
IATC - IATC Mock Congressional Hearing - John Costello, Jay Healey & Jessica Wilkerson

BSides Las Vegas, 1:31:37, published 2017-08
About this talk
IATC - IATC Mock Congressional Hearing - John Costello, Jay Healey & Jessica Wilkerson. I Am The Cavalry, BSidesLV 2017 - Tuscany Hotel - July 26, 2017
Transcript [en]

Good afternoon. We are now going to call the committee to order. I will recognize myself now for five minutes for an opening statement. We are here today to talk about the incident that happened last week with the hospitals in Phoenix, Arizona that were hit by what I'm told is now being called the extortionware campaign. I'm sure everyone now knows about this incident, but for those of you who do not, this did affect patient care in the larger Phoenix area. While we do not have solid numbers yet, it is anticipated that this did lead to fatalities. The government of Nevada was forced from state... the government of Arizona was forced to call a state of emergency, and FEMA, DHS, HHS were forced to respond to this incident. We are especially disturbed by reports that this incident was caused by known vulnerabilities within the hospitals' network. We have several questions about why these vulnerabilities persisted, why they were able to infect the hospital network, and what should have been done. While we did extend invitations to the administrators of the affected hospitals to come and explain to us and to the American people exactly what happened and how they plan to restore services and restore the faith of their patients, they declined. So instead we will hear today from Mr. Jay Healey; he will talk to us about cybersecurity concerns and how we could have better prevented this, how we can prevent these things in the future. We're also going to hear from Trey, whose last name I don't know at the moment, to talk about 9-1-1 concerns, since as you know the 9-1-1 system was also affected. I will now recognize my ranking member, Alex Crying, for five minutes for an opening statement.

I'd like to thank the chair for her presiding over this committee hearing. It's been a tough few weeks. Very concerned about what we heard coming out of Arizona, for a couple of reasons. First of all, one of our own members of this most august body, Senator John McCain, was involved in this, which is itself very concerning. I'd also, though, echo the statements of the chairwoman for the concerns that these vulnerabilities were known yet still untreated. More than this, I think it's separately concerning that any threat actor, or any organization or group, was able to not only simply attack and decimate clearly the infrastructure security systems of hospitals, but also take 9-1-1 networks and infrastructure offline. These, as I understand it from my staffers, who are all 19 to 24 years old and underpaid, are homeland security and public safety networks, which I think begs a particularly specific question as to the responsibility for the operation and the security of these networks in an ongoing fashion. I think more than this, though, we have separate questions about the, you know, criminal conspiracy that obviously had to be undertaken by foreign actors or Americans; we still don't know as to their intentions, if this was an act of war, if this was a declaration of another kind, and this is really what this committee is attempting to provide some sort of level of scrutiny and oversight on. More than this, though, I think it's also a separate question as to the responsibility of not just the hospitals but the inner workings of state, local governments and organizations as to what their appropriate role would be moving forward. So these are the types of things that we would like to try and investigate in this hearing. I'd like to yield my time back to the chair so that we can take an opportunity to ask questions of these individuals.

I ask unanimous consent that the members' written opening statements be introduced into the record. Without objection, the documents will be inserted into the record. I would now like to introduce our panel of witnesses for today's hearing: Mr. Jay Healey and Troy Fogarty. Thank you all for being here today and providing testimony. We look forward to hearing about the incident that happened last week and how we can do better. All right, Mr. Jay Healey, you are now recognized for five minutes to provide your testimony.

Thank you, Chairwoman Wilkerson, ranking member, and members of the committee. Thank you for the time to testify in front of you today, especially in light of the recent extortionware attacks on hospitals in Arizona. My comments were prepared beforehand on cybersecurity generally, but I will include points relative to that incident. While I've not yet fully determined who was responsible, there has been speculation this was a nation-state, perhaps in response to US policies or even past US cyberattacks. My experience and research at Columbia University is leading me to believe that cyber conflict may be the most escalatory kind of conflict ever. Much of this is tied to the tactical, technical dynamics of cyber conflict themselves, rooted in the fundamental properties of the internet. My colleague at Columbia University, Bob Jervis, argued many, many years ago that a security dilemma, where competing nations compete in a spiraling escalation, is doubly dangerous if the offense is dominant over defense and it is hard to distinguish the two. If this were the case, he wrote, arms races could easily occur and incentives to strike first could turn crises into war. Unfortunately, the internet and connected systems are not only distinguished by those two characteristics of offense dominance and difficulty of distinguishing offense and defense; cyber conflict is even more escalatory than that, as it is also hard to distinguish offense from either espionage or intelligence preparation of the battlefield. Cyber conflict also has a low barrier to entry, and perhaps most importantly, capabilities are not just stockpiled but actually used all the time in unattributed, covert, gray-zone attacks, as it appears that we saw recently in Arizona. Cyberspace may not just be doubly dangerous, as he wrote, but perhaps quintuply dangerous or worse. Pushing militarized ideas like deterrence might only escalate things farther rather than being a starting point for stability. Indeed, it is very hard to find any examples of nations being deterred when they see other nations building or employing cyber capabilities, but there are mounds of evidence that they instead watch, learn, build their own capabilities, and count when they can. So I believe that, in part because of the fundamental properties of the internet, cyber conflict may be the most escalatory kind of conflict that warfare has ever invented since we first picked up stone and stick against one another. Fortunately, those fundamental properties may not all be so fundamental, and I think that does give us hope in the face of what we've been facing recently. Of course it is true that some properties of the internet could never change; we cannot imagine some alternate internet that did not, for example, operate at the speed of light or was not a scale-free network. However, we can imagine one where attribution is far easier, and indeed many have worked patiently for years to help bring this about. This is not built into the physics of the internet, just an emergent property of the network as it exists today. So it also does not have to be the case that the internet by way of physics must inevitably give the bulk of the advantage to the offense. We can, and indeed we must, work towards a more defensible internet to give the defender, and not the attacker, the high ground.

I'm executive director of a New York Cyber Task Force that has just convened on this topic. Our task force is now finalizing our report, and in front of you I've given a small booklet of our findings so far. I'm sure our co-chairs, Phil Venables of Goldman Sachs and Greg Rattray of JP Morgan, and my dean at Columbia, Marina, will be happy for me to share our draft report with you and your staff so you can see our thinking in detail. I think our report covers much of the same ground as your committee. First, why isn't cyberspace more defensible? Why is it that hospitals and others have so much unpatched territory? Every cybersecurity professional has their own reason on why cyberspace is not more defensible; we've compiled 13, from "the internet was never designed for security" to persistent software weaknesses and the lack of a cohesive strategy. Second, the task force looked at what past innovations have made the most impact at least cost, and these are on the inside two pages of your booklet. Due to research, interviews, and the expert opinions of our task force members, we've identified dozens of important innovations since the 1960s. Critically, we collected not just technological innovations, such as the firewall, but operational and policy innovations as well, and distinguished between those that were point solutions, such as firewalls, that might protect a single company, and those that work across all cyberspace, such as Windows Update or the Budapest Convention or London Process. Third, we identified a number of common factors and lessons from these, but they can both be summarized in a single word: leverage. The best innovations of the past 50 years gave the defenders the most advantage over attackers, and did so easily or automatically across the entire internet. Fourth, applying these lessons, we've identified several promising future innovations and recommendations. Personally, I have to say how surprised I was with the very strong consensus that we have not yet begun to see the full security benefits of further cloud development. I was not surprised to see the recommendations to push for more transparency to better align market incentives. I think, given what we've seen in Arizona, both of those kinds of recommendations about leverage, that are also tied to potentially more cloud development and transparency to help align market intent, those will make a much more significant difference. The task force believes a defensible internet is possible by applying leverage. Perhaps a cyber moonshot or Manhattan Project could help, but let us not underestimate the patient application of the right kind of innovation following a strategy of leverage. Thank you very much; I look forward to any comments or questions.

The gentleman yields back his time. We now recognize Mr. Trey Fogarty for five minutes to enter his testimony.

Thank you, Chairwoman Wilkerson and ranking member Crying. I appreciate your holding this hearing today. I submitted my written testimony for the record, and so, if it please the committee, I'd like to just briefly summarize this morning. First, anytime we have an incident like what we faced last week in the 9-1-1 community, there is not a question about whether there exists a potential for harm. Our business is life and death on every call. When an enemy, a criminal enterprise, or an adversary, whether foreign or domestic, launches an attack against our nation's 9-1-1 infrastructure, there can be no question that the impact will be extraordinary. I appreciate your bringing attention to this issue because our nation's 9-1-1 infrastructure is aging, and as it does so, vulnerabilities that previously were protected by virtue of legacy infrastructure are becoming exposed to attackers on the internet and on other networks that interface directly or indirectly with our 9-1-1 systems. The old structures that have protected us for a long period of time are simply no longer good enough, and we have to begin work now to empower our state, local, territorial, and tribal personnel to defend their networks and systems against these emerging threats. I'd like to briefly mention the important work going on at the Department of Commerce and the National Highway Transportation, the National 9-1-1 Office with the Department of Commerce, their efforts around FirstNet and other public safety communications, particularly with the Department of Homeland Security in their Office of Emergency Communications. And I would like to just point out that as our infrastructure ages, it's going to become more and more imperative that we transition to an all-IP-based Next Generation 9-1-1 system. While there are certainly those who will say that making this transition will open us up to new internet-age vulnerabilities, the reality is it also gives us the ability to leverage new types of defense that in the legacy telephone network we simply do not have. Madam Chair, I appreciate your holding this hearing, and I invite your questions, and I yield back the balance of my time.

The gentleman yields back his time. I will now recognize myself for five minutes for questions. Mr. Fogarty, I'm a little confused, because you were just saying that it's imperative that we move to an IP-based network, but it seems, due to what happened in Arizona, that moving to a more connected infrastructure actually puts us in a worse position to be able to handle incidents like this. So how do you explain moving to a more IP-based, connected 9-1-1 system with what happened in Arizona?

I think the most important thing, Madam Chair, is the ability that we have to defend against attacks. In the legacy telephone network, when we have an attacker launching a distributed denial of service attack against telephone infrastructure, our ability to absorb or deflect that traffic is essentially zero. The average 9-1-1 center has fewer than two dozen trunks; these are basically telephone lines that allow us to handle 9-1-1 calls. When we reach a queue depth, or a number of waiting calls, that goes beyond about 23 or 24 in a well-provisioned center, we simply cannot accept any more calls, and it's not like there is another layer of the network in advance of that to handle that. In the IP world, while we certainly will have new and different types of vulnerabilities, we'll also have the ability to do things like DNS black holing, traffic diversion, traffic cleaning, and even traffic marking, so we can say, look, this traffic appears to be suspicious because of where it came from, who it came from, and whether or not we have an authentication for it, and then we can divert that potentially to non-human resources to determine, before we handle the call, is this legitimate?

Okay. Mr. Healey, you know, in your testimony to us I didn't hear a lot of focus on figuring out who was responsible. It seems to me that that would be a very important part of this conversation. So, you know, with what happened in Arizona, I think we're still talking to the FBI, obviously we're still talking to DHS, we're talking to our intelligence community, and we're not sure yet. But why wouldn't we want to focus more on finding and punishing those responsible? Wouldn't that actually make us safer?

I think that is correct, and one of the things that we've found as we've been doing our research is the operational and policy responses, such as attribution and holding people responsible, are harder for the attackers to circumvent. When you put a new device on the network and we expect to get the protection from that, that becomes relatively easy for the bad guys to bypass. The operational and policy tools that we put in place, we tend to get longer leverage out of, because the attackers can't circumvent that so easily. Where I think we've done poorly in the past, and I think much testimony to this committee has been talking more generally about deterrence, and when we have something like this where we say, if this, for example, is confirmed to be tied to a specific country, looking like we did for China in commercial espionage, and having specific remedies tied to specific activity that we want to see stopped, we've tended to see more success from those kinds of policy and operational interventions.

Okay, well then I'll open this up to the panel. How could we have possibly had this happen? How could something like a known vulnerability actually shut down patient care? This seems completely unacceptable, that these kinds of events could take place. I mean, I just don't understand, and I don't think the other members sitting on the dais with me would really understand how this could possibly have occurred. So what happened? How did we get here?

So if I can take that first, Madam Chair, I think the thing I would like to emphasize is, in the abstract, you're absolutely correct: a known vulnerability with an available patch should be patched. The reality, when you start getting into systems that affect the real world, and particularly, I don't want to speak for Mr. Healey, but particularly in our business in the 9-1-1 space, or I assume in the hospital space, where you have devices that interact with patients or other systems, patching is not always as simple as a do-it-immediately sort of thing. In many cases you have to deal with what is the potential impact on an operating system that may be attached to a human or some other device. We certainly see this in the physical infrastructure world. Having said that, we certainly believe in the 9-1-1 space that there is more we can do to encourage, number one, vendors to support high-cost capital items that have lifetimes measured in years or tens of years, to continue to support those devices over the full lifecycle that they have, and number two, to put in place policy responses that can encourage both vendors and users to apply available patches when that becomes necessary.

Mr. Healey, I'm going to run out of time, but please respond.

Yeah, thank you. I see two general areas that we came through in our New York Cyber Task Force. First comes down to complexity, and the system is becoming so absolutely complex, and our adversaries are so advanced, that it becomes difficult for any normal-sized organization to be able to try and keep them out, especially if it turns out in this case it was terrorists or a nation-state. Also, if I can quote two colleagues here, one, Dan Geer, who said the enemy of security, the opposite of security, isn't insecurity, it's convenience. And that's what we've seen in many, many cases: it improves patient care, it simplifies our lives, when we end up adding more to the network than we can. If I could quote another one of my colleagues, Dr. McCormick: if you can't protect, don't connect. And we've done that so often, just connecting these systems in. And we see places where smart regulation or other rules can come in to align the market incentives in such cases, for example the SEC guidance where, if a company has a materially significant breach, they have to tell their shareholders. That's a transparency measure that then allows a lot of other market incentives to come into place: shareholder lawsuits, reporting in the 10-Q, insurance, and that's all allowed by transparency. And so I'd like to see what we can do out of this wake-up call to see what we can do for more transparency.

My time is expired. I now recognize my ranking member for five minutes to ask questions.

Before I begin, I'd like to ask unanimous consent for this report to be entered into the record.

Thank you, so ordered.

I have a number of questions that I'd like to go through with you. These are in the form of yes or no statements. I'm not a, ah, so, Mr. Healey, for you I have five questions. The first one is: were these vulnerabilities known prior to the exploitation of the hospitals that were affected?

That's my understanding, yes.

Okay. Were the vulnerabilities introduced in software that had been previously used, embedded, by said hospitals?

I'm not trying to dodge the question, but I'll say yes.

Okay. How is it possible then, and this is not a yes or no question, that these were systems that were used in production and high-availability networks for critical circumstances that were knowingly vulnerable, that had not been patched? And separately from that, how is it possible that a hospital is allowed to procure infrastructure without any requirements for software development lifecycle security?

I wish the hospital executives were here to answer that question and what they're able to handle. From my perspective, in seeing this in the finance sector and in other places, there's certainly an issue of both cost and patient care. A lot of times you get better outcomes by connecting these, and you would be negligent not to connect them if it is going to lead to better outcomes and lower costs, especially when they're being squeezed. However, as you note, it brought up critical insecurity that they ended up paying for in the long run.

So back to some yes or no questions. Do we know who the actual attackers were?

No, we do not, is my understanding.

Okay. And are you aware of any organizations who are taking any sort of extenuating measures to ensure that we don't have the same type of attack on what was a United States senator?

I'm still not sure if we've confirmed, if confirmed, we know that the senator was affected by this. I don't believe, from what we've seen in the reporting, that that was confirmed yet. I can only assume that the National Security Council, Homeland Security Council, I would assume Tom Bossert would be in the lead on that as the assistant to the president for Homeland Security and Counterterrorism. He's leading an interagency process with the NSC and HSC members. I believe that's coming up to a principals committee in the coming week; we will have the secretaries of the HSC and the NSC coming up with recommendations for the president.

Chairwoman, I think that we should move that in the very near future; we have a convening meeting, either on the record or off the record, with the individuals that were mentioned by Mr. Healey. Mr. Fogarty, I'd like to turn to you for a few questions. Did any of the systems that were affected in the 9-1-1 infrastructure receive public money?

Yes.

as a matter of fact nearly every not on one system around the country including those that were affected receive funding from the state and local 911 fees that are collected for these purposes now I will mention in the state of Arizona's case there is a lengthy history of diverting not on one face to other purposes and in fact Arizona it has been one of the states that has used ten of millions of 9/11 dollars to fill gaps in their general fund so following question of that so just be clear we're taking public money or providing that to infrastructure for an a public safety and homeland security purpose and is it my understanding that we're doing that without the requirement

that they follow security best practices it is correct congressman there are no requirements that how is it possible that that's that that's the case so historically 9/11 a state and exclusively state and local function the federal government has had a very limited role in our nation's emergency response infrastructure and in general the states and localities have not necessarily had in part because of the sort of telephone network history that I mentioned in my opening statement have not had a need to secure there or at least have not believed that they had a need to secure their infrastructure in the way other critical infrastructure providers have the other thing I would mention is our nation faces a critical

cyber workforce gap at the state and local level in particular we do not have an availability of trained competent people to manage and secure these networks and I would also add in the commercial sector we do not have menders selling into that marketplace if my members want to buy security products tomorrow they would have a very difficult time doing so so is there any funding that comes from any federal government organizations like the Department of Homeland Security or others the federal government has provided funding to nominal one centers on only two occasions for their 911 one related purposes it once was forty million dollars in the early 2000s timeframe there is a hundred and fifteen

million dollars currently pending we have we are in the record set so - but there's no requirement that any of that money be spent on infrastructure that is somehow inherently secure or not is that an evaluative criteria and the ability to make these grants and receive these money are we just taking money and setting it on fire and giving it to the Russians that is naca that is not that is not currently a criteria congressman however we would certainly support the inclusion of the security criteria because of this incident so you would support cutting off funding to organizations who aren't secure then yes yield my time gentleman yields back the remainder is time are there other members wishing to

receive recognition to ask questions the gentleman from Pennsylvania is recognized I don't know any of the syntax here but I thank you madam chairwoman for recognizing my questions this question is directed towards I think anyone really so these sorry no it's not it's directed mr. Healy the hospitals in question that the extortion where is extortion where was attacking so it sounds like there were there were questions that they knew there were vulnerable ities they knew there were patches they were not mitigated before the extortion we're hit what role do the providers of the medical equipment play in in securing the equipment that the hospitals are operating is it the hospitals or the HDS responsibility or where is the boundary

between the device vendor and manufacturer's responsibility congressman I do have to apologize that I'm not I'm not an expert on on hospital hospital IT systems so I'm afraid I'm unable to answer your question yeah okay I thought I was just someone in the audience sorry mr. Trey for getting do you have an answer to that question for any reason so while I certainly wouldn't want to speak for the hospital space because I don't have experience there what I can tell you is within the 9-1-1 space deciding exactly where responsibility for security and patching lies can be a devilishly tricky thing just the cause one of my members has in there Center a five million dollar piece

of equipment that handles none of one calls made by a company let's say Airbus that device might be attached to a network sold to the to the 9-1-1 center the piece app by AT&T it might be serviced by a software vendor and the contract that deals with all of it maybe with a systems integrator and so the the thing that we've run into repeatedly whether it's been on you know naturally caused outages or man-made outages is we often get into a circular firing squad situation where everyone claims it's someone else's responsibility and the contract documents don't specify who's correct and so that's something where we've been working with the FCC and others to try and develop some sort of

framework to sort out who's on first and what's on second when we have an outage so we our members at least know who to call about okay how do we fix it now the second step of that is okay how do we patch it in the first place and I don't think we're there yet but it is something that we're starting to think about and if I can congressman I'd be very curious if I if I were looking as we look more deeply into this event you've got a trade-off between convenience Patient Safety cost and and the the negative implications that can happen when you do have a security incident like this that's okay board directors CEOs executives they're

getting paid to make these trade-offs between how we look at these and so what I like to see in an enterprise is do they have that risk structure that looks at gump you know that's picking up these governance questions in exam room and go in going through them and those that do not do that it is perhaps more more acceptable to if you don't mind the phrase blame-the-victim because they didn't even have the governance process in place to say we have this patch but if we but if we patch this then it might put our patients in short term short risk if they are going through that process and they're making those kinds of decisions and saying well we'll

budget for this and we'll take care of this and they have a structure that makes me feel much better that they have they've got this under control and I think it would be interesting as we see more reporting from those hospital executives and others on where they came down in addressing those conversations between the board the executives in the United staff the gentleman yields back his time are there other members seeking recognition to ask questions the gentleman from New Jersey is recognized Pennsylvania grew up in New Jersey living on spending so regarding the 911 system what I'm hearing is there are major issues with patching systems we know are vulnerable and fixing them there are issues with hiring or even

finding staff to support security what are we doing to solve these challenges so I keep hearing about all the problems we're facing but what are we actually gonna do to fix them so we don't have the same conversation five years from now I appreciate the question congressman to answer I'll take those if I can in the reverse order first off we have been advocating consistently for several years now that we need a major injection of federal capital to move our nation over to next generation not on one systems now rather than later the commercial networks that our 9-1-1 systems depend upon are making that transition quickly most plan to have it completed by the end of the year 2020 or

20 21 if we don't get this done now the ability of attackers to originate more traffic than we can ever possibly absorb in our mountain on one systems is only going to grow and it's going to grow to a point where there's simply no way to defend at all anymore so that that's number one we need that injection of federal capital and we need federal assistance with securing these networks frankly to address the workforce workforce problem I'm a member of the FCC's communications security reliability and inter durability counsel and in last year's report we actually addressed the workforce issues facing our state local territorial and tribal governments with hiring security personnel one thing that III think it's sort of low-hanging fruit

that we ought to look at is how can we identify IT and security talent early and provide pathways to careers that are not necessarily dependent upon four-year degrees we have lots of very talented and capable security professionals that do not have degrees and who nonetheless go on to great careers those are exactly the kinds of folks that we're looking for in state local territorial tribal governments and it's something that the federal government can work to encourage and if I may this has been the central question our New York cyber task force has been focusing on in our answer again if I can repeat the word comes down to leverage right so many of our security

solutions have focused on here's a new attack type let us develop a new device and on the other side of town here we have many people that are they're going to be there and that will help you to have one of those devices that they will sell you to deal with this specific attack and that's led to this incredible complexity that leads to situations like we saw in the hospitals where you've got a bit patch everything you've got all these more complexities you can handle so we need to do what we can to subtract that complexity out so we've been looking at a different range of these kinds of solutions that for example take the user out of the solution so that

we're not depending on someone and a user doing the right thing or doing the wrong thing we're not doing the wrong thing to get through taking away into our classes of attacks we've been fascinated to see that for example things like formal methods are coming back that DARPA and Microsoft are looking for provably secure software that when I was studying was only something in the lab and they're now bringing in to secure things like HTTP using these formal methods and by doing that you're taking out entire classes of attacks so we're really interested in these places where vendors can MIT can themselves make a solution I'm Jeff Moss one of my colleagues he's on the new

York Cyber Task Force, and he talks about there's probably maybe 20 vendors, and if you can get them to change just a couple of defaults each, that we have fundamentally transformed where we are in cybersecurity. The gentleman yields back. Are there other members wishing to seek recognition to ask questions? In one of your previous responses you had discussed the trade-off for patient safety. I was wondering, when you're not in a wartime situation, what is an acceptable level to trade off patient safety, and currently? I would have to say, ma'am, I have not been in the health care space, and that's such a difficult conversation, and really that's much of what we're seeing now in the healthcare debate

is how much are we spending on patients. My background was in the government and finance sector, and so there we had a very different risk governance model, where we have, for example, if a managing director in the fixed-income division wanted to keep running Sunnis, the CSO could say, that is okay, you need to run that, you're making five million dollars on that, that is absolutely okay with me, sign this waiver approving this, and this is going to go to the Risk Committee and it will get signed off by the CEO, no problem. And what do you know, all of a sudden it wasn't critical anymore and they spent the money to upgrade that software,

because they didn't want to be the one to go to the CEO to get sign-off on their waiver and explain why they were imposing that risk on the rest of the firm. And that's what I mean: I want to see those governance structures that tackle these tough questions that are imposed. We're having these tough choices, and it's much tougher in healthcare, and I don't envy them those choices, but they're healthcare executives and they have to deal with those kinds of questions day in, day out, I'm sure. The gentlelady yields back. The gentleman is recognized. Thank you, Mrs. Chairwoman. I would like to ask the members of the panel to

elaborate a bit on your earlier statement. You expressed support for tying federal funding for hospital and 9-1-1 systems to the implementation of security best practices. If this were to be done, who would have regulatory control of it? Would that be the FDA, HHS? Who in your proposed scenario would actually be controlling the flow of funds? So I appreciate your question, Congressman. We have consistently advocated for grant-based oversight and not regulation. As I stated previously, we have a strong history of state, local, territorial and tribal governments managing their own 9-1-1 systems with little to no actual federal regulatory authority over them, other than in the case of some labor-

related issues. We're very comfortable with that model; our state and local members are certainly very comfortable with that model. What we do also have a successful history of, however, are grant programs that use a carrot approach rather than a stick. So historically, when we've been looking to do things like encourage the adoption of wireless Enhanced 9-1-1 capability, so basically the ability to locate people when they call 9-1-1 from a mobile device, we have seen the Departments of Commerce and Transportation condition grant funding on recipients prioritizing that money for deployment of that capability. So I could certainly envision a grant scenario where grant funding was conditioned upon or prioritized for the deployment of security capabilities, the

improvement of security capabilities. And to address the previous congressman's question, I think one thing we certainly should consider how to include is support for workforce development when it comes to our security needs. And if I may add on to that excellent answer, on how you're looking at that in general: within my conversations with Trump administration officials, as well as the current executive order, anything they're looking to do on security standards, whether it's in government or through the regulatory agencies, is aligning on the NIST Cybersecurity Framework. They're really doubling down on the Cybersecurity Framework. Within the finance sector they were looking to do harmonization across regulators, so they'll be more strictly aligned

on what NIST has put out. And if I might just mention very briefly, because it is relevant in the 9-1-1 space, we actually do have a security standard called Next Generation Security for next generation 9-1-1 systems; it's known as NG-SEC. Even though it talks about next generation systems, that standard can be applied today. It was actually completed in its initial form before the NIST framework was first published. The FCC did a review of that subsequently and determined that even though our standards developers didn't know what the NIST framework would be, the two documents were extraordinarily well aligned. So they actually asked us if we got an advance copy of it, and the

answer is no. But I think that's a good thing to say: that we have a pathway that tells us, in a form that is more familiar to the 9-1-1 profession, what to do. The gentleman yields back. Are there other members wishing to ask questions?

The gentleman from New Hampshire is recognized. So I have two questions. One: is it true that the Internet is a series of tubes? And separately, I find the testimonies quite cavalier, and concerning. This is a public safety issue that took out hospitals, a crisis of confidence. Our phones are ringing off the hook: is this gonna happen to us? This sounds like normal risk management mumbo-jumbo, volunteer stuff from the private sector. This is a matter of public safety, this is a matter of national security. What is it gonna take for us to stop rolling the dice and gambling with one-sixth of our economy in healthcare? To some degree I think that's up to this chamber. I think

the advice from the experts has been relatively consistent over the past 15 years. As a matter of fact, it was in front of one of the House subcommittees in 1991, June 25th or so in 1991, that one of my colleagues, Winn Schwartau, whose 65th birthday party is tonight, first talked about a coming digital Pearl Harbor. And so that has been 26 of the 76 years since the actual Pearl Harbor. So I do agree with you, Congressman, that the warning has been ample, and we do look forward to working with you on solutions, so that this is the last time we talk about what we will do and we're talking more about what we have done. The

gentleman yields back. Are there other members seeking recognition?

The gentleman is recognized. So you mentioned in your opening statement that offense has the upper hand always, but I've yet to hear a good solution to how we flip the switch, and otherwise it seems like we're just playing whack-a-mole and chasing our own tails. So what are the first, biggest bang for the buck things that we could do to start actually giving hospitals, which I see as symptomatic of the accrual of technical debt, how do we start alleviating the burden at the hospital level as opposed to burdening them with becoming security experts? Yeah, thank you very much, Congressman. And I wouldn't necessarily, if I just disclosed

a flu, and say, oh, the offense always has. There's many, many cases. I was just talking with a colleague today that talked about, for example, there are many hard targets; he gave the example, he was a military targeted adversary, air defense, where the defenders have all sorts of advantages. But they usually have the advantage, especially for general internet-connected systems. And so what we've been doing as far as our New York Cyber Task Force, and, you know, I'm happy to leave a copy of our booklet with you, is, as we've been going through, we've been saying we need to get the market incentives better aligned, and I've spoken to that in some of my comments.

For example, if we're going to regulate, rather than regulating for security, regulating for transparency. The SEC guidance I think is an excellent example of this. If I could convince one person in the world to take security seriously, and I only mean this part tongue-in-cheek, it wouldn't be any current or past president, it's not anyone in Silicon Valley; I would start with Warren Buffett. Because if we got Warren Buffett to say, I will use the NIST Cybersecurity Framework in all of my companies, and I will not invest in a company if I think the intellectual property has walked out the door, we will be on the front page of every financial newspaper for ages, and every board

director of every publicly traded company in the world, and that's hardly an exaggeration, is going to be saying, what the [ __ ] is a NIST cybersecurity framework? But we're forcing them to pay attention to it, and that's getting the market incentives to work. If I could follow up with another group, I might go to the California pension system, CalPERS; continue through Omaha right to Sacramento. Before Y2K, the California pension system, which runs trillions, went to all of the companies that they invest in and said, what are you doing for Y2K? If we can get activist investors such as CalPERS to go and say to their companies at their shareholder meetings, what are

you doing to protect us so that we're not another Yahoo? What do you do, are you using the NIST Cybersecurity Framework? That scales better than what we're doing, and it's getting these markets and incentives to align. In the rest of our report, which is going to be part of the record, we have other ideas where we did not get consensus as part of the cyber task force, and Frank, as executive director, I did not even try and push in some of these ideas. Ideas like transparency are easy to propose because, at the end of the day, we're not saying who pays; we're not creating winners and losers. There's another set of solutions, such as liabilities for software vendors,

for not allowing ISPs to pass the trash, for more extreme transparency measures, where you're really going to take significant hits on innovation, where you're going to be creating winners and losers based on the policies. And in those places I don't think that on our side, as researchers, we've done a good enough job to say, all right, if we're going to take a hit on innovation in the United States, are we going to get more security bang for the buck if we do software liability or if we have ISPs crack down? And I think until we do that it's tougher to try and figure out where best to do that, although I understand some other members of this

chamber might have their own ideas on that. The gentleman yields back. Are there other members seeking recognition? The gentleman is recognized. Thank you. Thank you, panelists; you've been very patient during what must be for you very, very simple questions. The question I have is, let's suppose that this is a nation-state. I've got one that I like to pick on, but I won't name them. What options do we have to retaliate against them, and how will that deter them? If I may, if I can just start with, say, one country, I'll say Russia. The options are probably a little bit better than for some other countries. With North Korea we have very

few good options left; the policy toolbox is only so big, and we've used just about every tool that's in there. With Russia we have a little bit wider set of tools that we can use. It's worth considering that it is possible, I don't think it's probable, but it's at least possible, that the Russian election interference of 2016 was Putin's payback for the release of the Panama Papers, which he believes, perhaps correctly, was a U.S. covert action. So we need to be very careful when we're talking about cyber deterrence and what we're going to do back. Deterrence works very differently when your adversary is certain that they're punching you back, not punching

you first. That said, with Putin it's clear that he respects strength, and in this case some brush-back pitches are certainly called for. With Congress just in the midst of passing sanctions, we take that as a very good sign, and we hope that the EU sanctions, which are in place now until June 2018, I believe, are held in place. Personally, and I know this is not necessarily germane to this body, I'm very curious what Angela Merkel, the Chancellor of Germany, is going to do next. Her own elections are coming up in September of 2017, and she has to assume that Putin would be willing to spend an awful lot of money to try and get her

out of power. I recommend that we have a NATO Article 4 consultation. This isn't the self-defense article of NATO; this is a consultation to say that we are facing an external threat to our security, which certainly Putin has done. Other things for the United States against Putin range from everything from sanctions to more kinetic; I certainly mean more military exercises, generating more force with our NATO allies, reinforcing the Baltics and the like, so that Putin knows that we are not intimidated and we will not allow this. If I can add just two things, Congressman: I think from the perspective of the broader international community there are two problems that have to be confronted at some point.

One is the problem of proportionality in cyberspace. I don't think we yet have a global consensus on how proportionality principles that are relatively well understood in the kinetic space transfer to the non-physical world of the Internet. Now, there are cases where that may be a little bit more certain, where we are dealing with, you know, cyber events that have kinetic effects; so an attack on a power grid, for example, that destroys rotating equipment would be one example. I do think there are steps that the international community can take, and there are steps that the United States can take as a prominent member of the international community, much the way we stated specific reservations to the Law of the

Sea Treaty but nonetheless made enforceable commitments about how we would behave under certain circumstances when we refused to sign on to LOST. We could certainly make unilateral declarations about how we intend to behave and how we will regard the behavior of other states. This is one way that we can start to relatively quickly build a body of customary international law with respect to norms in cyberspace. The other thing that I would say is there may be a role for the World Court. I raise that very hesitantly, but we do have one case, you know, from 1996, in the legality of use or threat of use case with respect to nuclear weapons, in which the Security

Council referred a specific narrow question to the court for resolution, and their answer to that has guided international policy with respect to the use of nuclear weapons for some decades now. That is an option; it is not necessarily the first option that I would encourage us to pursue, but it is certainly one that can be thought about. And if I can follow up on my previous answer, Congressman, and I agree very much with my colleague: much will depend, as we continue to get their party from this incident, on how many deaths we had. We'd found there'd been many deaths from the failure of industrial control systems and the like, but from my

research no one had ever died directly from a cyberattack yet. So if deaths are confirmed from these, they will be the first that we can tell that have come from a hack, if you will, and that puts us in extremely different territory, especially when it comes to international law and what other nations will see as valuable for this. So I think it's incumbent on the executive branch to help determine how many people had been killed, and to not be shy about declassifying evidence about who was behind this, especially if this does turn out to have been a nation-state. I think declassification for other things that that nation-state has done, Russia has been pointed out in the press,

if, for example, not just doing hacks against, for example, the email of their own chiefs of staff, but actually putting implants into nuclear power plants in the United States and Europe. Citizens that might be blasé about hacking an election are probably going to be less blasé about knowing that Russian agents have burrowed into the system of the nuclear plant that's just upriver. It gives us a lot of additional options, not just the one that my colleague talked about, but for example the Department of Justice has already indicted Russian hackers, and not just Russian hackers but Russian intelligence officers, but they were under hacking rules. Now, if it looks like the worst does

come out, they now have indictments under homicide, and that puts us in a very different position when it comes to these, and I think it strengthens the president's hand considerably should he choose to use it. The gentleman yields back. Are there other members seeking recognition? Yes, yes we did. In conclusion, I'd like to thank all of the witnesses and members that participated in today's hearing. I remind members that they have ten business days to submit questions for the record, and I ask that all witnesses agree to respond promptly to the questions. With that, this committee hearing is adjourned. So I wasn't entirely sure how I Am The Cavalry wanted to wrap up this particular talk, but if it wasn't clear, I am actually a

congressional staffer; I do these kinds of things for a living. So if anybody had... Alex is making fun of me. If anyone has any questions about this process, what happened, what was going on, I'm happy to answer any of them, or these guys can instruct what comes next, or not. All right, everyone gets how Congress works. So I wondered, just quickly going around the room, how do you think you would have responded if you were in the hot seat? Does anybody want to volunteer for this that didn't get a chance to be in the hot seat? How do you think Jay and Trey did? I mean, it's tough,

and that's not by accident. They've both been in front of a much tougher audience than this relatively friendly group, answering some very hard questions about cybersecurity issues on the actual Hill. Doug, do you have a question or a point or anything? Yeah, so I don't know if I'm on. Yes. Um, I've never testified, but I've worked with and for a bunch of people who have testified. The sort of question is, a lot of times in the hearing something will come out which seems an obvious yes, there is a problem, and there is some sort of a solution. What are the cogs and wheels that turn after we get off the stage that are why things do or do not happen from this

point on, when you have that sort of a setup and slam dunk and yet still... I mean, I'm not going to get... it's like, why we can't make forward progress. But like, assume we were going to try and do something: what happens after this, the scene is closed, how does progress then come from this? So there are a couple of different ways that progress can be made. It depends on whether or not it needs a legislative fix. So if you need a bill, if you need a new law, that's obviously a lot more complicated, and usually what happens then is you've brought in experts to testify to kind of give you an idea

of what that bill language should say to get to the policy that you want. So then, theoretically speaking, the next process is that you're gonna go and you're gonna work with Legislative Counsel, who are lawyers who specialize in writing legislative language, and you're gonna draft it, and you're gonna talk to all the members who are involved, you're gonna have a legislative hearing, you're gonna have a markup, you're gonna get it to a subcommittee, then you go to the committee. So the legislative process is a whole big long thing and very complicated. Legislation is a piece that I don't usually deal with because it is so, so, so hard to get right. There are

other ways that Congress can effect change. With oversight hearings, usually what you're doing is you're not necessarily going out to try and do legislation; you're trying to identify a problem and try and sort of get to the bottom of what happened in that kind of situation. So if we were having a hearing in response to the cyber crisis simulation that we had before, it would likely be an oversight hearing, not a legislative hearing. So you'd have people testifying under oath, and it essentially would be an interrogation. You'd be sitting there and you'd be saying either what happened, what went wrong, and, you know, if you're under oath and you say

something that isn't correct, I mean, you've just committed a federal crime. So the oversight investigations kind of can be pretty intense, um, and in those cases, you know, sometimes if there was a crime committed, then what happens... And sometimes, though, in oversight and investigations hearings the goal is to then identify an issue, and sometimes it moves to legislation, sometimes it doesn't. But, you know, Congress is a pretty tough beast. A lot of times you usually will try to have as many meetings as you can with as many people as you can, to try and explain your view of the world and see if there's ways to make progress, but it's hard. So it can... if I can

just mention a couple of practical things that I usually like to think about: so if I'm walking into a hearing, I generally want to know, like, two things that I want to come out of it. So one example might be, if I want the chair and ranking member to write a letter to an agency head or a component head or something like that, to say, you know, how are you doing? Explain to us how you're doing X and how you're going to prioritize Y and how you're going to fix Z. The agency heads do actually read those; they feel very strongly that they have to comply and answer. Yeah, you usually have... two other things that I

could think about doing is, you know, a change, potentially, if it's something small: if an agency's up for reauthorization, a language tweak, or maybe in their annual appropriation statute I want something prioritized differently, I can go after it that way. If it's something smaller, I might even just want a committee staffer or a member staffer to call somebody up and say, hey, what are you guys doing about this? Because sometimes that's enough to fix, you know, a small thing, if that's all you're after. Yeah, I'd say... so I just have different experiences, because I worked in a personal office for about four years and she works on committee, and so, quite frankly, people take her

more seriously than they took me, for all sorts of reasons. But part of the issue is you want to be able to get the members of Congress themselves somewhat incentivized to do things. The challenge, though, is Congress is to a very large extent binary: either you did or you didn't pass something. Then there's, like, the convening power of Congress and the public shaming power of Congress, which can be very powerful, but ultimately most of the decision-making that influences outcomes is Congress telling other departments and agencies what to do, right? So they usually do that through the federal budget process or through an appropriations process. But it's really different when it's a private company,

right? Congress has almost zero authority over private companies. Now, what they can do, unless they broke the law... and they can't change the law and then say, we changed the law now, and so you broke the law we changed now two years ago; you can't retroactively do that, it's unconstitutional. But one of the other pieces that they can do, and that they on occasion will do, is they will work with federal departments and agencies to pressure those companies to make certain types of decisions and outcomes. But it's really uncertain whether that's effective or not; it's totally a non-transparent process. If I could add one thing, because you said

something that I certainly didn't understand when I came to DC at first, and I don't know, just to level-set here, I don't know how much experience everybody has with this, but in Congress there are really sort of four types of staff. You have a member's personal office staff; so if I'm the gentleman from Tennessee, I have, you know, X number of people who work for me, who staff me. A committee has a professional staff that works that committee; actually it has two, one for each party, and they sort of represent the interests of the committee; they work on, you know, the legislation, markups, things like that, research, etc. Then you have leadership offices; so, for

example, Paul Ryan is Speaker of the House. The Speaker has an office with a staff that is not the gentleman from Wisconsin's staff; they're separate. I mean, they do report to him, they're his, they change with the office, but, like, it's another sort of thing. And then you have congressional agencies, like the Library of Congress, obviously; that's another sort of thing. It's very important to know who's the right person at the right time. So if you're talking about, like, a markup, I know you want to be talking with committee staff, because they're probably circulating memos about, like, okay, here's how the party wants you to vote, here's internally what the issues are, etc. For

some things you may want to be dealing... like, if I want a question asked in a hearing, I want to go to a staffer for a member that I know is friendly to that issue, so that they'll put it in front of their boss and say, hey, here's a great question you should ask in this hearing. And if I'm down to the point of, like, I want something passed and I need to get it through the Rules Committee in a particular way, then I want to deal with either the Rules Committee staffer or leadership staff to try and do that. So it's important to hit the right people at the right time. So one thing

that I wanted to say, just while we're switching to questions: if you noticed Alex and I cracking ourselves up here sometimes, it was actually because we were very impressed by how much this resembled a real hearing. So technical difficulties, the ranking member and the chairman actually, like, elbowing each other and making fun of each other, very normal. And it was obvious that these two had testified before, which I didn't know, and I think he's testified in front of my committee, which made it even more hilarious. So anyway, that was some of that. So on the last statement, this is a question to the whole panel: you mentioned right people at the right time. All four of you are here, obviously,

because you have some interest, passion or knowledge of the subject matter that we're discussing this week in Las Vegas, being cybersecurity, and specifically here cybersecurity of connected cyber-physical systems. But what is your impression of the interest or knowledge across the rest of the Hill, not just the members but also their staff, and whether or not their interest and knowledge is even relevant to passing the working policy? I'm curious to hear. I defer to the joshan on that part; I'm more executive. My background was more executive branch, military and White House, and on that I've been pleased, at least in what this administration, the folks that this administration has been

putting in place: the new Assistant Secretary for Infrastructure Protection, Chris Krebs, came out of Microsoft; he's been doing that for years. Jeanette Manfra, the Assistant Secretary for CS&C, solid, she gets it. They both care very, very deeply, good networks, good colleagues, both well-respected and well-liked, which matters a lot in getting things done. Rob Joyce gets this. Tom Bossert gets this; he's a former fellow from the Atlantic Council. So we're seeing good people that are going in on the executive branch side, and things like cybersecurity, industrial control systems, are not going to be magic to them, right? They get it, they understand it, and they're going to

be starting to move that ship, hopefully, but we'll see. So if I can speak about my experience with staffers, and members for that matter: this may be a somewhat unsatisfactory answer to the question, but I actually think they get it relatively well, if you focus on what the "it" is, because "it" for someone on the Hill is not the sort of things that, for the most part, we spend our time at BSides and Black Hat and DEF CON talking about. It's not technical issues; the policy level is fundamentally different, and I think at that level I'm pretty pleased with the level of debate, actually, on these kinds of issues. I see Congress focusing on the

kinds of things that Congress can make a difference about, and while I won't say that you have, you know, hundreds of Hill staffers with the kind of technical knowledge that Jessica has, you are seeing increasingly people who have someone that they know to call when they get some technical cybersecurity thing. Like, they know somebody in the community even if it's not, like, their issue. So cyber... I have my issues, 9-1-1, that's my big thing; cyber is a part of that, it's a growing part of that, but it's not the biggest part. But there are folks who will call me even when it's not a 9-1-1 thing, because they know I have that sort of security

interest, and I think that's one of the powerful things about I Am The Cavalry: it's, you know, creating a sort of ready corps of folks who can be that person that people call when they need someone who knows something. Yeah, I'd just add to this, if you're sticking around for DEF CON: so there are several elected members in the House and Senate that have quite a bit of clue on cybersecurity. Not gonna give an exhaustive list, but for our part, when we are on the Hill versus in the executive branch, we actually have two sitting members of Congress coming to DEF CON on Saturday and Sunday: Representative Langevin, a Rhode Island Democrat who's the co-chair of the cyber

caucus. I think the first time he saw the Idaho National Labs attack on critical infrastructure, Aurora, he asked a lot of questions: why aren't people more upset about this? And when he couldn't find a good answer, started the cyber caucus, and has been very intellectually curious, asking lots of questions and getting very smart on this, and has an incredibly good technical staffer in Nick Leiserson. The other member is Representative Hurd, a Republican from Texas, and he will be up with us at a fireside chat as well. So there's some activities going on on Saturday; it's the first time we've had sitting congressmen at DEF CON. There's also Ted Lieu of California,

Senator Warner of Virginia, quite a few people showing significant proactive interest in this. In general, though, when we don't have a specific topic that matches what they care about, we tend to go to committees of jurisdiction. So one of the reasons we know Jessica: her committee has jurisdiction over health care and, well, everything, not automotive, but it's French for a lot of the cyber-physical systems. It tends to be a very good place to invest time in round tables and discussion and research, and make yourselves available. So I think it's a mix of who has self-identified as having clue or having very strong staffers, and who is on committees of jurisdiction for the things that we care

most about. But a lot of it, though, is we have absolutely no idea what we're doing, but it seems to be working. But I didn't mean to interrupt you, Mister... Thank you. Yeah, the only thing I'd say is, don't have an expectation, even if it's a reasonable expectation, that staffers are really gonna understand the depth that you would need them to in order for them to have a real conversation about security with you, right? So I think I was one of the only staffers who I knew who, like, actually did computer networking, and it just, like, blew people away. And honestly the Capitol Police thought I had a bomb under my desk; I have, like, a small, like,

two switches in a router and that's it and they were like what is that and and it you know is interesting because you know all of the staff who work on security internet policy all sorts of things they're talking with giant companies you know they're talking with AT&T Verizon Alcatel-Lucent until I can you know T-Mobile not Alcatel anymore but you know I mean they they get lobbied aggressively by people generally the people who lobby know only a little bit more than the people who they are lobbying congressional staff are incredibly under compensated like I mean it's insulting how under compensated congressional staff are and this creates a real challenge because you will not be talking with generally well

compensated tech workers who understand the the challenges involved and you know network function virtualization right the reason why Jess I can I did is because she is smart and it was very rare and I was very surprised and so I don't have an expectation that you can go in there and you can have a conversation about security architecture have an expectation that you can go and you can have a conversation about this is what we want to achieve and let me make myself available to provide some advice that's the best possible outcome one thing that I do want to do is give somebody sitting in the room a little bit of credit so Travis Moore is the

founder of TechCongress and so his goal is get tech smart people into Congress he has fellows who come in and they work for specific offices their specific committees and they try and make us smarter on on cybersecurity so I think Travis really deserves a lot of credit for that so quick statistic there are 12,000 staff in Congress and I'm aware of five staffers that have any formal technical background right up Jessica is one of them they're all in the House of Representatives so we we need good candidates because the technology security and technology underlie it's not just traditional tech it's it's health and its finance and it's it's all of it it's education and so we have a

one year policymaking fellowship Fellows go in they work directly for a member of Congress or committee House Oversight Committee Senator Wyden they work on things like surveillance reform encryption investigating the OPM breach health IT really really hardy great work and so if you know good candidates please send them my way I'm giving you a little pitch here it's it's a it's a it's a great role and because there is this dearth of expertise these fellows get to go in and work right at the front lines of these issues so come find me after it's techcongress.io and would love help finding new recruits we're going to start recruiting within the next month and the application will

close September 30th

yeah and one point I wanted to make which builds on Travis's quite nicely is you know there may be five staffers who have a formal technical background there are maybe two to three times as many of those people on the outside that congressional staffers feel really comfortable to turn to as an independent voice and that's one of the best things that I've learned in in coming to DC is I don't have to have a pile of money in a lobbyist in my pocket in order to go in and have a forthright and candid conversation about any of the technical issues or policy issues that I want to get across it's it's more about being honest candid telling the truth and not

running down a list of talking points or not particularly advocating for one thing or another and tailoring my message to the level of the person that I'm talking to which is especially important you can start to see people's eyes glaze over when you get too in the weeds and then you can you know pull up urgently desperately to get back to some of the broader issues but I think that's one of the most enlightening things for me is that Congress and agencies are very accessible we've got lots of people from DC in the room lots of people who had to get permission to come here sometimes literally from an act of Congress to get on a plane to get here

also the second thing is how few people there are that they can actually turn to and feel confident in that and for those of us who are doing it a it doesn't scale well so right now when there's only five people who kind of know who to turn to having 10 or 15 who can answer their questions is roughly right we want a lot more than five though and we want a lot more of the people who don't have formal technical backgrounds to get a clue and to be able to reach out to people so we need more people who those people can turn to to ask really good questions and sometimes that will be in DC so that

might mean that you might have to come for a visit or for a little longer than that depending on what your appetite is so this is kind of related to that but if somebody isn't in a position to move to DC or become a staffer but they're interested in politics that are interested in cybersecurity what can they do to get involved in from all the way over from the West Coast and and stuff so this is also not meant to be a shameless plug but get involved with I Am The Cavalry it's it's difficult if you're not immersed in DC culture to understand the importance of groups that you can turn to who have sort of a specific purpose

so I forget in particular who was mentioned in it yesterday but somebody was saying you know oh it was Alan Friedman who was saying there are you know there are a lot of groups who concentrate on privacy or there are a lot of groups who concentrate on health care issues or things like that but it's it there hasn't really been a security focused group like that or a security research community focused group like that and so in in my perspective over the last four years that I've been with Congress I Am The Cavalry has really filled that role so now when I need a security research focused perspective what I do is I go to I Am The Cavalry and I ask hey what do

you think and then you know they can through their their network they essentially will put me in touch I was saying yesterday you know when I need somebody who understands automobile cybersecurity I call Josh I call Beau say like hey who do you know who's really smart on cars and they'll give me a couple names or who do you know who's really smart on medical device cybersecurity and they gave me a couple of names so I would I would HIGHLY highly highly recommend get involved with um with I Am The Cavalry the other thing that I would I would say is you know we we kind of get big heads with the federal government we think we're

the only government that matters but your local and your state governments are incredibly incredibly incredibly important in fact that's arguably where more of the impact happens is at the state level than at the federal level so I would say get involved with your local and your state government if you're if you're smart tech-savvy you know find out do they need tech help do they do they need people who they can they feel like they can turn to in instances like that so you know take a look at local and state opportunities yeah I want to echo that because this is something that we emphasize strongly with our members is be a resource for all of your elected

representatives and all of your sort of administrative representatives there was a great talk at THOTCON this year about hacking local government and it was from the perspective of show up offer to participate and they're likely to hand you a job that actually has some impact on something they'll put you in you know their I looked up after the talk actually I went back and I thought well okay what does Alexandria Virginia have that's where I live it turns out there's like 45 different boards that are populated by whoever showed up right and so you know but they have nonetheless a big impact on the city's functioning and the same goes at the state level I get you know there are

lots of these sorts of things that you can do it doesn't necessarily have to be with Congress state legislators are just the same my uncle is a state legislator in Tennessee and you know knowing who to call for that particular issue is a huge deal particularly when you don't have like a big personal staff the way you know a senator a United States Senator might so that's that's one thing I would say you know get involved I Am The Cavalry but absolutely you know state and local government hugely important so a ton of state legislators are part-time and beyond that most state legislators are incredibly underfunded for staff and so they rely very very heavily on

literally anyone who will show up and talk to them and this is terrible and also great right because it's terrible because you've literally no idea the advice you're getting and it's impossible to vet it but it's also great because if you're a smart honest thoughtful person you can make a really big important difference the second piece though is that there's like two or three states that control an enormous amount of outcomes because of their weight so like Texas Texas Texas controls all textbooks right the the State Department of Education controls what almost every other student in America reads and California and New York control basically privacy policy and so if you live in California and you have an

opportunity to get involved and invested in that or in New York or in other places you can actually make a really big difference nationally I would say you know also for example like we're gonna see GDPR roll out in the European Union right in the next like I think it's year year and a half and that will fundamentally change the way that American companies deploy their infrastructure software services in Europe and the same thing is true in the United States when California decides to make a decision and so participation is the thing that's actually really important I kind of pile on they are the national associations of the commissioners right so National Association of Insurance Commissioners

the National Association of G's energy commissioners all those all those organizations are dying for talent as well and where they get their information is questionable at best so kind of the same same deal with those those organizations as well especially as they write model law that just gets transferred into state regs no questions asked and actually maybe funnily enough maybe if I can pile onto everybody piling on one thing that's really funny about national policy sometimes is that when we start looking to implement national policy what we'll do is we'll go look at like hey what did some of the states do so we'll go pull up what the states did and we'll look at theirs and

then maybe we you know we'll pick five that we think did good jobs and we'll synthesize those so you know if you if you work at the state level sometimes you will have that follow-on impact because we'll base the national policy on what the state policy was laboratories of democracy yeah so that that's a wonderful point that you made about about those groups one one kind of cool hack is just to go so like see where their annual conference is going to be the next year and you know find out if that's near enough to you that you could get there and you know something that is relevant to their community it like me and like every

other association we're all desperate for content providers like if you want to come and talk about something and it looks like you might know something about it fantastic please come and talk about this and and so what they'll probably say is you you find the right person in the organization like who handles security issues for NERC or NARUC or whoever and then say hey you know I know something about this I'd know a little bit about god I would love to come and talk to your members about it if they have an opportunity here's you know somebody who can verify that I'm not crazy yeah and you know a lot of times they'll say great yeah I'd love to

have you come on just if anyone's interested I gave that THOTCON talk it was great thank you so if anyone wanted to know more about like local governments I was in it for five years like heavily in it and I'd be happy to talk to you one on one one thing that nobody's yet mentioned is all the national legislators have a local staff and sometimes the local staffs can also be good places for you to go and it's also from what I hear I've never engaged a local staff but you just kind of show up and like talk to them they're like oh wow somebody really wants to talk to ya so that's actually a really fantastic

point so each representative in that this is the same thing in the Senate I assume but frankly the Senate is like another universe to me because I work in the house representatives but for each house what would both said is absolutely correct each House member has a a DC staff and they have a district staff so if you go find out one who your House of Representatives member is and then you go find out who they're where their district office is and you go talk to that district office that's also a really good way to get involved I'll uh I'll keep piling on as long as nobody else is one of the things it's been one

of the secrets to our success and Jessica and Suzanne you can tell me if I'm wrong is that we kind of started with the idea that we're gonna go in and have honest decent conversations at a peer to peer level rather than go in and just talk about all the things that we think are stupid or wrong or bad or whatever and we led with empathy and understanding we made it honest and genuine effort to invest in the people we were talking to and that paid huge dividends because it meant that you know we didn't get a law passed on day one right but it meant that when there was something going on we got a call or next time we were in

town we'd ping somebody hey you know grab a coffee and catch up interested to hear what you're working on and that built a trust relationship over time that couldn't have happened in a single encounter or couldn't have happened if we just came in with our issue and wanted to bang the drum on it so some of it's just sitting there and listening and giving smart feedback in a time when you don't have anything particular that's on your minds and when there is something burning you've got that connection already built so Congress takes regular breaks which no one's surprised about and so there's a month-long recess in August in which they're back and their district offices

they you know the the calendar is very well published and publicly available and so what you can always do is you can find out okay when is Congress on a break because that's the best time usually to engage staff at that at that point because they don't have to handle or manage their boss like they normally would have to I had a really great experience and it you know training I've talked a lot about this but I had a woman who like literally fundamentally changed my life because she was incredibly giving of her time and her effort and she was fully unrecognized for it and she worked for the Congressional Research Service her name was Linda Moore and she died a few weeks

ago well a few months ago but anyway the output was you know she had this she had this very capable ability of breaking down really complicated topics very simply and and made an incredible effort to work with staffers and also with lobbyists and other people who work in public policy to help them understand some real ground truth and so if you're really good at communicating complicated topics the thing that you could do literally right now is you could find out who your member of Congress is who the who handles that issue and offer up as a resource like hey look I would like to sit down and talk with you about the you know critical security control top 20

list and we're gonna talk through this and I'm gonna tell you what this means in English right and then ask questions of hey do you understand this do we need to have some maybe some more conversation okay great you think you're cool that's awesome I'm gonna go away and in a couple of weeks I'll maybe follow up with you with an email I mean you build a relationship with that person and honestly because of people like Linda like I went through engineering school and I run a company and it's not because I did it on my own because I had a lot of help so I'd like to associate myself with everything that the gentleman from Wisconsin just said

but I want to add I think and this is some it always astonishes me and I guess it's because at this point I've been around DC so long but like the really pragmatic mechanical aspects of how you interact with legislators and their staff are incredibly important if you demonstrate a baseline understanding of like what their day looks like that is worth so many brownie points it's unbelievable so so just basic things like his point of you know look for the recesses and call the staff when there's a recess on when they don't have 19 different fires that they're putting out 200 pages to write by the close of the day and oh my god their boss just voted

the wrong way on this thing and this and the Whip's office is calling to find out what the hell just happened right I mean that you know they that's like that's their day it's hair on fire from the moment they get there until the moment they leave when they're in session and fundraising right thereafter so so so pragmatic things like for a meeting most congressional offices are itty-bitty if you're going in for a meeting show up on time and by on time I don't I certainly don't mean late because that's the next meeting and I actually don't mean early either because that's the meeting before and and expect your meeting to happen in a hallway or sitting in a couch in the

middle of the lobby of their office or at best sitting around a table with eight other people in cubes right next to you who have their hair on fire because that's how it works like I mean you know that don't be surprised about that be prepared for it and be ready to fit your your pitch whatever it is the three most important things that you've got to say to them into that 15-minute window because that's all you've got and and and have a leave behind this is the other thing we always tell them you know more than one page front and back but have something to leave with them that has your contact information on it

prominently so that they can get back to you I like to use paper that is not white so that when they think oh god where's that thing that that guy gave me like two weeks ago they can like shuffle through the gigantic stack of papers and go oh there's the one that's cream he's not joking there's a stack of papers on the corner of my desk that's about that high and I have to sort through it every couple of months because it starts just topple but he's got a very good point yeah I mean I just justify long because I am a current congressional staffer and he everything that everyone has said is very true you know I think the biggest

thing that I would I would recommend if you're trying to get involved with Congress I know Beau and Josh say this a lot is have empathy and be really patient with us a lot of the times you know politics is gets very ugly and for anybody who is paying attention to what's happening in DC right now I mean it's it's it's hard I mean it's it's hard to be a staffer in DC right now and the thing that I would I would say is just try and keep in mind like we're people too and you know so we do get people really angry people who call us or write us angry emails yelling at us

about how we're horrible people and we're we're doing horrible things and all these kinds of things and you know I mean like we at a certain point you're like okay this is my job and I get used to it but when you're coming in and you're very very passionate about a topic and you really want to see us do something on it because you think it's incredibly important just you know bear bear with us we've got tons and tons and tons of other things that are going on we may we almost certainly don't understand the issue the way that you do and the the way that we have to look at it is slightly different we have you

know seven other stakeholders who also think that the issue is very important and who are all so coming in and talking to us about it so you know we we kind of have to synthesize all that into one thing so you know sometimes I think people get discouraged because they feel like they get brushed off the the first or the second time that they try and talk to a congressional office that's that's fair but that's kind of what happens so if you if you really want to have an impact the best thing that you can do is just continue to be that resource all right you can't be with me this week great here's a here's three bullet points that

I put together on this issue that I think might help you and then you you check back in a couple weeks later and then you check back in a couple weeks later you don't annoy them because you don't only to ear but just that that patience and that empathy for for the the plight of your underfunded congressional staffer would be much appreciated yeah I want to add one thing to that because and this is the other thing that I think most people don't necessarily know or or fully internalize Alex and Jessica both talked about the pressures on congressional staff in very real ways I want to give another example I have a very close friend who's a congressional

staffer his issue portfolio includes national security animal rights abortion taxation and health care and he is expected at the drop of a hat to provide expert advice to his boss on every single one of those topics no matter how narrow the question is and the turnaround time for something is 30 minutes if you're lucky imagine doing that every day I mean that that's the level so that that tells you kind of the depth at which like people have to have like mind modules that they like plug in and take out and if this is not the moment when your module is plugged in forget it like you just leave the leave behind and get out of the way I mean

that that's that's kind of the reality of how like compressed the congressional staffs are now


unless we've got any more questions I wondered if maybe we could go around the room we've heard a lot of pretty practical advice in the last 20 minutes and if if we could go around and maybe try and summarize and I'll start but the past couple of days have been pretty intense I will come to the front last couple of days have been pretty intense we've had a lot of things going on we've tried some things that were probably too crazy to work I think they they managed to work out okay like this crazy thing we did turning hackers into Congress people which i think was pretty fun and so give it up for the panelists first of

all [Applause]