11%. i know of two banks that have a combined cyber security of $1.2 billion. dhs is about 900,000,000, 75% of what two banks are spending by themselves. cybercrime costs are nations and have chilly dollars a year. if we're successfully prosecuting maybe 1% of cyber criminals. we need to spend more. two, government needs to act with greater urgency. it took congress two years -- sorry six years to pass a sharing bill. in 2009 we present to congress with detailed recommendation on cyber security. in 2011, the house gop task force embrace the recommendations but four years after the house report, we still have not seen any substantial work on the top recommendation of that report or the executive orders. for example, the gao task report, and and the executive order all call for the creation of a menu of incentives. yet aside from the information's sharonville, the president has not proposed, congress has not introduced, a single set of strategy bill. last month it was reported that 12 of 15 sectors specific agencies had not identified incentives even though it is called for. the presence executive order call for it to be more cost-effective and prioritize. three years later they have been no objective measurements of the framework effect on improving security, adoption, or its cost-effectiveness. three, the government needs to escalate, educate top leadership as the top leadership is doing. in 2014, isam ait created havoc on cyber security for corporate boards which is published by the national association of corporate directors. they recently validated the success of this approach. they said, ports appear to be listening to the nicd guidance. this year we saw double-digit increase in poor participation of cyber security leading to a 24% boost in security spending. also identification of key risk, fostering a a culture of security and better alignment of security with overall risk management goals. we believe government is a similar program to educate government boards. most sr. government officials are not sophisticated with their understanding of cyber security. if they are educated we think we could a more effective policy. four, the government needs to reorganize for the digital age. of the last several years the private sector has moved away from the it department is a central focus of cyber security and is involving a more integrative enterprise enter price approach. a bank of america study and a 2015 found that the u.s. government is still in the process of determining who will have jurisdiction in cyber space. departments, agencies and commandant are battling for funding. the result of the fragmented system, it's hindering the development of a secure system. finally, five, the government needs to be more sophisticated managing their own cyber security program. 2015 study compared federal civilian agencies with the private sector and found that the federal agencies ranked dead last in terms of understanding cyber security, fixing fixing software problems and failed to comply 75% of the time. the reason the government does so badly is that they simply evaluate by a predetermined checklist. the private sector uses a risk management approach where we anticipate what the future tax will be based on our risk and then forward looking look to adopt standards and practices. we believe the government needs to follow the private sector's lead, become more educated, sophisticated and innovative with respect to cyber cutie security. i appreciate the opportunity to speak with you today. >> i think the witnesses for their testimony. we now will move to questioning. we have five-minute question rounds. i will recognize myself for the first five minutes. thank you all so much for your expertise and your passion about this important issue. remember back in 2014 i was able to sit down with mr. wood. we spent a long afternoon identifying the problems i'm sorry to say that everything you said came true, all the problems identified were dead on. i appreciate that you are here to help us address that. is that the consumer technology conference earlier this week and we are seeing a lot of the new things that are in practice, certainly the concept of innovator die is very much a reality here. i was wondering, i think you are all interested a little bit, how do existing government contracting provisions impact the ability for the public sector to be agile and to be able to do what you do in the private sector? how i know this is maybe a little outside of our jurisdiction we have standards and practices, we need to be more risk management base instead of just a checklist, how can we all get that type of policy in the government that are as agile as what you are dealing with in the private sector? >> one suggestion i would have set i think it would be very helpful for the government to move more towards the best value approach to government contracting versus lowest price technical us up approach. the same individuals individuals that we put on assignment with the government often we will receive a much higher rate for those individuals commercially. commercial companies tend to value the tender kind of capabilities that are security professionals have. when i say much higher, often it's two to 300% higher. at% higher. at the end of the day, that's a big issue that the government needs to at least address. otherwise you tend to get what you pay for. >> s mr. clinton. >> i agree with mr. wood. i think it speaks to part of the education issue that i was speaking to. we need to have a better understanding of the breath of cyber security. what you're talking about is not an it problem, it is, it is an economic problem. that's what cyber security is. it is an economic problem. we need to find a way to move away from lowest cost items, particularly in the federal space. we have examples where federal agencies are buying equipment off of ebay from nonsecure suppliers because it is lower-cost. while we appreciate the tension and the need for economy in these times, we have to understand that there is a direct trade-off between economy and security. we are going going to have to come to grips with that. if we could educate the federal leadership and by the way we have the exact same problem a few years ago, we might might be able to get a better appreciation of the play between the economics of cyber security and the technology of cyber security. the real problem that you are speaking to in my opinion, mostly comes in the smaller business elements of cyber security. if you going to deal with the major defense contractors, frankly, you compensate them perfectly well, they have good cyber security. but good cyber security. but because of our procurement system there required to farm out a lot of the procurement to smaller firms in the smaller firms do not have the economy and scale to meet the standards. we have to find a way to provide incentives for those lower companies to come up to grade. it is is not economic from their business point of view in order to do that. we think there are number of suggestions we have made, referred to in my oral statement and my trade association paper that can talk about how we can better incentivize the smaller companies so that we can get them up closer to where the majors are. if if we can do that, we can achieve our goal which is a cyber secure system opposed to cyber secure entities. >> mr. snyder. >> i think another thing, this is a >> you had just mentioned there should be more done by the government to engage silicon valley entrepreneurs, what more could the federal government be doing right now in this area? >> i'm actually very positive about the action the government has taken of the last few years. i worked directly with government agencies, continue to fund efforts that work with startups and understand that they are risky, i think it's very beneficial. again all the work that i've done in the past eight years has been based on my experience personally in the government and it is turned into major industry initiative. i would encourage encourage you to continue the work that you're doing. >> anything that is not being done now that you think should be done. >> the problem is there great at funding at the early stage of but i think then it gets harder to evolve with the government because it's owned by number of people. i would say if you do a great job at incubating and then they find out that we can't work with the government because it's too hard or too sick sticky so he fell to the private sector. one thing you could help out his not only just get them incubated but actually give them inroads into selling to the government be in an actual government to the government. so originally we try to engage the government and it wasn't till eight years later that we could do it in a viable way. having handholding would've been hugely helpful. >> anyone else on the subject before we move on. >> are starting to see more engagement in the silicon valley, one example is that dhs has been active over the last three years. there is a new dod project called where they establish a field across from silicon valley for their able invest in startups to bring some of their technology needs to the valley. think we see more engagement over the last year. >> anyone else? >> thank you sir. i'm honored to sit on the commonwealth of virginia cyber security commission as well. one of the things i've been encouraging the commonwealth of virginia to do is to encourage closer relationships between the university ecosystem and the business ecosystem and to really promote research. i think that will help propel the startup activity that the gentleman to my left about talking about. whether it's in silicon valley where the state of virginia. at the end of the day, we need far more research than what we currently have. the reason is because when i talked about early the dollars, the difference being between being spent in the government and commercial side. we have a real scarcity of resources in terms of cyber security professionals. we need more tools being able to deal with the complex environment going out there. those tools like automation are the way forward in order to help deal with that scarcity of personnel resources. other things we can do as well but that research would really help us a lot in the cyber security perspective as a nation. >> ray quickly i want to thank you for your work on stem education, thank you for bringing up how important it is that the human behavior is critical in preventing so much of this. i think you said nearly all of these could have been avoided with better behavior i think that brings up the importance of what i talk about in understanding human behavior and funding social science research into things like this. the last thing i want to ask you is you talk about insurance. i'm very interested in how do we incentivize the private sector? is this something you think should be required or do you just think this will develop over time? i'm looking at you if you see the need of the government to require insurance against these type of attacks? >> i don't think there's a need for the government to require it. i think the lawyers at the end of the day will help corporations and other organizations understand the legal lie of ability associated with not taken. >> do companies really suffer that much who have had these data breaches. >> all i think they're beginning to. i'm seeing more and more boardroom calls being made to our company than ever before. i think the very public retail breaches that have occurred are now heading into not just the ceos office but right into the board rooms. i also believe the critical infrastructure industry that we have out there that are ready regular laded seal the pressure associated with doing something. that's why think doing the insurance companies are doing what they are in terms of trying to promote cyber insurance. there feeling is that if the corporations can provide evidence that they are doing what is important from a risk management point of view that will result in two things, one is lower premiums to the corporation who is looking to get the insurance, secondly a better legal defense to the extent that they are sued. >> thank you you'll back. >> if i could just real quickly, first vault we are big fans of insurance, we've been promoting it for over a decade. i do not think a requirement is appropriate. >> you been up promoting it over a decade but it's not that widespread, is it it. >> no that's because systemic problems within the market, in in particular the enormous risk the insurance company realized that if they insure and there is a major catastrophe, there is on the line for everything. we we face the same problem in terms of insurance in the last century with crop insurance and flood insurance. there there systemic ways we can work with federal government in order to address that problem. i be happy happy to go into those with some detail. i wanted to get to the requirement piece. i think one of peace the federal government could do is require cyber insurance for your information system in the same way that you require physical insurance when you build buildings and everything else. i think if the government did that, it would be a market leader in that regard. the other thing to point out in this vers more conversation because of that widespread misnomer of the reality when you look at the data of the economic impacts of the high-profile breaches is not what you think, if you go back and look, six months after the sony attack, their attack, their stock was up 30%. look six months after target, their their stock was up 26%. most of the high profile breach you find there is an initial reduction then there's a bounce back. i can explain why that is, because smart because smart guys on wall street say who nice distribution system, i like the price point of their product and the prices down, so the natural things we assume are going to happen, really are not happening when we look at the data. mr. what mr. what is right about the fact that corporate boards are spending more attention on this. i think that has to do more about their threat to their intellectual property which is being vacuumed out and a tremendous economic risk. >> they're not concerned about the consumers they're concerned about their own, that's a suggestion there. >> we're going to have to move on i'd appreciate you some many more information on the insurance area. i i think be very interesting. i now recognize you for your five minutes. >> thank you, after spending spending 30 years in the it industry myself, i can equate to a lot of what you're saying especially the cyber insurance. big support of cyber insurance because of the standards the insurance companies put upon these businesses. i sell my business a year ago, it was really relieved when i sold the business because while cyber security was on my mind 24 hours a day of owning the small company management, is not on the minds my customers. mr. clinton mentioned ebay, we had many incidents where we put a secure network in place of small government managing power distribution system. we engineer, we put the products and, some products that you represent from spam filters, firewalls, bandwidth managers, then we would find out that they would go and buy parts for these off of ebay that will come from somewhere overseas, we don't know the firmware that's on it. i understand what's on their mind especially when you deal with small businesses, with bottom line, doctors are being doctors, people are doing what they're doing, were supposed take care that. but when go forward and say this is what we need to do to upgrade and they say we don't want to do that right now do we have to worry your network will still function but that a high amount of risk. >> will that usually doesn't change their mindset. so having a set of standards is important. another thing that was brought up his risk-based management. there are two types of computer users, those were been hacked and those that don't know they been hacked. another part of risk management as we emphasize our count customers, don't keep what you don't need. if you don't need the data, if you don't have it, you don't have to secure. that really owes to an issue that i have great concern about here in the federal government and that is with the midas system which according to the news report is storing information on americans who access the healthcare about.gov website. not just those that got there insurance but those that shopped it. it is during personable identifiable information of americans without their knowledge in a data warehouse mr. wood, considering what is happened to the federal government, with the data breaches does it concern you that the federal government will be holding information on citizens without their knowledge even for citizens who did not get their healthcare coverage to that system? am i justified my concern over the risk of storing this data, especially dated that is not needed? so you're raising both a privacy perspective as well as cyber security issue. at the risk of being a monday morning quarterback, which is what i would be doing if i were to reflect on the opm situation because like all of you, i also received my letter that give me the good news, i think in retrospect had opm been using to factor authentication, encryption at rest, log files, we would've had a much different situation than what we ended up having with opm. as it relates to the healthcare.gov situation, i don't know how they're storing the data to reflect to you what is appropriate, i think generally speaking most people are little nervous because those of us in the know worry there is not enough resources being applied from a financial perspective to the it security issue. it's not at the federal level is at the state level two. commercial corporations on the other hand i see around the world are taking appropriate steps. i gave the example my testimony about jc j.p. morgan trip. they spent about $250 million before they got hacked. after it got out it went to the board, the board looked at it and determined that it had to increase substantially to do a few things. one was to look at what they're doing from an it security perspective but also raise the confidence of their customers. at the end of the day i would argue that while their shareholder price went up over time, they absolutely care about their customer data. >> i would like to have mr. clinton to respond to the same question but also mr. wood, part of mitigating the risk is not keeping data you don't need, would you agree that that is a good practice that if you don't need data don't store it. >> yes or. >> mr. clinton. >> also again, that's absolutely right. thank you and now i recognize mr. fire thank you. i'm fascinated by your testimony, especially, and i'm quoting you once the intruders passes security there is no simple means to stop malicious activity to propagate, this whole idea of unauthorized lateral movement and your call for zero trust, micro segmented area, interior rooms with box. is this built into the cyber security framework? >> route moving from. >> were actually working with this now, i don't believe it's currently within this, i think making it a standard would be greatly beneficial. >> sounds like it's an essential part of cyber security framework. >> i think it should be. >> i think it's rapidly becoming the best practice within the private sector. i think including it as part of a standard would be very beneficial. >> mr. snyder, you said we are well past the days when a password, even a complex one will be much more than a speedboat versus this dictated attacker. and that it's essential for any system to be secure. is this part of the cyber security framework that has been developed. >> i think it's similar in that it's best practice. it's not codified directly into the framework but in order to protect your information is becoming an industry best practice. for example in the future there should not even be password as a core element of how we access information. it's a eminently hack. we really feel like a environment with highly authenticated results are better. there's already two or three factors that says i'm supposed be in my office, i'm in my office, my device says i'm there, you then asked for a pin or additional type of authentication. it's it's really having those types of authentication supposed. >> 's about the those -- you wrote on page four of your testimony that most businesses would prefer the government impose the fewest possible requirements on them. we hear that every day in house, how many breaches will it breeches will it take before it's recognize that allowing the private sector, to choose the path of least resistance creates an opportunity that might put our citizens information at risk this is purely voluntary, when do businesses come together to recognize that this really needs to be the mandate standard across the country? >> said earlier we're talking about insurance, and the insurance industry and why it hasn't adopted more cyber insurance more quickly. the simple reason is because there was no standard, there was no agreed-upon standard until not that long ago. so think that ultimately, i look at the cyber security frame work as a. these gentlemen are talking about are back good points and there added to the baseline if you will. if we can all get to an agreement about what the baseline is and we all it here to a baseline, at least we know that the other person i'm dealing with is going to be of the evidence for me and i can do business with them because they're taking the appropriate step. >> it just thank you very much seems to me we look at some of things that affect us and we have mandated it. regulations have to be cost-effective. we did airbags and cars and 5-mile an hour, this may be, if it really is a huge that for national security that we think about managed tory standards rather than voluntary. >> with respect sir, i pushed back the the opposite direction. i point out that in my testimony i pointed to the fact that government which basically does operate on the model that you're talking about and when we evaluate them independently versus the private sector the government comes out dead last. the reason is as this is not airbags. this is not consumer product safety where there some magic standard that we can come up with aware set. the problem is not that the technologies below standard. the problem is the technology is under attack. that's a very different problem. we need to be for the look inches if we looking. if we talk about mandating standards a couple of years ago would be talking about firewalls and things like that that we now see as obsolete. all of of our companies would be spending a lot of money. complying with these outdated standards. so we need a different model. the digital age is more forward-looking, that is why the obama administration and the house republican task force, and the private sector all agree that what we need is a forward-looking incentive -based model. we need to get industries to understand that it is in their best interest to be continually advancing security. they can't be looking backward, the have to be looking forward. we can do this but it is a completely different mindset. i think we need to understand that in the digital age, the old model just is not going to work for this modern problem that include nationstates. there is no minimum standard that is going to protect them. we need a different model and we think we can develop that. >> i recognize chairman smith. >> thank you. mr. would let me direct a couple of questions to you, let me describe the scenario first. then ask you to comment on this particular situation. what's a senior government official at an executive branch approached your company to set up a private email account and server for conducting both official and personal business. these emails could include classified information about national security. in in addition all e-mails would be stored on the server located in the private residence. cyber attacks would be obvious threats among other security risk. material being transmitted on the private email account could be a matter of national security. so so two questions, could this scenario unnecessarily expose classified information to be in hat? >> yes. do you want to elaborate or is that pretty clear. >> second question is this how would your company respond to such a request. >> we would not do it. >> does any other witness want to comment on the scenario. >> for the simple reason that your putting classified data in the open. at the end of the day that would not be prudent and it would be illegal. >> and why illegal? >> because the government requirement is that all official information be used through official means, meaning through government network. >> thank you. i i don't have any other questions, you'll back. >> thank you i now recognize mr. >> all of this hearing is not focused on research. i i know mr. wood had address research as a component for growth in this region as you know, the government plays an important role in supporting cutting-edge research on all aspects of cyber security from prevention to detection to recovery. through agencies such as the national science foundation and the department of homeland security, we fund everything from basic research to testbeds for emerging technology. all of these federal investments are coordinated under the long-standing network programs. so while mr. wood did raise the issue of research, are the recommendation that any of our individuals testifying, any that you recommendations you would have about agencies and how to set research priorities, and what major research gaps may exist out there so we can better partner in a more effective manner with research opportunity? >> think every question. i agree, i think the national labs are doing a tremendous amount of work around all kinds of initiatives that regrettably many do not see the light of day. i think more can be done to make industry aware of what the national labs are up to and provide a mechanism for industry to license some of those very critical research initiatives that may have one specific customer but ultimately could have an entire industry could help sir. i think i do a few things, one it would provide an income stream back to the labs and therefore the government and it would provide more innovation without having to spend more dollars. >> anyone else? >> one area were invested is that technology will continue to be an important element of any security approach, automation underneath, but clearly it's the people on top that we need to make sure adequately trained. one of the areas we been invested in the simulation platforms to help us understand what cyber breaches look like and be able to respond to those. any companies send out fake phishing emails to their employees and see if they respond or not. also they reported to their security organization. that's one example, also simulation platforms that take real-world breaches, that's an area that is been on the dod side, it's really now coming into the private sector and i think there's potential for collaboration. >> perhaps is slightly different level of abstraction. i think we would strongly support the notion of the government doing some research on the cost-effectiveness of the framework. we are big fans of the framework, we like to think it is our idea, we publish material on this a number of years ago. the executive order says it is supposed reprioritize and put cost-effective involuntary. we believe it is properly tested we would be able to determine various elements of the framework. it is enormous and applies in different ways. i think if we did cost-effectiveness studies we could demonstrate what elements are most effective to varying sizes and sectors of industry and what you can demonstrate you don't need mandates for. companies will do what is cost-effective. when you go to a board room, you can't just say this is a great idea congress passed it. they're going to say where the numbers. show me that that is cost-effective. if we did that kind of research which is pretty easy and inexpensive, i think we we could get a lot of bang for the buck in terms of doing well what we all want which is industry to adopt these things on a voluntary basis. >> inc. you. over the last 15 years i've had experience getting research grant for the government. dhs paper my dhs fellow. i've done a number of research grants and the biggest difference in my experience between useful funds is the number of constraints on them. so more flexibility in applying funds leads to a better research. i think the more agenda that goes prior to funding the harder it is in our broader research agenda. i think it's great if uncertain areas. i don't think it's so great tovar constrained the problems that are being looked at. >> thank you very much. with with that i you'll back. >> thank you. i think think the witnesses for being here today in your testimony. when we talk about cyber security in these breaches, whether in the private sector or in the government and whether we describe them as hackers or something more sophisticated, every time this is done either in the private sector or to a government agency entity, would you you describe that as criminal behavior? is that a violation of a state or federal statute in some respect. >> i think one of the challenges that is a global phenomenon. many detectors are not in the united states or in a particular state in the u.s. the assets they are protecting may be. i think the legal consideration can be complicated. the thing is as more and more infrastructure lists cloud platforms which are did floyd globally becomes more of a challenge. in general, the answer is yes. there's a lot of complexity to the nature of cyber security. >> as a follow-up to that, if we look at traditionally when their criminal behavior that is engaged in, eventually someone is held accountable or responsible, there's a prosecution or legal process. i guess the question to you is, are you aware of a successful prosecution where someone is held accountable? where there is a turn affect. things like there's no penalty, to anybody who engages in this activity. >> i think you put your finger on what i would think is one of the number one problems in this, i would answer that it absolutely should be criminal in many instances it is, as mr. snyder points out, it's not in certain places. we need to be doing two things, we need need to be dramatically increasing our law enforcement capability. as i said we are successfully prosecuting maybe 1%, there is no deterrent. really on the criminal side so we need to be dramatically helping our law-enforcement who are doing a great job but there under resourced dramatically. we also need to be working aggressively with our international community to create an appropriate legal structure in the digital age but we don't have it. we are operating in an analog world with cyber attacks. it's unsustainable. >> is there anybody leading the way on that out there? either internationally or here domestically? where where we at with that process? >> we are not doing nearly enough. there are people who will give a speech here and there, again i'm not going to point fingers at law-enforcement i think they're doing what they can, there under resourced. i think we need leadership from congress to demonstrate that this is a priority and we are going to fund it more aggressively. >> thank you. >> thank you for your question. the issue is that from a law-enforcement perspective is first of all of mr. clint pointed out, it requires a global cooperation and the standards of prosecution have to be the same. so in other words, the standard of prosecution at the federal level might be different than that the commonwealth level or be different in paris. i think there needs to be some agreement as to what the standards are for prosecution. >> why are we waiting around for that, seems this is ongoing, there should be some standards set to do that, doesn't sound like there's a framework in place to even address that. >> we didn't analysis in the commonwealth on just that point. the great analysis which i would be happy to provide to from the commonwealth of virginia. i don't know why. all i knows is the standards even within the states are different. for prosecution. >> can you point to me in the commonwealth of virginia where there has been a successful prosecution. >> we just change the laws within the laws within the last six months. i had would have to refer to my colleagues to let you know. >> there are number of great examples where there's been cooperation between the private sector and law-enforcement to do takedowns, game over zeus is one that's been very successful for a number years. it was put out by a private public partnership. this is the botnet that actually it was propagating things like cryptologic or where it takes people's machines and encrypts all of the information and extorts you to get that information back there some successful examples but to your point a much more consistent global approach is needed. >> in your case i appreciate missing the was her actual individuals held accountable? yeah there is a particular individual in eastern europe has been prosecuted and convicted. >> and are they in the united states and prison. >> know, in europe. >> thank you thank you for holding this hearing. it's an important issue and certainly one where there is a lot of room for bipartisan cooperation. i think we've identified the challenges of policy in this area because technology changes so much faster than policy changes. that being said. i look forward to working with all my colleagues to continue to raise awareness about this important issue. >> .. explanation of benefit statements like a lot of people don't carefully review their financial statement, their credit card statement, that might alert them to something. i want to follow up on something mr. lip pin ski started the consideration about the psychological aspects and ask you, mr. snyder, in your testimony, you say -- this is put a picture in my mind -- like the lion in the wild who stalks a watering hole for unsuspecting prey, cyber criminals lie in weight 0 on legitimate web sites which the compromised and used to infect visitors. most of these attacks rely on social engineering, trying to trick people into doing something they would never do if fully cognizant of their actions. we say the most successful attacks are as much psychology as they are technology. so have this vision of a lion waiting and maybe that will help stop me from clicking on thing is shouldn't click on. mr. snyder, could you talk about whether we -- do we need to fund more of the behavioral or social science research? need to do a better job educating people about those risks and how to identify them? how do we get in -- are we adequately addressing the psychological aspect? white house when we talk about the risk -- doctor, you recommend -- brought this issue up as well, that we have to do more to prevent that. so, doctor and mr. snyder could you address that. >> ultimately social engineering is part of the security equation because we as human beings are fallible so i think systems have to be put in place to enable us to do a better job of helping to secure our own information as well as our company or agency's information, and i mean, i think some of the examples i would give you, though, are in the training area we talk about, helping all of to us think more about security and be more thoughtful about security, but secondarily, it's the kind of security architecture underneath that make is much harder for the attack arees to get the information we care moe about. all the information in the world is not created equal. medical health records are much more important, financial reports are up more important than the lunch menu so it's taken a much more granular approach to information protection, identifying the sensitive information we care the most about and putting more security investment around those kinds of assets than the generic assets out there. >> doctor? >> i'm 39 years old and when i was 37, i got an e-mail from my sister on my birthday, it was like, dear brother, and a picture when we were kids, and it was sweet, nice to see you last week, a picture of u.s. more recently and happy birthday and there was a link. i thought this is so sweet. my sister has never remembered my birthday before. and i thought, you know what? i my sister has never remembered my birthday before. so i looked at the mail headerrers and i it came from russia. so, i've got to technical background and a sister that doesn't remember my birthday, and if either of these -- >> that's now on record. >> that's right. and if either of these weren't true would i have clicks on the link and infected my computer. i think this tells me fundamentally it's very important to train users and very important to do passwords, but a determined attacker will find a way in. they got these pictures off of facebook. wasn't that hard to too. probably two hours of work to send me that e-mail and if i was anybody else i would have clicked on that link. so i think that is why -- >> can you both real quickly -- almost out of time -- i serve on education work force committee, what do be get into in terms of educating the next generation to get a step ahead? >> i think core education on security -- these factors are important if the second thing is there are technical instrument be need to put in place assuming a breach will happen buffs -- because it will happen. we need to implement a zero trust type model. >> the other point is there's a huge gap of security professionals in the country, creating the educational programs to enable returning veterans and high school and college students to choose careers in cyber security is something that is very important as well. >> my time expired, yield back. thank you. >> thank you. >> doctor, we'll have to work on the birthday issue for your sister. >> thank you, madam chairman, eye happy to report my sister does remember my birthday, but my brothers do not. on that same line, though, doctor, you can have the best technology in the world and you can have great training, but if employees are negligent in their use of it, you're still exposing yourself, and i bring this up in the context of an article that was in the "wall street journal" back june -- actually june 9th , and it relates the fact that the immigration customs enforce. agency sent a memo to employees in 2011 because that it seen an uptick in cyber attacks related to employees using the federal web site -- federal server to access their personal web sites or personal e-mail. unfortunately, the labor union filed a grievance, and prevent them from doing that and that's apparently where one of the breaches occurred later last year. and my question is -- this would be both for corporations and for the federal government -- does it make sense to prevent employees, either in the private sector or the government sector, from using their company servers or the federal servers to access personal information, their personal serverses and personal web sites and e-mails? >> so, very quickly, it seems to me i.t. goes through phases where it collapses and expands. we had main frame and then now they're expanding again, mobile, iphones, cloud, all of this other stuff. it's unrealistic for a day to day perspective from an innovation perspective to assume people at work aren't accessing outside information and people outside 0 aren't accessing work information. every time i travel i'm constantly connects whether it's vacation or not. we need to assume that this information is going to be accessed no matter where they are or what capacity we're running under. >> mr. clan ton. >> this is -- i agree with the doctor's comments, particularly with respect to millenials. if you adopt that kind of work force policy you are probablelet not have much of a work force left to deal with. i think there are things we can do and we are doing in some in the private sector. one thing we're trying to do is move out of the i.t. centric motion of cyber security, and for example, involve the human resources departments in this, and what we're advocating and seeing some success with is that we're integrating good cyber security policy into the employee evaluation systems, so that if you have downloaded things you shouldn't be downloading, you are less likely to get the step up increase or the bonus at the end of the year. we have to make this part of the overall process, and other things we can do and are seeing adapted in the private sector such as having separate rooms with separate equipment so that people can access their personal information or the data without using the corporate system. and so i think if we are little bit more inventive about this and use that incentive model, probably have more success. >> that's a great point because you can have a public access -- a separate environment where people could do that but they have to use it because, for instance, if you had been a federal employee, doctor, and you opened that e-mail from your sister through the federal main frame, would that have potentially infected -- >> yes. i've worked -- i had four computers that would measure how far -- some very comfortable in these high secure environments. i just think if you want to be competitive from a business perspective against other companies you have to assume your employees are fully connected. >> can you not create a separate environment. >> i don't think you can do that's without operational overhead you. limit the ability for the business to function. >> mr. wood, you wanted to comment. >> i would just want to follow up on what the doctor said, too. as the use of the internet increases and as the, quote, internet of things becomes more prolific, everything has an i.p. address. where do you draw the line? at some level i would almost prefer that people use my infrastructure because i know what we do from a security perspective. i don't know what they do from a security perspective. so to the extent that you make the argument that says there should be some separation, i think there are very good arguments on both sides. i'd rather have them in my infrastructure because i know what we do. >> i think the approach that makes a huge amount of sense when you think about all this connectivity is to understand and protect the information, and the identities of the folks trying to access it and that's really what we have seen in security over the last five plus years, is this move towards not just protecting systems and networks but truly understanding the information and the most sensitive information and put the right kinds of protection around that. >> my time expired but die want to thank the witnesses for the clarity of your answers. it's been an excellent hearing. thank you, madam chairman. i yield back. >> thank you. i now recognize mr. wall well. >> thank you, madam chairman, and i want to first thank each of the panel grist their service and for talking about this important issue, and i want to highlight you graduated from stanford university in the bay area and you began your career at lawrence livermore non laboratory which is in my congressional strict so i'm honored to represent the phonings there as well as -- folks there as well, and your solution for cyber security is to wall off certain segments of one's network in order to prevent cyber intruder from gaining access to particularly sensitive information you argue that such new approaches are the gold standard for commercial industry and need to become the gold standard across the federal government. how much time and resources would it take for the federal government to do this and are the costs worth the benefit? >> that's a great question. so, the technology and adoption is involved enough that we know how to do this without disruption. early on, kind of like, extremely secure environment, extremely sensitive environment, we can kind of go and retrofit things and you we have multimy software based solutions you can put in and do nondisruptively, cost benefit makes sense so much so this adoption is one of the fastest growing sectors sectorse space. we have enough experience over the last couple years to see adoption. i think that actually this stuff is absolutely worth retrofitting. >> just for all of the witnesses following up on mr. la hood's question earlier, as a former prosecutor i, too am quite frustrated it seems that individuals are able to attack networks and individuals with relative little punishment, and i understand the challenges of these attacks originating in russia, ukraine, or from state actors, but for nonstate actors, i'm just wondering, what could we do internationally to maybe have an accord or an agreement where we could make sure that we bring people to justice. i remember i asked a high-ranking cyber security official at one of our laboratories naively, i guess, well, are we going after these individuals? and this person kind of laughed, not being rude, but just saying, we're not going after them. we're just trying to defend against what they're doing, and i agree with mr. la hood that until people start paying a stiff price, i don't know if this is going to change. i know as a prosecutor, putting together a case like this is very, very difficult. just the chain of evidence and proving whose fingertips were touching the keys to carry out an attack can be difficult. what more can we do internationally? >> thank you for your question, sir. so, right after -- i'll answer your question over a period of time. right after september 11th i was sitting in a meeting with a large number of information security professionals from within the intelligence community, and the question was posed in the auditorium where there are about 250 people: when are we going to start sharing information? and the answer came back, one senior person in 50 years, and the other, another answer came back from another person, not in my lifetime. and it was very disappointing to say the least. you roll forward, 15 years, and look at where the intelligence community, at fleece my opinion, is today, it's not like that at all. today i see the intelligence community sharing information in a way like they've never shared it before from dni on down, and i think what happened is as more and more breaches or occurring g and more and more of the culture of trust is occurring, there's a willingness to work together that didn't happen before. i sit, is a mentioned earlier, on the cyber security commission in the commonwealth of virginia and we work closely with dhs and fbi and the state police, and they work closely with interpol and others and there is a spirit of cooperation i haven't seen in a long time. what is lacking, however, is the resources and the funding associated with actually prosecute can, number one, and then, number two having a common level of standards of what is prosecutorial and what is not. >> great, thank you all for your service on this issue, and i yield back. >> thank you, madam chair. aid like to commend the panel today for your informative testimony and also for the zeal you have in working in cyber security and i believe it's potentially the war of the future that we're fighting here in cyber security. i'm from arkansas and just for personal reasons, mr. clinton, too you have any arkansas ties? just out of curiosity. okay. also been listening to the testimony and the answers to the questions. i've got a 20-year-old college student and i had a fascinating conversation over christmas, and you guys were talking about how millenials are always connected, and he was telling me that that's a huge consideration where you take a job now, what the connectivity speed is, and there wasn't something we considered when i was getting out of college, but it played a big key in where they would go too work and would eventually live. so i know we're in this connective world now. to follow up on mr. wallwell residents question he was talking about being ago offense but from the technology side, is it all defensive or are there pro-active ways to prevents hackers before they make their attack? >> one example is things like honey pots. if the bad guys are attacking you and you gave them a place that looks like a legitimate part of your infrastructure they go to and spend all their time and energy attacking, you protect your real assets and able to study what they're doing at the same time. they're also things like shock absorbers where the harder an attacker liveds you with traffic, the more you slow them down and do things like tar-pitting. there's a whole set of defensive and pro-active measures that don't go directly after the attackers that are in place today and are actually very successful within the enterprise. >> congressman, i think that's of course true and there are others, and i i think i want to build off this point into having a better understanding of the multifacetted nature of the cyber problem. for example, one of the technological mechanisms that we use in the private sector is we understand that the bad guys are going to probably get in -- actually have more control over the bad guys when they're inside the network than when they're out the network. if you're dealing with a cybercrime situation you're basically dealing with theft. they have to get so the net puck, wind the data and get out. with globing round traffic rather than the inbound traffic we can solve cyber breach problem and they can look at our data but don't get to use it. from a criminal perspective that's a problem. i if you're looking at this from national security perspective, the attacker may be interested in disruption or destruction. they don't have to get back outside their network. they don't care about getting outside your network. we need to understand we are dealing with multiple different cyber problems, some of which are national security, defense, critical infrastructure, and we need a different strategy with regard to that than we may knee for a the strictly criminal or theft problem, and when we have a more sophisticated policy in this regard, i think we'll be able to make more progress. >> also, just to briefly follow up on a question that -- as far as developing new workers for the cyber security work force, are you companies seeing a work force shortage? do you see a lot of growth for the future in that? >> we do see an enormous shortfall of cyber security professionals. in the state of virginia alone, the state government has announced we have got about 17,000 unfilled cyber security professional positions just in the commonwealth of virginia. if i might go back to your other question if you don't mind, about offenses. your question that is very much near and dear to my heart. if someone were to come in my hughes uninvited and either hurt my children or my wife or take my stuff, i have the right to defend myself. but if someone were to come into the corporate house and virtually take my stuff, whether it be intellectual property or customer dat or whatever it might be, or financial information, whatever it might be, we need the ability to defend ourselves. particularly if we don't have -- if our cyber command is not going found itself in a way that gives us the comfort, the same way that we have the comfort, i think, as a nation, from a standpoint of air, land, sea, and space. >> thank you, mr. westerman. i will also join you in plugging that. i know it's on our web site and our facebook pain, and i think the tate is january 15th when things are due, right? >> unless you extend it. >> now, recognize mr. abraham. >> thank you, madam chairman for having this great hearing. i want to thank the witnesses for giving direct answers to direct questions. it's refreshing and somewhat of a novel idea in a committee hearing. so, cue doughs to you -- kudos to you guys for answering straight up. we appreciate that. some of you have espoused the value of sharing cyber security information, whether it be a cyberthreat trend trend or cyber crime with other companies or government officials. this last cyber security we passed last month, did that help or hurt in this area? >> sir, think that was a good bill. we endorsed the bill and support the bill completely. the most important thing, however is that is not the cyber security bill. that's a very useful tool to have in the toolbox. it can help but it is nowhere near sufficient. >> we need to do more is what you're saying. >> absolutely we need to do a great deal more. >> just give me your top three recommendations. what be your bullet points for the new legislation. >> we would like to see the incentive program that has been endorse by the president and the house republican task force put in place. that would include things like stimulating the cyber insurance market we talked about earlier today. it would include with providing some benefits for smaller businesses who don't have the economies of scale in order to get in here. it would include streamlining regulations so that we had an opportunity to reward entities that were doing a good job with cyber security in the way we do in other certificators of the economy. a lot of the incentives we talk about and are referred to any my testimony are things we're already doing in aviation, ground transport, agriculture, even environment etch we simply haven't applied these inventive programs to the cyber security issue. and if with did that we could do more. the third thing we need to have a much better and more creative and innovative work force development program. we have talked here about the fact that we are always in an online -- always connected now and we all know this. but the slogan that dhs uses for their work force education program is, stop, thing -- think, connect. no millenial stops and thinks before they connect. just makes no sense. we need to be leveraging espn and reaching to the millions of young people who are interested in gaming and poparrize that and use that as a bridge to get them interested in cyber security. we need too be much more aggressive, much more inventive in this space, and they are doing these things in other countries. we need to be taking a page from that. and then the final thing is we would like to see -- i'm not kidding -- we need an education program for senior government officials like we're doing for corporate boards who are just like you guys. really busy, lots of things they have to do, dedemands on their time. win we educate them we got better policy and more investment and better risk mansionment. we need to do that on the government. side... >> thank you so much. thank you all for being here. a lot has been asked and answered that as you say around here not everyone has asked the big question it so it's my turn. i'm trying to focus on a couple of different things that thank you. i think is so important i think american people are constituents are waking up and feeling some of that fear and wanting to know the right thing to do. we always want to hear from you on how we can inform our constituents of, along with their cells or families understaffed to protect important information. so much of our society so much of our financial system is based on competence of the consumers and if there is a view that this is unsafe or whatever it is i think there's going to be, we are going to lose the benefit that much of the technology has silly want to do this well. i do want to talk briefly or ask you your thoughts in response to what government can do better learning from the private sector and certainly the private sector is ahead of us in so many areas and we appreciate mr. clinton your response that for us to say this is like an airbag problem, it's completely different and so far to be prescriptive but saying you have to do this we always -- the role of technology a of technology a size too late instead as his framework of a way of thinking on how to solve this problem. the question i would have is really with impediments that government is putting up to your business or other businesses from new innovation. what would you say may be the greatest impediment that you feel from government from your business innovating or doing what you do best? is there something that several you have had to overcome? >> this will be an indirect answer to your question but i'm actually working with the government on the pic german side. flexibility and budgeting is difficult for the agencies and the departments to adopt new technology because the working capital doesn't allow them to move as quickly as possible so from the financial side more flexibility and better functioning will help them and help us be able to introduce new technology to the government. >> mr. clinton? >> i would offer two things congressman. first of all we need to really rid our government partners from playing the victim attitude that they have particularly at some of the independent agencies and the ftc and they sbc for example and we have articulated here and i think it's fairly common knowledge in congress and has been said that determined attacker is going to get in. the fact that you are subject to a breach is not evidence of malfeasance or nonfeasance. there may be instances where you are malfeasance and we should investigate those budha breach per se is not one of them and so we need to move beyond that particular notion. the second thing that i would say is that we need to, the government really needs to get it back together with respect to cybersecurity. cybersecurity you are right sir everybody, cybersecurity is really hot now so every entity in the government every state every locality are coming up with their own cybersecurity program and a lot of times these things differ a little bit. so when you try to do these things you are forced to meet with multiple different compliance regimes trying to do essentially the same thing. now we are in favor of the framework and using data center but let's have one and must make sure we are all working the same direction. as we also pointed out we do not have adequate resources in this space. frankly we have one of the big problems is they are spending all their time on compliance which means they don't have time to spend on security. i have one company that told me a story about how they were following the quarterly testingy quarter to make sure you are not inundated and they had to go from quarterly to annual testing because the security were too busy doing compliance. a 75% reduction in a key cybersecurity best practice due to overregulation coming from different elements. we need to streamline that process have a good process with one f. process that has perspective. >> sounds great. if you could both speak a mess and then i will be finished. this is really important. >> one point i would make an double-click on a guinness education. there's a gap in cybersecurity professionals available and doing work with local universities. it's not just universities, its primary education and the boys and girls that are in high school today and focusing on girls as well to think about careers in cybersecurity and the skill set that goes with it. >> sir i would echo the comments and follow on top of it. there's no question as the verizon breach report focuses on 94% roughly of those hacks could have been avoided and then you get the folks at the 6% or 8% which is a lot harder to get in. they have those tools in the standards in the approach to. the second i'd make is in this framework something we can all get behind and a something that is at least a baseline. a third thing i would say the last thing i would say is that compliance and mission are not mutually exclusive. you can make compliance work but it has to be automated and it has to be invisible to the guy that owns they mission so doesn't inhibit their ability to get the mission done. >> i am a overtime. thank you all for being here. >> thank you and i think the witnesses for their very valuable testimony and members further questions. we have had a lot of assignments for today and new issues and areas that we need to explore further so i would like to invite you all to keep an open dialogue with us and if you have a way for us to call, please provide us with any additional information or pc issues going on. as you'll said this is an exponentially growing problem. we do have a cyberwar that's being waged against us and it's a little bit like the first 9/11 when they are at war with us and we are at war with them i think. we definitely have bad actors on all kinds of fronts from individuals who are waging a cyber war on us and we need to respond in kind and have it reflected in our budget but also our sponsor this and how we plan and the 94 person we can get covered up or get the right systems in place will allow us to spend our time of the 6% we can't prevent because i think we all agree here and we'll understand no matter what we do exponentially increasing information we are going to have breaches. it's a little bit like we talked earlier when somebody reported in las vegas like asking never to get sick. in the world we are dealing with there will be breaches but what systems do we have in place to identify that so it's only 6% that we have to deal with and are creative resources and all that we need to do can be very quickly identified their and move on to solve these bigger problems. i thank you for the challenges that you have put before us and the record will remain open for two weeks for additional comments. there aren't any questions from the members but if you have questions or an opportunity for people who aren't here and i thank the witnesses very much. the hearing is adjourned. [inaudible conversations] [inaudible conversations] as president obama prepares for his date of the union address on tuesday he releases video on twitter. >> i'm working on my state of the union address. it's my last one and as i'm writing a keep thinking about the road we have traveled together these past seven years. that's what makes america greater capacity to change for the better prepare ability to come together as one american family and polar cells closer to the america we believe in. it's hard to see sometimes with the day-to-day noise of washington but it is who we are and it is what i want to focus on and the state of the union address. c-span takes you on the road to the white house and into the classroom. this year are studentcam documenter contest asks a student to tell us what issues they want to hear from the presidential candidates. follow c-span's road to the white house coverage and get all the details about our studentcam contest at c-span.org. >> with the presidential candidates in new hampshire, south carolina and iowa this weekend what is the state where those posts -- first votes will be canonized local as we are joined on the phone with steven shephard the editor of "the politico" caucus. thank you for being with us. >> good to be here. >> if you look at the realclearpolitics survey now right now hillary clinton is leaving office as a lead for senator ted cruz on his side of the aisle. could things change? >> things definitely can change. one thing about those polls you are looking at in the most part are iowa they were conducted before the holidays. pollsters take a break over the holidays. they are not paying attention and they are traveling for the holidays. they are wording about getting their christmas shopping done and worried about cooking for their families so pollsters take a break. we are going to see in the next week a bunch of new polls coming out of iowa new hampshire and nationally and even in south carolina as well as we focus later in the nominating calendar. one thing, those numbers are all from december and the other thing is things always do change. that's why we expect them to again. the candidates are working hard to make things change. candidates are not feeding iowa to ted cruz and the insiders in iowa and the other states we have talked to think that these candidates can still be challenged and three weeks and 24 days until the iowa caucuses is enough to mount a credible challenge. >> if secretary clinton and senator cruise are not sure about i walk what is the past told us about what go potentially could have been? >> one thing that's pretty clear is that things change up until the last minute. if you look back four years ago with rick santorum became basically out of nowhere and the final month of the campaign to win the iowa caucuses, he and the final "des moines register" poll conducted a week before the caucuses, you could see not only was he gaining at that point relative to his previous position but every day that poll was in the field read the three or four days that interviews were being conducted. each day rick santorum was gaining strength to the point where he had passed by the end of the survey he had surpassed mitt romney and rand paul. overall in the survey did not pass mitt romney but you could seed day by day him gaining strength. the key to winning in iowa in large part seems to be at hand which candidates are poised to do that in which candidates are hot now. that's really what it's going to come down to, that late breaking momentum that's going to be here in the last half of january as we move through the next three weeks. >> steven shephard let me take this one step further for arguments sake lets assume ted cruz and john trump command respectively first and second it seems the third place do not sure -- finisher is the one candidate that will get a lot of attention. >> that's true. the cliché is that you get free tickets usually out of iowa now. the third person is going to be interesting. the pressure in a big way is on marco rubio to be the third person. new hampshire and south carolina and nevada butcher three states in which he is made in a big push and portray himself as the sort of the compromise candidate between the establishment republicans in the conserver republicans. that said he does not necessarily have a clear path to third place. ben carson who you overcall was leading in iowa two months ago still maintains a pretty healthy share of the vote there, about 10% of the vote in the latest polls and has a pretty committed base of supporters according to our political caucus insiders we talked on the ground. they say a lot of his core supporters are still with him. he could finish in third place. chris christie, that's a name you haven't heard in iowa and you have heard in new hampshire. he ranked recently went up with this first television advertisements even though he's a 2% the average in the iowa polls, he is mounting a bit of a challenge in iowa. obviously he has taken a lot of his ads down in iowa but he has spent time there. right now he is in that conversation below cruz and trump. with carson and review and christie to try and maybe rand paul to try to do well in iowa. two finishes third and who finishes fourth and fifth, and a lot of ways will be important because everybody takes the show on the road to new hampshire and south carolina and those electors can be very different. >> governor christie is back in iowa next week. on the democratic side of the aisle they are three candidates for the maryland government martin o'malley. if he in any way making any and roads into candidacy in iowa? >> you know it's interesting because the first metric we are going to get on o'malleo'malle y and 2016 is going to come out of iowa. late this week nbc news announced the criteria for the next democratic debate which is going to be in south carolina on january 17. they have set a threshold of 5% in the polls either nationally or in one of the early states. martin o'malley is not mere 5% nationally or 5% in new hampshire or south carolina. psf 5% in iowa. that's the average of the five most recent polls. there will be a couple more polls that come out that will determine that he gets into that debate and we talked about momentum a little bit. and a possible surge of momentum like a public embarrassment being excluded from a three-person state. martin o'malley can get good polls out of iowa next week which will measure first of all his current viability in iowa. that may stop any kind of momentum before he would start for him leading up to the caucuses in iowa as the next democratic favor. heck this is the headline at "politico".com the current iowa front-runners poised to win with caucus members cautioning things could still change. steven shephard joining us on the phone washington his work available on line at taluca.com. thank you for being with us. >> thanks for having me. seven republican personnel -- presidential candidates will be in columbia south carolina to talk to voters about their vision to the country. now from exeter new hampshire bill clinton campaigned for his white democratic presidential candidate hillary clinton. this is about 50 minutes. >> wow you are on your feet great i want to see if we can do a little experiment here. there's a huge overflow crowd. can we hear you overflow crowd? we heard you. what an advantage thank you for coming out, thank you for coming to exeter town hall. this is where presidents speak. >> thank you all for coming and thank you for president clinton for coming here today to talk to us about the importance of this election. hillary clinton and her staff organizers supporters and volunteers have worked tirelessly for the last nine months that we have a crucial 36 days ahead of us, 36 days. that is just over 400 daylight hours left for all of us canvassers out knocking on doors. as the campaign enters the final stretch the stakes for new hampshire families couldn't be higher. our country faces difficult and complex challenges like sharing a broad prosperity with oliver countries people who are willing to work hard to get ahead, like the dramatic increase in substance abuse in our state and our nation and how we are going to deal with it. like inadequate mental health care for those who need it and of course guns falling into the hands of people that should not be allowed to own them. americans need a president who has what it takes to get the job done. as voters in new hampshire watched the republicans acted -- republican candidates push an agenda that's out of date. it they will be asking themselves who is tough enough to take them on and make a real difference for working families and that is hillary clinton. [applause] president clinton i was looking at a photo of you and hillary back in your law school days. [laughter] you both look so bright and hopeful just like the two of you look today. [applause] that photo got me thinking about the path you have each taken. you both could have gone anywhere. you could have followed any path thankfully the path the call to to each of you was the path of public service. [applause] you were each called to address the issues of prosperity, hope and justice through service and government at both the state and national level. you both have chosen to put your lives, your fortune and your sacred honor -- sacred honor and that thing we call government and of course that government is nothing more and nothing less than what we all agree to do together. such a choice that hillary has made and you invite me or maybe better yet rather than invite mutuality commands me to make a choice. hillary's campaign, a campaign by and for the most capable visionary and experienced candidate in many a year. her campaign beckons me to pledge my life, to pledge my fortune and to pledge my sacred honor. that is why i have been out knocking on doors and talking to my neighbors since this past june about hillary's extraordinary campaign. [applause] that is why i will continue to knock on doors for her until they were in ninth and then hopefully all the way to the general election in november. while you all join me? [applause] but no one knows all of this better than her husband. president clinton knows the stakes are higher than ever this election year. he knows that the people of new hampshire want a president who will create shared prosperity so that everyone has a chance of a brighter future and he knows hillary clinton is prepared to do that job. everyone, please welcome back to new hampshire someone who needs no introduction, our 42nd president, bill clinton. [applause] [applause] >> thank you. thank you very much. everybody sit down. first of all, thank you dan for that wonderful statement, for your support. thank you jackie weatherspoon for your service in this community and through our country. i want to thank paul hassan for being here and for his support for hillary and for being the first gentleman in new hampshire, it has a nice ring. [applause] i get nervous, people say if hillary wins the election what you want to be called? i said nobody has voted yet. [laughter] i want to thank all the organizers who are here and especially chris for the good work she has done and i want to thank all of you who came out on this cold night. it's not really to cold by new hampshire standards. in the people upstairs who gave us an overflow room, thank you. [applause] look, every time you have an election people tell you is important but if it's a directional election is important. very often the winner of an election is governed by what people decide it's about. and it seems to be clear if you look at where america is today, we went through that terrible crash in late 2008. we had come out in a sense the gross number of jobs that were lost. we avoided falling into a depression. we put a new protections against a financial crash in the future. we have made some real exciting progress and that chick challenge of climate change that creates new energy that -- but we still haven't gotten and comes back. we still have broad-based prosperity again and it is i would argue the major challenge facing the country in the next president. if everyone has a job and something to look forward two in the morning, it reduces the tensions and increases the hope in the country. [applause] it makes people more secure and less likely to disintegrate our community into separate groups of resentment. i see all these movements that i like. i like all those young people with black lives matter. i think what they are saying is important. [applause] when you see an unarmed young person gets 17 bullets in one of our cities and another mentally ill man who never had the gun in his hand running away from police and had 32 olick fired at him, and then you see the heroic performance of the police officers in the aftermath of the tragedy in san bernardino. you know we have to do something to pull it back together. i feel the same way about young immigrant dreamers who want to pursue their education here. [applause] i feel the same way about the progress the south carolina made when they took a speech by a republican woman four minutes long who is a direct descendent of the president of the confederacy. she said essentially guys, if i want to take a nap, we should take a nap. you know it's the right thing to do. why do i say this? because to have rod-based prosperity, you have to have inclusive economics and more equal opportunities for people to take advantage of it. and to make it work you have to have inclusive society, where we relished our differences but aware when the chips are down our common humanity matters more i was really proud of hillary for being the first candidate for example to propose a comprehensive plan to help all those cold communities make a transition to the new economy. those folks haven't been voting for us much lately. she basically said i don't care, you are americans and you deserve a chance so when there is discrimination against african-americans or hispanics or muslims just because of who they are, i don't like that. but we never can forget and what we have to do is unite the police in the community, united business and labor, unite this country. that's one of the things that happens when you have inclusive economics and exclusive society and in order to do that you have to have more inclusive politics. so the big job for the next president is to give us those things, inclusive economics come inclusive society, inclusive politics and to defend the national security of the country in a way that preserves our values, that keeps big bad things from happening in wages the battle in social media throughout the world or for what kind of world we are going to live in. a world where what we have in common counts more or where differences count more, a world where we will get all atomized and hunker down in our bunkers or where we still have our hands outstretched. that is what i think the election is about. if you decide that then you have to ask well who is the best person to do that job? [applause] and here is why i think this. i think it first because she has spent a lot of time traveling this country and listening to people just like she did when she was a senator from new york or traveling the world when she was secretary of state. and she has a good economic plan she says okay we have to cut our greenhouse gas emissions for our kids and grandkids. how when the world could you create more good businesses and good jobs than by changing the way you concerned -- consume energy and other local resources is the greatest opportunity we have ever had. [applause] this is not some pie in the sky deal. today iowa, minnesota and the oil capital of the country taxes get 25 to 30% of their base load electricity from wind today and it's an enormous competitive advantage for them. it's killer what our electricity is five to 8 cents. it's 13.9 in new york. that's the highest in the country. our neighbors in the caribbean are great source of future for us and them. but for the collapse of the oil prices we were paying 35 to 50 cents. because it was imported in a polluting -- we need a modern infrastructure. too many of our fellow americans live in small towns in rural areas that could make more money and generate more customers if they have access to broadband. but naturally south korea's. >> averages three or four times of ours. building that infrastructure counts along with the roads and bridges and rails and all of the rest. we have got to make sure more people have opportunities to do this. including the opportunity to start a job, start a business unlike -- i like the dodd-frank bill and hillary has proposed some things to strengthen it so that very large financial institutions that are attempting to generate more money for those the top by trading with each other instead of investing in america's future can't can take undue risks. we also have to make sure if the bank wants to make a loan to a small business that the cost of that transaction is not so high they won't loan money to the small business. we had to have a small business, a set of rules that make sense. i grew up in arkansas and i was governor there and there is a lot of difference between the amount of cash you need to protect against financial speculation that has no impact on the real economy. except if it goes bad and how much you need to make a decision whose john deere tractor breaks down right before you have to plant a crop needs a loan for a new tractor. or whether someone you know here in exeter who works to open a little restaurant or a hardware store where frame shop can get the loan necessary to do it and it's crazy for a bank to say we are not making lots of that size anymore because it costs too much to make them. we have to have a sense of what makes this economy run. if you want to raise wages and reduce income inequality you have got to raise the minimum wage but you also have to create more jobs and more jobs and more businesses in areas that have the good growth protection. we can do that. the other thing we have to do is make sure we are taking care of the workforce and some people in the other party i might add, have made somewhat disparaging comments about hillary's proposals on things like equal pay, paid family leave, universal access to pre-care and quality childcare but look here are the rules and every relatively wealthy country the richer you get and the longer you stay wealthy the smaller the family size. it holds across all societies without regard to culture or religion. now we have made up for it always before by being at the top of the world in small business formation and always in the top 10 to percentage of the workforce. when we left off is where seven and is by the fact that we were one of seven countries that didn't have it. today we are not even in the top 20 for women in the workforce. when hillary comes out for equal pay and paid family leave and access to quality childcare and prekindergarten that's an economic strategy. you have to keep young people coming into the workforce. let me tell you youth matters. it's a large determination determinant of the future the country. the other thing we have got to do is to recognize that in the aftermath of the crash states even though not governed by people who don't favor funding for education have basically underfunded higher education and limited funds to keep funding the schools. it was like a -- they had no choice to make. they could not raise taxes as bad as the economy was and you had to take care of the kids coming up but as a result college debt has spiraled and it has in new hampshire. the average debt here something like $30,000 which is higher than the average debt and that means a bunch of people are going out in the world with $100,000 worth of debt or more in jobs where they cannot sustain it. i talked to a man here today who i knew your business has an assistant that he was paying i think $110,000 which was good given the size of the business. that was a nice salary but after taxes it's about 70 and the woman's monthly payment on her college loan was $2900 a month. so you do the math. then ask yourself if you could live in manhattan on the rant. this is a story being repeated everywhere. hillary has got a plan to deal with that, to too lower they just rate and allow people to refinance and then assess where everybody who wants to go to college from any source should be able to pay it back with a fixed percentage of their income so no one is ever declined. [applause] so it's a good program. on the question of building a more united society, there's really not much more importance than preserving and continuing the health care law. the congress is about to vote again to defund the health care program and tell everybody what a terrible failure desperate that they tell you now we have 90% of our people insured. [applause] we were down headed straight to 80. the 22 states that still haven't taken medicaid would do it we would be up almost a 95. we had four years of the lowest medical inflation in history. last year we had little lump in premiums but that's because all the people who joined the health exchange by and large were older people and the older we are the more health care dollars we consume. this year yesterday, this ear 2.4 million more people, new people have entered the health exchanges overwhelmingly younger healthier people who were going to now help us build the system that will continue to universalize health care. i don't know about you but i think it would be a real mistake to weekend water down or repeal this health care law. we had to do what hillary says. [applause] i'm proud of the work she has done for years on alzheimer's, on autism and mental health in general. our policy say there should be parity for mental health treatment that you and i know it doesn't exist. and when dan was introducing me and he said what he did about access to guns, i just want to point out one of the problems with the current law is that we don't have good record-keeping for all mental health incidences and there are some places where people would have gotten mental health that were available. and so the background check law as it currently works is not always effective. i think gun owners, 85% of them support universal background checks but if they knew more about the shortcomings in the mental health system they would be willing to wait another day or two to buy a gun to ensure you didn't have people like the poor guy running down the street in los angeles holding a gun. the biggest problem we have got right now is opium and heroin. it's a problem in new hampshire and the general problem of a small-town in rural americans are singly enough. do you know what state has the highest percentage of its population suffering from an overdose? west virginia. and although smoke small towns in rural areas people get up every day and they look in the mirror and they think every single day it's going to be just like yesterday. a lot of those people are dying of a broken heart. for the first time in my lifetime the life expectancy of noncollege educators middle-aged white americans is going down. it has never happened in my life. we have got to do something about this and this is one area where i'm hopeful i -- for bipartisan projects. most people without regard to party understand that this is a public health problem, not a law enforcement rovlin. [applause] in the last four years i have lost three children of three friends of mine. who all had the same story. one was at home in the other two went out and they drank three or four beers and their partners said why don't you pop this bill. it will give you a buzz. it does give you a buzz but if you fall asleep it kills a part of your brain for a while and it tells your body to breathe while you were sleeping so in addition to the people that are addicted we have lots of people die every year because they don't understand the basic biochemistry of what is going on i applaud governor haslip and the work she has done to make the locks on. think you call it narcaine, more available. our foundations work hard to get the fda to approve a spray version of it saving $40 a dose. and we we are trying to get it out all over the country. but this is a huge problem and the next president ought to know the kinds of problems that keep america up at night. hillary does because she took those listening to her, because she had to come up with policies and figured out how -- that's a very big deal. we have got to figure out how to come back together again. just want to say this about the fear will have after paris paris and what happened in san bernardino. it was tragic but a couple of days after the san bernardino tragedy i picked up the new york daily news and i was thumbing through it and there's this little article about an immigrant who came here in 2002 leaving his wife and four children home and sending money home every month trying for more than 12 years to bring them over here. he is working at a quick stop story new york. two robbers come in with pistols and tell him to get the cash register open and clean it out and give them the money. he opened the cash register grabs the money and just as he's about to give it to him according to the article he said he not only had this job for over a year and is certainly not their money and he slapped at the government's hands who was standing close to him. the gun goes off and this is a few inches. the bullet goes into the counter and thank goodness for him the robbers were total idiots. they realize they have fired again in downtown manhattan in middle of the day and they run away. so he goes next door and uses the phone and calls the police, goes back secures the cash register and waits for the police report meanwhile the guy that owned the store gives him the afternoon off. he went home, took out his prayer book and gave thanks for his survival and said a prayer that his wife and four children now 15, 17, 19 and 2021 might be able to join him. he is far more representative of the muslim community in america than those people in san bernardino. [applause] i think her plan on this is really important. we cannot do this and heroin is now cheaper than oxycontin and vicodin because it's being grown in the sierra madre of mexico and poppies are harvested by pre-teens. they have got to do something about this. which brings me to the third thing, we have got to have conclusive politics. we actually have to get the show on the road. hillary said i'm a progressive but i'm one that likes to get things done. and i may just start with this. the next president will make between one and three appointments to the united states supreme court. i think it's important. [applause] but i think she proves she knows how to get things done. when she was secretary of state she spearheaded the development of the iran sanctions and that china and russia to sign off on it. i didn't think she could do that. [laughter]

Related Keywords

New York , United States , Arkansas , Nevada , New Hampshire , Germany , Iran , Exeter Town Hall , China , Minnesota , Virginia , Russia , Washington , District Of Columbia , Des Moines , Iowa , Ukraine , West Virginia , Mexico , South Carolina , Maryland , South Korea , Paris , Rhôalpes , France , Americans , America , German , American , Chris Christie , Ben Carson , Jackie Weatherspoon , Steven Shephard , Las Vegas , Rick Santorum , Los Angeles , Paul Hassan , Lawrence Livermore , Ted Cruz , Hillary Clinton ,