Environments. The NCCIC is comprised of four branches: the United States Computer Emergency Readiness Team, the industrial control system, the National Coordinating Center for Communications and an integration component. In response to the recent retailer compromises the NCCIC, whose mission focuses specifically on computer network defense, prevention, protection, mitigation, response and recovery activities. The NCCIC and US-CERT publishes technical and nontechnical products and improving the ability of organizations and individuals to reduce that risk. When appropriate, all NCCIC components have onsite response capabilities to assist at facilities. In addition, US-CERT global partnership allowed the team to work directly with analysts from across international borders to develop a comprehensive picture of malicious cyber activity and mitigation options, using structured threat information. In recent point of sale incidents we analyzed malware and used findings in part to create a number of information sharing products. The first product, which is publicly available, can be found on the U.S. website, provides nontechnical overview to risk to point of sale systems along with recommendations for how businesses and individuals can protect themselves and mitigate losses in the event an incident already occurred. Other products have been more limited in distribution in that they are meant for cyber security professionals in that they provide detailed technical analysis and mitigation recommendations to better enable experts to protect, discover, respond and recover from its events. As a matter of strategic intent, the goal is always to share information as broadly as possible, which includes delivering products tailored to specific audiences. These efforts ensure that actual details are shared with the appropriate partners so protect themselves, their families, businesses and organizations quickly and accurately.
In the case of the point of sale compromises, the Financial Services Information Sharing and Analysis Center. In particular, the FS-ISAC Payment Processing Information Sharing Council has been useful in that they provide a sharing information about fraud, threats. In conclusion, I want to again highlight that we in DHS strive every day to enhance the security and resilience across cyberspace and for information technology enterprise. We accomplish using voluntary means. I truly appreciate the opportunity to speak with you today and look forward to your questions. Thank you. And that begins our questions with the end of your testimony. It is now the start of our questions. Each member has five minutes for questions. And I get to go first. Jan is second. So, Mr. Noonan. You had mentioned that part of Secret Service's job is to investigate when a breach has occurred like this. Is the Secret Service or are you involved in an investigation into what happened at both Target and Neiman Marcus and other entities? Yes, sir. So we are involved in the criminal investigation of the Target breach as well as the Neiman Marcus case. And so far what have you been able to find out that you can communicate to us? What we can determine at this point is that the criminal organizations that we are looking at and pursuing are highly technical sophisticated criminal organizations that study their targets and use sophisticated tools to be able to compromise those various systems. And the breach at Target and Neiman Marcus, we have read through the news reports, was from a sophisticated criminal entity, as you mentioned your investigation. Does your investigation also then go into how they exploited each of those major retailers' data? Yes, sir. And what did you find out? It is still an ongoing coordination, investigation in which we are working on right now.
However, we do know that the malware at this point in our investigation is not the same criminal tools being used at either one of those locations. So they are separate, distinct separate attacks? Yes, sir. By separate distinct different criminal organizations? We are working on that part right now, sir. Okay. In your investigations, do you assess whether each of the, say, Target and Neiman Marcus cyber standards or their cyber plans were adequate or inadequate or vulnerable? The Secret Service does a criminal investigation and again we are continuing to go after the criminal organization perpetrating these. Both Neiman Marcus and Target do use robust security plans in their protection of their environment. And it comes back to the criminal actors and going after the pot of gold or the whatever they can monetize. As good as security factors are, these criminal organizations are looking at ways to go around whatever security has been set up. These were very sophisticated coordinated events. It was not necessarily from a singular actor. It is a coordination of okay. Pieces that were used. Mr. Zellman, you also have... is your organization NCCIC, have you looked at or assessed the cyber security at the entities that have been hacked? Mr. Chairman, we have not. We have been working closely with the Secret Service on identifying the malware used in the incidents, doing the analysis and sharing that with our partners across both the public and private sector. I can tell you that the malware, as Bill has said, is incredibly sophisticated and could be challenging. What specifically makes it more sophisticated than what we have seen before? What we have seen in the development of the malware is not off the shelf type utilized. What makes the attacks unique is that the criminals are modifying and molding specific types of malware to fit whatever network or intrusion set they are going after. It was specifically designed for that, for Target?
For whichever and the other one specifically designed for Neiman Marcus. To get around the security platforms, yes, sir. That is interesting. In future prevention, how important is an ISAC? And would it help if there was a retailer-specific ISAC? Mr. Chairman, the ISACs have been critical in our ability to share information with the broadest communities possible. They are in all 16 critical infrastructure. Certain groups in aviation and transportation made ISACs that are a subset of the larger ISAC. I would be a proponent of having a retailer ISAC but it is for the retailers to decide if it is useful for them. We have been using the financial services in this case but we look forward, if the business community wants to go that way, we would work for them. And you would be the umbrella organization to help? These are public-private partnerships and DHS has worked with them for quite some time. A model we are accustomed to using. There may be a few people in the audience that doesn't know what an ISAC is. Tell what is the advantage and just quickly what it is? An information sharing and analysis centers are predominantly around the 16 critical infrastructures. Transportation, energy, finance, health, obviously a number of them, and allows us both in a public and private way to get out to thousands of companies and share information in both directions. So, it is a growing community but it allows us to get to the cyber security professionals and talk to the people that do the network defense and have a conversation with those experts on a very robust scale. Thank you. Now, it is my pleasure to recognize the Ranking Member of our subcommittee for five minutes. Let me just say to Mr. Zellman, I'm sure that the chairman would agree, we appreciate our visit to NCCIC that we did this week in preparation for the hearing and the impressive work that you are doing. I wanted to ask Attorney General Madigan a couple of questions.
You alluded to the Illinois law, the Personal Information Protection Act, that followed the ChoicePoint breach in 2005. I believe you were here talking about that as well. It was a different privacy matter. But that is really when all of the states started looking at it seriously. So our law in Illinois requires corporations, financial institutions, retail operators, government agencies, universities, other covered entities to discuss data breaches and the law says in the most expedient time possible and without unreasonable delay. How does your office determine what that is? First of all, in every circumstance we will look at what has taken place. But we are also going to be very cognizant of what that company or that entity needs to do in terms of ensuring that they have maintained the integrity of their system, put the security in place, and if there are ongoing law enforcement investigations we certainly don't want to compromise those and so we will wait in terms of requiring notification. But as we have learned over the years, and there are studies and reports out there that demonstrate it, the sooner an individual is notified that their information has been compromised, the less likely they are to actually face any sort of unauthorized charges or even a full account takeover, which will cost them a lot more money. So it is a case-by-case basis and obviously the sooner that we can make sure that consumers are notified, the better off everybody is in terms of the damage that is going to be done to them individually and the loss to the economy. So the language is kind of general, but you would make the decision on a case-by-case basis in terms of notification? Correct. We work with the companies to see where they are in the process once we are alerted to the fact that there has been a breach that has taken place.
And obviously we are always supportive of the work that the Secret Service and other law enforcement agencies are doing in terms of the criminal investigation. Really the investigation that we do are civil side to make sure that our law is actually... Have you found companies that have not used the most expedient time possible or unreasonable delay? We always look at it and there is always questions, particularly on the, really on any side, because I think there is a great concern that many companies legitimately have about the hit it is going to take to their public image if they have to reveal this. There have been times that we think people could move faster and we work with them to make sure that they actually get out that notice. We have not fined anybody for that. You mentioned a couple of times about preemption and I wanted to just ask you how important it is that Illinois, and I guess other states as well, maintain the right to require the disclosure of data breaches as quickly as possible and other enforcement mechanisms? I think probably every state official who would sit in front of you would say it is very important. Obviously over the last ten years the states have really been able to be, you know, as we like to say, and I think you also can appreciate, the laboratories of innovation. When we started seeing people coming to us because they have been victims of identity theft we needed to respond. And we needed to be able to respond to make sure that companies were actually going to be putting in place stronger security measures. So we... I want to ask you about that because the Illinois law doesn't explicitly require minimum standards of protection for personal data. And yet you cited that as a problem. Should... who should do that then?
You have a growing number of states that are actually putting the requirements in place in terms of security and I would have to say that looking back over the investigations that we have done into data breaches it is clear that that has to be done because there really is, you know, we like to talk about best practices in place. The reality is oftentimes doing the investigations we repeatedly see situations where information that is personal, sensitive, financial information is being maintained unencrypted. We have seen, you know, situations where literally the information is obtained because documentation with sensitive information is being thrown into a dumpster and people have gotten it out and used that for illicit purposes. There is a minimum standard and then I think that, as Chairman Ramirez did a nice job of explaining, on a case-by-case basis with companies, considering the types of information, the volume of information, the sensitivity of information, we have to have increasing standards required. My time is up, but I look forward to working with all of you to figure out what is the appropriate federal response. Congressional response. Thank you. I yield back. Thank you. And now recognize chairman emeritus Mr. Barton for five minutes. Thank you for holding this hearing. This is potentially very important because this is one of the few things that Republicans and Democrats both agree on is a problem and we may be able with your leadership to reach agreement on a solution. One of those rare days that something might actually happen as a result of the congressional hearing. I'm the co-chairman of the privacy caucus in the House along with Congresswoman Diana DeGette and most of the Republicans on this subcommittee are members. The gentle lady to my right is the chairwoman of a task force that Mr. Terry and Upton have put together on privacy. So we have got a lot of people here that are listening very closely to what you folks say.
My question is a general question. I start with the chairwoman of the Federal Trade Commission. Do you think it is possible to legislatively eliminate or at least severely restrict data theft? There is certainly no perfect solution to the issue but it is clear to me that congressional action is necessary. I think it would be helpful if there were a robust federal standard when it comes to data security as well as a robust standard when it comes to breach notification and I think it is time for Congress to act. Do the other members of the panel agree with that statement? Yes. You do? Good. I thought you might disagree actually. As long as you don't completely preempt us. Okay. Mr. Noonan and Mr. Zellman? The Secret Service believes any notification perhapses to law enforcement with jurisdiction would assist in the effort as well. Mr. Chairman, I will come from the operational side of the department and there are things that Congress could do that could be helpful as we work across the nation or across the globe. You know, strengthening the ability on information sharing. I will tell you it is often difficult to get sometimes companies to share information with us because there is no statutory basis and they tend to be on the conservative side. Promoting and establishing the adoption of cyber security standards would be very helpful. Codifying the authorities to help secure federal civilian agency networks and assist critical infrastructure and then data breach reporting. Those are just some of the things that would be helpful. Okay. The instance with Neiman Marcus and I believe with Target also occurred when a criminal came into their stores and used a credit card that infected their system at the point of purchase.
If we went to some sort of... well, is it possible with current technology to prevent that type of data theft? I see a lot of blank looks here. Just to clarify. The two breaches that we're talking about in Neiman Marcus were done by people infiltrating a network. I thought they came in with a card. No. So it's very difficult and again, these are very complex sophisticated criminals that did this, they inserted a malware code. Did it by penetrating the system by a computer link, not by giving a card. And our investigation is indicating it's from transnational criminals. From criminals outside the borders of the United States. Well, I would hope since everybody agreed that this is a problem and that the federal government should legislate, we can come up with the best practices set of recommendations, present to the committee and then let us massage it only the way we can. And we will try to move on something hopefully in this Congress. And with that, I'm going to yield 34 seconds to the chair. Thank you very much, Mr. Barton. The chair recognizes the dean of the Congress, Mr. Dingell of Michigan. Mr. Chairman, you are most courteous and I commend you for holding this important hearing. I think we can all agree that the breaches were tragic. We had a duty to protect the American consumers from events like this in the future. This committee and the House must act to pass data security and breach notification legislation. The administration has proposed similar legislation. Congress must act again and we must ensure that such legislation makes its way to the president's desk for signature. To that end, I'm most interested to hear any opinions of the FTC and what they may wish to share to us. All my questions this morning will be addressed to Chairman Ramirez. Now, chairman, in your written testimony, indicates that the commission enforces a variety of statutes such as Gramm-Leach-Bliley and Privacy Protection Act. Do any of these acts require an FTC
entity whose collection of personal identification has been breached to notify customers? Yes or no? No. That is needed, I assume? Yes. Absolutely. Now madam chairman, do any of these acts require notification of the Federal Trade Commission or law enforcement in general of such a breach, yes or no? No. Madam chairman, should the Congress enact a federal data security and breach notification law, yes or no? Yes. Madam chairman, under such laws, should FTC covered entities be exempted from breach notification requirements if they are already in compliance with GLBA and COPPA? Yes or no? No. Madam chairman, should such a law be administered by one federal agency or some kind of a collage of agencies? One agency. Now, I happen to think that should be the Federal Trade Commission because of its long expertise in these matters, do you agree? I would agree. Madam chairman, should the federal data security breach and notification law prescribe requirements for data security practices according to the reasonableness standard already employed at the commission, yes or no? Yes. Madam chairman, should that be expanded? Should that be expanded? Yes, I think there should be a robust federal standard. I will ask you to contribute for the record information on that view, if you please. I ask unanimous consent that that be inserted at the appropriate time. Without objection. Thank you, Mr. Chairman. Now madam chairman, should such a law address notification methods, content requirement and timeliness requirements, yes or no? Yes. Wouldn't work very well without it, would it? That's right. Madam chairman, in the event of a data breach should comprehensive strategy and breach notification law require companies to provide free credit monitoring services to the affected consumers for a time certain, yes or no? Yes, with limited exceptions. Do you have authority to do that now? No. Do you need it?
I think it would be appropriate to have the requirement with limited exceptions. Madam chairman, I note... let's ask this question, should violation of such law be treated as a violation of a Federal Trade Commission rule promulgated under the Federal Trade Commission Act, yes or no? Yes. Madam chairman, would you please submit some additional comments on that point for the record. Absolutely. Now madam chairman, should such a law be enforceable by states' attorney general? Yes. Madam chairman, should such law preempt state data breach and security laws? If the standards are robust enough. Would you submit some additional information on that point, please. Yes. Madam chairman, given advances in criminal ingenuity which seems to be moving at the speed of light, should any statutory definition of the term personal information included in a comprehensive federal data security and breach notification law be sufficiently broad so as to protect consumers best, yes or no? Yes. Thank you, madam chairman. Mr. Chairman, I want to thank you for your kindness to me this morning. I urge the committee to work with the Federal Trade Commission to draft and pass comprehensive data security and breach notification legislation. I believe this should be done in a bipartisan fashion and I think that the Democrats and the Republicans can work together for this purpose. Meanwhile, I would note such legislation is not a panacea for data theft and will ensure to reduce it and better protect consumers. I thank you, Mr. Chairman, for your courtesy to me, and I appreciate the holding of this hearing. Madam chairman, thank you for your courtesy. Well done, and actually entertaining. Mrs. Blackburn, you are recognized for five minutes. Thank you, Mr. Chairman, I appreciate that. Thank you all again. I think I want to start with you for a minute. You said in your testimony, never has the need for legislation been greater.
And so taking that statement, it could mean companies who suffered the breaches did not use reasonable measures to protect consumer data. So if that is your statement then, is the FTC involved in the forensic investigation regarding the Target, Adobe, the hotel chains, all of these breaches? I'm afraid I can't discuss any particular companies or discuss whether the FTC is involved in any particular investigation but let me explain what I meant by that statement. I meant it as a general statement reflecting what we are seeing in the marketplace and that is that companies continue to make very basic mistakes when it comes to data security and our role at the FTC is to protect consumers and ensure that companies take reasonable measures to protect consumer information. Let me stop you right there. So you're saying that not due to this group, but because of general... so you are basically reworking your testimony. It's not that these specific breaches shows that there has never been a greater need. You may want to submit a little bit of clarification there. Right now, I want to move on, three minutes and 14 seconds and five pages of questions. I would like for you to submit to us what is the reasonable standard. You have referenced this several different times but I have not seen a reasonableness standard in writing. So what are you referencing? We take a process-based approach to this question. Technology is changing rapidly. The threats that companies face are evolving very rapidly and the appropriate way to proceed is to focus on whether companies are looking very closely at the threats to which their businesses are exposed and whether they are setting reasonable security programs. If I may, it's a very fact-specific inquiry. I can appreciate that but I think to use that term repeatedly, what we need to know is what your definition of reasonableness would be. You know, we hear the chairman say, well, you're not doing this, you're not doing that.
How quickly do the cyber criminals' methods evolve? You have looked at this for a long time and you send out updates daily, weekly, monthly, how quickly is the evolution of this process? The evolution is incredibly fast and we are learning with each incident the complexity. They are moving quickly to very sophisticated and we are in a chase to keep up with them. Another thing, you testified that in a number of 50 data security cases settled by the FTC the companies failed to employ available cost-effective security measures to minimize or to reduce the data risk. So I want you to give us some examples of the kind of measures that the companies failed to use, because you hear how quickly this evolution is taking place. And the need for flexibility and nimbleness and then we hear you saying, you have to have a standard and got to do this. And we have taken these efforts in the 50 cases we have settled. For those of us looking at what legislation would look like, we have to realize that it's got to be nimble. You are saying you want something but you are not giving us specifics or examples of what you think people have failed to do. So I hope you're understanding, we have a little bit of a gap here. Go ahead. So let me just say that I think the approach that the FTC recommends for legislation is one of reasonableness. We think that's an appropriately flexible standard that will allow for nimble action and to give you an example. In our experience, companies continue to make simple mistakes when it comes to data security. We have data that corroborates that and that is the Verizon Data Breach Report that was referenced in opening remarks. Just to give you a few examples, this can span low-tech and high-tech mistakes, failures to use passwords or encrypt personal information, the failure to update security patches. These very basic mistakes that we encounter. So it is the consumer and not company failures? I'm referring to company failures. Thank you.
I yield back. Thank you and now recognize the gentleman from Vermont for his five minutes. Thank you, Mr. Chairman. The technology that we use is not the best, is that correct, Chairman Ramirez? As I understand, chip and PIN technology is what is now being used in Europe and it has better success in preventing fraud, is that right? We don't recommend any particular technology. It ought to be technology neutral. We certainly would support any steps that are taken at the payment card system and to protect or better protect consumer information. Are we still using 1970s-era magnetic strip technology? Is that your understanding? Yes, that is accurate. And so that puts us behind virtually every other country in the world in terms of the security of our payment systems. There is an ability on the part of the card issuers to upgrade the card technology to meet basically standards that are being employed in Europe, is that correct? That is correct. And when you look at the amount of fraud losses that these other countries where the chip and PIN technology is used, you can see their levels of fraud have decreased significantly, around 50%. So chip and PIN technology won't completely eliminate fraud and breaches, but it could curb the amount that we currently see. And what I see, Visa and MasterCard have announced a roadmap to chip and PIN cards. Do you think it would be a problem if they decided to abandon the PIN? People can change their PINs as they change passwords. You have front line responsibility to try to maintain the integrity of this system and it is important to our merchants, to our banks and to our consumers. Would you pull the microphone closely. The Secret Service doesn't have a metric to measure chip and PIN in the United States. But however the Secret Service supports any technology that would assist in the security of that particular data.
Is your understanding the same as the general, that technology, the chip and PIN technology deployed in Europe, has been much more successful in reducing fraud? It could give another level of security which makes it difficult for the criminals to get at that data. I'm not saying it's the solution, there is not a 100% solution, technological solution. But what it is, it's a better technology from the 1970s-era magnetic swipe card? It's a 30-year technology, sir. How about? I agree with the other panelists, but there are other challenges as well. People using their phones for payment. You are using your computer and laptop, so having that extra security on the cards itself would be helpful but we have to look at other things as well. Back to you, Chairwoman Ramirez, it would be good to have a standard but we can't pick winners and losers on technology, so what would be a concrete step that Congress could take that would be practical and effective in improving the status quo? Number one, Congress taking action alone would be a very important statement. But what we advocate is reasonableness standard being employed along the lines of what the FTC has in place with the safeguards rule and I would be happy to work with the committee on these issues and my staff is available to do that. We can as a legislative body prosecute, prescribe what the technology is, the industry has to figure that out. But on the other hand, you need flexibility if steps are taken or not taken that could be, that would enhance security for consumers and merchants. Flexibility is important and that is one of the reasons requesting that the FTC has rulemaking authority that would allow the agency to take into account evolution in changes when it comes to technology. Would this be helpful in the privacy breaches as well? These are monetary value but ending up with personal information, things that can be used in identity theft.
The better security, would it not only help with the economic loss but the identity theft? I'll ask you. Absolutely. What we see is when people's personal information is taken and frequently used to commit identity theft, but it can be used, not just financial identity theft but many other types of identity theft. I see my time is up. This is a great panel. Thank you for assembling it. Thank you and I recognize Mr. Lance, the vice chair. Thank you, Mr. Chairman. Recent Wall Street Journal reported that the software virus couldn't be detected by any known antivirus software, is that accurate? It is. And could you elaborate on that. Most of our detection systems use signatures, so they are known problems and there is a technical formula we put into a machine that says hey, you told me to look for this, and there are intrusion systems that prevent that malicious event getting to the end point. Looks like the criminals modified from what is a standard attack at point of sale in such a way that it was undetectable. You stated that the Secret Service has observed a marked increase in the quality, quantity cyber crimes targeting industry and critical infrastructure. Can you give us some examples of how these criminals and their tactics have evolved and I presume these criminals are not necessarily residents or citizens of the United States. Yes, sir. We are talking about a network of transnational cybercriminals. You know, over time, we could look back at data breaches at T.J. Maxx and Dave & Buster's and during that time they were attacking encrypted data, which is credit card payments. That got changed, in 2007, the focus instead of going to credit card processing companies, looking at ways to get at the same type of data but looking at it when it was unencrypted. Encrypted modification has been made through that system and information is encrypted.
Today we have seen the change now, they are looking at where the fence is and how to get around that fence. Where they are attacking now is at the point of sale piece. From the point of sale terminal to the back of the house server, that piece of string has not been encrypted. Madam chairwoman, you answered Representative Dingell's questions regarding preemption. I didn't understand your answers, my fault. Would you explain in a little more detail your views on preemption and I certainly in a robust democracy with protections both here in Washington and at state capitals and if you could just elaborate briefly on the preemption issue. Yes, I believe that preemption is appropriate but provided that the standard that is set is sufficiently strong and also provided that the states have concurrent ability to enforce. Concurrent ability. So this would not mean that the states would not have a significant responsibility in this very complicated and difficult issue. The states do tremendous work in this issue and vital to have them enforce the law. Attorney general, it's a pleasure to meet you, although I do not know you, the New Yorker magazine comes into our house all the time and your husband, brilliant cartoonist. In terms of preemption, I would concur with what the chairwoman has said as long as the federal legislation has strong enough standards and states retain the ability to enforce as we do in a number of areas already. We understand that it is potentially reasonable to say, OK, we are going to preempt you in a certain manner. In fact, back in 2005, Congress received a letter from the National Association of Attorneys General requesting notification laws be put in place at the national level and so as long as we still retain the ability to respond to our consumers and this is looked at in some ways potentially as a floor and not a ceiling, we understand your role. Thank you very much. Let me say, Mr.
Chairman, I believe that this committee will in a bipartisan capacity work on this issue, work to conclusion and this is the committee in the Congress that deals on these important nonpartisan or bipartisan issues and I have every confidence that we will meet the challenge working with the distinguished panel, working with the next panel and I look forward to being involved to the greatest extent possible. Thank you, Mr. Chairman. Thank you, I recognize the gentleman from Kentucky, Mr. Guthrie, for five minutes. Thank you, Mr. Chairman. I have a business background and I know that any time you have an issue with your customers, it takes a long time to build trust back up again and incentive for businesses to protect their data, but at the same time, I worked in a retail store when I was in high school. My grandfather had a grocery store. Everybody has to deal with data. Right incentives and right things in place to make sure that is protected. I want to talk to Agent Noonan, criminals' unauthorized access, are they not paying attention? No, sir, for law enforcement and for the Secret Service, result of a proactive approach to our law enforcement and we are gathering information and working with our private sector partners especially in the financial services sector when we are receiving data. What can occur, we can see a point of compromise where the retailer might not necessarily see compromised data out in the world. By looking at that data, we can go to that company and advise them that they have a leak. Now it doesn't necessarily mean it's that company but it could be their credit card processing company. It could be their bank, a host of other systems that are hooked into the main company. But it's a point for us to go to that potential victim and say look at your data and see if there is a problem.
Who typically notices the breach, law enforcement who may see these transactions or all of a sudden, one day retailer starts getting calls or credit card companies from their customers and saying these are charges that aren't mine and find out what's in common with these people. Do you find that as it's going through your monitoring or is it people reporting that they had something done to them or both? To answer your question, both. What is typical? I don't think there is a typical. But we work closely with the banking community. As they find those anomalies, obviously, they are getting calls from their consumers. They'll notice an anomaly. And we were out in the targeting different criminals and in targeting them, we are able to see different things that are happening in the criminal background and that is another effective tool that we have at our disposal to be proactive. Sometimes notification but you have to realize in law enforcement under that approach, sometimes we are stopping it from occurring. We might go to a potential victim company to allow them to know they have been compromised and in doing so, we stop the company from losing a single dollar. That is a very successful method in which law enforcement is a tool for consumers. They are out there in front looking for that type of behavior. I appreciate that effort. And you mentioned the mitigation capabilities were leveraged to coordinate systems to prevent these attacks. Probably the most important part of what we do, so it's not about finding the fires and putting them out but putting them out to begin with. This is another great example. These companies had a compromise. Our responsibility is to assist them and let the broader community know and see if it's on their systems to take it off and prevent it as well. You described a product that contains detailed technical analysis regarding recent point of sale attacks. Can you describe what are mitigation recommendations and who develops those?
We work with a cross section across the nation with the financial services sector and technical managers in the security services and canvass the nation as a whole and put out recommendations. In some cases, simple as changing your passwords. The other panelists were talking about that. If you use the routine hygiene of cyber space you are in using firewalls, restricting access. Some of these things are common sense, some of the things are new. But regardless, we want to get out as much information as we can. The place that I buy gas often has strips that say if it is rogan, please notify the key people at pay at the pump. One thing I want to point out, you say that no country, everybody has to be vigilant and nobody is impervious to cyber threats. Right? That would be correct. The gentleman's time is expired. I thank the chair and welcome the witnesses. Combining that information with my career, we are engaged in combat here. It is warfare. In combat, we get the lay of the battlefield. From the second panel, there are four separate phases of attacks. Access to data, propagation, aggregation for the big package, and exfiltration. It is important for the public sector to focus on the last step. The private sector had the first step. If we get there, we're closing the barn door after the cows have gotten out. Not an effective way to fight this battle. How can we be part of the public sector and help with all four phases of an attack? Not just exfiltration. Try to focus our efforts, getting at that first phase of the adversary's actions. We do not want to be the responders, we want to be the prevention mechanisms. Where we discover challenges are that they have already happened. I would like to highlight that our industrial control, we are doing experimentation. We work with the private sector very closely to see where the vulnerabilities are. We close those doors as we find them.
Just by having some doubt, there are future damages. The proactive approach is that we are information sharing. As we see different tactics and trends happening in these intrusions, we are taking that information and sharing it with our partners at the Electronic Crimes Task Force and the Secret Service set up. We are taking that information and pushing it. That means it is being pushed out to the sector. By observing the evidence and sharing what we are finding, we are better protecting the bigger infrastructure, if you will. Any comments? One of the things I would say in terms of the last two responses, from our perspective, there is an enormous amount of work that needs to be done to educate the public as to how to protect themselves. So many people have adopted technology so quickly, they are not necessarily putting in place to safeguard and monitoring accounts. This issue is a complex one that requires a multifaceted solution that includes companies taking appropriate and reasonable measures and consumers also being educated to protect information. And why I believe action is really needed today, these breaches remind us how important this issue is. This is truly critically important. I went to law school at the University of Texas, never practiced. Why did you announce publicly you are investigating Target but not Neiman Marcus? We announced both of them. Thank you. I don't think we are ready to move down this path. I am glad we are having this hearing. We sometimes react in ways that I think are inappropriate to the true challenge. Typically, we regulate when there is market failure. We don't think private actions can respond to a particular concern or threat. I understand the justification for notification. Why is it the case that the consumers can't figure out that if they are not happy with them, that they couldn't migrate some way. I do not believe the burden should be placed on consumers.
If you think it will be stolen, you can buy a home security system. We allow consumers to step in and decide if they want to pay 60, 200, or 1000 for their own security. I think consumers do have a role to play here. When you look back at the data that is available and is out there, it is also consistent with our experience. The Verizon Breach Report, an annual report that studies what is happening. Companies continue to make fundamental mistakes. They are not taking the reasonable and necessary steps. I appreciate that the report is there. I think we appreciate that. Do you have data that tells you how much people are prepared to pay for protection? Do you have an analysis? I can tell you that we have 26 million of fraudulent with accounts. Of the people we have had to work with, on average, they lost 762 in fraudulent accounts removed. I have not asked them how much they would like to pay. They feel as if they are having to pay the price simply for engaging in everyday activity. If we head down the path you are proposing that they ultimately won't pay for that, the cost will be borne by consumers? Might it not be an idea that we consider that they pay for that directly the vacancy those costs and respond appropriately as opposed to have them remove. I am not exactly sure the scheme you are trying to propose here. You are correct in the sense that if we are going to update credit card technology to adopt chips and PINs, they will pay an increased cost at retailers and fees at their banking institution. Consumers will pay and hopefully we will be able to improve security. Do you think there should be private rights of action associated with these rules? At this point, we have been able to handle these at the state level. Nearly every other country in the world is ahead of us? You don't mean Niger. There may be a few in Africa.
They're not taking the steps needed. I appreciate that. That is there. Consumers might not choose to pick Verizon is a direct result of that. Do you have data that tells you how much people are willing to pay for protection? Do you know how much they're willing to pay per incident? Do you have an analysis? You say the consumers are panicked and angered. Do you have data with respect to that? We have had 45,000 in charges taken from those accounts. On average these individuals 762 in fraudulent amounts removed.
I just came back from Europe and they think that we are doing pretty good. Our system may not be in as dire a situation as has been suggested this morning. Thank you, Mr. Chairman. I want to thank you folks for being here today. I am very concerned about the increase and sophistication of these cyber attacks. And just to get your opinion on it. How does the increasing level of collaboration among cyber criminals that you referenced increase the potential harm to companies and consumers? The collaboration, it just increases their capabilities. When we said there is collaboration between these groups, they are loosely affiliated organized criminal groups that are doing this. I used the analogy of Ocean's 11 of what this group and what the network does. They have groups that will do infiltration to gain access. They have other people that will design malware. It will go and map the different networks to figure out how to get through the networks. There is exfiltration of data that occurs. There is monetization. And there is money laundering. When you bring together a group of sophisticated criminals, they will find a way to get into the system. Are they stateside or overseas? The criminals we are looking at are transnational criminals. To what degree do we have the authority to go after those folks? Do you know of ongoing actions to shut them down? The Secret Service has a unique history of success in this area. We talk about the T.J. Maxx investigation as well as many others. In that investigation, we were successful. We arrested Albert Gonzalez. In the summer of 2012, we arrested two people responsible in the Netherlands. We were able to bring to justice Alexander in the Dave and Buster's case. And we were able to pick up three different Romanian hackers responsible for the Subway sandwich shop intrusions in 2008.
We brought them to justice where the main leader was sentenced to 15 years in prison. We have a rich history of being able to effectively identify who these targets are, have them arrested, and work with international partners. I think it comes back to the relationships we build internationally bringing these actors to justice. The most developed nations that have a high degree of sophistication in their networks, they are vulnerable to these things as well. How robust are our agreements with other nations to go after the criminals that might reside in their countries? We have agreements with numerous countries in Europe. We have been working successfully, very closely with the British in the Netherlands. We have working groups in the Ukraine and an office that we established in Estonia. It is through those relationships and the laws we are enforcing that we are able to gather some success. You testified that no country, industry or community or individual is immune to threat. Does this mean that no one can be impervious to cyber attacks? I think it is one of those challenges like trying to prevent automobile deaths. You can do a lot of things but people may still pass. Ultimately, I think there will be vulnerabilities that are exploited by very sophisticated actors. Thank each of you for being here. I know this is obviously an ongoing investigation, but do you have an early indication without revealing anything you should not as to how this might have been prevented? I think the important part here is that we know that this is a sophisticated criminal group.
Different companies, they had a plan. It is something that every company should also think of. They should potentially think when this happens to them. It brought back the information helping you find and mitigate the problem with law enforcement and share the information with government and the infrastructure to better protect the infrastructure is not necessarily a good plan. We would like to see companies have robust forensic companies assigned to them so that when an intrusion does happen, they can effectively mitigate it so there is no longer any bleeding. Additionally, counsel is important for them to have. Those are the important takeaways that we see in this case. Are you satisfied that the response has been satisfactory? Chairman Ramirez, if I may ask you a few questions. Is there overlap with the Safeguards Rule and the PCI Data Security Standards? And do the standards incorporate provisions of the Safeguards Rule or do they go beyond the Safeguards Rule? The way the FTC approaches its data security enforcement work, it is a reasonableness standard. We don't mandate or prescribe any specific standard or technology. But we think that as a matter of course, they should look to industry standards and best practices evaluating what they should have in place. Every case that we look at affects specific ones so I can't comment on hypotheticals. Companies should be looking to industry standards and looking very valuable. It would be one factor that we would examine looking at any matter. The companies did not have perfect security. It is unlikely that the company would be found to be compliant. A needed push to keep a federal standard enforcement because it is often impossible to find a violation of the standard? We will be looking at each situation in a specific way and we certainly understand that there are no perfect solutions. Security will not be perfect. We have many more investigations than we do enforcement cases.
How many have been brought for violations of the Safeguards Rule? Has industry compliance improved over time as industry becomes more familiar with it? Generally speaking, I am speaking broadly, we continue to see basic failures when it comes to data security. The data we have available suggests companies need to do more in this area. At this time, we recognize the gentleman from Florida for five minutes. I appreciate it very much. This is for the entire panel. Data often moves without respect to borders, as you know. Stronger law enforcement efforts worldwide can improve data security. In your testimony, you mention successful cooperation with law enforcement into these cyber crimes. Would you expand on what you believe Congress can do to enhance the international efforts going forward? A future trade discussion such as the Transatlantic Trade and Investment Partnership? I would recommend the continued support for our efforts in international field offices as well as working groups where they are placing strategically around the world. We had a lot of great success in some of those Eastern European countries within the last two years. We have had some great successes and an extradition of a Romanian citizen to the United States based on the collaboration that we've made here. The DOJ has also expanded in those countries. As well as the Office of International Affairs, they have helped us in strategically working with those different countries to bring criminals that are affecting us here to justice. My organization is neither law enforcement nor intelligence. We are a civilian organization and we have a relationship with 200 around the world. It is a technical exchange. I was in Tel Aviv and London. It was interesting to see our counterparts making extraordinary progress. We are leading the way in government's role of cyber security. Many of these threats are coming from overseas. Many come from within our own countries.
It would be better if we can engage with our international partners and use their legal means to go after these threats. And provide the ability to cooperate with us. If they had the legal ability. Just briefly, if I may. I believe the international cooperation is an important dimension. We engage with international counterparts in all of the enforcement work that we do. This would be among them. The next question for Chairwoman Ramirez. I represent the 12th congressional district. While more and more seniors are becoming technologically adept, how would you recommend notifying seniors of a data breach in a timely manner if they are not reachable by email? I think it is an issue we are happy to work with you on. Seniors are becoming more adept at email but if it is not an option, mail notification would be appropriate. We are happy to work with the committee. We have recently held a workshop on issues related to senior ID theft and understand that this population can be particularly vulnerable. It might be one option and there would be other ideas that we would be happy to discuss with you. I would be happy to work with you on that. The gentleman from West Virginia is recognized for five minutes. I think we are going to have to go through a lot of the information that has been shared today. I think we've got something we can chew on for a little bit. I want to understand a little bit of what is happening with data security and the Affordable Care Act, if I could. If you could participate with this, maybe you can help me. It was reported there were 32 security incidents that have occurred with Obamacare. Were the individuals notified? I am not familiar with that. If you would get back to us, please. Do you know anything about those breaches? I do not have any knowledge of those breaches right now. Given the standard that we have imposed on the private sector, should individuals be notified if there are breaches within the federal system?
Yes, breaches should be reported and people should have the opportunity to know about that and take the adequate precautions. I concur as well. There is also a report that came out that some of the software that was developed for Obamacare was developed in Belarus. There are reports that there might be some concern for malware being included in that. Where are we in that evaluation? People are still signing up and we may have something that is contaminating our system. Can any of you share with us what is going on internationally? Things may have changed but the intelligence product on that report has been withdrawn and is being reevaluated. There is no evidence that there has been any software development in the HHS. They are looking carefully and verifying that. It may have been someone. It is a report that is being evaluated. If there is something you can share with us. HHS is looking at it closely. I can't see your name tag from here. In our law, there is a requirement that state agencies notify individuals when their personal information has been compromised. Do you use some kind of encryption extensively? Has the state of Illinois ever had a data breach? Agency needs to notify individuals when their personal information has been compromised. Do you use some kind of extensive encryption for your data? Different agencies handle it different ways. They are all required, in terms of how data is handled. Thank you very much. For yielding back. No other members are here. That is the end of panel number one. I do want to follow up. In the talk about the criminal syndicate, there was a story that there was an 18-year-old Russian boy that developed this malware in his basement. Is that accurate? Do not believe everything you see in the media, please. I have learned that. Thank you. The first panel is dismissed. Thank you. We may have questions submitted to you in the next 14 days, if there are any. We would appreciate a 14 day turnaround for answers.
Thank you. We will give a few minutes' break here so that we can get some water or something. Then we will be ready for our panel. [captioning performed by national captioning institute] [captions copyright national cable satellite corp. 2014] McCaul talked about security at the Winter Olympics in Russia. And the possibility of a terror attack there. His remarks are from Fox News Sunday. Listen. This particular Olympics, I have never seen a greater threat. When we olympics was had those threat warnings. We have already had two suicide bombers go up outside the Olympic Village in December. The train station and the bus station, it is really the soft targets outside. What poses the greatest damage, or threat, if you will, in my judgment, is the proximity and location of where these games are being held. They are being held dead center in the middle of what was a historic battleground between Russia and the Chechen rebels that has now spun off into a radical Islamic group. The leader of the Chechen rebels is calling for attacks on the Olympics, attacks on civilians, including women and children. The leader of the outside is reinforcing that threat. That is a whole new ballgame. These Olympics are very different. There is a high degree of probability that something, something is going to detonate. Something is going to go off. It is most likely to happen outside the ring of steel. I have to pick up on this. You are saying that as the chairman of the House Homeland Security that there is a high probability that there will be some sort of explosion outside the ring of steel? Talking about an area of the world where suicide bombers go off all the time. C-SPAN Radio rebroadcasts Sunday morning talk shows in their entirety. Underway now, you can tune in and listen every Sunday, starting at noon. Earlier today we heard about global threat to the U.S. This is about 50 minutes.
Host: We want to welcome back the former governor of Pennsylvania and first Homeland Security secretary, Tom Ridge. Let me begin with the headline from the New York Times. I want to read a portion of what David E. Sanger and Eric Schmitt wrote. I guess the operative word might be disturbing and potentially preventable. Those who are into attacks, they were commercially available tools and one would have thought several years after WikiLeaks that the notion that those tools would be available to hack into the NSA's treasure trove of information would somehow be prevented. I will let them explain why they didn't take fairly basic fundamental protection against attackers using commercially available tools. The new FBI director sat down with reporters. Your name came up in the conversation. You have written extensively about the fact that a lot of silos were in place that allowed information to stay in place. He said it is getting better but it is not perfect. Why have we not perfected this problem? Guest: I am grateful for his candor. There's still institutional resistance within agencies. I think sometimes information is overly classified. Folks will put secret or top secret on it so they do not have to share. There can't possibly be anything not worth disclosing. One of the challenges right after 9/11, we go from the need to know cold war mentality to the post 9/11 need to share mentality. It is about trust.
We still don't have the elemental trust necessary in the federal government. That is the governors and state police and mayors and local police. Last week in a conversation for C-SPAN Radio, asked about the operation in Sochi, Russia. Here is what he said. Putin has a desperate and has age medicine ego. There has been more communication. We have close to 10,000 Americans. We are really focused on our athletes, the security with our athletes, and I think they should be protected. Intelligence is the best defense against terrorism. We can communicate anything we see or hear. Intelligence is relevant to protecting people's lives. Are you saying he is not doing enough? I say he is doing some. Host: Can you go any further? Guest: He has more timely and accurate information than I do. After 9/11 you have six months later, five months later the United States is hosting the world. We have five to six months to prepare for the new threat of al Qaeda and the like. Russia has had seven years to prepare for the indigenous threat they have from the north Caucasus. And yet it seems over the past couple of years the conversations I've had with people they have been reluctant to share. The broader community acted in concert. We are doing and anxious and critical time. Not only in our history but American history as well. I don't think Putin has been very forthcoming.
At the end of it, at the epicenter of dealing with terrorist information, you cannot pretend to know or pretend to think that the information you need as the leader of the nation state gives you total situational awareness. You are much better served if you just share the information and seek information from friend and foe. At the end of the day any leader would presumably want to make sure that particularly with light of those challenges. One would think you'd be forthcoming. Host: Is it good to host these games in an area known for terrorism in the past couple of years? Guest: They make their decision for a number of reasons. There may have been a thought, a change when they made the decision seven years ago. If that was one of the justifications it certainly went in the other direction. Everyone knew there had been a horrible poodle five-year war. Everyone knew that it will be 300 or 400 miles away. Regardless of that, they chose to give it to pretend to make sure it is safe and secure. You write competitive intelligence should always be encouraged. One of the differences between our two departments came to the attention of the White House. Can you explain? Guest: Competitive intelligence is a term that I learned once I got into the Department of Homeland Security. You have the different sets of eyes looking at the same information. From time to time, based on the experience and assessment, they draw different conclusions. It is a very healthy he took a look at it and compared it with the assessment we were getting from the CIA. His assessment was different.
This is a couple of days before President Bush ashley to it down and it turns out competitive intelligence modified the initial assessment. Host: Our guest is Tom Ridge, who served in the first four years of the administration. We will be talking about Sochi and the security there. There is another hearing scheduled this week. This is from John Brennan and was asked about groups affiliated with al Qaeda. [video clip] There are three groups of particular concern. It is the latter two that are most dedicated to the terrorist agenda. We are concerned about the use of Syrian territory by the al Qaeda organization to recruit individuals and develop the capability to not just carry out attacks inside of Syria but use Syria as a launching pad. It is those elements that I am concerned about. Especially the ability of these groups to be able to attract individuals from other countries, both from the West and throughout the Middle East and Asia. Do you believe there are training camps that have been established on either side of the Iraqi or Syrian border for the purposes of training al Qaeda operatives? There are camps inside both Iraq and Syria that are used by al Qaeda to develop applicable capabilities. Host: You coined the phrase, whack a mole, you stop the terrorists in one part and they pop up somewhere else. Guest: You can add that to the list of formal affiliations. You can add Somalia, Yemen, West Africa, there is an emerging group in Libya. These are known affiliated there is a formal network and I think he identified a couple of the countries. There is a loose network of semi-affiliated groups in those five or six countries. Not only in those in virtual countries but more globally. Host: Kyle is joining us, Republican line, Alder Creek, New York. Caller: Thank you for letting me join the conversation. I just hope he will let me get my question out.
Several tons of small spears of molten iron were found near the World Trade Center. Independent scientists found it had the same composition as thermite. What congressional basis to investors have in failing to test for the presence of incendiaries or explosives years after 9/11? Guest: My answer would be that if there is a notion that there was a conspiracy, I would reject the completely. Host: I want to ask you about this headline from the Wall Street Journal. The NSA only gets 20% of phone records. Does this figure surprise you? Guest: Yes and no. When they start using percentages it is still somewhat unclear, a percentage of what. I think one of the challenges the administration has is that the relationship of the intelligence community and the NSA and how they go about accessing information, the extent of that access is still very unclear. One of the challenges associated with these recent revelations is there still has not been a statement by the White House about how frequently they gain access. I am troubled by the fact that they have access to legal records and phone records. Notwithstanding the fact they don't have the content. The White House has not been transparent about the entire program. Host: This story talks about the fact that he worked for Booz Allen Hamilton holding. That was one of the reasons why the government was not able to track what he was doing, the so-called scraping of information that is now the subject of a new book and partnership with the New York Times and the Guardian. The fact he was a subcontractor does not justify the kind of precautionary measures that any commercial or government agency needs to take to ensure that the information, be it proprietary or government sensitive, is protected from commercially available software. There aren't countermeasures in place that could have detected that kind of conduct or activity. Host: Our next caller is on. Good morning.
Caller: Let me thank Governor Ridge for his services and all the great work he has done. How much is the lack of confidence to get things changed or approved or updated and responsible for some of the security lapses we have? We keep hearing about how computers are outdated. What is Mr. Ridge's take on what can be done to improve the technological capability? Guest: It has application not just in the IT world but the broader world of the operation of the federal government. When you think back to the capabilities that we have in the private sector and corporate sector, the notion that it is very difficult I don't care if it was in the IT area, logistics, or anything else. Clearly there is a challenge for procurement reform. President Roosevelt had a lot of individuals helping to run the war and deal with the many, many challenges associated with World War II. But see the Congress of the United States that always regulates to the aberrant behavior. It is very difficult to attract people from the private sector. They could probably have dealt of the website of Obamacare. Most of the people try to work hard. It is a minor matter compared to the need to integrate IT give ability of the government. An investment is not particularly or politically important. We need several billion dollars to reform our IT system dramatically and bring it up to speed. Then and only then might there be some significant change. It will be every agency trying to do their own thing. No overall strategic plan to develop an integrated system. Until we have those changes more expertise from outside government and more revenue will continue. Unfortunately we will have more and more of this kind of story. Host: The situation is different from the 1960s. Gone back to the comments of the CIA director, how much of a tinderbox is this? Guest: There are a lot of challenges with Syria and getting the world engaged.
One of the challenges has been the moral ambiguity with which this country has taken a look, the moral ambiguity around the notion that we are going to be upset and will take action if you use chemical weapons, which an unintended consequence. One could interpret that as we could use whatever weapons we want to do with the rebels. By the way, there are hundreds of thousands of casualties, let alone deaths. You start with moral ambiguity. There were lots of opportunities years ago when there were just two rebel groups, which I believe our intelligence community and several members on the Hill had some confidence. We could've been much more helpful in terms of arms and munitions. I frankly don't think that these negotiations are going to go very far. Host: Jeh Johnson talked about Syria on Friday. Here's a portion of what he said in Washington. We will go next to Cindy. We will get to Jeh Johnson in a moment. We will go to Cindy. Caller: I am concerned it is a no-win situation if the security situation arises. The rest of the world might suspect we are behind it as punishment for Russia allowing Snowden to stay there temporarily. Guest: A good comment. Syria is fascinating to me with the material that I read. The country that is as involved in Syria as Russia happens to be Iran. In the discussion of how we deal with Syria, it seems nobody at all raises the basic question is the Iranian involvement. Moral ambiguity around you can kill as many people as you want but just don't use chemical weapons. At the same time we enter into negotiations with Syria and we say to them we will give you over 4 billion but you have to promise not to enrich uranium at a higher level. Basically what it says to me is that the rest of the world takes a look at our situation with Syria and Iran and says America has declared hands-off. I think that is a mistake.
It is difficult to rally the rest of the world behind something other than Geneva talks if you have projected basic indifference to the whole that situation. Host: Let me get your reaction to Jeh Johnson at the Wilson Center on Friday. [video clip] I return from Poland where the attorney general and I met with my six counterparts from the U.K., France, Germany, Italy and Poland. Syria was the number one topic of conversation for them and for us. Syria has become a matter of homeland security. DHS, the FBI, and the intelligence community will continue to work closely to identify those foreign fighters that were present a threat to the homeland. Host: How do you identify those individuals? Guest: We will be relying perhaps on the rebels that we didn't trust you will of years ago to arm and we trust not to get some information. There may be some third-party information that we secure. At the end of the day I think the secretary is right as John Brennan has said. This is now become a training ground for al Qaeda. It is a globalization of their capability. I'm not sure there is an immediate threat to the United States. If they have a safe haven to train and arm and from which they can move around the globe to spread terrorism, it is just another venue for them. At the end of the day, even if you secure the information, what are we going to do about it? I understand what he's trying to do. It is necessary we try to identify them. We haven't had a major attack on the homeland since 9/11. How big of a concern is that when you have the Tsarnaev brothers, one facing the death penalty? We heard from the Justice Department. How big of a threat are these isolated incidents? These are just two brothers in communication with each other in no other network. Guest: Obviously they were converted along the way. It hadn't been turned to jihadist at the time.
I do think that one off, the lone wolf, the individual or small group of individuals who have been pulled in and acknowledged, I think that is one of the two major challenges the rest of the world are sadly the United States is going have to endure it. Furthermore the threat of global terrorism is something that should be on the minds of just about every leader of every country. The second global threats are these cyber attacks. The 21st century should look forward to centuries ahead. I think we're still going to be dealing with these phenomenon on a permanent basis. Host: Our guests spent four years in Congress before being reelected as governor. 12 years in commerce before being elected as Pennsylvania governor. He was a senior advisor and later the Homeland Security secretary in the Bush administration. Republican line from New Mexico. Good morning. Caller: Thank you for taking my call. The reason I call is when Mr. Ridge said that the NSA is collecting the data on where phone calls come from, I really believe they are taping and making a record of tweets and all that nonsense. They are actually taking this phone call right now. President Obama was asked by a reporter a while back whether he had anybody is listening to our phone calls and he said, no they are not. I believe they are not. I believe they are taping them so they can go back and listen to them later. You have to watch every word Clinton said. Guest: I'm going to take the president at his word. I know some of the people involved in the intelligence community. The metadata they have is just the notion that my number is connected with yours and they are not taping that conversation. As far as that goes, until demonstrated otherwise, I am comfortable with that being the arrangement the NSA has made. The question becomes, the broader question, whether or not the federal government should be doing it at all.
It would still be worthy of public scrutiny and debate and it is something we will have to pay attention to again forever more due to the flow of electrons, basically involved in every social, political, economic, and personal thing we do. But there needs to be continued public scrutiny and discussion. It is not even a balance, about private liberty. Host: Now available at a university of Pennsylvania. For those who want to look at what you did, what can they find? Guest: Well, in my hometown, it was kind enough to allow me to archive my record as governor. He loved my job. And time as assistant to the president. We go through hardworking people however historians choose to examine during the course of my time as governor. I am grateful to the university for accepting the responsibility and I look forward to working to make sure it is as open and complete as possible. Host: Any surprises? Guest: I wrote one book, but I always said to my friends, there are two books that could be written. Host: We will go to Anna in Florida. Caller: Good morning. President Obama has done more to secure our borders than the Bush administration ever did. After we were attacked on 9/11, a competent president would have immediately secured open borders. National security 101. But the Bush administration did nothing, even after the 9/11 Commission Report had warned about al Qaeda being very interested in our open borders. Homeland security was so underfunded, illegals are being let go at our borders. Guest: You are right in part and I want to correct you in part. Under President Bush, there was a massive infusion of additional dollars for more Border Patrol agent. That number has continued to grow under President Obama. The notion that President Bush knew anything about the southern border is generally false. It is frustrating for the administration and take other for the board of protection. We had a program, catch and release.
If you are a fisherman, you can appreciate the term. They did not have the capabilities building over the past several years. At the end of the day, it speaks to a bigger question nobody in this town wants to discuss. The broader implications of having an overall comprehensive immigration plan and, one of these days, we will find leadership on the Hill where we decide we're not going to extradite a 11 million people. We will figure out a way to legitimize. We will build up a system to protect employers and employees and get on with it instead of political football kicking around Washington, D.C., as we have done for the past 10 years. Host: Can you give insight as to how the national security briefing occurs? It is something the president gets seven days a week and how the various apartments and agencies gather the information overnight and what the president gets daily? Guest: The first couple of years I served President Bush, the whole notion of intelligence gathering and analysis was elevated to a level unheard of before. Cooperation and to medication between United States and law enforcement intelligence agencies was secured at the highest possible level. People never appreciate about President Bush and the intelligence community is it is a constant turning. 24/7. Sometimes we are data rich and knowledge poor. A lot of information, but how do you sort through it? This pattern of activity, we wait outside the Oval Office every day during my tenure as secretary of Home Security. When the president concluded his briefing from George down, running the CIA, with Vice President Bush and the national security advisor, they would go in. President Bush himself was focused in the vice president focused for that time every single day on a potential attack either against the United States or our interest overseas. Notwithstanding the broader goal about the relationship with the rest of the world. I have a sense that is not quite the same focus.
I do not think the secretary any president can do what they want. During my tenure, President Bush and Vice President Cheney were focused on it every day. Host: Let me go back in your book. You talk about information and what you know and do not know. You say, there is a cautionary expression that surfaces occasionally during Oval Office or situation room briefings. Guest: The intelligence community is charged with framing a huge picture. One of those monster jigsaw puzzles. People do not appreciate the complexity and sophistication of how difficult it is. Different languages and different sources. You have to know whether it is credible and corroborated. The first time I heard someone say that, I thought, what does that mean? It is a statement of fact. You can deal with the present or the secretary of Homeland Security or whether the prime minister whatever it is