start at an earlier age and part of it may be through cyber hygiene. I know I could talk to my kids about cyber hygiene and they still don't apply their patches, so I think we have to find things that are more interesting, more intriguing ways of creating excitement and creativity around cybersecurity education. Mr. Flores. OK, thank you. Dr. Clancy, you mentioned the need for the Federal Government to continue to act as a convener and to set priorities based on its unique knowledge of cyber threats, but for national security reasons the Government doesn't always share the full extent of its knowledge of those threats. 
How significant is this limitation and how can Congress be helpful in encouraging more transparent threat intelligence sharing? Dr. Clancy. So I think from a convening perspective, groups like the FCC CSRIC organization is a great way for the Government, for the Federal Communications Commission, to sort of set priorities and identify areas of concern and work collaboratively with industry to identify solutions. I think that that goes to a certain extent hand in hand with the challenges of cyber information sharing. You have the national security agencies who are generating detailed information on cyber threat, but that is due to the sources and methods involved. It is held at a classified level and can't be shared and that creates a barrier to sharing. The thought is that if we have sufficiently large cyber threat brokerage houses sort of emerging that there can be enough data that the Federal Government could anonymously share data that would obscure sources and methods with those brokerages and it wouldn't be attributable to specific sensitive aspects of how that data was arrived at. Now we are not there yet, but I think there is some hope that that may be a solution moving forward long term. Mr. Flores. OK, thank you. If any of you have any supplemental comments on any of these questions and you could submit those, that would be great. Thank you, and I yield back the balance of my time. Mrs. Blackburn. Mr. Rush, you are recognized for 5 minutes. Mr. Rush. I want to thank you, Madam Chair, and I want to commend you for holding this hearing. Dr. Clancy, Tom, you are concerned that the Internet of Things, the IoT, where everything from home appliance to industrial infrastructure devices connected to the internet is not secure enough to withstand a cyber attack. What is the biggest challenge you see in securing this complex mobile ecosystem? Dr. Clancy. Well, I think that just the breadth, as you stated, is part of the challenge. 
The threats to an internet- connected home appliance are very different than the threats to an internet-connected nuclear reactor and the technologies involved are very different. So at one end of the spectrum in the consumer technology space we have the key challenge, I think, is supply chain and inexpensive goods, inexpensive IoT devices coming from overseas that were not designed with security as part of the fundamental component. I think at the other end of the spectrum you have industrial infrastructure, industrial control systems. There the challenge is more that the desire to gain efficiencies from aging infrastructure and be able to support more users with the same power grid and more peak demand requires us to use artificial intelligence to orchestrate much of our infrastructure which necessitates connecting that infrastructure to the cloud in order to do the needed big data processing on the data. So you end up drawing this sort of series of events that necessitates for business reasons connecting this industrial infrastructure to the cloud, which then fundamentally exposes it to risks it had never faced before. And that is a whole separate set of challenges that requires the key components of that industry to figure out how to work together to solve those challenges. Mr. Rush. Are you concerned that the Federal Government is inadequate and then presently is organized that we are, are we prepared to deal with this broad threat, a cybersecurity threat? I mean we have different centers of responsibility or authority and power located in many different places from Homeland Security to the FCC. Are we prepared in a streamlined way to respond to a cyber attack using these IoTs? Dr. Clancy. I think we are never going to be as prepared as we would like to be, but I think our level of preparedness is steadily increasing. 
I think the NIST Cybersecurity Framework that many have referenced throughout this hearing is a great example of a tool that we can use to develop a common understanding of how to respond to these threats and we need more things like that to help improve our ability to respond. Mr. Rush. I want to thank you. I want to move to Mr. Wright. Mr. Wright, how vulnerable is the U.S. power grid to a similar power grid attack that Ukraine suffered last year? Mr. Wright. Excuse me. Yes, you are referring to what we have called Sandworm threat. It attacked the Ukraine two different times over the last year shutting down power. Interestingly, they got back online relatively fast because they went back to manual movements. Here in the U.S. I think we are probably more advanced on our security of those power grids. More than that, I think that our people are trained to be able to get back online manually because of threats in storms and natural disasters that they have trained to be able to get back online and to be able to do that manually. That said, there is always going to be susceptibility, and with the latest Ellen Nakashima article that came out yesterday advising of a new more advanced threat, I am sure that our power grid operators and Government are looking at how to protect against those. Mr. Rush. I want to thank you, Madam Chair, and I yield back. Mrs. Blackburn. I thank the gentleman. Mrs. Brooks, you are recognized for 5 minutes. Mrs. Brooks. Thank you, Madam Chairman, and thank you to all of our panelists for sharing your background and your wisdom with us. It seems that part of the problem we face is that cyber attacks when we talk about cybersecurity it is moving far faster, it seems, than our cyber defenses and the bad guys only have to be right once while the good guys have to be right all of the time. I am a former U.S. 
attorney and but from '01 to '07 when we were really standing up cyber teams and I certainly know the FBI and obviously NSA and others have really beefed up their cybersecurity, but yet I am a bit troubled that--because I was just, you know, Googling big cyber cases and so forth and they seem to be happening more in other countries than they are happening in our country. And I am just curious how much cooperation is there with the private sector lending your advice to the Government sector in prosecuting and enforcing our cyber laws. And I am concerned that your expertise and the expertise of those in your industry, it is hard for Government to bring folks in. As you said, I believe, Mr. Yoran that often it goes the other way. They start in Government and then go out to the private sector. But yet if we aren't cooperating and I think at a very different level than we currently are, and I appreciate your work and what the commissions have done and recommendations and so forth, but I think we need to accelerate it in a much greater way of how we can prevent, not just prevent because you are all focused on preventing, but if we don't actually prosecute. And Mr. Wright, would you like to start us out? Mr. Wright. Sure. Mrs. Brooks. And I really need to hear what your thoughts are about the level of Government's willingness to bring your expertise to the table to help us, you know, stop these people by actually prosecuting. Mr. Wright. Yes, I think you are making an absolute, excellent point there. There is a focus on protection, whereas rarely do we speak about deterrents. One of the main deterrents is prosecuting. I would say that the FBI in particular has gotten much better. In fact, I would put them at very good at this point. They are recruiting the right people. They are going after the cybercriminals. 
And maybe if you don't read about it as much here in the United States it is because a lot of our adversaries, cybercrime adversaries, are sitting overseas; very tough to prosecute in those cases. But I will tell you one good story that happened right at the beginning of this year. Symantec partnered with the FBI and worked on a case we referred to as Bayrob. It went on for 9 years. We had finally culminated in the arrest and extradition of three Romanian citizens that are currently sitting here in the U.S. awaiting trial. Those connections that private-sector companies are making with law enforcement are getting better every day. They are getting more and more trusted. I actually think that is a good news story for us now. But I think focusing on some sort of deterrents is really important because today cybercrime has all upside and no downside. There are no risks, very few risks involved in being in cybercrime. Mrs. Brooks. Thank you. Mr. Yoran, any comments you might have and should we be looking at a different model of how Government is working with the private sector to bring people to justice? Because 9 years and three defendants doesn't sound like enough to me, but I applaud it--but 9 years and three defendants. Mr. Yoran. And I am sure there is a lot of detail to that case and will point to many follow-on cases and other investigations. I think you bring up a very important point. There are many cooperative efforts between law enforcement and private industry. A few areas where private industry has really augmented what has been traditional Government function is in the area of attack attribution and threat intelligence of which Symantec, you know, is a very active participant. And that can aid and assist law enforcement and also help create deterrents whether it is through naming and shaming or other means. 
There also remains, I think, a reasonable gap between the interest of law enforcement and those trying to defend networks where there are instances where, you know, law enforcement officials would like to, for the purposes of prosecuting a crime, leave systems open and to continue to monitor how a crime is unfolding, whereas those trying to defend networks frequently care a little bit less about who is doing it and more about cleaning up their systems. Mrs. Brooks. My time is up, but if any of you would have any other comments you would like to make, I would certainly appreciate any written comments on it. Thank you. I yield back. Mrs. Blackburn. Thank you, gentlelady, and Mr. Costello for 5 minutes. Mr. Costello. Thank you. Mr. Wright, from your experience working on both the Federal side and industry sides of cybersecurity, I want to ask you this question. And this comes from a conversation I had with somebody pretty high up the food chain on this issue. Mobile device hardware, how serious of a problem is it that DOD and the U.S. Government rely on foreign IT hardware as well as just the consumer products that we utilize in that space? Many of it is foreign manufactured or foreign designed and specifically I have heard that there are times when the capacity or capability of a particular device far exceeds, the potential for it far exceeds what the realization of that device is actually for. Does that make sense? Mr. Wright. So I think the capacity and capability---- Mr. Costello. In other words you can have more with---- Mr. Wright. Far exceeds, I am sorry? What---- Mr. Costello. Far exceeds what a consumer is actually intending to utilize it for. Mr. Wright. Well, I think that certainly on this side, mobile phone consumers are sort of just hitting the beginning of what they eventually are going to do with mobile devices. 
As far as concern about where those mobile devices are being built, you know, I think that some of these supply chains are always going to be important and can open up some possible vulnerabilities. So we need to be able to have an understanding of where not only the device is put together but where those individual pieces are manufactured and pulled into the device, because they can certainly open yourself up to vulnerabilities. Mr. Costello. I want to pick up on the line of inquiry that Mrs. Brooks was pursuing and that is, it seems to me distinguishing between lawful legitimate activity and unlawful activity, someone engaged in a cybersecurity crime is often difficult to discern until it is too late. And whether it is the cloud, whether it is wireless access points, I was reading a little bit in the testimony about the mobile device management solutions. The question I have here is, is our criminal code, does it reflect the technological capacity of cybercrime as it stands today or are we sort of, is it antiquated? Does it need to evolve or does it need to be, does it need to reflect the way that criminal activity occurs, because often times a crime could be happening and yet we are not able to call it a crime because the actual malware or the actual money hasn't been stolen or the last piece of the crime which would actually make it criminal hasn't yet occurred. Does that make sense? And so my question to any of you is, be it with wireless access points, be it with just how often we use the cloud, do you see certain types of cybercriminal activity where our criminal code does not properly reflect what is happening day in and day out in such a manner that we are able to go and prevent crimes from happening because our criminal code does not have the elements to be able to have us sufficiently charge them with a crime early enough before it is too late, anyone? Ms. Todt. 
I think the industry, obviously industry has a thoughtful perspective on this and I know Symantec has done some tremendous work in this space. There is an entity called the National Cyber-Forensics & Training Alliance center which works with the FBI with consumers with law enforcement to understand where the criminal code is aligned with cybercrime. And I know that they are working on revising it where necessary, because I think, you know, to the point that was made, rightly, it is this deterrents effort. But updating just as we need to do across all elements of cybersecurity we tend to have a physical approach to cybercrime sometimes and understanding that the NCFTA, I believe, is looking at that specifically. Mr. Costello. Yes. Mr. Wright. I would just say, yes, I agree there are some sort of unique things about pursuing and prosecuting a cyber case, chain of custody of evidence is one of them. Mr. Costello. Right. Mr. Wright. I can't think of sort of specific incidences where we are crosswise with the laws, but that is certainly something I think they could look into. There is one area, the way that we share information, prosecutorial information with other countries, our MLAT process, our Mutual Legal Assistance Treaties, I believe are outdated. They need to be, they probably need to be revised so that we can share information, we could have information shared with us so that we can prosecute better. Mr. Costello. The concern I have--and my time is over--is, just given the lack or small number of instances where we are able to prosecute on this, tells me that there is just too much, there is no risk. I think that was the term you used. There is no risk to not engage in cybersecurity crimes when you are these actors. And that is terribly concerning, and it just raises the question to me on the criminal side of it: Is there more that we can do to enable the prosecution of this more easily? I yield back. Mrs. Blackburn. 
The gentleman yields back, and there are no further Members seeking time for questions. Pursuant to committee rules, I remind Members that they have 10 business days to submit additional questions. And I think you all are probably aware you have got written questions coming to you. We would ask that you respond to those written questions within 10 business days, and get that back to us. It is a hearing where there is a good bit of interest, and we look forward to moving forward on this issue this year. So, seeing no further business to come to the subcommittee today, the committee is adjourned. [Whereupon, at 12:04 p.m., the subcommittee was adjourned.] [Material submitted for inclusion in the record follows:] [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] [all]