Environments. The NCCIC is comprised of four branches: the United States Computer Emergency Readiness Team (US-CERT), the Industrial Control Systems Cyber Emergency Response Team, the National Coordinating Center for Communications, and an integration component. In response to the recent retailer compromises, the NCCIC and US-CERT, whose mission focuses specifically on computer network defense (prevention, protection, mitigation, response and recovery activities), have published technical and nontechnical products improving the ability of organizations and individuals to reduce that risk. When appropriate, all NCCIC components have onsite response capabilities to assist at facilities. In addition, US-CERT's global partnerships allowed the team to work directly with analysts from across international borders to develop a comprehensive picture of malicious cyber activity and mitigation options, using structured threat information. In the recent point-of-sale incidents, we analyzed malware and used the findings in part to create a number of information sharing products. The first product, which is publicly available and can be found on the US-CERT website, provides a nontechnical overview of the risk to point-of-sale systems along with recommendations for how businesses and individuals can protect themselves and mitigate losses in the event an incident has already occurred. Other products have been more limited in distribution in that they are meant for cyber security professionals: they provide detailed technical analysis and mitigation recommendations to better enable experts to protect, discover, respond and recover from these events. As a matter of strategic intent, the goal is always to share information as broadly as possible, which includes delivering products tailored to specific audiences. These efforts ensure that actual details are shared with the appropriate partners so they can protect themselves, their families, businesses and organizations quickly and accurately.
In the case of the point-of-sale compromises, the Financial Services Information Sharing and Analysis Center, in particular the FS-ISAC Payment Processing Information Sharing Council, has been used as a vehicle for sharing information about fraud and threats. In conclusion, I want to again highlight that we in DHS strive every day to enhance the security and resilience across cyberspace and of our information technology enterprise. We accomplish this using voluntary means. I truly appreciate the opportunity to speak with you today and look forward to your questions. Thank you. And that begins our questions, with the end of your testimony. It is now the start of our questions. Each member has five minutes for questions, and I get to go first. Jan is second. So, Mr. Noonan, you had mentioned that part of the Secret Service's job is to investigate when a breach has occurred like this. Is the Secret Service, or are you, involved in an investigation into what happened at both Target and Neiman Marcus and other entities? Yes, sir. We are involved in the criminal investigation of the Target breach as well as the Neiman Marcus case. And so far, what have you been able to find out that you can communicate to us? What we can determine at this point is that the criminal organizations that we are looking at and pursuing are highly technical, sophisticated criminal organizations that study their targets and use sophisticated tools to be able to compromise those various systems. And the breach at Target and Neiman Marcus, we have read through the news reports, was from a sophisticated criminal entity, as you mentioned in your investigation. Does your investigation also then go into how they exploited each of those major retailers' data? Yes, sir. And what did you find out? It is still an ongoing, coordinated investigation which we are working on right now.
However, we do know that the malware, at this point in our investigation, is not the same criminal tool being used at either one of those locations. So they are separate, distinct, separate attacks? Yes, sir. By separate, distinct, different criminal organizations? We are working on that part right now, sir. Okay. In your investigations, do you assess whether each of the, say, Target and Neiman Marcus cyber standards or their cyber plans were adequate or inadequate or vulnerable? The Secret Service does a criminal investigation, and again, we are continuing to go after the criminal organizations perpetrating these. Both Neiman Marcus and Target do use robust security plans in their protection of their environment. And it comes back to the criminal actors going after the pot of gold, or whatever they can monetize. As good as security factors are, these criminal organizations are looking at ways to go around whatever security has been set up. These were very sophisticated, coordinated events. It was not necessarily from a singular actor; it is a coordination of pieces that were used. Okay. Mr. Zelvin, you also have... is your organization, the NCCIC, have you looked at or assessed the cyber security at the entities that have been hacked? Mr. Chairman, we have not. We have been working closely with the Secret Service on identifying the malware used in the incidents, doing the analysis and sharing that with our partners across both the public and private sector. I can tell you that the malware, as Bill has said, is incredibly sophisticated and could be challenging. What specifically makes it more sophisticated than what we have seen before? What we have seen in the development of the malware is that it is not off-the-shelf type malware being utilized. What makes the attacks unique is that the criminals are modifying and molding specific types of malware to fit whatever network or intrusion set they are going after. It was specifically designed for that, for Target?
For whichever, and the other one specifically designed for Neiman Marcus, to get around the security platforms, yes, sir. That is interesting. In future prevention, how important is an ISAC? And would it help if there was a retailer-specific ISAC? Mr. Chairman, the ISACs have been critical in our ability to share information with the broadest communities possible. They are in all 16 critical infrastructure sectors. Certain groups in aviation and transportation have made ISACs that are a subset of the larger ISAC. I would be a proponent of having a retailer ISAC, but it is for the retailers to decide if it is useful for them. We have been using the financial services one in this case, but we look forward, if the business community wants to go that way, to working with them. And you would be the umbrella organization to help? These are public-private partnerships, and DHS has worked with them for quite some time. It is a model we are accustomed to using. There may be a few people in the audience that don't know what an ISAC is. Tell us what the advantage is, and just quickly, what it is? Information Sharing and Analysis Centers are predominantly organized around the 16 critical infrastructures: transportation, energy, finance, health, obviously a number of them. It allows us, both in a public and private way, to get out to thousands of companies and share information in both directions. So it is a growing community, but it allows us to get to the cyber security professionals and talk to the people that do the network defense and have a conversation with those experts on a very robust scale. Thank you. Now, it is my pleasure to recognize the ranking member of our subcommittee for five minutes. Let me just say to Mr. Zelvin, I'm sure that the chairman would agree, we appreciate our visit to the NCCIC that we did this week in preparation for the hearing and the impressive work that you are doing. I wanted to ask Attorney General Madigan a couple of questions.
You alluded to the Illinois law, the Personal Information Protection Act, that followed the ChoicePoint breach in 2005. I believe you were here talking about that as well. It was a different privacy matter, but that is really when all of the states started looking at it seriously. So our law in Illinois requires corporations, financial institutions, retail operators, government agencies, universities and other covered entities to disclose data breaches, and the law says in the most expedient time possible and without unreasonable delay. How does your office determine what that is? First of all, in every circumstance we will look at what has taken place. But we are also going to be very cognizant of what that company or that entity needs to do in terms of ensuring that they have maintained the integrity of their system and put the security in place, and if there are ongoing law enforcement investigations we certainly don't want to compromise those, and so we will wait in terms of requiring notification. But as we have learned over the years, and there are studies and reports out there that demonstrate it, the sooner an individual is notified that their information has been compromised, the less likely they are to actually face any sort of unauthorized charges or even a full account takeover, which will cost them a lot more money. So it is a case-by-case basis, and obviously the sooner that we can make sure that consumers are notified, the better off everybody is in terms of the damage that is going to be done to them individually and the loss to the economy. So the language is kind of general, but you would make the decision on a case-by-case basis in terms of notification? Correct. We work with the companies to see where they are in the process once we are alerted to the fact that there has been a breach that has taken place.
And obviously we are always supportive of the work that the Secret Service and other law enforcement agencies are doing in terms of the criminal investigation; really, the investigations that we do are on the civil side, to make sure that our law is actually... Have you found companies that have not used the most expedient time possible, or unreasonable delay? We always look at it, and there are always questions, particularly, really, on any side, because I think there is a great concern that many companies legitimately have about the hit it is going to take to their public image if they have to reveal this. There have been times that we think people could move faster, and we work with them to make sure that they actually get out that notice. We have not fined anybody for that. You mentioned a couple of times preemption, and I wanted to just ask you how important it is that Illinois, and I guess other states as well, maintain the right to require the disclosure of data breaches as quickly as possible, and other enforcement mechanisms? I think probably every state official who would sit in front of you would say it is very important. Obviously over the last ten years the states have really been able to be, you know, as we like to say, and I think you also can appreciate, the laboratories of innovation. When we started seeing people coming to us because they have been victims of identity theft, we needed to respond. And we needed to be able to respond to make sure that companies were actually going to be putting in place stronger security measures. So we... I want to ask you about that, because the Illinois law doesn't explicitly require minimum standards of protection for personal data. And yet you cited that as a problem. Should... who should do that then?
You have a growing number of states that are actually putting the requirements in place in terms of security, and I would have to say that, looking back over the investigations that we have done into data breaches, it is clear that that has to be done, because there really is, you know, we like to talk about best practices in place. The reality is, oftentimes doing the investigations, we repeatedly see situations where information that is personal, sensitive, financial information is being maintained unencrypted. We have seen, you know, situations where literally the information is obtained because documentation with sensitive information is being thrown into a dumpster and people have gotten it out and used that for illicit purposes. There is a minimum standard, and then I think that, as Chairman Ramirez did a nice job of explaining, on a case-by-case basis with companies, considering the types of information, the volume of information, the sensitivity of information, we have to have increasing standards required. My time is up, but I look forward to working with all of you to figure out what is the appropriate federal response, congressional response. Thank you. I yield back. Thank you. And now I recognize Chairman Emeritus Mr. Barton for five minutes. Thank you for holding this hearing. It is potentially very important, because this is one of the few things that Republicans and Democrats both agree on is a problem, and we may be able, with your leadership, to reach agreement on a solution. One of those rare days that something might actually happen as a result of a congressional hearing. I'm the co-chairman of the Privacy Caucus in the House along with Congresswoman Diana DeGette, and most of the Republicans on this subcommittee are members. The gentlelady to my right is the chairwoman of a task force that Mr. Terry and Mr. Upton have put together on privacy. So we have got a lot of people here that are listening very closely to what you folks say.
My question is a general question. I start with the chairwoman of the Federal Trade Commission. Do you think it is possible to legislatively eliminate or at least severely restrict data theft? There is certainly no perfect solution to the issue, but it is clear to me that congressional action is necessary. I think it would be helpful if there were a robust federal standard when it comes to data security as well as a robust standard when it comes to breach notification, and I think it is time for Congress to act. Do the other members of the panel agree with that statement? Yes. You do? Good. I thought you might disagree, actually. As long as you don't completely preempt us. Okay. Mr. Noonan and Mr. Zelvin? The Secret Service believes any notification, perhaps to law enforcement with jurisdiction, would assist in the effort as well. Mr. Chairman, I will come from the operational side of the department, and there are things that Congress could do that could be helpful as we work across the nation or across the globe. You know, strengthening the ability on information sharing. I will tell you it is often difficult to get companies to share information with us because there is no statutory basis, and they tend to be on the conservative side. Promoting and establishing the adoption of cyber security standards would be very helpful. Codifying the authorities to help secure federal civilian agency networks and assist critical infrastructure, and then data breach reporting. Those are just some of the things that would be helpful. Okay. The instance with Neiman Marcus, and I believe with Target also, occurred when a criminal came into their stores and used a credit card that infected their system at the point of purchase.
If we went to some sort of... well, is it possible with current technology to prevent that type of data theft? I see a lot of blank looks here. Just to clarify, the two breaches that we are talking about, in Neiman Marcus, were done by people infiltrating a network. I thought they came in with a card. No. So it's very difficult, and again, these are very complex, sophisticated criminals that did this; they inserted malware code. They did it by penetrating the system by a computer link, not by giving a card. And our investigation is indicating it's from transnational criminals, from criminals outside the borders of the United States. Well, I would hope, since everybody agreed that this is a problem and that the federal government should legislate, we can come up with a best-practices set of recommendations, present it to the committee, and then let us massage it only the way we can. And we will try to move on something, hopefully in this Congress. And with that, I'm going to yield 34 seconds to the chair. Thank you very much, Mr. Barton. The chair recognizes the dean of the Congress, Mr. Dingell of Michigan. Mr. Chairman, you are most courteous, and I commend you for holding this important hearing. I think we can all agree that the breaches were tragic. We have a duty to protect American consumers from events like this in the future. This committee and the House must act to pass data security and breach notification legislation. The administration has proposed similar legislation. Congress must act again, and we must ensure that such legislation makes its way to the president's desk for signature. To that end, I'm most interested to hear any opinions of the FTC and what they may wish to share with us. All my questions this morning will be addressed to Chairman Ramirez. Now, Chairman, in your written tes