Rep. Mike Rogers on “CyberThreats & The Economy”
By Rep. Mike Rogers, Michael B. Mukasey
Saturday, April 27th, 2013 @ 4:29AM
This is the unedited transcription of Rep, Rogers remarks.
former Attorney General.
It is a pleasure and a privilege to introduce Mike Rogers. He is the Chair of the House Intelligence Committee, which is the House’s principal panel responsible for authorizing and funding and overseeing the execution of the Intelligence Act of the United States. He is the rarest of creatures particularly in the Washington area, a person who moves things in a bipartisan, nonpartisan way. He got three of his intelligence projects passed the House. The last one went through on a vote of 386 to 28. You can’t get a majority like that for the Flag Day Resolution, and it mattered that he got it for an intelligence budget.
He’s also taken the lead on critical cyber security issues, including cyber security legislation to help better protect this country against the constant onslaughts that you just heard summarized by Rachel [Ehrenfeld]. In fact his bill is going to markup tomorrow, and I’m hoping that you can hear some[thing about] that today. This is not the beginning of his public service. In addition to having been a commissioned officer in the United States Army, he served his country as an FBI agent, fighting organized crime in Chicago, and then was elected to a position in senate in 1995. He was elected to Congress in 2000. He represents Michigan’s 8th District. It’s my great pleasure and honor to introduce Mike Rogers.
Thank you, Your Honor. I appreciate that kind introduction. I’m not sure that I want to say anything to change what you’re thinking of me right now. I appreciate the opportunity to be here and take a few minutes, and I don’t want to go long. We have some very, very distinguished panelists, and I wish I could stay for that.
I just wanted to talk about a few things. I first got on the committee in 2004, and got my first classified briefing on cyber activities in the United States and around the world. It was one of those things that is something that we might want to pay attention to, something that could become an issue that we can’t handle, and unfortunately exponential since that day. It grew worse and more complicated and is an issue that is a serious threat to our national security that America is not prepared to handle. It is amazing to watch, even just the last couple of years, about nation states–whether one would argue or not, rational actors–North Korea, Iran developing and building their cyber capability to not only … well they’re not [just] interested in espionage, let’s put it that way. They are interested in attack and disruption. And we have non-rational actors who have that capability.
I worry about this every single night after we go through our daily prep debriefings on new policy decisions during the course of the day. This is alive and well, and we are in a cyber war, and we just don’t know it. It’s that bad. I just happen to have come back from New York, talking to a few folks– somebody who should know better and who didn’t was someone who was involved in a small venture capital company–had heard some of the rumblings about cyber security. Now, this is somebody who’s investing (it’s a small fund) about a-billion-and-a-half dollars. They went back and said, you know, just for design, we check our systems to see, so they brought in a security company and found the Chinese had been on his network, probably (they’ve estimated) between six and eight months. This is a small firm when it comes to venture capital firms in a city like New York. Cyber intrusion is so prolific, so dangerous and so bad.
We had better do something now, or on my recollected watch, we will destroy the economic prosperity of the United States. I don’t say that lightly. We have several different realms now: you have to get to reams of political hacktivists, people who are trying to make a point, Anonymous. You have individual criminals; you know the guys with the bunny slippers in their mother’s basement, who are all trying to break into your account, steal a few bucks. Organized criminals, internationally, who are well trained, well schooled, many of them former intelligence officers from places like Russia.
Then you have cyber espionage, that the Chinese are engaged in, with which there is no comparison in history of the amount of economic wealth that they have stolen from not only the United States, but other innovative economies–Japan and Germany and South Korea and France and Great Britain–and the list does not stop there. If you have something of value, they have geared their military intelligence services to configure a way to make it a priority to steal intellectual property, to bring it back to China, to “repurpose” it, develop it and put it into the market. That is a horrible competitive disadvantage for countries like the United States who are so heavily dependent on innovation for the national growth.
One of the things that we have to do is begin to protect ourselves first: so this is how we do it. As the chairman of the Intelligence Committee, it’s my job as the director to tell you to be on these folks and say, “what do we know about X, we need to fill in a little Y.” We need information about these three things, so we push them, and they come back with their proposals, and they go out and do their work around the world. They go out and find out what bad actors are doing in the cyber arena. They bring that information back, and we use that to protect our data mill networks. Candidly, our data mill networks are very well protected, probably the best in the world. The problem is about 80% of all of the networks across the United States are private networks, and so we are prohibited from sharing that information with the private sector in a meaningful way so that they might be able to protect their own networks.
I was an FBI agent in Chicago. If somebody called me and said, “hey there’s going to be a home invasion at 123 Street tonight at six o’clock,” I am morally obligated to do something about it. I will contact the local police to show all our calls to make sure that that person doesn’t get through the front door and cause some harm. Think about what this cyber activity is. It is no different than a company willing to pick up that 911 call and say, we are under attack and we need some help. So what we’ve said is “listen, [we need to] do all of this talk about offensive capability and developing an offensive capability in the United States”–and we have lots of debates about that, believe me, all worthy debates. None of it means anything if we cannot protect our networks here at home. Candidly, we are not ready to protect our networks here at home.
Talk about Chinese espionage: that last string, those were a cyber attack. We have several nations that have used it, Russia clearly in Estonia, 2007. You recall when they tore down Lenin’s statue, [the Russians] were a little miffed apparently, and they used a very aggressive cyber attack on a submarine–severe damage, shut them down, scared them to death. One of the most vocal advocates of the government’s assistance in protecting networks you’ll find is Estonia, and I highly recommend to meet the ambassador, she’ll school you well on the threats of cyber security. They also used it in prepping the battlefield in South [Ossetia] before they went into [that part of] Georgia, so they had a very aggressive cyber attack, a disruption of their electric grid, their financial services network, then they sent in the soldiers and the tanks.
We know that nation states, including China, by the way, have this capability and are eager to put them into their arsenal. Now there’s one thing about this Russia and China are not likely to go after–our financial services networks, [that’s] not likely unless we are in direct conflict. They’re rational actors as to the consequences of that kind of very destructive behavior, and I argue the Chinese wouldn’t want to go after our financial services networks: we owe them too much money. You have those rational actors. Here’s where it gets concerning: we should be concerned that North Korea [,which] showed, about a month ago, that they had the capability to go in, and they attacked a financial institution in South Korea and did some damage. Probably not where the other nation states are, but it shows they have a growing investment in their ability to conduct cyber attacks that have real consequences.
Iran, clearly has exponentially gotten better and is learning everyday, but if you’re not familiar with the Saudi Aramco case, I would recommend that you get familiar with it. It shows what a nation state can do when it sets its resources to attack a single business to cause destruction and harm to that particular establishment. They attacked Saudi Aramco, a very important energy company in Saudi Arabia, the largest company in all of Saudi Arabia that does all their transactions and clearances–financial transaction clearances for the country when it comes to oil and gas.
Think about this: you had, say, ten thousand computers. You show up to work that day and seven thousand of those computers don’t work anymore, and everything that was on those computers is gone. You can’t reboot them, you’re not going to find it again. It’s gone. You can’t even turn it on. It is a paperweight on your desk. They destroyed thirty-thousand machines in the attack on Saudi Aramco, thirty-thousand.
Here’s where it gets interesting, they also went in and manipulated data. Instead of Mike Rogers owing Saudi Aramco $100, they had it turned around the other way. They manipulated data, they destroyed data and then they destroyed machines. The scary part was [that the telecommunications network almost caught fire. It’s still vulnerable.
I don’t think that was by design, I think that was just by propagation of this particular mode of attack. They almost shut down and destroyed certain pieces of equipment in the telecommunication sectors of private companies that were operating in that particular region. It doesn’t take too much, if you understand common communications, that [something like that] can hop, pretty quickly, not only from across the Middle East or across continents, across oceans and get to a place like the United States. If that doesn’t worry you enough, imagine that.
We now know that, according to public reports, Iran has been lapping at our shores and probing our financial services institutions. Not with their best stuff, their best stuff was we believe Saudi Aramco Plus, but they were just trying to find vulnerabilities in our financial services networks. Is that a problem? Imagine a bank, that does say eight-trillion, nine-trillion dollars in transaction clearances a day, gets attacked and the data is lost, the machines are broken, and we have what we would call chaos occur. They know it. They’re not a rational actor. They’re corner unbalanced, at this point in the world, isolated clearly, and they’re on the offense.
This is a huge problem. It is not Orwellian, it’s not Hollywood, it’s today. The problem is most people at home don’t have any understanding of the impact and how it might affect their lives. Trust me, if you have money in a 401K account, you will be in that. If your check, for those Federal employees … some of these banks clear a whole bunch of Federal transactions, stops coming … And your Social Security checks can stop for a period of time.
Try to imagine going back and reconfiguring that in a timely way to get people their checks. So, you can compound this pretty quickly and get to a place where chaos is the reigning [condition] of the day. Here’s why I know this is going to work, and here’s why we have to have this today.
The Internet is one-sixth of our economy today. If we want to maintain the economic engine, I would argue the freedom engine that the Internet has brought to not just us but the world, means that people have to have faith that it works for them and not against them. If you want a free and open Internet, we better take some steps today to make sure that we can protect it and maintain the confidence that, when you use the Internet, somebody’s not stealing you blind.
Imagine that happens at a bank, and it happens at your bank, and it happens every time you use your credit card, you pretty soon will stop using the Internet as a means of commercial transaction. I can’t imagine what we would look like, if we started withdrawing from the commercial aspects of the Internet. I think it would be a horrible outcome.
What we did is we stepped back, quickly, my ranking member and I, a Democrat from Maryland, he’s a prosecutor and former FBI agent … We figured we could talk the same language. I would say the FBI does the work, the prosecutors get all the credit. We’d probably have a marriage made in heaven here.
We sit down, and we start with a blank piece of paper. We said, no let’s not bring anything to the table. Let’s go out and let’s talk to Silicon Valley. Let’s talk to the high-tech industry folks, let’s go to New York City and talk to those folks. Let’s talk to the privacy groups. Let’s talk to the end users, and try to figure out what is the narrowest, least intrusive, nongovernment mandated way that we can provide cyber security information to the private sector so they can protect their own networks, very simply.
Well, we came up with a whopping thirteen-page bill. I know some of you are aghast at that. Right? I was going to put on that a four hundred page amendment, just to show you all I was serious. Nothing in it, but just weight. So, through time, we’ve been working with those players.
Last year, it passed in a bipartisan way, mainly by people who were exposed to the real threat of what’s happening out there in the real world when it comes to cyber. This year, we have been bringing members down. I call it a “holy mackerel briefing.” You come down, we expose members of Congress to what the real threats are in a classified environment. Why we can’t sleep at night, why this is a relevant problem, why more nations are themselves investing in the capability to do this kind of thing, because it’s so lucrative for them, and how we can take a very narrow small step to do something about it.
Let’s share the secret sauce, that information that we collect overseas, that really nasty, malicious source code, and share it with the private sector, so that they can protect their networks. And when you’re at home on your computer, you don’t have to worry about somebody stealing your personal identity.
We can make it a little more difficult for them to be successful. And vice versa. You know, probably the biggest misperception about this whole thing is that your National Security Agency, or your CIA, is plugged into the domestic Internet circle, if you will. It’s clearly not. It’s illegal for them to do it. We monitor that very closely. They would have no benefit to themselves to do that. They are not on a vested network. This wouldn’t change at all. All it does is say, well you want to help the private sector when they get hit.
What happens is a private sector company gets hit with something very complicated and very nasty — and by the way remember — I could be a mid-sized company trying to fight off a nation state like China. You’re going to lose that fight in a cyber war, I don’t care how good you are.
If you get a thousand people getting up every single day with the sole purpose of getting into your system, guess what? They’re going to get in your system. And when they got hit with something, what we said is we’ll give you as much as we can on the mail order side, and you shoot something back that says, this is the 911 call I was telling you about. This happens in real time by the way. Nobody really picks up the phone. If they have to pick up the phone, it won’t work. Their machine sends that nasty piece of code to folks who understand it. They look at it, and they can go back overseas and find out where it came from.Just as you call a detective and they come and catch the burglar that’s in your house or outside your house, same system. But it happens in real time.
It’ll happen a hundred million times a second, and to give you an idea of why that’s important, the average credit card in your wallet, that company will get hit three hundred thousand times today alone by bad actors trying to steal–credit card companies, three hundred thousand times today. I talked to one agency that got hit six hundred million times last year, one company, six hundred million times in one year, a huge process.
What we’re doing tomorrow is we’re doing markups, that’s the legislative jargon for taking a vote, working amendments on the bill in the Intelligence Committee. Again that does that very narrow simple thing: have the government share what it knows and when you get hit as a private sector only if you want–100% voluntary.
You share that malicious source code back with the government so the government can take it and try to figure out who the perpetrator is, and build those signatures into its network so we can stop him from robbing us blind. As it is, it’s happening everyday. So, we’re looking forward. if I haven’t depressed you enough already, I can take a few questions.
I’m on the cyber economic espionage front. If we’re a system of, a nation of laws, rule blocked, we have governmental information that we know that X hundred billion or trillion dollars worth of electric property will be stolen, why can’t we not use our court system to go through the process, repeal false judgments, and start decrementing the debt we owe to the people who are violating our laws?
Because we are members of the WTO, there are companies that choose that route. It is just not successful. If you have a company who is using it’s government military intelligence services to steal information for the sole purpose of building it’s economy, you can tell that the rule of law is not nearly as important to them as we would think. It works in a system where both parties believe in the rule of law. You go to court, some win, some lose. Right? That is just the way that our system is. If you respect that system, it works fantastic. If you don’t respect that system, it will hardly work at all.
There are efforts underway to try to raise the pressure on countries like China. And remember that they have to grow 7% a year, just to maintain their social programming. Growth … you know we’ll be lucky if we hit 2% this year for a profit. If we’re really lucky this year, we’ll have 2% growth. So, you imagine that they are not great innovators, but they have shown they can be great, well I won’t use the word, but they’re taking a lot of stuff. Right? They can take that stolen material, and it helps them fulfill their need. By us filing a charge and doing it that way, I don’t believe it’ll work. I believe that by raising the pressure dramatically, this should be the number one, number two, and number three bilateral discussion on any issue we talk about with China moving forward. We’ve got to get them there.
You’re talking about what your committee is doing, what cooperation are you getting from the Senate and from the administration?
Part of the problem is last year, we got caught in the election cycle, so we got the bill out of my committee too late. This year is better,and we are much better aware, because you cannot open the paper today without another example of a cyber theft, a cyber intrusion, a hacking. That helped.
Unfortunately, that helped build awareness in both voices. The good news is we’re having a constructive dialogue, so far with the White House and a constructive dialogue in the Senate. We’re going to get a bill by the end of this year that will get on the President’s desk and get signed. I believe that.
We are right in the middle of the making sausage part of that whole thing, and our goal is to protect privacy, civil liberties. Let people understand exactly what the bill does. People must have faith that this thing is not intruding on their lives and won’t work, we need to make sure that that’s right and it doesn’t intrude. It’s not a surveillance organized event. So, we’re going through that process now, and we’re going through this education process.
If you know a member of Congress, I highly recommend you call them and say whatever you do for, you better get out there and start fixing it. This is a great opportunity to do that.
Because we’re private citizens, everything we really know about the Chinese attacks is from reports like GrossNet. Private citizens got into their command and recall servers and figured out what they were doing and learned a lot about the perpetrators MO. We can’t do this just with government resources. You’re under a lot of pressure, and I fear from the Second Amendment that basically says we’re not going to give any additional authority to private sector guys who want to investigate who’s attacking them. Can’t we find a way to make sure that we have leveraged some of those resources?
A lot of people are worried about this.
You’re talking about the hacking back provision of the bill. I do worry a little bit about cyber vigilantism, because if you’re not at the top of that spectrum, you can get a bomb for sure.
Same audience member:
We need this really badly.
Absolutely. One of the things that we didn’t want to do is get into establishing new law by allowing people to participate in stealing, stealing back or hacking back. However, that being said, in an information sharing regimen, it empowers the government to know more about what’s hitting the private sector, because we sometimes don’t know. If we don’t catch it overseas, and you don’t call the FBI, the federal government does not know what business has been hacked, which is part of our problem, why we’re trying to get a handle on this.
Most people think that the government is sitting on the Internet, listening to all of that. It doesn’t happen. So one of our challenges is how do we entice businesses to cooperate back so that we can find these new signatures out there? So the government cannot do it without the private sector. It is impossible. The private sector cannot do it without what the government knows. I’ll guarantee you it’s impossible. Even your best CIO who tells you, “we’ve got a handle on it. We know exactly who they are, no problems”, my argument is find yourself a new CIO.
Because we know for sure, the last estimate I heard from our intelligence services was that we would know almost 40% more on malicious source code that’s laying on the shelf than the private sector even knows exists. Imagine the value of having that protect every network in America, but all you’ve got to do is get in the right. If you know what you’re looking for, you can find it. That’s the beautiful thing, but this stuff so sophisticated, so complicated, you have to know what you’re looking for. That’s the benefit of sharing that we hope gets away from the need … because what you’re going to do is have somebody make the mistake of bringing down a business, with at the most unintended consequences can be very very serious.
I will tell you that the good news is that the government is getting better about catching on to how they do it, the signature based-task, but it’s difficult. That may take you through five or six countries of a hundred different cities before you find out where that thing was written and sent. That’s the challenge, and I would argue knowing what we know on our side, even some of the best private sector companies wouldn’t have the ability to track it all the way out. Some can, a lot cannot. My fear would be those, a lot that cannot, could cause more harm than they do good. So that’s why we’re kind of at where we’re at.
What role do you see state and local governments in this cyber policy?
Obviously the criminal part of this is important. We’re dealing with, as the intelligence chatter, we’re worried about what threats come in to the country from overseas. I think it’s not limited to that. We have criminal problems here in the country. Part of that sharing needs to be from federal to local and local to federal as well. And the more we know and find out in a classified setting, the more you can stop.
The goal is, can we make it so hard and so difficult as we move forward? Can we make it so hard and difficult that it’s not worth trying and investing as much money as they are in training a legion of cyber attack warriors and intellectual property thieves? And that’s what they’re doing. But how do we make that so it has no dividend? And right now, there is no consequence. That’s the problem. So, that’s why we need to see this sharing regime between them [the federal and state and local governments]. And then state and federal, state and local would be heading out, trying to hopefully find those criminal elements that operate within the United States, conducting crimes here. The FBI is going to be a part of this as well.
In your markup of the bill, do you intend to address at all DLS attacks on 911 Centers?
Well, we wouldn’t do it specifically by institution. You would hope that local units of government would participate. This again is all voluntary. There are no mandates in this whatsoever. I don’t think that would work. You’d hope that they would participate. The FBI, I will tell you, is getting better and better and better when it comes to the forensic cyber crime part. There are discussions about how do you try to stop it before it hits. That is a much more difficult proposition, and one that we wrestle with quite a bit, based on what the FBI’s duties and assignments are here in the United States.
We hope through this sharing regimen you can get a lot of that. And here’s the other benefit: when that 911 Center is hit, God forbid, if you have real time sharing capability and you’re part of that loop, it is much easier to use the capability of say the FBI, which has this growing cyber capability to find them quickly and have somebody hauled off in handcuffs and put in jail. They’re risking people’s lives when they do that. It’s pretty sick of them.
We know, at least some of us know, the Iranians have been targeting and hacking second-tier government contractors. Do you believe that there should be a cyber security standard in order to get a government contract?
The problem is you don’t want to be exclusionary. And you want to find, to me the best and most cost effective way, to allow those companies the outlet. So, in the first part, you’re going to see this anyway, but while it’s not only in some of the defense contracts, that “yeah I have at least these element,” I would be very reluctant to have a legislated standard that starts to get the government into setting the standards, through rules about what their secure network looks like. That’s the other side of our argument: a lot of people are pushing that. I think that’s a disaster. By the time you do the rules it takes eighteen months. Guess what? Your threat matrix is completely different by the time you’re finished.
You have companies trying to beat the standard that doesn’t beat the threat, because it’s happening today. A) I think it’s a waste of money, and B) I don’t really want government regulating the Internet. I think that would be a disaster. So, where we’re at is a discussion. I’ll tell you what’s interesting, coming out of New York over the weekend, is now these venture capital firms are starting to realize that they don’t want to invest in a company that is exposed to the vulnerability of getting all of that intellectual property in which they invested stolen. So now they’re putting as part of their contract of investment their own standards of what those networks should look like.
Honestly, if you have the private sector and these folks who are exchanging money saying, “Hey, this is important enough for us to say, ‘You want our money? Your system has got to look like this.'” Perfect, that’s fast. They don’t have to go to the government for permission. They can set their own standards, and when it changes in six months, you can change with the threat matrix. I think that market force is starting to kick in by the sheer volume of loss to economics in this, and I think it’s going to have a great outcome. I’ll just take a couple more questions, if I can.
Andy Cameron with Augur-Nexus:
In the War on Drugs, we found out that banks were a big part of the problem with the money back and forth. In cyber warfare obviously a lot of these groups denied state sponsored funds are getting funded somewhere, and banks are involved in this. We’ve been talking to people on Wall Street. They want to figure out who they should be dealing with and not dealing with, and try to give bad banks bad ratings and such, is there an economic bent to this?
On the fence, if you’re talking about people trying to launder money or if you’re talking about … or did you just say that bankers were on drugs? Did I understand that?
But there are banks that are literally funding corporations in China and Asia that are knowingly …
I see what you’re saying.
Is there a way to get Wall Street more involved in a proactive list by management?
Again, I think the driving force is this sharing regime, and I do think there’s going to be a parallel track here. The only reason that I talk about the defense part is because we’re so far behind. We haven’t even, you know in the old saying of the day, we haven’t hired one soldier or one rifle yet to protect our networks, and there is an invasion underway. Right? We’re way behind target. We have to fix that part. The second part and the parallel part that I understand is equally important is where we gain the support of Germany and Japan and South Korea, other innovation economies in the world, getting absolutely killed, is where we start putting pressure on China directly.
The Mandiant report was important because it named names, that was really important, and the Chinese hate that, and so what we’re going to do is we’re going to name more names, and we’re going to start ramping this up. I argue that we ought to look at trade issues when it comes to companies that we have determined have stolen intellectual property, repurposed it, and put it in the market. I’m a passionate believer that, I guarantee that, that will definitely get their attention. And again, we have to start putting into place things that take away the benefit of stealing this property and repurposing it.
We had one American company, a well known manufacturer, that had their property, the blueprints for their products stolen. That product is now in production in China. Twenty-five thousand American manufacturing jobs, one company. I didn’t talk about it, because they were afraid of the brand or afraid of announcing vulnerabilities. They don’t get out there and wave a flag that they’d been hit, but that’s the kind of thing that’s happening.
There’s another company that actually came to us. They had a company named American Semiconductor, that went into China to do a joint venture, and has technology or had technology that would allow windmills and solar to be converted to the grid. Right? Had this patented technology. The Chinese government stole it, all of it. They went from a company that was valued at 1.8 billion dollars monthly, that’s worth about 170 million today. They are no longer doing business in China. The number-one company in China doing that business is the company that stole it from him, that he did a joint venture with. And I wish that I could tell you this is a rare thing.
It happens again and again: there’s a line around the capitol building of companies willing to come in and tell us in a classified setting. I’ve got my whole frontal property portfolio gone. I’ve never seen anything like this, where we are jazzed, and our blood pressure isn’t up. I mean it’s unbelievable. I’m getting all worked up…
Okay, I also have your permission, we also have that, but we also have to go back and practice, create a number of programs to make this thing difficult to do–like, liability, privacy, competition amongst companies who already have cyber protection, plus education rules about information, how do we do that?
If we don’t have liability in the bill, he was just saying, this is a hard problem to work, because you have liability issues with sharing information, and you have, my fear would be, this unwieldy cooperation of competition between companies, and so, yes, we put liability protection in the bill, and again we did that because it has to be in my mind a voluntary process. We don’t want any mandates telling people, “you must give us information, or you must cooperate.” We don’t do that in the … well we did do it in the FBI, but it was only in the hardest cases.
We did, we built in liability so that they can share, and remember this still has to happen in a classified way. If you just put all of this open, on the open Internet, take that source code, change enough of it, and it’s in. I mean this is complicated stuff, so that’s what we look at. So, what we tried to do is, you’ll push it as far upstream in the system as you can. Your Internet service providers would likely be the first members, I would guess that would join. You share with me, and I’ll tell you what we’re catching on our system that’s really nasty, and we’ll build a better system together. And we think that’s what happens. Then you’ll have that next tier of very capable IT companies.
If you’re a small company in America, you don’t want to build a SCIF (Sensitive Compartmented Information Facility], and have to meet all the standards of having and maintaining a SCIF, and have the people for compliance for the SCIF, just to share information, if your ISP provider is already getting it. Right? I wouldn’t spend the money. That’s where we think we get the value on that downstream. Somebody was talking about supply chain. That supply chain is very vulnerable, that’s how we think that we can help the supply chain, before it ever gets to the network, or personal office network, it has to go through that ISP provider that is sharing classified data. Thanks everybody getting involved in this discussion. It is very, very important.