  • 3/11/2025
During Tuesday’s House Homeland Security Committee hearing, Rep. Carlos Giménez (R-FL) questioned experts about private sector offensive capabilities and cyber regulations by the Federal government.

Transcript
00:00 The gentleman yields back. I now recognize the gentleman from Florida, Mr. Giménez, for five
00:04 minutes of questions. Thank you very much, Chairman. And today I had actually a meeting with
00:09 the airline industry, and then we talked about this issue, and we asked about, okay, when they
00:15 have an incident, how many different reporting requirements they have? They have at least 10
00:22 different agencies that they have to report the same incident to, which seems a little bit
00:31 inefficient, all right? And so, and I, you know, Mr., you know, Representative Higgins asked the
00:39 same question. You were saying it's 10, 12, etc. Would it make sense to have one form sent to one
00:47 place, and then that one place disseminate that information? Can I ask? It would absolutely make
00:55 sense. It's critical. Yeah, we're not going to do that then. I'm sorry. Okay, thanks.
01:02 Yeah, you're asking us to do the impossible. So, moving on.
01:08 How many reportable incidents do you think there are? I guess you would know in your
01:19 particular case, but across the United States, how many reportable incidents do you think they
01:24 are per day? Per day, yeah. What definition are you using? I mean, something that requires a
01:33 report. Well, something that requires an industry to write a report. How many of those incidents
01:39 occur per day here in the United States? Do anybody have any idea? I would expect,
01:43 I'm taking a guess here, I think over a thousand incidents could be reported daily. Over a thousand?
01:49 Over a thousand, collectively across the entire, our sector. Just your sector? Just my sector. Just
01:54 sector. How about banking? I struggle to answer that because of the threshold. You have incidents
02:02 or events that might occur constantly, but they don't necessarily rise. No, I'm saying reportable.
02:07 I'm saying reportable. You have to report. We have notification requirements that are private,
02:11 so I wouldn't even know, and a firm wouldn't be able to tell me because they're not allowed to.
02:16 Can you give me a guess? I would have to get back to you to have an informed response on that.
02:22 Okay, how about an uninformed response? Just a, you know, give me a swag, okay?
02:27 Honestly, I hesitate. Okay, what about, okay, and energy? So, to something Ms. Hogshead's saying,
02:34 there are wildly different reporting requirements. There are some that, you know, pretty low bar,
02:38 there's some that have an externally high bar. I can go back to the statistic that I know from
02:42 one company that did a relatively deep dive on its reporting requirements, especially
02:46 with pursuant to CIRCIA's broadest definitions, and that was going to be 65,000 over 10 years.
02:52 So, that's one company, 65,000 incidents over 10 years, 6,500 a year, that's 500 a month.
03:02 Just one company. That's just one company. How many companies do you have?
03:07 EEI represents 62. 62? That's right. So, could I assume 62 times 500 per day? Sure. Or is that
03:16 a month? Well, that's also, that's one of our larger companies, and that was 500 a month.
03:22 So, maybe it might be easy to get to several thousand a month. Okay, several thousand a month.
03:28 Okay. Does anybody know how this data is analyzed?
03:35 No? Nobody knows how it's analyzed. So, we require you to send a bunch of stuff, but you guys don't
03:40 know how it's analyzed by wherever it is we've sent it to. Okay. I'll bet you it's not, because
03:48 the overwhelming volume, right? And so, we need to look at that, Mr. Chairman. Okay. If you
03:56 require me to do something, and then we don't use the data for anything, then it's actually worse,
04:02 right? Because you're making them do stuff that nobody looks at. So, we need to bring some other
04:07 folks and say, how do you analyze all the data that you're getting from, that you require from
04:11 everybody else to see that actually we're doing any good? Mr. Aronson, you talked about, we asked
04:17 about offensive capability. You don't have offensive capability. You don't want to use
04:22 offensive. You don't want to use offensive capability. So, that's a pretty thorny topic. I'll
04:28 go. No, I just want to ask, would you like to use offensive capability? No, the private sector would
04:32 not like to, the electric companies would not like to get into. You just want to get punched over and
04:37 over again, just get punched once. Well, this is where each government comes in. So, there are two
04:42 ways you deter, right? Deterring the attack does not have the intended consequence. That's on the
04:46 private sector to protect its systems in a way that we can withstand a lot of punches. The other
04:51 way you deter is an attack has a consequence. And we would believe that that is fully the purview
04:55 of our intelligence and national security apparatus. But we don't have the resources to do
05:01 that all, I mean, all the time. But so, we would, what if we, what if we charge the, the, or allow
05:07 the private sector with their, all their resources, et cetera, to allow a counterpunch? You wouldn't
05:14 want that? So, depends how you define counterpunch. I do not, I don't want to speak for the banks, but
05:19 this notion of inking the money bag, that could be construed as, as... My time is up and hopefully
05:25 we'll have another round because I really want to get into that one, okay? Thank you and I yield back.
