U.S. House of Representatives, CSPAN, February 5, 2014, 10:00am-12:01pm EST

10:00 am
for its legislative session today. live coverage on c-span. the speaker pro tempore: the house will be in order. the chair lays before the house a communication from the speaker. the clerk: the speaker's rooms, washington, d.c., february 5, 2014. i hereby appoint the honorable reid j. ribble to act as speaker pro tempore on this day. signed, john a. boehner, speaker of the house of representatives. the speaker pro tempore: pursuant to the order of the house of january 7, 2014, the chair will now recognize
10:01 am
members from lists submitted by the majority and minority leaders for morning hour debate. the chair will alternate recognition between the parties with each party limited to one hour and each member other than the majority and minority leaders and the minority whip limited to five minutes, but in no event shall debate continue beyond 11:50 a.m. the chair recognizes the gentleman from massachusetts, mr. mcgovern, for five minutes. mr. mcgovern: i ask unanimous consent to revise and extend my remarks. the speaker pro tempore: without objection. mr. mcgovern: mr. speaker, yesterday, the senate passed the farm bill conference report, something the house did almost two weeks ago. i want to thank my house and senate colleagues that stood firm and voted against the conference report because of the egregious cuts to snap, formerly known as food stamps.
10:02 am
i'm especially proud and thankful that none of my massachusetts colleagues voted for the bill. unfortunately, i think many of those who voted for this bill will ultimately come to regret their vote. but now that the fight over snap funding and the farm bill is over, it's time to look forward and once again refocus on how we can end hunger now. and despite the attacks on the poor that come from the republican leadership in this congress, there are good things that are happening among the anti-hunger community and there are opportunities out there that we can take advantage of as we work to end hunger now. every day millions of hungry kids are able to eat a nutritious meal because of the school lunch program. in fact, 29 million children in more than 98,000 schools and residential childcare programs are part of the program every day and they either receive it at a reduced price or free. the school lunch program is a lifeline for these kids who come from poor families. it's not their fault that their
10:03 am
parents don't earn enough for them to put food on the table. for most of these kids, it's the only nutritious meal and in some cases the only meal they will eat on a weekday. that's why this program is so important. imagine what happens to a child who goes to school hungry. it's harder for that child to pay attention in class, leading to difficulty learning and also leading to challenges in terms of their development, mentally and physically. kids who go without food are literally at a disadvantage to those who are eating healthy meals. they are starting from a much worse position and it's because america decides not to help. but that is changing. participation in the school lunch program is strong, and the good news is that participation in the school breakfast program is rising. i want to highlight a recent report from the food research and action center, or frac, as they are commonly known. frac reports that 311,000 more kids receive school breakfast than the previous year. we all know how important
10:04 am
breakfast is. our parents told us to eat a healthy breakfast so we can learn and grow and i tell my kids the same every day even though they don't pay attention. this is making sure that kids from poor families are able to start the day off right, that they don't start the school day off hungry so they can learn properly and they can develop. unlike the school lunch program where the meal is served during the school day when kids are already in school, many of these breakfast programs take place before school starts. because of those starting times, many don't participate in the school breakfast program and that's why this report from frac is so important. they will start to offer breakfast free of charge. schools are moving breakfast out of the cafeteria and into the classroom after school starts, something that's known as breakfast at the bell. and i'm pleased that a new federal program called community eligibility, a program in seven states that allows high-poverty schools to
10:05 am
provide free breakfast and lunch to all students without the need for an application, is increasing daily breakfast participation. frac found that daily breakfast participation rose by 5% in these seven states compared to 2.5% in nonparticipating states. we can do better but this is encouraging. kids that eat nutritious meals do better in school and have fewer health problems when they grow up. school meals are a critical part in ensuring that kids eat properly and breakfast is a part of the equation. frac found that if all schools reached 74 kids for breakfast for every 100 that ate lunch, 3.8 million children would have been added to the breakfast program and states would have received $964 million in added nutritional funding in 2012 and 2013. we should be proud of the work that usda and states and localities are doing to increase breakfast participation.
10:06 am
and as we move towards a re-authorization of the child nutrition act, we must remember these important programs and build on them. we must do everything we can to end hunger now and improving on the school breakfast program is just one way to do it. all of us, mr. speaker, both democrats and republicans, need to step it up in our battle to end hunger. we should all be ashamed that so many in our country, including millions of our children, go hungry. and sadly, mr. speaker, many of the actions that have been taken by this congress have made hunger worse in this country. we are the richest country in the history of the world. surely we can do better, surely we can end hunger now. thank you, mr. speaker, and i yield back the balance of my time. the speaker pro tempore: the chair recognizes the gentleman from mississippi, mr. nunnelee, for five minutes. mr. nunnelee: thank you, mr. speaker.
10:07 am
tupelo, mississippi, the town of my birth and my hometown, is known for a lot of things: the birthplace of elvis presley, the headquarters of the natchez trace parkway. but one of the things that we're also very proud of is we're the very first t.v.a. city. many people around america think of the difference between rural america and city as the difference between whether you have a shopping mall, a lot of nice restaurants, things like that. but 80 years ago the differences between rural and urban america were even more stark. that's why today it's my privilege to rise as we celebrate the 80th anniversary of the tennessee valley authority. in the 1930's, rural america
10:08 am
did not have many of the basic things of life, like electricity, running water, and a lot of the things that we consider frills today, like radio, music, news. and as a result, many americans, particularly younger generations of americans, were migrating from the small towns and farms across rural america, moving to the larger cities. seeing this shift, a couple of visionary members of the congress, including my predecessor, mississippi representative john rankin, and senator george norris from nebraska, made it their mission to bring electricity to rural america. and on may 18, 1933, the tennessee valley authority was created by this congress in an effort to improve the living conditions and the economic conditions for seven southern
10:09 am
states, including mississippi. in 1934, president roosevelt came to tupelo, mississippi, and literally flipped the switch to turn on the lights. shortly after that, north mississippi became one of the nation's earliest regions to begin to adopt rural electrification. over the past 80 years, the tennessee valley authority has been committed not only to providing cleaner, low-cost energy, but also to the economic well-being of our region and across the tennessee valley. working with local power companies, directly served customers, and regional, state and community developments, t.v.a. creates economic opportunities around our region, focusing on
10:10 am
attracting and retaining jobs, capital investment and helping our communities prepare for growth. i was once told by my friend glenn mccullough, t.v.a. chairman, that the mission of t.v.a. can be summed up in three phrases: keep the lights glowing, the economy growing and the river flowing. well, for 80 years, t.v.a. has done just that. with current leadership like richard howorth from oxford, who is currently on the t.v.a. board of directors, t.v.a. is helping our region achieve success. the electricity provided by t.v.a. has helped attract opportunity and success for thousands of people in mississippi and throughout the valley, allowing them to show the world that we're a friendly, reliable and competitive work force. so on this day of commemoration, i say happy 80th anniversary, t.v.a., and my
10:11 am
wish for you is a prosperous and successful future. i yield back. the speaker pro tempore: the chair recognizes the gentleman from illinois, mr. gutierrez, for five minutes. mr. gutierrez: mr. speaker, there is no area of foreign policy that produces greater concern among american citizens than a nuclear armed iran. whether independent, democrat or republican, there is remarkable unity across the spectrum that we must do everything in our power to prevent that outcome. we have heard the steady drumbeat over the years that iran is moving closer and closer to achieving nuclear capabilities. we have seen the regime engage in dangerous provocations and offer support to hezbollah and other militant groups and have threatened the stability of the region and raised significant concerns from our allies and friends. the obama administration worked with our international partners to impose crippling sanctions on iran. those covered iran's banking,
10:12 am
energy, shipbuilding, insurance, broadcasting and even gold and precious metals. now, after decades of tensions between the u.s. and iran and after sanctions and isolation, we've seen positive steps in relatively quick succession. after the election of iranian president hassan rouhani, i called on president obama to, quote, utilize all diplomatic tools to have the bilateral and multilateral sanctions be calibrated in a way that they produce significant concessions. those diplomatic overtures, also on the banking sectors, included a phone call between president obama and president rouhani, and the signing of the joint plan of action, going towards a nuclear agreement.
10:13 am
there remained ample reason to question a long-term agreement with iran. we heard the president one week ago in this very room speak of the challenges for negotiators, cautioning, quote, they may not succeed. we are clear about their support of terrorists like hezbollah, the mistrust between our nations cannot be simply wished away, unquote. now, colleagues in both chambers are talking about more sanctions. they're strongly in favor of peace, they're asking us how we would vote and what we should do as a congress and as a nation. i have served on the house permanent select committee on intelligence and i have been part of classified assessments which provide a much fuller and clearer picture of the situation in iran. i cannot tell you what the information is here or anywhere else because it is appropriately classified, but based on the classified briefings i received on the situation in iran and the joint plan of action, i'm very reluctant to support any
10:14 am
additional sanctions at this time. and mr. speaker, given the importance to all members of preventing a nuclear armed iran, i think many of my colleagues would be in a much better position to evaluate the options before us if they also had access to the very classified briefing from which i regularly benefit. that is why i wrote a letter to the speaker of the house, john boehner, and the democratic leader, nancy pelosi, last week asking them to convene a classified briefing of members of the house of representatives. all of us could have access to classified materials or request a briefing if we wanted one on a case-by-case basis. but the point is we're facing a crossroads as a nation and we're facing a crossroads as a congress and i want us to be as informed as possible. i understand the mistrust between the u.s. and iran and some of this body seeking additional sanctions even though we're implementing the terms of the six-month agreement. we need politically informed decision-making so we can make the best choices on behalf of our constituents and the
10:15 am
nation. i think we can come away with greater confidence in the work of the administration and our international partners. i have been convinced that now is not the time to consider additional sanctions but i want my colleagues to make up their minds and to do so with as much information as possible. so i renew my request, mr. speaker, for classified briefings as soon as they can be arranged. i have every confidence that if talks falter or we have evidence that iran is not abiding by the terms of the joint plan of action that congress will not hesitate to take appropriate actions, including imposing new sanctions on iran. with iran at the negotiating table, taking steps to halt enrichment, it is worth giving diplomacy the chance to succeed. i yield back, mr. speaker. the speaker pro tempore: the chair recognizes the gentleman from pennsylvania, mr. thompson, for five minutes. mr. thompson: thank you, mr. speaker.
10:16 am
yesterday, the nonpartisan congressional budget office, or c.b.o., issued a report stating the affordable care act, otherwise known as obamacare, will slow economic growth over the next decade substantially more than previously predicted. the affordable care act could lead to two million fewer workers in the work force between now and 2017, which is nearly three times as high as c.b.o.'s earlier predictions. what's even worse is this number is supposed to rise in later years to the equivalent of 2.5 million jobs by 2024. according to "the hill" newspaper, and i quote, the c.b.o. also said employer penalties would decrease wages and part-time workers would be slower to return to the work force because they would seek to retain obamacare insurance
10:17 am
subsidies, and i end quote. we cannot afford more blows to jobs. we cannot afford more blows to the american work force. we cannot afford more blows to our economy. we, as policy makers, should be focused on breaking down barriers to employment in order to increase wages. mr. speaker, the administration better get better in explaining this law to the american people or start working with this body to repeal and fix it. the american people deserve better. the american people deserve jobs. and i yield back. the speaker pro tempore: the chair recognizes the gentleman from oregon, mr. blumenauer, for five minutes. mr. blumenauer: thank you, mr. speaker. before turning to the subject at hand, i really hope that people look at the c.b.o. report that was referenced by my good friend
10:18 am
from pennsylvania and you'll find that the two million people who would no longer be working is not going to increase unemployment. they are trapped in the work force now because they can't afford health care. the affordable care act will actually enable some people to retire who want to retire or stop working a second job. read the report and find out that this is actually a very positive signal. but i'm here today to reference something else that was in the newspapers, the scandal about the nuclear weapons program. the real scandal is not the cheating or drug use by people with their finger on the nuclear button. the scandal is that these people are on the job at all with these nuclear weapons, jobs and nuclear weapons that should no longer exist. don't get me wrong, the alleged drug use by the people who stand watch daily with their finger on
10:19 am
the nuclear trigger, or cheating, is outrageous but we are frozen in time to a nuclear cold war past and committed to wasteful spending. these are weapons that were not used in 69 years and could not help us today. they have never been used in battle since world war ii but were almost used by miscalculation and mistake. in a recent book called "command and control" there are terrifying examples of broken arrows, nuclear mishaps. a bomb landed in a back yard leaving a 75-foot wide, 30-foot crater, leveling his home. luckily it failed to trigger the nuclear explosion. in north carolina a b-52 went into a tailspin carrying bombs. our bomber fleet which used to
10:20 am
be on the runway idling on alert 24/7 were prone to catching on fire. a few years ago there was a b-52 which flew across the country unknowingly carrying six armed missiles. intercontinental ballistic missiles on top of our missiles. we don't need a fraction of this weaponry. at most we need perhaps one scaled-down system. there is nobody left to deter. we are competing in russia in the winter olympics right now. a small portion of one of these delivery systems is all the nuclear deterrence we could ever possibly need and the larger, more complex the infrastructure, it's not just more expensive but more prone to mistake. we are talking upwards of $700
10:21 am
billion over the next 10 years in operations, modernization, new systems and new nuclear submarines. it's outrageous and dangerous. $750 billion is more than the federal government will spend on education in its entirety in the next five years. it's time for congress and the american people to put an end to this. the speaker pro tempore: the chair recognizes the gentlewoman from ohio, ms. kaptur, for five minutes. ms. kaptur: i rise today in opposition to the further outsourcing of american jobs through more unfair trade agreements. the administration, this administration, is currently working on the next executive branch job-killing, so-called free trade agreement,
10:22 am
transpacific partnership or t.p.p. the contents of this agreement have been kept secret from the american people and members of congress and of course, the general public wherever they might live. the administration is using the same old failed trade model called fast track to negotiate, which means that whatever they negotiate we don't get to see and then bring it up here, tie our hands and bring it up in one lump-sum vote and no amendments allowed and usually do it in a lame duck session and just try to ram it through, usually late in the evening. and since fast track was first used, the united states has accumulated red ink, trade deficits, more imports coming in than exports going out, for nearly three decades. we accumulated over $9 trillion in trade deficits.
10:23 am
if you want to know why we have a budget deficit, we have a trade deficit. we have outsourced too many jobs from this country to low-wage havens. try to go out and buy anything made in america. the american people know this inherently. nearly seven million manufacturing jobs have been lost since fast track was first passed. every poll of u.s. opinion tells this congress what the american people care about, jobs and the economy. jobs and the economy. they care about recovery. so why is this administration using the same old model that goes back to 1975? now they are looking to the pacific, the pacific region, as if we haven't had relations with some of those countries before, but every other agreement has resulted in red ink. the american people want job creation not job outsourcing. and actually, if this president were to refurbish the trade
10:24 am
model and really fix it, it would be the first time in modern history that our trade policy would yield job creation in this country and real income growth for the american people. let's look at a couple of dimensions of this. the trade deficit in 2012, last year for which we have confirmed numbers was half a trillion dollars. that resulted in over two million lost jobs in this country. that number has just been getting worse with each passing decade. more and more jobs lost. let's look at the countries. let's take china. the trade deficit in 2000 with china was about $83 billion. it's increased four times. it's gone up four times. in 2013, last year was 2012, over $315 billion in trade
10:25 am
deficits with china. every billion equals 4,000 lost jobs in this country. we are net negative with china. with japan, we have been solidly negative for decades. in 2012, our trade deficit with japan was $76 billion. with mexico, they said after nafta it's going to be great for america and millions of jobs in the united states. wrong. our jobs were outsourced. in fact, in the year 2000, we had a $24 billion deficit with mexico. 2012, that went up to $61 billion, in the red. in the red. their exports coming here, not the reverse. and korea, we had a discussion with some of the president's advisers and said that was the new trade model. the korean trade deal this president proposed was going to change everything. guess what? we're in the red with korea, too. in 2000, -- $12 billion.
10:26 am
after the new korean free trade deal it has doubled, $16.6 billion, and 2013, it's nearly $20 billion. that's a doubling of the trade deficit with korea. if this is such a great trade model, how is it working for the american people? it isn't. it might be working for several transnational corporations that can pay their investors because of the profits they are making off of cheap labor but it's not working for the benefit of the american economy, the american people. it's time to change. let me just put two numbers on the record here. 500,000 er 1 tchousm american people who are not unemployed. the speaker pro tempore: the gentlelady's time has expired. ms. kaptur: i will talk about
10:27 am
the costs and american degradation because of imports that are not properly regulated by the department of agriculture coming over our border and doing harm from coast to coast. i thank the speaker very much and i yield back my remaining time. the speaker pro tempore: pursuant to clause 12-a, rule
10:28 am
10:29 am
> data security as well as breach notification and i think it's time for congress to act. >> the other members of the panel agree with that statement? >> yes. >> i thought you might disagree. >> as long as you don't completely preempt us. >> from the law enforcement approach, the secret service believes any modification perhaps to law enforcement with jurisdiction would definitely assist in this effort as well. >> i come from the operational side of the department and there are things that congress can do and be helpful as we work across
10:30 am
the nation and across the globe, strengthening the ability on information sharing. it is often difficult to get companies to share information with us because there is no statutory basis and they tend to be on the conservative side. promoting and establishing the standards would be very helpful to help secure federal civilian networks and critical infrastructure and the national data breach reporting. we can't understand an incident if we don't know about them. those are some of the things that would be helpful. >> for instance with neiman marcus and maybe with target, a criminal came into their stores and used a credit card that infected their system at the point of purchase. if we went to some sort of --
10:31 am
well, is it possible with current technology to prevent that type of data theft? i see a lot of blank looks here. >> just to clarify. the two breaches that we're talking about in neiman marcus were done by people infiltrating a network. >> i thought they came in with a card. >> no. so it's very difficult and again, these are very complex sophisticated criminals that did this, they inserted a malware code. >> did it by penetrating the system by a computer link, not by giving a card. >> and our investigation is indicating it's from transnational criminals. from criminals outside the borders of the united states. >> well, i would hope since
10:32 am
everybody agreed that this is a problem and that the federal government should legislate, we can come up with the best practices set of recommendations, present to the committee and then let us massage it only the way we can. and we will try to move on something hopefully in this congress. and with that, i'm going to yield 34 seconds to the chair. >> thank you very much, mr. barton. the chair recognizes the dean of the congress, mr. dingell of michigan. >> mr. chairman you are most courteous and i commend you for holding this important hearing. i think we can all agree that the breaches were tragic. we had a duty to protect the american consumers from events like this in the future. this committee and the house must act to pass data security and breach notification legislation. the administration has proposed
10:33 am
similar legislation. congress must act again and we must ensure that such legislation makes its way to the president's desk for signature. to that end, i'm most interested to hear any opinions of the f.t.c. and what they may wish to share with us. all my questions this morning will be addressed to chairman ramirez. now, chairman, your written testimony indicates that the commission enforces a variety of statutes such as gramm-leach-bliley and the privacy protection act. do any of these acts require an f.t.c.-covered entity whose collection of personal identification has been breached to notify customers?
10:34 am
yes or no? >> no. >> that is needed, i assume? >> yes. absolutely. >> now madam chairman, do any of these acts require notification of the federal trade commission or law enforcement in general of such a breach, yes or no? >> no. >> madam chairman, should the congress enact a federal data security and breach notification law, yes or no? >> yes. >> madam chairman, under such laws, should f.t.c.-covered entities be exempted from breach notification requirements if they are already in compliance with glba and coppa? yes or no? >> no. >> madam chairman, should such a law be administered by one
10:35 am
federal agency or some kind of a collage of agencies? >> one agency. >> now, i happen to think that should be the federal trade commission because of its long expertise in these matters, do you agree? >> i would agree. >> madam chairman, should the federal data security breach and notification law prescribe requirements for data security practices according to the reasonableness standard already employed at the commission, yes or no? >> yes. >> madam chairman, should that be expanded? should that be expanded? >> yes, i think there should be a robust federal standard. >> i will ask you to contribute for the record information on that view, if you please. i ask unanimous consent that that be inserted at the appropriate time. >> without objection. >> thank you, mr. chairman.
10:36 am
now madam chairman, should such a law address notification methods, content requirements and timeliness requirements, yes or no? >> yes. >> wouldn't work very well without it, would it? >> that's right. >> madam chairman, in the event of a data breach should a comprehensive strategy and breach notification law require companies to provide free credit monitoring services to the affected consumers for a time certain, yes or no? >> yes, with limited exceptions. >> do you have authority to do that now? >> no. >> do you need it? >> i think it would be appropriate to have the requirement with limited exceptions. >> madam chairman, i note -- let's ask this question, should violation of such law be treated as a violation of a federal
10:37 am
trade commission rule promulgated under the federal trade commission act, yes or no? >> yes. >> madam chairman, would you please submit some additional comments on that point for the record. >> absolutely. >> now madam chairman, should such a law be enforceable by state attorneys general? >> yes. >> madam chairman, should such law preempt state data breach and security laws? >> if the standards are robust enough. >> would you submit some additional information on that point, please. >> yes. >> madam chairman, given advances in criminal ingenuity, which seems to be moving at the speed of light, should any statutory definition of the term personal information included in a comprehensive federal data security and breach notification
10:38 am
law be sufficiently broad so as to protect consumers best, yes or no? >> yes. >> thank you, madam chairman. mr. chairman, i want to thank you for your kindness to me this morning. i urge the committee to work with the federal trade commission to draft and pass comprehensive data security and breach notification legislation. i believe this should be done in a bipartisan fashion and i think that the democrats and the republicans can work together for this purpose. meanwhile, i would note such legislation is not a panacea for data theft but will serve to reduce it and better protect consumers. i thank you, mr. chairman, for your courtesy to me, and i appreciate the holding of this hearing. madam chairman, thank you for your courtesy. >> well done, and actually entertaining. mrs. blackburn, you are
10:39 am
recognized for five minutes. >> thank you, mr. chairman, i appreciate that. thank you all again, i think i want to start with you for a minute. you said in your testimony, never has the need for legislation been greater. and -- so taking that statement, it could mean companies who suffered the breaches did not use reasonable measures to protect consumer data. so if that is your statement then, is the f.t.c. involved in the forensic investigation regarding the target, adobe, the hotel chains, all of these breaches? >> i'm afraid i can't discuss any particular companies or discuss whether the f.t.c. is involved in any particular investigation but let me explain what i meant by that statement. i meant it as a general statement reflecting what we
10:40 am
are seeing in the marketplace and that is that companies continue to make very basic mistakes when it comes to data security and our role at the f.t.c. is to protect consumers and ensure that companies take reasonable measures to protect consumer information. >> let me stop you right there. so you're saying that not due to this group, but because of general -- so you are basically reworking your testimony. it's not that these specific breaches show that there has never been a greater need. you may want to submit a little bit of clarification there. >> right now. >> i want to move on, three minutes and 14 seconds and five pages of questions. i would like for you to submit to us what is the reasonable
10:41 am
standard. you have referenced this several different times but i have not seen a reasonableness standard in writing. so what are you referencing? >> we take a process-based approach to this question. technology is changing rapidly. the threats that companies face are evolving very rapidly and the appropriate way to proceed is to focus on whether companies are looking very closely at the threats to which their businesses are exposed and whether they are setting reasonable security programs. if i may, it's a very fact-specific inquiry. >> i can appreciate that but i think to use that term repeatedly, what we need to know is what your definition of reasonableness would be. you know, we hear the chairman say well you're not doing this,
10:42 am
you're not doing that. how quickly do the cyber criminals' methods evolve? you have looked at this for a long time and you send out updates daily, weekly, monthly, how quickly is the evolution of this process? >> the evolution is incredibly fast and we are learning with each incident the complexity. they are moving quickly to very sophisticated -- and we are in a chase to keep up with them. >> another thing, you testified that in a number of 50 data security cases settled by the f.t.c. the companies failed to employ available cost effective security measures to minimize or to reduce the data risk. so i want you to give us some examples of the kind of measures that the companies failed to use, because you hear how
10:43 am
quickly this evolution is taking place. and the need for flexibility and nimbleness and then we hear you saying, you have to have a standard and got to do this. and we have taken these efforts in the 50 cases we have settled. for those of us looking at what legislation would look like, we have to realize that it's got to be nimble, you are saying you want something but you are not giving us specifics or examples of what you think people have failed to do. so i hope you're understanding, we have a little bit of a gap here. go ahead. >> so let me just say that i think the approach that the f.t.c. recommends for legislation is one of reasonableness. we think that's an appropriately flexible standard that will
10:44 am
allow for nimble action and to give you an example. in our experience, companies continue to make simple mistakes when it comes to data security. we have data that corroborates that and that is the verizon data breach report that was referenced in opening remarks. just to give you a few examples, this can span low-tech and high-tech mistakes, failures to use passwords or encrypt personal information, the failure to update security patches. these are very basic mistakes that we encounter. >> so it is the consumer and not company failures? >> i'm referring to company failures. >> thank you. i yield back. >> thank you and now recognize the gentleman from vermont for his five minutes. >> thank you, mr. chairman.
10:45 am
the technology that we use is not the best, is that correct, chairman ramirez? as i understand, chip and pin technology is what is now being used in europe and it has better success in preventing fraud, is that right? >> we don't recommend any particular technology. it ought to be technology neutral. we certainly would support any steps that are taken at the payment card system and to protect or better protect consumer information. >> are we still using 1970's-era magnetic strip technology? is that your understanding? >> yes, that is accurate. and so that puts us behind virtually every other country in the world in terms of the security of our payment systems. >> there is an ability on the part of the card issuers to upgrade the card technology to meet basically standards that
10:46 am
are being employed in europe, is that correct? >> that is correct. and when you look at the amount of fraud losses in these other countries where the chip and pin technology is used, you can see their levels of fraud have decreased significantly, around 50%. so chip and pin technology won't completely eliminate fraud and breaches, but it could curb the amount that we currently see. >> and what i see, visa and mastercard have announced a roadmap to chip and pin cards. do you think it would be a problem if they decided to abandon the pin? >> people can change their pins as they change passwords. >> you have front line responsibility to try to maintain the integrity of this
10:47 am
system and it is important to our merchants, to our banks and to our consumers. >> would you pull the microphone closer. >> the secret service doesn't have a metric to measure chip and pin in the united states. but however the secret service supports any technology that would assist in the security of that particular data. >> is your understanding the same as the general that technology -- the chip and pin technology deployed in europe has been much more successful in reducing fraud? >> it could give another level of security which makes it difficult for the criminals to get at that data. i'm not saying it's the solution, there is not a 100% solution, technological solution. >> but what it is, it's a better technology than the 1970's era magnetic swipe card?
10:48 am
>> it's a 30-year technology, sir. >> how about? >> i agree with the other panelists, but there are other challenges as well. people using their phones for payment. you are using your computer and laptop, so having that extra security on the cards itself would be helpful but we have to look at other things as well. >> back to you chairwoman ramirez, it would be good to have a standard but we can't pick winners and losers on technology, so what would be a concrete step that congress could take that would be practical and effective in improving the status quo? >> number one, congress taking action alone would be a very important statement. but what we advocate is a reasonableness standard being employed along the lines of what the f.t.c. has in place with the safeguards rule and i would be happy to work with the committee
10:49 am
on these issues and my staff is available to do that. >> we can't as a legislative body prescribe what the technology is, the industry has to figure that out. but on the other hand, you need flexibility if steps are taken or not taken that could be -- that would enhance security for consumers and merchants. >> flexibility is important and that is one of the reasons we are requesting that the f.t.c. have rulemaking authority that would allow the agency to take into account evolution and changes when it comes to technology. >> would this be helpful in the privacy breaches as well? these are monetary value but ending up with personal information, things that can be used in identity theft. the better security, would it not only help with the economic loss but the identity theft? i'll ask you.
10:50 am
>> absolutely. what we see is when people's personal information is taken it is frequently used to commit identity theft, but it can be used, not just for financial identity theft but many other types of identity theft. >> i see my time is up. this is a great panel. thank you for assembling it. >> thank you and i recognize mr. lance, the vice chair. >> thank you, mr. chairman. recently "the wall street journal" reported that the software virus couldn't be detected by any known anti-virus software, is that accurate? >> it is. >> and could you elaborate on that. >> most of our detection systems use signatures, so they are known problems and there is a technical formula we put into a machine that says
10:51 am
hey, you told me to look for this and there are intrusion systems that prevent that malicious event getting to the end point. looks like the criminals modified from what is a standard attack at point of sale in such a way that it was undetectable. >> you stated that the secret service has observed a marked increase in the quality, quantity cyber crimes targeting industry and critical infrastructure. can you give us some examples of how these criminals and their tactics have evolved and i presume these criminals are not necessarily residents or citizens of the united states. >> yes, sir. we are talking about a network of transnational cybercriminals. you know, over time, we could look back at data breaches at
10:52 am
dave and busters and during that time they were attacking encrypted data, which is credit card payments. that got changed in 2007, the focus instead of going to credit card processing companies, looking at ways to get at the same type of data but looking at it when it was unencrypted. encryption modification has been made through that system and information is encrypted. today we have seen the change now, they are looking at where the fence is and how to get around that fence. where they are attacking now is at the point of sale piece. from the point of sale terminal to the back of the house server, that piece of string has not been encrypted. >> madam chairwoman, you
10:53 am
answered representative dingell's questions regarding preemption. i didn't understand your answers, my fault. would you explain in a little more detail your views on i certainly in a robust democracy with protections both here in washington and at state capitals and if you could just elaborate briefly on the preemption issue. >> yes, i believe that preemption is appropriate but provided that the standard that is set is sufficiently strong and also provided that the states have concurrent ability to enforce. >> concurrent ability. so this would not mean that the states would not have a significant responsibility in this very complicated and difficult issue. >> the states do tremendous work in this issue and it is vital to have
10:54 am
them enforce the law. >> attorney general, it's a pleasure to meet you, although i know you, "the new yorker" magazine comes into our house all the time and your husband is a brilliant cartoonist. >> in terms of preemption, i would concur with what the chairwoman has said as long as the federal legislation has strong enough standards and states retain the ability to enforce as we do in a number of areas already. we understand that it is potentially reasonable to say ok, we are going to preempt you in a certain manner. in fact, back in 2005, congress received a letter from the national association of attorneys general requesting notification laws be put in
10:55 am
place at the national level and so as long as we still retain the ability to respond to our consumers and this is looked at in some ways potentially as a floor and not a ceiling, we understand your role. >> thank you very much. let me say, mr. chairman, i believe that this committee will in a bipartisan capacity work on this issue, work to conclusion and this is the committee in the congress that deals on these important nonpartisan or bipartisan issues and i have every confidence that we will meet the challenge working with the distinguished panel, working with the next panel and i look forward to being involved to the greatest extent possible. thank you, mr. chairman. >> thank you, i recognize the gentleman from kentucky, mr. guthrie, for five minutes. >> thank you, mr. chairman. i have a business background and
10:56 am
i know that any time you have an issue with your customers, it takes a long time to build trust back up again and incentive for businesses to protect their data, but at the same time, i worked in a retail store when i was in high school. my grandfather had a grocery store. everybody has to deal with data. right incentives and right things in place to make sure that is protected. want to talk to agent noonan, criminals' unauthorized access, are they not paying attention? >> no, sir, for law enforcement and for the secret service, result of a proactive approach to our law enforcement and we are gathering information and working with our private sector partners especially in the financial services sector when we are receiving data. what can occur, we can see a
10:57 am
point of compromise where the retailer might not necessarily see compromised data out in the world. by looking at that data, we can go to that company and advise them that they have a leak. now it doesn't necessarily mean it's that company but it could be their credit card processing company. it could be their bank, a host of other systems that are hooked into the main company. but it's a point for us to go to that potential victim and say look at your data and see if there is a problem. >> who typically notices the breach, law enforcement who may see these transactions or all of a sudden, one day a retailer starts getting calls or credit card companies from their customers saying these are charges that aren't mine and find out what's in common with
10:58 am
these people. do you find that as it's going through your monitoring or is it people reporting that they had something done to them or both? >> to answer your question, both. >> what is typical? >> i don't think there is a typical. but we work closely with the banking community. as they find those anomalies, obviously, they are getting calls from their consumers. they'll notice an anomaly. and we were out in the -- targeting different criminals and in targeting them, we are able to see different things that are happening in the criminal background and that is another effective tool that we have at our disposal to be proactive. sometimes notification but you have to realize in law enforcement under that approach, sometimes we are stopping it from occurring. we might go to a potential victim company to allow them to
10:59 am
know they have been compromised and in doing so, we stop the company from losing a single dollar. that is a very successful method in which law enforcement is a tool for consumers. they are out there in front looking for that type of behavior. >> i appreciate that effort. and you mentioned the mitigation capabilities were leveraged to coordinate systems to prevent these attacks. >> probably the most important part of what we do, so it's not about finding the fires and putting them out but putting them out to begin with. this is another great example. these companies had a compromise. our responsibility is to assist them and let the broader community know and see if it's on their systems to take it off and prevent it as well. >> you described a product that
11:00 am
contains detailed technical analysis regarding recent point of sale attacks. can you describe what the mitigation recommendations are and who develops those? >> we work with a cross section across the nation with the financial services sector and technical managers in the security services and canvass the nation as a whole and put out recommendations. in some cases, as simple as changing your passwords. the other panelists were talking about that. if you use the routine hygiene of cyber space you are using firewalls, restricting access. some of these things are common sense, some of the things are new. but regardless, we want to get out as much information as we can.
11:01 am
11:02 am
>> yes, thank you, congressman.
11:03 am
where i try to focus our efforts at the end kick in my staff is getting at that very first phase of the adversary's actions. we do not want to be the responders. we want to be the prevention mechanisms and protection and mitigation. so -- but unfortunately a lot of the time we discover challenges is that they've already happened. so what we're hoping to do is learn from the experiences of one or two to hopefully protect the many. i'd like to highlight that our industrial control, we're actually doing experimentation to make sure we can crack into some boxes, see the vulnerabilities and we work with the private sector closely to see where the vulnerabilities are and close the doors as we find them. >> law enforcement, that's your nature, just by having -- delay some future damage, to attack
11:04 am
other phases? >> so in our investigations we're pulling evidence out of the crimes that have happened in a reactive approach. but the proactive approach, the former proactive approach is we're information sharing so as we're seeing different tactics, different trends that's happening in these intrusions, we're taking that information and we're sharing that with our partners at the 33 electronic crimes task forces that the secret service has signed up around the country and internationally. we're taking the information and pushing it to mr. zelvin's group and that is being pushed out to the sector. so by observing the evidence and sharing what we're finding in these different intrusions we're better protecting the bigger infrastructure, if you will. >> ms. madigan, anything? >> well, what i would say in terms of the last two responses, from our perspective, there is work that needs to be done to protect the
11:05 am
public to protect themselves. and so many have adopted things so quickly that they're not monitoring their accounts and putting in transaction alerts so when these type of breaches occur they can minimize the damage that they have to their finances. >> and finally, commissioner ramirez, any comments, ma'am? >> i'll just say that i agree with attorney general madigan. this issue is a complex one that requires multifaceted solution and that includes, again, companies taking appropriate and reasonable measures to protect information and also, of course, consumers also being educated about how -- what they can do to protect information. the main point and why i believe that action is really needed today is that these breaches remind us of how important it is -- how important this issue is and given the amount of personal information that is being collected from consumers and
11:06 am
used and retained, this is truly critically important. >> thank you. one final question for you, general madigan, legal question. curiosity. went to the law school at the university of texas, passed the bar, never practiced. why did you announce publicly that you're investigating target but not neiman marcus? >> we are investigating both of them. >> thank you. >> thank you. now the chair recognizes the gentleman from kansas, mr. pompeo, for five minutes. >> thank you, mr. chairman. i'm not quite thinking we're in a place where we're ready to move down this path. i'm glad we're having this hearing but when "the new york times" gets wound up we in congress react in ways i think are inappropriate to the challenge. i want to talk about that for a second. ms. ramirez, typically we regulate when there is a market failure. the federal government would regulate because we don't think private action can respond to a particular concern or threat in
11:07 am
an appropriate way. i can understand a potential justification for notification because sometimes someone might not know their material had been stolen. why is it the case that consumers can't figure out that if they're not happy with target or neiman marcus or whomever it is allowed their data to be stolen they wouldn't migrate somewhere else, why is it that consumers won't analyze the risk of their data being stolen and respond appropriately without the federal government trying to step in and regulate? >> i don't think the burden should be placed on consumers. >> why is that? we do that in so many other places. if you think your material is going to be stolen from your home you can buy security. we will allow them to buy $60, $200 or $1,000 a month for their own security? >> i think consumers do have a role to play here. as i mentioned earlier, there
11:08 am
are steps consumers can take to be vigilant in this area. but i believe -- and the role of the f.t.c. is to look at consumers. if you look at the data out there and it's also available to our -- let me cite specifically the verizon data breach report. they have an annual report that studies what is happening in the area of data security. that information tells us that companies continue to make very fundamental mistakes when it comes to data security. they are not taking the reasonable and necessary steps that they need to in order to protect the consumer information that they collect, use and retain. >> i appreciate that. and that report is there and consumers might choose not to pick verizon as a direct result of that. i think we ought to make sure we appreciate that. attorney general madigan, do you have data that tells you when folks call in how much they're prepared to pay for protection? that is, they call and say my data was stolen, do you know
11:09 am
how much they're prepared to pay per incident? will they pay 50 cents or $5 million to protect their data? do you have analysis? >> we don't. >> you say consumers are panicked and angered. you would say they would take some of their hard-earned money to protect themselves. do you have data with respect to that? >> i tell you we've had $26 million of fraudulent charges removed from illinois residents' accounts and i can tell you based on the 34,220 people we had to work through, on average these individuals have lost -- not lost but had $762 in fraudulent account amounts removed. so i haven't asked them how much they would like to pay for security. they feel as if they are having to actually pay the price simply for engaging in everyday activity. whether it's commercial activity or interacting with the government or being provided with medical services. >> do you think if we had done
11:10 am
the path that you're proposing that they ultimately won't pay for that, that these costs won't be borne by consumers? >> absolutely. >> so should they pay that directly so they can see those costs and respond appropriately as opposed to have them removed from their bills or have the federal government mask that real costs so they don't really know the risks they are presenting by a particular use of their own data? >> i'm not exactly sure the scheme you're trying to propose here. but you are correct in the sense if we are going to update, for instance, credit card technology to adopt chips and pins. obviously consumers are going to pay in increased costs. retailers, they're going to pay in terms of increased costs at their banking institutions so consumers will pay and hopefully we'll be able to improve our security. >> 30 seconds. two yes or no questions.
11:11 am
do you think there should be private rights of action as a result of these rules? >> at this point we've been able to handle these at the state level. >> you made a statement that said -- nearly every other country in the world is ahead of us. surely you don't mean niger. >> there may be several african countries. >> i've been back from europe. they feel very comfortable doing business across asia, europe and north america. so i actually think our system may not be in a dire successful. i yield back. >> thank you. i yield to the gentleman from ohio, mr. johnson, for five minutes. >> thank you, mr. chairman. i again want to thank you, folks, for being here today. i'm very concerned about the increase and the sophistication of these cyberattacks and just to kind of get your opinion on
11:12 am
it, mr. noonan, how does the increasing level of collaboration among cybercriminals that you referenced increase the potential harm to companies and consumers? >> so the increasing collaboration between cybercriminals just increases their capabilities. so when we say there's collaboration between these groups, these are loosely affiliated organized criminal groups that are doing this. i've used the analogy of "oceans 11" of what this group and what this network does. so they have groups that will do infiltration into the system to gain access. they have other people that will design malware. they have people that go and map the different network to figure out exactly how to get through the networks. there's exfiltration of data that occurs in these situations as well and there's monetization so the data that
11:13 am
is stolen -- of course there's money laundering. the movement of money. so when you bring together a coordinated group of sophisticated criminals, it does. it's a -- you know, they will find the edge of the fence and perpetrate our system. >> now, once we identify who these folks are that are perpetrating these attacks -- well, first of all, are they stateside, are they overseas? >> the majority of the criminals we're looking at are transnational criminals. >> ok. so outside of the united states? >> yes, sir. >> ok. to what degree do we have the authority to go after those folks when we identify them? >> sure. >> do you know of any ongoing actions to shut them down? >> sure. the secret service has a unique success in this area. we have brought many perpetrators to justice. we go back and talk about the
11:14 am
t.j. investigation as well as many others. but in the t.j. investigation we were successful. we arrested domestically, in this case, albert gonzalez. he is sentenced to 20 years in prison here in the united states. we also in the summer of 2012 we arrested demetri, vladimir, responsible also in that investigation. over in the netherlands. we were able to bring to justice alexander in the dave and busters case where he was sentenced to seven years in prison here domestically. we also were able to pick up three different romanian hackers that were responsible for the subway sandwich shop intrusions that occurred in 2008. we brought them to justice where the main leader was sentenced to 15 years in prison. we have a rich history of being able to effectively identify
11:15 am
who these targets are, have them arrested and work with other international partners. we have a host of international offices, international working groups. i think it comes back to the relationships we build internationally that are assisting us in bringing these different actors to justice. >> well, obviously most developed nations that have a high degree of sophistication within their networks, they're vulnerable to these things as well. so do we have -- how robust are our agreements with other nations to go after the criminals that might reside in their countries? >> absolutely. so we do. we have many different agreements with numerous other countries over in europe, and we have been working successfully in partnering with those. we worked very closely with the british, with the national crime agency, with the -- in the netherlands with the dutch
11:16 am
high-tech crime unit. in germany with the b.k.a. we have working groups in the ukraine as well as an office we established not too long ago in estonia. it's through the host of relationships and the laws we're enforcing with them that we're able to gather some success in those areas. >> good. mr. zelvin, you testified no country, industry, community or individual is immune to a threat of a cyberattack. does this mean, in your opinion, that you believe no one can be impervious to cyberattacks? >> sir, i think it's one of those challenges, it's like trying to prevent automobile deaths. you can do a lot of things but ultimately, unfortunately, people will still pass. there are things we can do but i believe the vulnerabilities will be exploited by bad actors. >> at this time i recognize the gentleman from mississippi, mr.
11:17 am
harper. >> thank you, everyone, for being here. mr. noonan, do you have an early indication without revealing anything you shouldn't as to how you think this might have been prevented? >> again, i don't think it comes back to how it could have been potentially prevented. i think what -- the important part here is that we know that this is a sophisticated criminal group. the different companies, they had a plan, i think, is what is the important takeaway here. the response plan is something that every company should also think of. we shouldn't think of if this is going to happen. they should potentially think when this potentially may happen to them. so a response plan is when it is when you incorporate law enforcement into your response plan. if you don't incorporate law enforcement in your plan to help you find and mitigate the
11:18 am
problem and then share that information with the whole of government, with the infrastructure to better protect other infrastructure, that's not necessarily a good plan. we obviously want -- would like to see companies have robust forensic companies assigned to them so that when an intrusion does happen they're able to go in and effectively quickly mitigate it so there's no longer any bleeding that were to occur. additionally, counsel is important for them to have. and also a plan for notification to victims. again, those are the important takeaways that we see in this case. >> are you satisfied in these cases that the response has been satisfactory? >> yes, sir. >> ok. ms. ramirez, is there overlapping between f.t.c. safeguard rules and the data security standards and do the p.c.i. standards incorporate provisions of the safety guards rule or do they go beyond the
11:19 am
safeguards rule? can you shed a little light on that. >> sure. i'm happy to speak to that. the way the f.t.c. approaches its data security enforcement work, again, we impose a reasonable standard so we don't mandate or prescribe any specific standard or technology , but we think that as a matter of course the company should of course look to relevant industry standards, best practices in evaluating what measures they should have in place. >> ok. would the p.c.i. data security standards meet the reasonable standards for purposes of section 5 of the f.t.c. act? >> every case that we look at is really specific ones so i really can't comment on hypotheticals, but what i can tell you is a company should of course be looking to industry standards that can be very valuable and that would be certainly one factor that we would examine in looking at any matter. >> you make the look that
11:20 am
breaches that occur doesn't mean that companies violate the law and companies doesn't need to have perfect security but it's been told that it's unlikely that any company that suffers a breach would be 100% compliant at the time of the breach. while the p.c.i. standards provide an admirable and needed push to keep companies relevant, would there be problems of making the federal standard enforceable by the f.t.c. if it is setting up businesses to fail because it is often possible to find some violation of the standards? >> again, we're going to be looking at each situation in a fact-specific way. we certainly understand that there is no perfect solutions. security will not be perfect. we have many more investigations than we do actual enforcement cases. >> ok. how many cases has the commission brought for violation of safeguards rule? >> of the safeguards rule, specifically we brought approximately a dozen cases. >> has industry compliance improved over time as the rule
11:21 am
becomes more mature and industry becomes more familiar with it? >> generally speaking, and i'm speaking broadly, we continue to see basic failures when it comes to data security. and the data that we have available to us suggests that companies do need to do more in this area. >> i yield back. >> thank you. at this time we recognize the gentleman from florida, mr. bilirakis, for five minutes. >> thank you, mr. chairman. i appreciate it very much and i thank the panel for their testimony. this is for the entire panel. data often moves without respect to borders, as you know. mr. russo notes in his testimony that championing stronger law enforcement efforts worldwide can improve payment data security. mr. noonan, in your testimony you mentioned successful cooperation with law enforcement institutes during investigations into these cybercrimes. would you, as well as mr.
11:22 am
zelvin, expand on what you believe they can do to enhance those international efforts going forward? is there a role for examination of this issue such as the trans-atlantic trade and investment partnership? >> i would recommend the continued support for efforts in our international field offices as well as the other working groups which we are placing strategically around the world. we've had a lot of great success in some of those eastern european countries. within the last two years, we've had some great successes. we had an extradition of a romanian citizen from romania to the united states based on the collaboration that we've made here between romanian authorities and u.s. authorities. a big part of that is the relationships that the d.o.j. has also expanded in those
11:23 am
different countries. the computer crimes, intellectual property sections as well as the office of international affairs have helped us in strategically working with those different countries to bring criminals that are affecting us here domestically to justice. >> thank you. mr. zelvin. >> yes, sir. my organization is neither a law enforcement nor an intelligence organization. we're purely civilian and we have a relationship with over companies around the world. i got to see firsthand where our counterparts are. they're making extraordinary progress but in many cases we in the united states are leading the way, especially in government's role in cybersecurity. so i think the continued engagement. as mr. noonan had said, many of these threats are coming from overseas. many come from within our own
11:24 am
country but it will be far better if we can engage with our international partners and have them use their legal means to go after these threats. and then also provide an ability to cooperate with us such as when we find an intrusion in their country to get them to shut it down if they have the legal ability. >> thank you. anyone else that would like to comment on that? >> just briefly if i may. i think the international cooperation is a very important dimension of this issue and we engage with international counterparts in all of the work -- all of the enforcement work that we do, and this would be among them. >> thank you. thank you very much. next question for chairwoman ramirez. i represent florida's 12th congressional district. while more and more seniors are becoming technologically adept, how would you recommend notifying seniors if
11:25 am
they are not reachable by email? >> i think it's an issue we're happy to work with you on. i think seniors are coming more adept to email. if email is not an option then mail will be it. we'll be happy to work with the committee on this and other issues. we have held a workshop on issues relating to senior i.d. theft and understand that this population can be particularly vulnerable to these types of issues. i think mail notification will be one option but there may be other ideas and we'd be happy to discuss those with you. >> yeah, i'd like to work with you on that. thank you and i'd yield back. >> thank you. at this time the gentleman from west virginia is recognized for five minutes. >> thank you, mr. chairman. i think we're going to have to go through an awful lot of information that's been shared here today. so i want to switch horses.
11:26 am
we got something we can chew on for a little bit. i want to switch horses a little bit to understand a little bit what's happening with security with regard to the affordable care act. mr. zelvin and mr. noonan, if you could participate. in december the h.h.s. reported there were 32 security incidents, maybe you can say slash breaches, that have occurred with obamacare. were the individuals notified? do you know if the individuals were notified? >> congressman, i apologize. if we can take that for the record we can get back to you. >> mr. noonan, do you know about those breaches? >> the same with me, sir. i don't have knowledge of those breaches right now. >> ok. if they were, given the standard that we imposed on the private sector, should individuals be notified if
11:27 am
there are breaches with the federal -- with federal health care? just your opinion. >> yes, sir. if there are breaches they should be reported and people should have the opportunity to know about that and also take the adequate precautions. >> mr. noonan? >> yes, sir. i would concur with that as well. >> you would agree with that. there was also a report that came out that the -- some of the software that was developed for the obamacare was developed in belarus and there are reports there may be some concern for malware being included in that. where are we in that evaluation, because obviously the people are still signing up and we may have something that's contaminated in our system? can any of you share what's going on internationally? >> i can tell you from last night to this morning, things have changed. the intelligence product on that report has been
11:28 am
withdrawn and is being re-evaluated. i believe the white house ask a statement last night saying there is no evidence that there has been any belarusan software development in the h.h.s. but h.h.s. is looking at this carefully and verifying that. so it's my belief that's where we are right now. >> it may have been someone just -- >> well, there was somebody -- did a report that's being re-evaluated. i think there is more investigation that will be done before we come to conclusions. >> can you get back to us? i don't know why there is software being developed in belarus. can you get back to me? >> yes. congressman, there was no software developed in belarus and h.h.s. is looking at that carefully. >> i can't see your nametag from here, from illinois. ma'am, has the state of illinois had a data breach? >> yes, in fact, in our law there is a requirement that
11:29 am
state agencies notify individuals when their personal information has been compromised. >> do you use some kind of encryption extensively? do you have encryption that you use for your data? >> different agencies handle it different ways. there are requirements in terms of how data is handled for state agencies. >> ok. thank you very much. i yield back the balance of my time. >> thank you for yielding back. no other members are here, therefore, that ends panel number one. i do want to follow up. about the criminal syndicate, there was a story that there was an 18-year-old russian boy that developed this in his basement, this malware, is that accurate? >> sir, don't believe everything you see in the media, please. >> i've learned that too. all right. thank you. the first panel is dismissed. and we thank you.
11:30 am
we may have questions submitted to you. we'll have those to you within about 14 days, if there are any. and we'd appreciate about a 14-day turnaround in answers. thank you. we'll give a few minutes break here so we can water -- get some water or something and then we'll be ready for our panel, second panel.
11:31 am
11:32 am
>> so a short break as the house energy and commerce subcommittee is meeting today, holding a hearing on consumer information protection. this is one of several hearings that will be held this week on this very topic. this is the second panel that is about to begin. the whole thing got under way at about 10:00 eastern. we'll continue in just a moment when members continue. the house will be gaveling in about noon eastern, about half an hour from now. they'll continue work on a bill
11:33 am
that will expand fishing and hunting rights on federal lands. there will be several votes coming up. final passage on that vote on that measure is expected today. also, members will discuss and debate legislation that would modify water allocation practices in california's central valley, providing additional water for municipal and agricultural uses. that area right now facing severe water shortages and drought. again, you can see the house live when members return today at noon eastern right here on c-span. the senate is not in session today. members gaveled out yesterday. they are holding a one-day policy retreat. members of both parties, republicans and democrats, holding retreats today. they'll be back tomorrow. you can see the senate when they return tomorrow at 2:00 p.m. actually at noon eastern on c-span2.
11:34 am
>> if everyone's seated, let's go. so i apologize. i was hopeful that that first panel would not last this long, but it did. so thank you and i hope that doesn't impact your rest of the
11:35 am
schedule for the day, but appreciate you staying around. so our second panel of the day is the nongovernment panel. we have michael kingston, senior vice president and chief information officer of neiman marcus group. then john mulligan, executive vice president and chief financial officer, target brands, incorporated. bob russo, general manager of p.c.i. security standards council. and phillip smith, senior vice president for trustware. we appreciate you being here today. as we did with the first panel, we'll go from my left. so mr. mulligan, you will start and you will have five minutes. >> good morning, chairman terry, ranking member schakowsky and members of the subcommittee. my name is john mulligan and i'm the executive vice president and chief financial
11:36 am
officer of target. i appreciate the opportunity to be here today to discuss important issues regarding data breaches and cybercrime. as you know target recently experienced a security breach resulting from a criminal attack on our systems. to begin with, let me say how deeply sorry we are it's had on our guests and your constituents. we know it's shaken their confidence in target and we are determined to work very hard to get it back. at target, this attack has strengthened our resolve. we will learn from this incident and as a result we hope to make target and our industry more secure for consumers in the future. i'd now like to explain the events of the breach as i currently understand them. please recognize i may not be able to provide specifics on certain matters because the criminal and forensic investigations remain active and ongoing. we are working closely with the secret service and the department of justice on the investigation to help them bring to justice the criminals who committed this wide scale
11:37 am
attack on target, american business and consumers. on the evening of december 12, we were notified by the justice department of suspicious activity involving payment cards used at target stores. we immediately started an internal investigation. on december 13, we met with the justice department and secret service. on december 14, we hired an independent team of experts to lead a thorough forensics investigation. on december 15, we confirmed that criminals had infiltrated our system, had installed malware on our point of sale network and had potentially stolen guest payment card data. that same day we removed the malware from virtually all registers in our stores. over the next two days we began notifying them, preparing to notify our guests and equipping them with the necessary information and resources to address the concerns of our guests. our actions leading up to our public announcement on december 19 and since have been guided by the principle of serving our
11:38 am
guests, and we have been moving as quickly as possible to share accurate and actionable information with the public. what we know today is that the breach affected two types of data. payment card data which affected approximately 40 million guests and certain personal data which affected up to 70 million guests. we believe the payment card data was accessed through malware placed on our point of sale registers. the malware was designed to capture the payment card data that resides on the magnetic strip prior to our encryption in our systems. from the outset, our response to the breach has been focused on supporting our guests and strengthening our security. in addition to the immediate steps i already described, we're taking the following concrete actions. first, we are undertaking an end-to-end forensic review of our entire network and will make security enhancements as appropriate. second, we increase fraud detection for our target red card guests. to date we have not seen any fraud on our proprietary credit and debit cards due to this
11:39 am
breach and we've seen a low amount of additional fraud on our target visa card. third, we are reissuing target -- debit and credit cards immediately to any guest that requests one. fourth, we're offering one year of free credit monitoring and identity theft protection to anyone that's ever shopped in our u.s. target stores. fifth, we informed our guests they have zero liability for any fraudulent charges on their cards resulting from this incident. target is accelerating chip technology for our target red cards and our point of sale terminals. for many years target has invested a lot on personnel, processes. we've placed multiple layers of firewall, data loss prevention tools. but the unfortunate reality is that we suffered a breach. all businesses and their customers are facing increasingly sophisticated threats from cybercriminals.
11:40 am
in fact, news reports have indicated that several other companies have been subjected to similar attacks. to prevent this from happening again, none of us can go at it alone. we need to work together. updating payment card technology and strengthening protections for american consumers is a shared responsibility and requires a collective and coordinated response. on behalf of target, i am committing that we will be an active part of the solution. members of the subcommittee, i want to once again reiterate how sorry we are for the impact of this incident has had on your constituents, our guests, and how committed we are to making it right. thank you for your time today. >> thank you. mr. kingston, you are now recognized for five minutes. >> chairman terry, ranking member schakowsky, members of the subcommittee, good morning. my name is michael kingston and i am the chief information officer at neiman marcus group. i want to thank you for your invitation to appear today to share with you our experiences regarding the recent criminal cybersecurity incident at our
11:41 am
company. i've submitted a longer written statement and appreciate the opportunity to make some brief opening remarks. we are in the midst of an ongoing forensic investigation that has revealed a cyberattack using very sophisticated malware. from the moment i learned there might be compromise of payment card information involving our company, i have personally led the effort to ensure that we were acting swiftly, thoroughly and responsibly to determine whether such a compromise had occurred to protect our customers and the security of our systems and to assist law enforcement in capturing the criminals. because our investigation is ongoing, i may be limited in my ability to speak definitively or with specificity on some issues, and there may be some questions to which i don't have the answers. nevertheless, it is important to us as a company to make ourselves available to you to provide whatever information we can to assist you and your important work. our company was founded 107
11:42 am
years ago. one of our founding principles is based on delivering exceptional service to our customers in building long-lasting relationships with them that have spanned generations. we take this commitment to our customers very seriously. it is part of who we are and what we do daily to distinguish ourselves from other retailers. we've never before been subjected to any sort of significant cybersecurity intrusion so we have been particularly disturbed by this incident. through our ongoing forensic investigation, we have learned that the malware which penetrated our system was exceedingly sophisticated, a conclusion the secret service has confirmed. a recent report prepared by the secret service crystallized the problem when they concluded that a specific type of malware, comparable and perhaps even less sophisticated than the one in our case, according to our investigators had a 0% detection rate by anti-virus software. the malware was evidently able to capture payment card data in
11:43 am
real time after a card was swiped and has sophisticated features that made it particularly difficult to detect, including some that was specifically customized to evade our multilayered architecture that provided protection of our systems and data. because of the malware's sophisticated anti-detection devices, we did not learn we had an actual problem in our computer system until january 2 and it was not until january 6 when the malware and its outputs had been disassembled and decrypted enough that we were able to determine that it was able to operate in our systems. then, disabling it to ensure it was not operating took until january 10. we sent our first letters to customers and made widely reported information out. despite our immediate efforts to have two separate firms of
11:44 am
investigators to dig into our systems to find any data security compromise, no data security compromise in our systems had been identified. based on current state of evidence and the ongoing investigation, one, it now appears that the customer information that was potentially exposed to the malware was payment card information from transactions in 77 of our 85 stores between july 15 and october 30, 2013, at different periods of time within this date range in each store. two, the number of payment cards used at all stores used during this period was approximately 1.1 million. this is the maximum number of accounts potentially exposed to the malware. although the actual number appears to be lower since the malware was not active every day at every store during this period. three, we have no identification that transactions on our websites or at our restaurants were compromised. four, pin data was not
11:45 am
compromised as we do not have pin pads and we do not request pins. five, there is no evidence that social security or personal information was exposed in any way. we have also offered to any customer who shopped with us in the last year at either neiman marcus group stores or websites, whether their card was exposed to the malware or not, one year of free credit monitoring and identity theft insurance. we will continue to provide the excellent service to our customers that is our hallmark, and i know that the way we responded to this situation is consistent with that commitment. thank you for your invitation to testify today, and i look forward to answering your questions. >> thank you. mr. russo, you are recognized for five minutes. >> thank you. my name is bob russo and i'm the general manager of the p.c.i. security -- >> can you pull the microphone a little closer to you? >> sorry. it's on now. >> and a little closer. >> as i said, my name is bob russo and i'm the general manager of the p.c.i. security
11:46 am
standards council, a global industry initiative and membership organization focused on securing payment card data. our approach to an effective security program combines people, process and technology as key parts of payment card data protection. we believe the development of standards to protect payment card data is something the private sector and in particular p.c.i. is uniquely qualified to do. the global reach, expertise, flexibility of p.c.i. make it extremely effective. our community of over 1,000 of the world's businesses is tackling data security challenges from simple issues like password, in fact password is still the most commonly used password out there, to really complicated issues like encryption. we understand that consumers are upset when their payment card data is put at risk and we know the harm caused by data breaches.
11:47 am
the council was created to proactively protect consumers' payment card data. our standards represent a solid foundation for a multilayered security approach. we focus on removing card data, if it is no longer needed. simply put, if you don't need it don't store it. and if it is needed, then protect it and reduce incentives for criminals to steal it. let me tell you how we do that. the data security standard is built on 12 principles. capturing everything from everything from physical security to logical security. this standard is updated regularly through feedback from our global community. in addition, we've developed other standards that cover software, point of sale devices, secure manufacturing of cards and much, much more. we work on technologies like tokenization and point-to-point encryption. they work in concert with p.c.i. standards to offer additional protections.
11:48 am
another technology, e.m.v. chip, is an extremely effective method in a face-to-face environment. that's why the council supports its adoption in the u.s. through organizations such as the e.m.v. migration forum and our standards support e.m.v. today in other worldwide markets. however, e.m.v. chip is one piece of the puzzle. to do e.m.v. and do no more would not solve the problem. additional controls are needed to protect the integrity of payments, online and in other channels. these include encryption, tamper-resistant devices, malware protection, network monitoring and much, much more. these are all addressed in the p.c.i. standards. used together, e.m.v. chip and p.c.i. can provide strong protections for payment card data but effective security requires more than just standards. standards without supporting
11:49 am
programs are only tools and not solutions. the council's training and certification programs have educated tens of thousands of individuals and make it easy for businesses to choose products that have been lab tested and certified as secure. finally, we conduct global campaigns to raise awareness of payment card security. we welcome the committee's attention to this critical issue. the recent compromises underscore the importance of a multilayered approach to payment card security and there are clear ways we think the government can help. for example, leading stronger law enforcement efforts worldwide by encouraging stiff penalties for these crimes. promoting information sharing between the public and private sector also merits attention. the council is an active collaborator with government. we work with nist, with d.h.s., with many government organizations. we're ready and willing to do
11:50 am
much more. the recent breaches underscore the complex nature of the payment card security. a multifaceted program cannot be solved by a single technology, standard, mandate or regulation. it cannot be solved by a single sector of society. we must work together to protect the financial and privacy interests of consumers. today, as this committee focuses on recent breaches, we know that the criminals are focusing on inventing the next attack. there's no time to waste. the p.c.i. security standards council and business must continue to provide a multilayered security protection while congress leads the efforts to combat global cybercrimes that threaten us. we thank the committee for taking a leadership role in seeking solutions to one of the largest security concerns of our time. >> thank you, mr. russo. mr. smith, you are now recognized for five minutes.
11:51 am
>> good morning, chairman terry, ranking member schakowsky, subcommittee members, staff, ladies and gentlemen. i want to thank you for the opportunity on behalf of trustwave to provide witness testimony on this important issue related to data breaches. i'm part of the -- a former part of the violent crimes section. my law enforcement part includes prosecution of credit card fraud, access device fraud and counterfeiting. i left the justice department in 200to join trustwave and now compliant services and technology service. i serve on the team as senior vice president and i was general counsel for 12 years. businesses and government agencies hire trustwave to protect their sensitive data and reduce risk. trustwave have customers ranging from the world's largest businesses and small and medium sized companies in many countries.
11:52 am
we deal with ethical hacking, security research and we also train law enforcement on how to investigate network intrusion and data breach cases. today i will offer my recommendations on broader information security trends. it's important, i note, as a company we do not comment or speculate on specific data breaches and as such we will not be offering testimony today related to companies involved in the latest string of data breaches. however, i believe our company's experience in investigating thousands of data breaches over the past several years and advancing security research will be of value to you and the industry as a whole. my submitted written testimony discusses how card data is stolen and why businesses must go beyond p.c.i. for increased security and technologies and process that can help. while i don't have time to discuss the topic in depth, i want to highlight a few items.
11:53 am
we have real-world data breaches. the focus of the report is around cybercrime. states that are carried out by professionals and many follow logical patterns as described by the secret service. the 2013 global security report highlights data our experts analyzed from more than 450 data responses -- incidents, thousands of penetration -- tens of billions of events. the report states the retail industry was the top target in 2012, making up 45% of our investigations. food and beverage industry was second followed by the hospitality industry. those did not change in 2013. cardholder data was the primary target. mobile malware increased 400% in 2012. 73% of the victims were located in the united states. almost all of the point of sale breach investigations involved targeted malware. remote access made up 73% of the infiltration methods used by criminals. took businesses an average of
11:54 am
210 days to detect a breach. most took more than 90 days. 5% took more than three years. only 24% detected the intrusion themselves. most were informed by law enforcement. web applications emerged the most popular attack vector. e-commerce being the most targeted asset. weak password being password1 as the most password of choice. i talk about many different security areas as part of a defense in depth strategy, recommending multiple layers of defense, ongoing training. would however make the following observations. p.c.i. data security standard plays a critical control as it has increased awareness of securing data in the payment industry. the threat landscape is more complex than ever and keeping up with complying with the standards simply isn't enough. common misperception is that p.c.i. was designed to be a catch-all for security. we believe it gives businesses
11:55 am
guidelines for basic security controls to protect cardholder data. we heard today about chip and pin and end-to-end encryption and these are all good. but there's no silver bullet. a multilayered approach involves people, process, technology and innovation. i would take these few minutes to highlight three particular ones. businesses implemented a response plan that includes advanced techniques, containment strategies and response technologies. web applications are a high-valued target for attackers because they are easily accessible over the net. web applications are often at businesses' front doors and contain systems that have private data. while monitoring over 200,000 websites, we had 16,000 attacks occur on web applications per day. this is why businesses need to adopt protections that include the ability to detect vulnerabilities and prevent web applications. obviously anti-malware is a big issue here and what companies need to do to defend against this is to deploy gateways.
11:56 am
this gateway specifically helped to protect business in real time from threats like malware and data loss. i want to thank the chairman and ranking member schakowsky for the opportunity to be here and happy to answer any questions. >> thank you, mr. smith. and that does conclude the testimony of our panel and now it's time for us to ask you questions. i get to go first. so i recognize myself for five minutes. mr. smith, based on your professional opinion, in this, the united states, are we suffering an increased onslaught of data breaches and attacks, or is it just simply we're paying more attention in the media? >> no, we are suffering more attacks, that's for sure.
11:57 am
>> can you quantify that in any way? >> the number of attacks? i can only speak for our company and how many we're involved in each year which involves a number of different investigations as well as multinational locations within -- >> do you have an opinion why that's increased, the number of attacks have increased? >> i think anytime there is something of value and the web now gives the ability for these multiple attacks to occur from anywhere in the world, so as the technology increases, so will the attacks, so will the value of that data that people are after. >> thank you. appreciate that. and for mr. mulligan and for mr. kingston, i appreciate your invitation. you don't have to accept that invitation. you don't have to be here. but you agreed to be here. and a, i think that speaks well for both of the companies that you work for and your respect for the consumer to go on the
11:58 am
record about what occurred and what you're offering to your customers. i want to thank you for that. doesn't mean we don't ask you tough questions. so let me start off the same question to both mr. mulligan and mr. kingston. both of you suffered point of sale attacks. and at least with target, there was a portion of that that was unencrypted and they were able to get the information in plain language. plain text. is that a shortcoming? is that standard? how much of a surprise to you or not surprised there was that vulnerability at the point of sale, mr. mulligan? >> mr. chairman, we know -- >> and pull your microphone a little closer. >> we know today in the u.s. that credit card information, payment card information comes
11:59 am
into point of sale systems from the magnetic strip unencrypted. in our case that data was captured prior to us encrypting it. we've seen in other geographies around the world where chip and pin or technology is deployed. the fraud related to credit cards have come down dramatically and that's why we've been supporters of that technology for a long period of time. >> mr. kingston. >> what we learned in our investigation, mr. chairman, is that the information was scraped at a time immediately following the swipe as well. and basically -- >> so in essence, co--- >> you can continue watching this hearing on our website, c-span.org. we'll leave it now to go live to the u.s. house for the start of the legislative day today. after some opening speeches, members are scheduled to consider debate roles for two bills. one dealing with california water resources and the other with public lands use. the public lands bill will be
12:00 pm
formerly -- also, amendment and final passage votes on a bill encouraging hunting and fishing on federal lands. first votes expected in about an hour and a half from now. live coverage now of the u.s. house here on c-span. [captioning performed by national captioning institute] [captions copyright national cable satellite corp. 2014]