Information people are putting onto these web sites to begin with. And secondly then, we need to, customers themselves need to be educated to make sure that they understand what their rights are and that they ask the hard questions before just giving very personal information.

Host: Well, joining our conversation is Dustin Volz of the National Journal. You joined a few lawmakers earlier this week in introducing, or writing, a letter to the Government Accountability Office asking them to take a look at what the government and the private sector are doing after data breaches, how they're helping and responding and helping customers. It seems as though the sense of the letter is more needs to be done. Is it your sense that both the government and the private sector are really not responding to data breaches the way they need to effectively?

Guest: Well, the government and the private companies, they're saying that they're giving protection to customers. I think in OPM's case, it was 18 months. But the problem is, number one, it may not well be long enough. And number two, in the case of minors, for example, it actually may be counterproductive. What we're saying is, what could OPM and these private companies be doing that would really do a better job of protecting customers' privacy and also, of course, monitoring the breaches?

OPM is now saying that because the hacks on their systems are so massive and they're going to be so expensive, they're asking other federal agencies to share the cost of providing those services to the affected people. Is that a fair approach, that OPM sort of allowed this to happen in a way, but all these federal agencies might have to share in footing the cost for that bill?

Guest: Well, you know, to me, I'm not so concerned about who's paying the bill, I'm concerned that we give the protection to folks. Because there were massive, there was massive amounts of data that was stolen, and much of this data was highly confidential data: Social Security numbers, other kinds of data that hackers could use to really get very private information about people. So I'm not so concerned about who's paying for it as to make sure that people get robust protection.

Data breach legislation is something that is pretty popular in Congress. There's some support on both sides, Democrats and Republicans, of making sort of one notifying standard for companies to notify their customers after a breach.

Guest: Yeah.

But still we haven't really seen that legislation go very far. It doesn't seem like it's on leadership's radar right now. Is that legislation something we could still see happen this Congress?

Guest: Well, I think given the events of this spring and summer with OPM, added to the breaches that we saw last year with so many large corporations, I really think the urgency is increasing, and I think perhaps this fall when Congress comes back from the August recess, you may see more of an inclination to bring this legislation, certainly, to committee. We've had some hearings in my committee, but to bring it up for a markup and then, ultimately, for passage. Many of these bills are pretty common sense, and it would seem to me they'd be easy to pass.

Host: Well, Representative DeGette, you represent a pretty high-tech area out in the Denver, Colorado region. What are you hearing from some of the companies? Why do they feel a need to have all this information about users of their products, such as access to all their contacts, access to their photos, whenever they download an app or use a service?

Guest: You know, I think what happened is people, obviously, from a marketing standpoint, a lot of private companies have wanted to get access to as much data as they could in the past. But I think what people are now realizing is when there's a breach, then people who you really don't want in possession of that data will get it. And so both consumer groups and also companies are beginning to recognize that maybe they need to stand back a little bit and say, what data do we need before we will give a credit card or before we will give access to our sites, or so on. I think this is just sort of a recent phenomenon. In the past people sort of thought, well, if there's a breach, then we'll just give people credit monitoring and other types of services. But now people are realizing that that may not be a remedy, and they really need to look at it at the front end.

I want to shift gears a little bit and talk about the White House framework for sort of a consumer privacy bill they released earlier this year. It was introduced to kind of poor reception all around: privacy experts had concerns with it, tech companies had concerns, not great fanfare. Is it something that could gain some traction in Congress, and potentially what would that look like?

Guest: Well, I think that people do want to look at a consumer privacy bill, but on the other hand, there's a balancing that needs to be made. I've been in Congress a long time, and technology has changed over the time that I've been here, and the ability of more and more sophisticated hackers to get customer information has changed. So it's really a challenge for us as legislators to try to put a regulatory framework in place that will both protect customers, but also allow the free flow of data for corporations and also for government.

We saw some movement earlier this year on a similar topic with government surveillance. The Congress passed the USA Freedom Act to really limit some of what the NSA spying programs are doing. Is it hard to get the momentum and attention for sort of these corporate or consumer privacy issues with, you know, talking about companies like Facebook and Google and your privacy there? Is it hard to get the attention and the focus there when you don't have sort of this years-long scandal that we've seen with government surveillance?

Guest: What happens, I think, is you get some shocking data breach of millions of customers' data, either in the government or else in private industry, and then people sort of have a hard time figuring out what would a legislative fix look like. And so then it kind of drifts away. So I think it is hard to get the momentum up to come up with a regulatory framework that would actually prevent that type of breach from happening.

Host: Congresswoman, you serve on the investigations subcommittee on the Energy and Commerce Committee, and one of the things that you're looking at is ICANN, the Internet Corporation for the Assignment of Names and Numbers. Do you agree with the President's approach to make it more of an international body that governs the internet, or do you agree with what Congress did and pulled back on that issue a little bit?

Guest: I think that as we see these increasing breaches by countries like China and other countries, it's really important to have a robust international regulatory body that can regulate internet numbers and so on. So I would, I think I would agree more with the President's approach. But, again, this is an issue that's really worth continuing oversight to see what, if any, changes we need to make to the regulatory process we have now.

Earlier this year as well, the House passed two similar bills for information sharing. The Senate is still figuring out what they want to do with this, you know, increasing the sharing of cyber threat data with government and the private sector. There are still many privacy concerns with that as well. Is that something that you ultimately think is going to happen in this Congress as well, and is that going to have to be conferenced out with the Senate?

Guest: Well, you know, I never predict what the Senate will do. They have a very different pace than the House has. But I think that the fact we were able to pass this legislation in the House shows that there's a need, and I would really hope that the Senate would take this up later in the fall and that we could go to conference.

Host: Congresswoman DeGette, as a member of the Energy and Commerce Committee, net neutrality has been an issue that you have looked at. Now that it's the law of the land, how is it proceeding?

Guest: Well, of course, with the court ruling on net neutrality, it is the law of the land, and this is an issue we often joke and say everybody knows what net neutrality is, but nobody can quite define it in the same way. So the court's ruling really helped give us a sense of what the law would be. There are still a lot of concerns in Congress about net neutrality and, of course, a lot of the companies are completely opposed to the court's ruling, particularly with Title II. And so, and so there's going to be litigation; lawsuits have already been filed. They were filed the next day, actually. I think it would really be wise for Congress to sit down in a bipartisan fashion and try to give certainty to what the interpretation of Title II is going to mean by coming up with a bipartisan bill. I know there's been some interest expressed in doing that, but so far that ball hasn't moved very far down the road.

Host: Would you support it?

Guest: Well, I, it would depend on what it looked like, because I think that net neutrality is a very important concept, and I agree in general with what the court said. But I do think that there's some benefit to consumers as well as to the industry to have certainty in legislation to back up the court decision. So again, it would depend on what it looked like, but I've, I've told my colleagues on the other side of the aisle I would be happy to discuss getting some kind of legislation together.

Congresswoman, you mentioned China a bit earlier with the OPM hack. The administration has not publicly blamed them, but certainly, officials have privately linked China to that hack. There's a Washington Post story saying the administration has decided to not publicly blame them at all, and there's not going to be a direct retaliation. Is that an appropriate response, to have a nation-state hack 22 million, the personal information of 22 million people, and have no really direct response at all?

Guest: Well, I can't, unfortunately, really comment about that because a lot of that is classified information.

Are you concerned that countries might see the U.S. not responding as a way to open up and perhaps be more aggressive with their cyber attacks?

Guest: Well, let me just say that even though the government is saying they're not responding publicly, I know that there are efforts to, to clearly identify and respond to those who were participating in those cyber attacks.

Host: Representative...

Guest: Part of it, I think, is making sure that we can do this in a way that will be effective for those who were, whose security was breached.

Host: Representative Diana DeGette, co-chair of the Privacy Caucus in Congress and a member of the Energy and Commerce Committee, thank you for your time this morning.

Guest: Thanks a lot. Great being with you.

Host: And up next we'll talk to the co-chair of the Congressional Cybersecurity Caucus. And Rhode Island Representative Jim Langevin is the co-chair of the Congressional Cybersecurity Caucus. Representative Langevin, what's the purpose of this caucus?

Guest: Well, like any caucus, it's about bringing a group of like-minded members together that are concerned about a particular issue, in this case cybersecurity. And we collaborate together, but we also offer, provide a forum to both groups on the Hill or off the Hill to come in and do presentations, educate members and staff about a particular topic, again, cybersecurity. So it's a great method and way for members and staff to collaborate.

Host: And this is an issue, though, that you've worked on for quite a while. Why'd you get an interest in this?

Guest: So I kind of fell into this back around the 2007 time frame or so. I was chairing the subcommittee on the Homeland Security Committee that had jurisdiction over cyber, and we started doing a deep dive into cyber vulnerabilities. One of the big things that came to my attention was a vulnerability in what's called safety systems that govern pumps and valves on things like regulating turbines, on the electric grid or water and sewage treatment facilities. And Idaho National Labs found a significant vulnerability that allowed a hacker to take control of the systems, these safety systems, and cause them to do things that would cause, could cause harm to the equipment. So, for example, Idaho National Labs found a way to cause a generator, a turbine, to basically spin up out of control and blow itself up. They actually demonstrated that on video that I and the committee saw, and then later it was released to a news publication, and it showed how the generator blew itself up. So that obviously got our attention very quickly, and we started doing a deep dive to see how significant are these vulnerabilities and, unfortunately, we found that they were significant then and they're significant now, and the challenges are growing in cyberspace. It's not a problem that's ever going to go away, unfortunately.

Host: And I'm sure you've seen the news reports recently about the cars that have been hacked while on the road driving.

Guest: I have.

Host: Is the Congress, is the administration, are private businesses doing enough to protect us from hacking, from cybersecurity threats?

Guest: In my opinion, no, not enough. And I would put it in context of this: this problem is never going to go away. It's a, it's a challenge that we are going to have to deal with for the long haul. It's, the internet was never built or made with security in mind. It was a free and open architecture, and unfortunately our enemies, our adversaries, hackers have exploited these vulnerabilities for their own purposes, and it's made our society, our country, that is more dependent than almost any other country in the world on the internet, made us incredibly vulnerable. So I often say that the aperture of vulnerability is wide open, and what we need to do is collapse it down to something that is much more manageable. Unfortunately, the Congress, which could be doing more, should be doing more, and I've been pushing us to do more, isn't doing enough because we haven't passed anything that's really meaningful that would make us safer. Most important of which is the information-sharing legislation that has passed the House now a couple of times, but we're still waiting for the Senate to get their act together, quite frankly, and pass their own information-sharing bill and get something on the President's desk.

Host: Dustin Volz.

Speaking of information sharing, the Senate has indicated, Majority Whip John Cornyn has said, they would like to do it before they break for recess next month. It might come up in the coming weeks. Still, the differences in the Senate bill are different than what the House passed earlier this year. Is there going to have to be some sort of conference? How do you see that proceeding?

Guest: Well, that's what generally would happen. The House passed a bill, the Senate passed a bill, then they meet in conference committee, work out the differences, and an identical bill is voted up or down, in this case. Both houses pass it, then it goes to the President for a signature. So I look forward to getting to a conference. We haven't even gotten that far yet because the Senate hasn't even passed an information-sharing bill. And for your viewers, just so they understand, the reason why information sharing is so important is that it allows us to communicate the threats back and forth, what government knows, what the private sector knows, and allows us to patch systems or to prevent hacks before they actually could be carried out. Right now there are legal prohibitions from the government sharing classified threat information with the private sector, and there's legal prohibitions from the private sector sharing information, threat information, back with the government, otherwise they'd be termed as acting as agents of the government, and that's not allowed. What we want to do is allow those barriers to be removed so that you could share information on threat signatures, very narrowly defined, so you're talking about 1s and 0s, very technical type of information. But, you know, for example, of the various hacks that have taken place out there, if we could broadly share that information, then when one hack occurs at one place, hopefully at network speed we could widely share that vulnerability and so more broadly protect everyone. Again, unfortunately, we haven't passed that legislation yet. That's why we need to pass it.

Host: Are there privacy or liability concerns with that?

Guest: Sure. Anytime you're dealing with, obviously, network security, cybersecurity, we have to be mindful of protecting privacy and civil liberties. We place great value on that. We all should as American citizens. I believe, very confident, that the House bills, there was one out of the House Intelligence Committee and one that passed the Homeland Security Committee, both of which have passed the floor with strong bipartisan support, had very strong privacy and civil liberties protections in there. They were involved with the drafting, and for the most part have signed off. Nothing's ever perfect, but this is, I think it's almost as close as we can get to perfect. And I'm very proud to support it and very confident that there are strong privacy and civil liberties protections in there as well, and I'm sure that the Senate's going to be just as concerned. When we meet in conference, we're going to make sure those privacy and civil liberties protections are in there.

Still, some of the criticism from security researchers and privacy advocates is the government is sort of increasing its share of data; it actually could backfire, as we saw with the OPM hack, when you have so much data in one repository that's allowing these places to hold more data, and information sharing wouldn't actually have prevented that hack.

Guest: Well, I don't believe that and, again, it's about the threat, it's about the threat signatures or the zero exploits or the rootkit malware that would be used in the hack. Those are the things that we want to try to prevent in the first place, if not the malware itself. And by sharing that information, not the bulk data, but it's about the threat signatures. That's what we want to share more broadly.

Does the Senate bill need to do more to assuage privacy concerns?

Guest: I haven't seen the draft of the Senate bill yet; it hasn't been voted on on the floor. Once they've voted on it, I can comment on it. It seems like they're a long way to actually passing something on the floor. They've got to bring it up first, and they haven't. They tried to do it in the Defense Authorization bill as an amendment, but unfortunately Democrats didn't support it because it wouldn't offer any amendment to that bill, or had it been taken on as an amendment in the NDAA. So they need to bring up a standalone bill, but amended where necessary to make it stronger, better protect privacy and civil liberties concerns. Let's get something to conference, work it out, and get it to the President.

I'd like to turn to the OPM hack more centrally. Reports are coming out now that the government, the government has sort of privately linked this to China. They haven't publicly condemned them, but now it appears officials are saying they are not going to publicly blame China at all, and they are not going to directly retaliate for these two massive hacks on the OPM servers that led to the personal data information of 22 million people, 1.1 million fingerprints, and there is going to be no direct response or public blaming. Is that okay with you, that a country can hack so much data and not get blamed?

Guest: It's not okay with me. I'm outraged that the attack happened in the first place, that it was so successful, and yet no one's going to be held accountable, it seems; no one's going to be prosecuted for it. The problem is, of course, and the real challenge in all of this, is attribution. It can be very difficult to prove in an ironclad way who's responsible, who carried it out. So hypothetically, realistically, if the hack had come from China, the question is, was it an individual hacker, was it the government, was it a proxy for the government that, you know, looks like an individual but was really acting at the behest of the government? Those are very hard things to prove. And so when you're talking about retaliation, this is the thing, you have to have a very strong case. And sometimes there are strong indicators or fingerprints, ostensibly because of specific code that we know, we've been able to trace back to a particular entity. But those cases can sometimes be hard to prove. So no, it's not okay with me, but the problem is, you know, who do you hold responsible? And that's why we have to do better on the defense side, on the information-sharing side, so we prevent these kinds of attacks from happening in the first place. The OPM hack, as far as I'm concerned, could very well have been prevented. At least we could have been doing much more. OPM was asleep at the switch. I was outraged when it happened, both because of the federal employees' data that was compromised, but also you get to these SF-86 forms that were hacked, that were stolen, with all the security clearance information of individuals and their contacts, family members, past associates; all of that puts national security at risk. And as you know, I called for the resignation of the director of OPM at the time because OPM had been warned for years through IG investigations that they were materially deficient, one of the worst grades you can get, for not doing enough on cyber, and they should have been doing more. Now, granted, one of the problems is that nobody's in charge, ostensibly, on cyber, compelling departments and agencies to comply with cybersecurity measures, but that's no excuse for the director not speaking up and demanding more assistance. Not like the director was coming to the Hill saying we need more help, more resources, and they just weren't getting it. That never happened. They were just asleep at the switch.

Host: Is this a DHS issue or government-wide? Who is in charge when it comes to the government? Who can you turn to when you want information?

Guest: So the answer is, right now you have a cybersecurity coordinator, Michael Daniel, in the White House. He's the special assistant to the President for cyber, and I give Michael high marks. I had the opportunity to speak with him several times, he's briefed me several times, and I have a lot of respect for him. But he is a coordinator, and he doesn't have policy and budgetary authority to reach across government and compel different departments and agencies to step it up and do more in cyber. The Department of Homeland Security is the agency that is ostensibly charged with carrying out cybersecurity for the, they're the point agency for the .gov domain, but even they do not have budgetary authority to compel departments and agencies to do more. I've argued and have actually introduced legislation to fix that problem, to create a director's position in the White House that would have this policy and budgetary authority to compel departments and agencies to do what they need to do, stepping up their game and doing more in cyber. Unfortunately, that bill has not passed. We did pass it once as an amendment to the National Defense Authorization Act that came out of the Armed Services Committee, where I sit, and it did pass the House. But, again, the Senate failed to act on it, so it died and, unfortunately, this Congress, the last several Congresses under Republican leadership, unfortunately, has not taken it up, has not passed it. I'm hoping we can do more.

Host: So is there any continuity among government agencies and how they protect information online? Is there any continuity in the Congress?

Guest: The answer is some, but not enough. Now, the Department of Homeland Security is putting, they do have protocols in place that they are methodically trying to deploy government-wide. Einstein III, for example, is the tool that's ostensibly the tool that will do a better job of protecting the .gov domain, but right now there's such a small percentage of the .gov domain that Einstein III is actually deployed on. Some of that, you have to negotiate with the internet service providers and the agency, and they're slowly working on that. As time goes on, we'll have more and more departments and agencies actually protected by Einstein III. And it has to happen more aggressively. Again, if the department or agency isn't taking it seriously enough, look, cybersecurity for the different departments and agencies isn't necessarily going to be their primary mission, and so they're busy doing, you know, whether it's Department of Treasury or Commerce or State, they're doing their primary mission, and are the top people actually going to get cybersecurity, that we need to take this more seriously? Probably not. Perhaps, with the resignation, department and agency heads are going to wake up and take this more seriously; again, until we can compel them to do more, some may lag behind.

When discussing defense in cyberspace, is part of the problem there, the effect of the OPM hack and blaming China or responding, or whoever it may be, is part of the issue also that the U.S. is very aggressive in cyberspace and we sort of lost a moral high ground with our own, you know, espionage through NSA surveillance? We've had some intelligence officials almost express jealousy at how effective the hackers were. Is it hard for us to respond when we're also, in many ways, doing the same things?

Guest: We have very impressive capabilities in cyberspace, and so does the range of government entities around the world. But I can tell you the type of hacking that's occurring right now by nations like China, quite frankly, represents an unprecedented new method of operation, especially when you're talking about the type of information that they're stealing and corporations, for example, that they're hacking and taking data. It's the largest wholesale transfer of wealth in human history, what's going on with this type of cyber attack. And I can tell you we don't hack into different companies and corporations, businesses around the world, steal their data, and then exploit it. The United States does not do that. Because the question is, you know, who would you give it to, first of all? The government doesn't pick favorites. China is doing it. It's outrageous, and it's got to stop. This is one of the reasons why, of course, we need international rules of the road about what's allowed and what's not allowed, and China, Russia are way out of bounds on a lot of these things, and we need to have these international rules of the road that will prevent it. But it will also impose consequences for the nations that do it.

I want to...

Host: I apologize, but we are out of time, Dustin. We'll have to have you back to ask that question. Jim Langevin is a member of the Armed Services and Homeland Security Committees and co-chair of the Congressional Cybersecurity Caucus. Thanks for being with us.

Guest: Thank you. Great to be here.

Last week, Veterans Affairs Secretary Robert McDonald talked about the administration's efforts to reduce claims backlogs and improve services for the nation's veterans at
