I know of two banks that have a combined cyber security budget of $1.2 billion. DHS is about $900,000,000, 75% of what two banks are spending by themselves. Cybercrime costs our nation [inaudible] dollars a year. We are successfully prosecuting maybe 1% of cyber criminals. We need to spend more.

Two, government needs to act with greater urgency. It took Congress two years, sorry, six years to pass a sharing bill. In 2009 we presented Congress with detailed recommendations on cyber security. In 2011, the House GOP task force embraced the recommendations, but four years after the House report, we still have not seen any substantial work on the top recommendation of that report or the executive orders. For example, the GOP task force report and the executive order all call for the creation of a menu of incentives. Yet aside from the information sharing bill, the president has not proposed, and Congress has not introduced, a single incentives bill. Last month it was reported that 12 of 15 sector-specific agencies had not identified incentives even though it is called for. The president's executive order called for it to be cost-effective and prioritized. Three years later there have been no objective measurements of the framework's effect on improving security, its adoption, or its cost-effectiveness.

Three, the government needs to escalate the education of top leadership, as the private sector is doing. In 2014, ISA and AIG created the handbook on cyber security for corporate boards, which is published by the National Association of Corporate Directors. They recently validated the success of this approach. They said boards appear to be listening to the NACD guidance. This year we saw a double-digit increase in board participation in cyber security, leading to a 24% boost in security spending, also identification of key risks, fostering a culture of security, and better alignment of security with overall risk management goals. We believe government needs a similar program to educate government boards.
Most senior government officials are not sophisticated in their understanding of cyber security. If they are educated, we think we could have a more effective policy.

Four, the government needs to reorganize for the digital age. Over the last several years the private sector has moved away from the IT department as the central focus of cyber security and is evolving a more integrated enterprise approach. A Bank of America study in 2015 found that the U.S. government is still in the process of determining who will have jurisdiction in cyber space. Departments, agencies and commands are battling for funding. The result is a fragmented system that is hindering the development of a secure system.

Finally, five, the government needs to be more sophisticated in managing its own cyber security program. A 2015 study compared federal civilian agencies with the private sector and found that the federal agencies ranked dead last in terms of understanding cyber security and fixing software problems, and failed to comply 75% of the time. The reason the government does so badly is that they simply evaluate by a predetermined checklist. The private sector uses a risk management approach where we anticipate what the future attacks will be based on our risk and then, forward-looking, look to adopt standards and practices. We believe the government needs to follow the private sector's lead and become more educated, sophisticated and innovative with respect to cyber security. I appreciate the opportunity to speak with you today.

I thank the witnesses for their testimony. We now will move to questioning. We have five-minute question rounds. I will recognize myself for the first five minutes. Thank you all so much for your expertise and your passion about this important issue. I remember back in 2014 I was able to sit down with Mr. Wood. We spent a long afternoon identifying the problems; I am sorry to say that everything you said came true, all the problems identified were dead on.
I appreciate that you are here to help us address that. I was at the Consumer Technology conference earlier this week and we are seeing a lot of the new things that are in practice; certainly the concept of innovate or die is very much a reality here. I was wondering, I think you are all interested in this a little bit, how do existing government contracting provisions impact the ability for the public sector to be agile and to be able to do what you do in the private sector? I know this is maybe a little outside of our jurisdiction. We have standards and practices, we need to be more risk management based instead of just a checklist; how can we all get that type of policy in the government that is as agile as what you are dealing with in the private sector?

One suggestion I would have is I think it would be very helpful for the government to move more towards the best value approach to government contracting versus the lowest price technically acceptable approach. The same individuals that we put on assignment with the government, often we will receive a much higher rate for those individuals commercially. Commercial companies tend to value the kind of capabilities that our security professionals have. When I say much higher, often it is 200 to 300% higher. At the end of the day, that is a big issue that the government needs to at least address. Otherwise you tend to get what you pay for.

Mr. Clinton.

I agree with Mr. Wood. I think it speaks to part of the education issue that I was speaking to. We need to have a better understanding of the breadth of cyber security. What you are talking about is not an IT problem; it is an economic problem. That is what cyber security is. It is an economic problem. We need to find a way to move away from lowest cost items, particularly in the federal space. We have examples where federal agencies are buying equipment off of eBay from non-secure suppliers because it is lower cost.
While we appreciate the tension and the need for economy in these times, we have to understand that there is a direct tradeoff between economy and security. We are going to have to come to grips with that. If we could educate the federal leadership, and by the way we had the exact same problem a few years ago, we might be able to get a better appreciation of the interplay between the economics of cyber security and the technology of cyber security. The real problem that you are speaking to, in my opinion, mostly comes in the smaller business elements of cyber security. If you are going to deal with the major defense contractors, frankly, you compensate them perfectly well; they have good cyber security. But because of our procurement system they are required to farm out a lot of the procurement to smaller firms, and the smaller firms do not have the economies of scale to meet the standards. We have to find a way to provide incentives for those smaller companies to come up to grade. It is not economical from their business point of view to do that. There are a number of suggestions we have made, referred to in my oral statement and my trade association paper, that talk about how we can better incentivize the smaller companies so that we can get them up closer to where the majors are. If we can do that, we can achieve our goal, which is a cyber secure system as opposed to cyber secure entities.

Mr. Snyder, another thing: you had just mentioned there should be more done by the government to engage Silicon Valley entrepreneurs. What more could the federal government be doing right now in this area?

I am actually very positive about the action the government has taken over the last few years. I worked directly with government agencies. Continue to fund efforts that work with startups and understand that they are risky; I think it is very beneficial.
Again, all the work that I have done in the past eight years has been based on my experience personally in the government, and it has turned into a major industry initiative. I would encourage you to continue the work that you are doing.

Anything that is not being done now that you think should be done?

The problem is they are great at funding at the early stage, but I think then it gets harder to evolve with the government because it is owned by a number of people. I would say they do a great job at incubating, and then the startups find out that they cannot work with the government because it is too hard or too sticky, so they fall to the private sector. One thing you could help out with is not only just getting them incubated but actually giving them inroads into selling to the government, being an actual vendor to the government. So originally we tried to engage the government, and it was not till eight years later that we could do it in a viable way. Having hand-holding would have been hugely helpful.

Anyone else on the subject before we move on?

We are starting to see more engagement in Silicon Valley; one example is that DHS has been active over the last three years. There is a new DoD project called [inaudible] where they established a field office in Silicon Valley so they are able to invest in startups and bring some of their technology needs to the valley. I think we have seen more engagement over the last year.

Anyone else?

Thank you, sir. I am honored to sit on the Commonwealth of Virginia cyber security commission as well. One of the things I have been encouraging the Commonwealth of Virginia to do is to encourage closer relationships between the university ecosystem and the business ecosystem and to really promote research. I think that will help propel the startup activity that the gentleman to my left was talking about, whether it is in Silicon Valley or the state of Virginia. At the end of the day, we need far more research than what we currently have.
The reason is because, when I talked earlier about the dollars, the difference between what is being spent on the government side and the commercial side, we have a real scarcity of resources in terms of cyber security professionals. We need more tools to be able to deal with the complex environment out there. Tools like automation are the way forward in order to help deal with that scarcity of personnel resources. There are other things we can do as well, but that research would really help us a lot from the cyber security perspective as a nation.

Real quickly, I want to thank you for your work on STEM education, and thank you for bringing up how important it is that human behavior is critical in preventing so much of this. I think you said nearly all of these could have been avoided with better behavior; I think that brings up the importance of what I talk about in understanding human behavior and funding social science research into things like this. The last thing I want to ask you is, you talk about insurance. I am very interested in how we incentivize the private sector. Is this something you think should be required, or do you just think this will develop over time? I am looking at you: do you see the need for the government to require insurance against these types of attacks?

I do not think there is a need for the government to require it. I think the lawyers at the end of the day will help corporations and other organizations understand the legal liability associated with not taking action.

Do companies really suffer that much who have had these data breaches?

Well, I think they are beginning to. I am seeing more and more boardroom calls being made to our company than ever before. I think the very public retail breaches that have occurred are now heading into not just the CEO's office but right into the board rooms. I also believe the critical infrastructure industries that we have out there that are already regulated feel the pressure associated with doing something.
That is why I think the insurance companies are doing what they are doing in terms of trying to promote cyber insurance. Their feeling is that if the corporations can provide evidence that they are doing what is important from a risk management point of view, that will result in two things: one is lower premiums to the corporation who is looking to get the insurance; secondly, a better legal defense to the extent that they are sued.

Thank you, I yield back.

If I could just, real quickly, first of all we are big fans of insurance; we have been promoting it for over a decade. I do not think a requirement is appropriate.

You have been promoting it for over a decade but it is not that widespread, is it?

No, that is because of systemic problems within the market, in particular the enormous risk the insurance companies realized that if they insure and there is a major catastrophe, they are on the line for everything. We faced the same problem in terms of insurance in the last century with crop insurance and flood insurance. There are systemic ways we can work with the federal government in order to address that problem. I would be happy to go into those in some detail. I wanted to get to the requirement piece. I think one piece the federal government could do is require cyber insurance for its information systems in the same way that you require physical insurance when you build buildings and everything else. I think if the government did that, it would be a market leader in that regard. The other thing to point out in this insurance conversation is that there is a widespread misnomer; the reality, when you look at the data on the economic impacts of the high-profile breaches, is not what you think. If you go back and look six months after the Sony attack, their stock was up 30%. Look six months after Target, their stock was up 26%. With most of the high-profile breaches you find there is an initial reduction, then there is a bounce back.
I can explain why that is: because smart guys on Wall Street say, oh, nice distribution system, I like the price point of their product and the price is down. So the natural things we assume are going to happen really are not happening when we look at the data. Mr. Wood is right about the fact that corporate boards are paying more attention to this. I think that has to do more with the threat to their intellectual property, which is being vacuumed out and is a tremendous economic risk. They are not concerned about the consumers; they are concerned about their own. That is a suggestion there.

We are going to have to move on. I would appreciate you sending me more information on the insurance area. I think it would be very interesting. I now recognize you for your five minutes.

Thank you. After spending 30 years in the IT industry myself, I can relate to a lot of what you are saying, especially the cyber insurance. I am a big supporter of cyber insurance because of the standards the insurance companies put upon these businesses. I sold my business a year ago; I was really relieved when I sold the business because, while cyber security was on my mind 24 hours a day owning the small company, it is not on the minds of my customers. Mr. Clinton mentioned eBay. We had many incidents where we put a secure network in place for a small government managing a power distribution system. We engineered it, we put the products in, some products that you represent, from spam filters, firewalls, bandwidth managers; then we would find out that they would go and buy parts for these off of eBay that would come from somewhere overseas, and we do not know the firmware that is on it. I understand what is on their mind, especially when you deal with small businesses, with the bottom line; doctors are being doctors, people are doing what they are doing, and we are supposed to take care of that.
But when we go forward and say this is what we need to do to upgrade, and they say we do not want to do that right now, do we have to worry? Your network will still function, but at a high amount of risk. Well, that usually does not change their mindset. So having a set of standards is important. Another thing that was brought up is risk-based management. There are two types of computer users: those who have been hacked and those that do not know they have been hacked. Another part of risk management, as we emphasize to our customers, is don't keep what you don't need. If you don't need the data, if you don't have it, you don't have to secure it. That really goes to an issue that I have great concern about here in the federal government, and that is with the MIDAS system, which according to the news report is storing information on Americans who access the healthcare.gov website, not just those that got their insurance but those that shopp