[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]

THE STATE OF SMALL BUSINESS SECURITY IN A CYBER ECONOMY
=======================================================================

HEARING
before the
SUBCOMMITTEE ON REGULATORY REFORM AND OVERSIGHT
of the
COMMITTEE ON SMALL BUSINESS
HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
SECOND SESSION
__________
WASHINGTON, DC, MARCH 16, 2006
__________
Serial No. 109-44
__________
Printed for the use of the Committee on Small Business
Available via the World Wide Web: http://www.access.gpo.gov/congress/house

U.S. GOVERNMENT PRINTING OFFICE
27-809 WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON SMALL BUSINESS
DONALD A. MANZULLO, Illinois, Chairman

ROSCOE BARTLETT, Maryland, Vice Chairman
SUE KELLY, New York
STEVE CHABOT, Ohio
SAM GRAVES, Missouri
TODD AKIN, Missouri
BILL SHUSTER, Pennsylvania
MARILYN MUSGRAVE, Colorado
JEB BRADLEY, New Hampshire
STEVE KING, Iowa
THADDEUS McCOTTER, Michigan
RIC KELLER, Florida
TED POE, Texas
MICHAEL SODREL, Indiana
JEFF FORTENBERRY, Nebraska
MICHAEL FITZPATRICK, Pennsylvania
LYNN WESTMORELAND, Georgia
LOUIE GOHMERT, Texas

NYDIA VELAZQUEZ, New York
JUANITA MILLENDER-McDONALD, California
TOM UDALL, New Mexico
DANIEL LIPINSKI, Illinois
ENI FALEOMAVAEGA, American Samoa
DONNA CHRISTENSEN, Virgin Islands
DANNY DAVIS, Illinois
ED CASE, Hawaii
MADELEINE BORDALLO, Guam
RAUL GRIJALVA, Arizona
MICHAEL MICHAUD, Maine
LINDA SANCHEZ, California
JOHN BARROW, Georgia
MELISSA BEAN, Illinois
GWEN MOORE, Wisconsin

J. Matthew Szymanski, Chief of Staff
Phil Eskeland, Deputy Chief of Staff/Policy Director
Michael Day, Minority Staff Director

SUBCOMMITTEE ON REGULATORY REFORM AND OVERSIGHT
W. TODD AKIN, Missouri, Chairman

MICHAEL SODREL, Indiana
LYNN WESTMORELAND, Georgia
LOUIE GOHMERT, Texas
SUE KELLY, New York
STEVE KING, Iowa
TED POE, Texas

MADELEINE BORDALLO, Guam
ENI F. H. FALEOMAVAEGA, American Samoa
DONNA CHRISTENSEN, Virgin Islands
ED CASE, Hawaii
LINDA SANCHEZ, California
GWEN MOORE, Wisconsin

Christopher Szymanski, Professional Staff

C O N T E N T S
----------

Witnesses                                                                Page

Furlani, Ms. Cita M., Acting Director, Information Technology Laboratory, National Institute of Standards and Technology ..... 3
Parnes, Ms. Lydia, Director of Bureau of Consumer Protection, Federal Trade Commission ..... 5
Johnson, Mr. Larry D., Special Agent in Charge, Criminal Investigative Division, U.S. Secret Service ..... 7
Martinez, Mr. Steven M., Deputy Assistant Director Cyber Division, Federal Bureau of Investigations ..... 9
Schwartz, Mr. Ari, Deputy Director, Center for Democracy and Technology ..... 17
Salem, Mr. Enrique, Senior Vice President, Security Products & Solutions, Symantec Corporation ..... 18
Kaliski, Dr. Burton S., Jr., Vice President of Research, RSA Security, Chief Scientist, RSA Laboratories ..... 20
Cochetti, Mr. Roger, Group Director--U.S. Public Policy, Computing Technology Industry Association ..... 22
Schmidt, Mr. Howard, President & CEO, R & H Security Consulting, LLC ..... 24

Appendix

Opening statements:
Akin, Hon. W. Todd ..... 34

Prepared statements:
Furlani, Ms. Cita M., Acting Director, Information Technology Laboratory, National Institute of Standards and Technology ..... 35
Parnes, Ms. Lydia, Director of Bureau of Consumer Protection, Federal Trade Commission ..... 42
Johnson, Mr. Larry D., Special Agent in Charge, Criminal Investigative Division, U.S. Secret Service ..... 59
Martinez, Mr. Steven M., Deputy Assistant Director Cyber Division, Federal Bureau of Investigations ..... 64
Schwartz, Mr. Ari, Deputy Director, Center for Democracy and Technology ..... 68
Salem, Mr. Enrique, Senior Vice President, Security Products & Solutions, Symantec Corporation ..... 75
Kaliski, Dr. Burton S., Jr., Vice President of Research, RSA Security, Chief Scientist, RSA Laboratories ..... 80
Cochetti, Mr. Roger, Group Director--U.S. Public Policy, Computing Technology Industry Association ..... 92
Schmidt, Mr. Howard, President & CEO, R & H Security Consulting, LLC ..... 103

Additional Material:
National Small Business Association 2006 Malware Survey ..... 116

THE STATE OF SMALL BUSINESS SECURITY IN A CYBER ECONOMY
----------

THURSDAY, MARCH 16, 2006

House of Representatives
Subcommittee on Regulatory Reform and Oversight
Committee on Small Business
Washington, DC

The Subcommittee met, pursuant to call, at 2:00 p.m. in Room 2360 Rayburn House Office Building, Hon. W. Todd Akin [Chairman of the Subcommittee] presiding.

Present: Representatives Akin, Kelly, Bordallo.

Chairman Akin. The hearing will come to order. Good afternoon and welcome everybody to today's hearing, ``The State of Small Business Security in a Cyber Economy.'' I want to especially thank those witnesses who have traveled long distances to participate at this important hearing.

Today this Subcommittee seeks to better understand the impact small business cyber security has on the well-being of the economy. This Subcommittee also seeks to determine the types of threats that small businesses encounter on a daily basis.
According to the Small Business Technology Institute Report released in July 2005: ``If small businesses are not made fully aware of the economic impact of information security incidents, they will continue to under-invest in information security protection, and their exposure will continue to increase as their infrastructures become more complex. This increasing individual exposure, when aggregated across the many millions of small businesses in the U.S., supporting more than half of the Nation's GDP, represents an extremely high and worsening point of exposure for the U.S. economy as a whole.''

Businesses do not have to sell their products online to be at risk of a security breach. They are exposed simply by being connected to the internet. The Government and large firms have dedicated information technology professionals who protect their electronic infrastructure. Small businesses seldom have either dedicated IT professionals or the resources necessary to provide adequate levels of protection.

I look forward to hearing the testimony of your witnesses to learn more of what we can do to protect small business from cyber security threats. I now yield to the gentlelady from Guam, Madame Bordallo.

[Chairman Akin's opening statement may be found in the appendix.]

Ms. Bordallo. Thank you very much, Mr. Chairman. Before I begin my opening remarks, I would like to recognize a very young witness in our audience today and that is Mr. Andrew Cochetti. He is here on an assignment with his social studies class. Welcome, Andrew. He is the son of Roger.

Internet and telecommunication technologies have a profound impact on our daily lives. They have changed how we communicate with friends and family and how we interact with our Government. America's 23 million small businesses are some of the savviest users of telecommunication technology, using the internet to access new markets, to grow, and to diversify. In fact, American small businesses have a strong record of being the driving forces behind further technological innovation and the development of innovative business models that we now take for granted.

Along with being connected comes being exposed to new threats. The risks associated with turning more of our lives and business into digital 1's and 0's and bursts of light over fiber optic cables are significant and require vigilant management. A single individual can design computer viruses that can be spread across continents in milliseconds. Identity theft compromises credit records, businesses and, sadly, lives. Destructive computer viruses and other malicious Internet activities pose severe problems for small business owners that are not prepared to mitigate this kind of a risk. This exposure can even result in thousands of hard-earned revenues being lost. An FBI-conducted survey of computer related crimes including viruses, spyware, and theft revealed that a total of nearly $70 billion in 2005 alone was lost, with companies incurring an average of $24,000 in losses. Losses like this are make or break for some businesses, and sadly some small companies and computer users fail to recognize the benefit of cyber risk mitigation as an investment until it is too late.

The Federal Trade Commission, the FBI, the Secret Service, and the National Institute of Standards and Technology have all embarked on efforts to offer federal programs designed to educate the public on computer security. In fact, federal cyber security spending has increased from $5.6 billion in 2004 to more than $6 billion in 2007 and is expected to hit $7 billion by 2009. I am concerned that despite the rise in cyber attacks over the past few years and the growing impact they have had on small businesses in America, the Small Business Administration, the sole agency charged with aiding America's entrepreneurs, does not have updated internet security information readily accessible on its website.

Like all of us, small firms are exposed to cyber attacks and vulnerable to their malicious effects. Today's hearing will give us an opportunity to review whether the increases in federal investment, both human and financial resources, have had or can have an impact on small firms' ability to mitigate their cyber risk. The testimony that we hear today I hope will both help us to better understand what role the Congress and the Federal Government can play in educating the American public and the business community to the risks that they face from cyber crimes and what recommendations Congress can act on to protect Americans and their businesses from this growing threat. I thank you, Mr. Chairman.

Chairman Akin. Thank you for the opening statement. Also, I would like to recognize another one of our colleagues, Sue Kelly, who also comes from a very businesslike area, New York. If you would like to make an opening statement. I understand you have a vote pending in another committee and may join us later. You are welcome to proceed.

Ms. Kelly. I thank you very much. I represent the New York Hudson Valley and I have been meeting recently with a number of small businesses in the Hudson Valley and this issue of cyber security and cyber economy is very high on their list. I must add that we create the IBM computers in the Hudson Valley in the district I represent. We also have the research labs for not only Phillips Electronics but IBM. This is a highly sophisticated group of people in the Hudson Valley and yet my small businesses in that area are worried even though they have access to highly sophisticated people who are actually building some of the systems, so it is extremely important that you are here today. This is an issue of extreme importance for our small businesses in this nation and I look forward to your testimony. I do have a vote in another committee. I will have to go but I intend to come back to keep listening to what you have to say. Thank you very much.
Chairman Akin. Thank you. We have got a little bit of a challenge for the Chairman today. Aside from running a little late from too many meetings, I usually like to keep things running on time but we have got a double panel so this is a double header today. Those of you who need your cups of coffee need to be forewarned.

Our first panel, as you can see, there are four people that have joined us here. It is really a Government panel and the first witness is Cita Furlani. Did I get that pretty close, Cita? You are the Acting Director of Information Technology Laboratory from the National Institute of Standards and Technology from Gaithersburg, Maryland. Is that correct?

Ms. Furlani. Correct.

Chairman Akin. We have the right person. What we are going to do is take five-minute statements. I would prefer to take a five-minute statement from each of you and then open up with some questions afterwards if that is okay. I think probably some of you are pros in here. You know the little light in red means that somebody is going to throw the hammer at you. Keep it within five if we could, please. You can submit written statements for the record if you would like. I think most of us would prefer to hear you talk to us about what you think are the most important things you can communicate in five minutes. Thank you very much. Proceed, Cita.

STATEMENT OF CITA FURLANI, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Ms. Furlani. Thank you. I appreciate this opportunity to be here today. We recognize that small businesses play an important role in the U.S. economy. Since use of the Internet is critical in the delivery of goods and services for all businesses, the importance of addressing risks associated with doing business in a cyber environment cannot be overstated. Today I will focus my testimony on NIST's cyber security programs, the National Institute of Standards and Technology, and our programs and activities that can assist small businesses.

NIST has long worked effectively with industry and federal agencies to help protect the confidentiality, integrity, and availability of information systems. Ensuring that business-related information is secure is essential to the functioning of our economy and indeed to our democracy. Our broader work in the areas of information security, trusted networks, and software quality is applicable to a wide variety of users, from small and medium enterprises to large private and public organizations including agencies of the federal government.

Since small businesses are nearly 99 percent of all U.S. businesses, a vulnerability common to a large percentage of these organizations could indeed pose a significant threat to the Nation's economy and overall security. In the interconnected environment in which we all operate, it is vital that this important sector of our economy be aware of the risks and take appropriate steps to ensure their systems are secure.

Under the Federal Information Security Management Act (FISMA), NIST was assigned the responsibility to develop IT standards and guidelines to secure federal systems. While targeted primarily toward federal agencies, these security standards and guidelines are also used widely by other organizations including small businesses. These documents are available on our web-based Computer Security Resource Center. I brought two or three of them today to show that they really do exist but they can be downloaded. The website provides a wide range of security materials and information and has over 20 million hits annually.

In 2002 NIST partnered with the Small Business Administration and the Federal Bureau of Investigation's InfraGard program to sponsor computer security workshops and provide online support for small businesses. We have developed a small business outreach site where small businesses may find information on local workshops.

NIST also is raising the awareness of the importance of cyber security among small manufacturers. The NIST Hollings Manufacturing Extension Partnership was created to improve the competitiveness of America's smaller manufacturers and now provides the eScan Security Assessment. This diagnostic tool was designed specifically for small businesses to determine how well their IT systems are protected against failure or intrusion.

NIST, with support from the Department of Homeland Security, recently developed the National Vulnerability Database that integrates all publicly available U.S. Government computer vulnerability resources and provides references to industry resources. It contains information on almost 16,000 vulnerabilities and is also available on our website.

Small businesses, indeed all organizations, rely on the software used on their information systems. We continue to work with industry to improve the security and reliability of software. For example, we develop standards and test suites for interoperable, robust, quality web applications and products. We conduct research to improve the quality of software including software trustworthiness.

NIST works with industry and other Government agencies in research to improve the interoperability, scalability, and performance of new Internet security systems, to expedite the development of Internet infrastructure protection technologies, and to protect the core infrastructure of the Internet. Meeting the challenge of securing our nation's IT infrastructure demands a greater emphasis on the development of security-related metrics, models, datasets, and testbeds so that new products and best practices can be evaluated. The President's FY '07 proposed budget will support NIST's collaborations with industry and academia to develop the necessary metrics and measurement techniques to provide an assessment of overall system vulnerability.

In summary, Mr. Chairman, the IT security challenge facing small businesses is indeed great. Systems managed by small businesses are part of a large, interconnected community enabled by extensive networks and increased computing power. Certainly, there is great potential for malicious activity against non-secured or poorly secured systems or for accidental unauthorized disclosure of sensitive information or breach of privacy. We believe the programs and activities described today in this testimony demonstrate our commitment to a more effective national cyber security environment as we assist small enterprises in protecting their assets. Detailed information can be found in my written testimony which I hope you will add to the meeting minutes.

Chairman Akin. Without objection.

Ms. Furlani. Thank you, Mr. Chairman, for the opportunity to present NIST's views regarding security challenges facing small businesses. I will be pleased to answer any questions.

[Ms. Furlani's testimony may be found in the appendix.]

Chairman Akin. Thank you, Cita. Next is Lydia Parnes. Did I get the last name right?

Ms. Parnes. It is Parnes.

Chairman Akin. Parnes. Excuse me. Parnes. Director of the Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. You didn't have to travel too far.

Ms. Parnes. No, I didn't. Just down the block.

Chairman Akin. Thank you, Lydia. Same thing, five minutes, please.

Ms. Parnes. Thank you.

STATEMENT OF LYDIA PARNES, FEDERAL TRADE COMMISSION

Ms. Parnes. Mr. Chairman and members of the Subcommittee, I appreciate the opportunity to appear before you today to discuss the challenges consumers and small businesses face in protecting their computer systems, as well as the Commission's efforts to promote a culture of security among all Internet users. The views in my written testimony are those of the Commission. My oral remarks and responses to questions represent my own views and not necessarily those of the Commission or any individual Commissioner.
For more than a decade protecting the privacy of American consumers has been a top FTC priority. The explosive growth of the Internet and the development of sophisticated computer systems have made it easier than ever for companies to gather and use information about their customers. Small businesses once limited to consumers walking into their stores on main street now reach consumers across the globe and complete transactions entirely online. These information systems provide enormous benefits. At the same time they can have serious vulnerabilities that threaten the security of information stored in them. Securing these systems against an ever changing array of threats is challenging, particularly for small businesses.

For several years the FTC has engaged in a broad outreach campaign to educate businesses and consumers about information security and the precautions they can take to protect or minimize risks to personal information. Last September the FTC unveiled a cyber security campaign called OnGuard Online. Our campaign is built around seven online safety tips presented in modules with information on specific topics such as phishing, spyware, and spam. Each module includes articles, videos, and engaging interactive quizzes in English and in Spanish. Numerous firms including many small businesses are now using OnGuard Online materials in their own security training programs.

The FTC created OnGuard Online with consumers in mind but it is a valuable tool for small businesses as well. In many ways computer users and small firms are like home users. They employ similar applications to participate in e-commerce, send e-mail, build spreadsheets, and create presentations. And, as in the typical household, often there is no information technology professional on site. Unlike most consumer users, however, small businesses may maintain records on hundreds, if not thousands, of consumers, making their computers especially attractive to information thieves. If consumers are to have confidence in our information economy, it is essential that these records be adequately protected.

The Commission recognizes that the key to developing an effective cyber security program is flexibility. The Commission's Safeguards Rule, for example, requires covered financial institutions to develop written information security plans. The rule gives each company the flexibility to develop a plan that takes into account its size and complexity, the nature and scope of its activities, and the sensitivity of the consumer information it handles. The Commission follows a similar flexible approach to its enforcement actions under Section 5 of the FTC Act. To date we have brought 12 data security cases enforcing the FTC Act and the Safeguards Rule.

The Commission also recently issued the Disposal Rule which requires all users of credit reports to dispose of them properly and not, for example, by leaving them lying in a dumpster available to identity thieves. Like the Safeguards Rule, the Disposal Rule contains a flexible standard: reasonable measures to protect against unauthorized access to the information being disposed of.

Safeguarding customer information is not just the law. It also makes good business sense. When small businesses show that they care about the security of customers' personal information, they increase their customers' confidence in the company. In order to help businesses of all sizes comply with both the Safeguards and Disposal Rules, the FTC has issued business education materials which are available on our website.

Providing adequate security for consumer information presents challenges for everyone in the global information based economy. The Commission recognizes that this can be particularly challenging for small businesses. The Commission is committed to continuing its work promoting security awareness and sound information practices through education, enforcement, and international cooperation. I appreciate the opportunity to testify today and look forward to the Committee's questions. Thank you.

Chairman Akin. Thank you, Lydia. Right on time. Next witness is Larry Johnson, Special Agent in Charge of Criminal Investigative Division, United States Secret Service, Washington, D.C. Larry, thank you.

[Ms. Parnes' testimony may be found in the appendix.]

STATEMENT OF LARRY JOHNSON, U.S. SECRET SERVICE

Mr. Johnson. Good afternoon, Mr. Chairman. The Secret Service was established in 1865 to protect our fledgling financial infrastructure through the investigation of counterfeiting and counterfeit currency. The Secret Service has adapted its investigative methodologies to accommodate the increasingly sophisticated systems we protect. With the passage of federal laws in 1984, the Secret Service was provided the statutory authority to investigate a wide range of financial crimes to include false identification, 18 U.S.C. 1028, access device fraud, 18 U.S.C. 1029, and computer fraud, 1030. These three statutes encompass the core violations that constitute the technology-based identity crimes that affect small businesses every day. Over the last two decades the Secret Service has conducted more than 733,000 financial fraud and identity theft investigations involving these statutes, mostly involving small businesses.

Additionally, the Secret Service and the Computer Emergency Response Team, CERT, located in Carnegie Mellon University, collaborated on a project called the Insider Threat Study which was a behavioral and technical analysis of computer intrusions by organization insiders in various critical infrastructure sectors. The Insider Threat Study provided insight to both the activities of the insiders and the vulnerabilities which they exploited. The results of this study are available on the Secret Service public website.

In 1995 in response to the ever-increasing tide of electronic crimes, the Secret Service developed a highly effective formula for combating high-tech crime. It was the Electronic Crime Task Forces, ECTF. They are an information-sharing conduit where state, local, and federal law enforcement, private industry, the financial sector, and academia work together in a collaborative crime-fighting environment. Participation includes every major federal, state, and local law enforcement agency in the region. In 2001 the USA PATRIOT Act authorized the Secret Service to ``develop a nationwide network of electronic crime task forces based on the New York Electronic Crimes Task Force model throughout the United States for the purpose of preventing, detecting, and investigating various forms of electronic crimes, including potential terrorist attacks against critical infrastructure and financial payment systems.'' The Secret Service has since launched 15 ECTFs based upon the New York model. We also have nine electronic crimes task force working groups and 24 financial crime task forces.

In 2005 the Secret Service also established the Criminal Intelligence Section. This Criminal Intelligence Section provided coordination and oversight to every significant cyber case with international ties in 2003 and '04. During this case Secret Service agents uncovered significant vulnerabilities within the computer systems of a number of Fortune 500 companies and their smaller company counterparts and, without alarming the public, quietly notified each of these companies of their findings, thus preventing an estimated $53 million in losses. Estimated exposure to the U.S. financial institutions based on this case was nearly $1 billion. The success of this undercover operation led to the establishment of numerous other online undercover operations which are currently ongoing today.

The Secret Service is convinced that building trusted partnerships with the private sector, and specifically small business, in an effort to educate the public on how they can reduce the threats of data breaches and improve their system security is the model for combating electronic crimes in the information age. Though a large percentage of the private sector breaches to which the Secret Service provides investigative assistance and support are large data brokers, corporations or financial institutions, we do not differentiate based upon the size of the victim or the amount of potential loss. We are equally concerned with compromises being experienced by small companies or independent service organizations, or ISOs, and will respond with the appropriately trained personnel when notified of a suspected compromise. This is why we believe so strongly in a proactive educational platform as a preventative measure. Bottom line, if you are victimized, we will respond.

Through the use of company best practices you can reduce the risk of Internet crime. Some actions we recommend to small and large businesses alike include establishing internal policies and communicating them to your customers, providing a method for customers to confirm the authenticity of their e-mails, and employing stronger authentication methods at websites using information other than Social Security numbers. If Social Security numbers aren't solicited on websites, this information will not be at risk. Also, monitor the Internet for phishing websites that spoof your company's legitimate sites.

Chairman Akin. Larry, I need to stop you. You are way over here and we have got votes going on right now so I am going to try and quickly slip you in, Steve, if we could. Then I think I am going to let Ms. Bordallo ask some questions. I am going to be gone close to half an hour voting and we will resume following that.

[Mr. Johnson's testimony may be found in the appendix.]
STATEMENT OF STEVEN MARTINEZ, FEDERAL BUREAU OF INVESTIGATION Mr. Martinez. Thank you. Good afternoon, Chairman Akin, Ranking Member Bordallo, and members of the Committee. I want to thank you for this opportunity to testify before you today about Small Business Cyber-Security Issues. As retail business moves to the world of e-commerce, cyber crime will follow. In 2000 e-commerce accounted for 1 percent of all retail sales. Today it accounts for 2.4 percent of all sales. this upward trend will undoubtedly continue. Adding to this the revenue generated by non-retail Internet businesses, such as media and entertainment, e-commerce will soon dominate all commercial activity worldwide. The FBI is committed to investigating threats at all levels against this major force in our economy. Small business forms a vital link in the overall security of the Internet. First, small business accounts for a significant portion of the retail business occurring on the Internet. Many online businesses and e-retailers are small businesses, many small businesses are customers of online businesses, and still other small businesses support the IT and Internet operations of large businesses and the government. Second, the integrity of Internet-connected small business systems has an impact on security of the Internet as a whole. The FBI has recognized that the best way to combat the growing threat of cyber crime is to form a partnership with businesses and industries that rely on the Internet for their success. By teaming up with the private sector the FBI is able to find out what issues affect business and what problems are causing the most harm. This has allowed us to focus our efforts on the major problems affecting the Internet. Further, through our outreach and information-sharing initiatives we are able to share our experiences with the business community so that they can better protect and defend themselves against new and evolving cyber threats. 
The education of small businesses about the scope and nature of cyber threats is an important first step in protecting those businesses. The FBI has two initiatives focused on building a partnership with business: The National Cyber-Forensics and Training Alliance (NCFTA) and InfraGard. The NCFTA is a first- of-its-kind public-private alliance located in Pittsburgh, PA. At the NCFTA members of law enforcement work side-by-side with representatives from business on addressing the latest and most significant cyber threats. Through this collaboration the FBI has been able to identify and prosecute some of the most serious cyber criminals including those who distribute computer viruses, operate large networks of compromised computers (known as botnets), and perpetrate fraud schemes such as phishing scams. The NCFTA is strategically located near Carnegie Mellon University's Computer Emergency and Response Team/ Coordination Center (CERT/CC) and is also within driving distance of the FBI's Internet Crime Complaint Center (1C3). As an example on how we address cyber complaints, the NCFTA was recently contacted by a small bank in New Jersey. The bank was the victim of a phishing attack. In this type of attack the criminal creates a fake website that is identical to the real bank site and uses the fake site to steal credit card and other identity information from the bank's customers. With the victim bank to help them, the NCFTA traced the attack to its source and identified what measures they could take to mitigate the effects of this attack. With the help of the NCFTA, the bank was able to send ``cease and desist'' letters to the Internet service providers hosting the fake sites in order to have the sites shut down. InfraGard is an alliance between the FBI and the public whose mission is to prevent attacks, both physical and electronic, against critical infrastructure including, but not limited to banks, hospitals, telecommunications systems and the Internet. 
InfraGard has over 14,800 private sector members spread across 84 local chapters throughout the United States. These private sector partners represent the full spectrum of infrastructure experts in their local communities. FBI Agents assigned to each chapter bring meaningful news and information to the table such as threat alerts and warnings, vulnerabilities, investigative updates, overall threat assessments and case studies. The FBI's private sector partners, who own and operate some 85 percent of the nation's critical infrastructures, share expertise, strategies, and most importantly information and leads that help the FBI track down criminals and terrorists.

The Internet Crime Complaint Center, IC3, is a joint initiative between the FBI and the National White Collar Crime Center (NW3C). Located in West Virginia, a short distance from the NCFTA facility in Pittsburgh, the IC3 serves as a clearing house for cyber crime incidents reported by both individuals and business. The IC3 receives, on average, 25,000 reports of cyber crime incidents each month. By analyzing these complaints for commonalities and trends the IC3 is able to develop cases that have a national impact. These cases are then referred to local, state, or federal law enforcement agencies for investigation.

As with the NCFTA, the IC3 also focuses on partnerships with business as the most efficient and effective way to combat cyber crime. In 2002 the IC3 began an initiative to help online retailers combat fraud from re-shipping scams. The initiative, known as Retailers and Law Enforcement Against Fraud (RELEAF), brought together teams of analysts at the IC3 and e-commerce businesses to identify fraudulent online purchases which were being shipped by domestic re-shippers to destinations overseas. In one 30-day period, the RELEAF initiative resulted in 17 arrests, 14 controlled deliveries, the recovery of $340,000 in stolen merchandise, and the recovery of over $115,000 in counterfeit cashier's checks.
Chairman Akin. Steve, you are about out of time.

Mr. Martinez. Okay. Thank you. I would be happy to answer any other questions about our initiatives.

[Mr. Martinez's testimony may be found in the appendix.]

Chairman Akin. Thank you. Because of the vote being called, I am going to have to scoot out. I would like to start by asking a question. I do have some staff here that can take a few notes. I guess the first thing that I am interested in, and all of you are immersed in this whole situation on a day-to-day basis, we just touch on it and run to lots of other things. I would like to know your assessment of how big a problem we have, first of all, and how do you measure that. Then the second thing is, within the scope of where we have a problem, do those things tend to cluster in certain areas? Are there a couple of certain particular places such as identity theft or something where that is the majority of what we are concerned with? So I am interested in scoping the problem and getting a little bit of a sense as to what categories those things are in. If you could answer that. Then I am going to turn the chair over to Ms. Bordallo. I have got probably about half an hour of voting or so, so I would expect you will adjourn and we will call a second panel at that time. Thank you very much.

Ms. Bordallo. Thank you very much, Mr. Chairman. Since I represent the territory of Guam we don't vote on the floor. That is one thing I wish we could, but the territories do not have that privilege. We vote in committee but not on the floor. I think we will take the two questions that the Chairman presented and we will begin with Mr. Larry Johnson. What would your answer be to those two concerns that he has?

Mr. Johnson. What the Secret Service has seen a large percentage of the time is that attacks on businesses, whether small or large, are typically for financial gain.
What we have also seen is identity theft being a component of not only assuming someone's identity through intrusions, social engineering and other methods. That is very prevalent of the major attack. However, a recent trend is that if you can bypass the identity theft and go right to an institution that stores financial data. We have seen that now more common than ever that if you can bypass the identity theft and steal credit card numbers and other financial data, account takeovers. We have seen an alarming rate of account takeovers, specifically retirement accounts because that is where the largest amount of money people usually have.

Ms. Bordallo. So you would consider that the biggest problem?

Mr. Johnson. Yes.

Ms. Bordallo. All right. Next would be Mr. Steven Martinez. Can you answer the question that the Chairman presented?

Mr. Martinez. Sure. I think what we are seeing in the FBI, as we are looking at cyber crime across the entire spectrum, is a convergence of the hackers on the one side that we used to see as kind of stovepiped in doing their own thing for bragging rights and that type of thing, and the cyber fraudsters on the other. They are now meeting in the middle. They are now leveraging each other's knowledge and it is all for profit just like Mr. Johnson mentioned. That is really a change that we have seen over the last couple of years and it is being facilitated by automation in the way that these hacks are conducted. I mentioned botnets in my testimony. They give a standoff capability to cyber fraudsters and hackers where they can perpetrate frauds against Americans from anywhere in the world. It provides an additional challenge for us because we really have to have an international scope, international reach, in order to address these things. But, on the other hand, small businesses have a huge part to play in this. I briefed on a very successful case targeting a botnet that was brought to us by a relatively small business in the Los Angeles area.
This case was expanded and we determined that it impacted on large ISPs across the nation, but the nexus of this was an attack on a small business and they brought that information forward. Outreach is an important part of this because there are some disincentives to reporting that you have been attacked and have a problem. It might put you at a competitive disadvantage. We are working very, very hard on outreach in order to get the information in. As far as the scope goes, our best estimate is we probably only see maybe a quarter at best of the reporting that we would hope to get as far as the nature of the problem. There are a lot of reasons for that. Again, there are some financial disincentives for bringing that information forward. As businesses small and large get used to the fact that the FBI and law enforcement agencies know how to work these investigations without disrupting their operations, I think we can create more good will and get more of the reporting we need to address the problem better.

Ms. Bordallo. Thank you. Thank you. Now Lydia Parnes. What do you feel is the biggest problem facing you?

Ms. Parnes. Well, the Commission really looks at this issue from the perspective of information security across the board. I think it would be difficult for us to kind of single out how big the problem is for small businesses, but we know that information security is a major issue. The issue that we have a particular focus on is identity theft. The Commission is charged with maintaining an ID theft clearing house and so we get the consumer complaints and the inquiries from consumers who have been subjected to identity theft. I think ultimately that is the real concern about information security. We want to promote a culture of security and we want to do it because when security is lacking, identity theft can be the result with all of the resulting injury.

Ms. Bordallo. Thank you. Cita Furlani.

Ms. Furlani. Thank you.
I think there are a few more aspects that should be considered. One I mentioned was just the sheer complexity of how you provide security. There are too many ways that things can be breached. The things that I think small businesses and any other business need to consider is that they are frequently partnering with others. They need to have some way of determining whether their partners are maintaining secure environments. They frequently outsource and are provided some kind of software or supporting structure by other businesses, and how do they measure whether those are meeting the same level of requirements that they have set in-house. The whole aspect of an always-on Internet, always able to be on and connected, adds a complexity of understanding of how you provide the firewalls and the patches. Everything that has to be done is a difficult problem.

Ms. Bordallo. Thank you very much. Now for my round of questions. I have one for Mr. Johnson first. I was particularly interested in a point you made near the end of your prepared testimony that Secret Service Electronic Crime Special Agent Program Officers are committed to taking preventative action to guard industry from crime in addition to their responsibilities to investigate following a crime. I would encourage the Secret Service to review ways in which its technical expertise can be shared with SBA client firms. What existing partnerships, Mr. Johnson, does the Secret Service have with SBA on cyber security?

Mr. Johnson. With the Electronic Crime Special Agent Program, I'll just address that first. That is a training situation that the Secret Service has probably been involved in over the last couple of years. We train our agents in three levels of cyber investigators. First, the No. 1 level is the forensic investigator that actually looks at the hard drives and determines the vulnerabilities based on the electronic evidence.
The middle level of cyber investigator is the network intrusion expert who is very involved and has extensive training in network intrusions. Then that lowest level is the basic cyber investigator training program where we try to have all of our special agents go through this type of training. Obviously they cycle into other assignments, but eventually in the next couple of years we hope to have all special agents in the Secret Service trained as cyber investigators.

As far as the affiliations of small businesses and large businesses, we have numerous members to our Electronic Crimes Task Forces and they are located, like my testimony indicated, throughout the United States. That's where the sharing of the information is from one small company to another and they basically talk about what is the security concern of the day. What keeps their CEO up at night? These discussions a lot of times bring out a lot of information that they would not otherwise talk about, what was previously not spoken about because I don't want to admit to you my vulnerabilities. Now we have gotten companies both large and small to talk about what their security problems are and we think that has been beneficial.

Ms. Bordallo. So what you are telling me then about these programs, the various programs that you explained, you are partnering with the SBA? Is that what you're telling me or thinking about it?

Mr. Johnson. Well, I probably have to get back to you on whether or not specifically we have a partnership or an MOU. I believe they are members of one or more than one of our task forces, but I can let you know for sure.

Ms. Bordallo. I think that is the basis of my question. I think it is important that we partner.

Mr. Johnson. Okay.

Ms. Bordallo. All right. The next question I have is for Mr.
Martinez. I am concerned, Mr. Martinez, that after reviewing the SBA website this morning I was unable to find any information on it regarding cyber crime and small business or information on how small businesses can contact law enforcement in the event of a suspected cyber crime. I wonder whether a small business owner or an entrepreneur knows that it should consider contacting the FBI regarding potential cyber crime. Has the FBI ever done any coordination with the SBA to educate small companies on cyber security issues? What kinds of outreach and training programs does your agency have for small business, or would such a program need to be developed?

Mr. Martinez. Well, the FBI does have a formal arrangement with the SBA through a memorandum of understanding to provide support, leveraging our InfraGard program and the membership, to assist with a series of very specifically targeted sessions called ``Cyber Security Is Good Business.'' That is what these training sessions are called that target small businesses specifically across the country. In fact, recently there have been, or will be, sessions in places from San Diego, California, Sioux Falls, Minneapolis, Casper, Wyoming, places where you might likely find smaller businesses. Again, this is an effort to leverage what we have built with InfraGard, provide both access to the membership, because a lot of the best information is held in the private sector, but also to provide subject matter experts within the FBI, investigators, whatever the case may be, to participate in these training sessions if need be.

Ms. Bordallo. I certainly think that for both the FBI and the Secret Service these are partnerships and I think they should be included on the website, the SBA website. We don't find anything and I think this would be extremely helpful if you could work with them and see that this be included.

I have a question for Ms. Furlani. What are the two most important lessons you teach small business owners on computer security?

Ms. Furlani. Vigilance.
How to determine whether they are--we provide checklists and ways to understand the issue and what they need to do. Frequently they have the kinds of people that can understand what needs to be done, but it is a matter of resources, how much time can be spent. We try to find simpler ways to describe what can be done and give them checklists that they can go down and determine whether all the various patches have been done and the intrusion detection zone and all these things that they need to do. Most important is mainly being aware and being vigilant. That is probably the most important because all the other things change as the threats change. It is more important to be aware of it and be understanding of what and access to where the resources are to understand how to deal with the changing environment.

Ms. Bordallo. And, Lydia, I have a couple of questions for you. To what extent has the FTC attempted to involve the Small Business Administration in cyber security efforts that are targeted at small businesses?

Ms. Parnes. We actually have a history of working with the SBA on frauds that are directed to small businesses and we have had a number of real successes. We have not kind of dealt with them specifically on cyber security, but we would be delighted to have them participate in OnGuard Online, which is our online cyber security information. The OnGuard Online is not marked as an FTC site particularly. You can get it through our site, but we encourage others to use it and put it out there and we will definitely contact the SBA. They can take the site. They can link to it or just put it on their site as well. I think it would give small businesses very good information.

Ms. Bordallo. But this, again, hasn't happened as yet.

Ms. Parnes. No, it hasn't. I would add that we do have federal agencies who partner on OnGuard Online as well as private industry. It is up there and it is available to anybody who wants to use it and we will seek out the SBA.

Ms. Bordallo.
Another question. Under what circumstances should a small business owner report cyber attacks to the FTC? What would be the extent of the problem before they contact you? What would the circumstances be?

Ms. Parnes. Well, certainly the FTC is one place that a small business can contact about a cyber security attack. The information that we get goes into a database that is available and actually is downloaded onto the FBI database that Mr. Martinez talked about. The Secret Service has access to our database as well. A small business could easily contact the FTC. We would take all of the information. We would put it in our database and it would be available to law enforcers, both federal law enforcers and also law enforcers on the local and state level. The FTC does not have any criminal authority, however. So many of these attacks are criminal in nature.

Ms. Bordallo. What would you say the frequency of inquiries is? Any of you could answer that.

Mr. Martinez. On the IC3, the Internet Crime Complaint Center, complaint intake runs about 25,000 complaints a month. That is individual consumer complaints. That doesn't include aggregated information that we get from private sector partners.

Ms. Bordallo. That is a staggering number. Let me see here. I think that is pretty much all the questions. We are trying to extend this before we call up the second panel. Oh, yes. I have one for the FBI. What is the most common roadblock you encounter when tracking down cyber criminals?

Mr. Martinez. I think the biggest challenge for us right now is the international nature of cyber crime because going across the world you have different relationships with different countries and different levels of cooperation, so we put an awful lot of effort into developing and firming up those relationships in places where we haven't had a presence before. You know, former Soviet states, the Far East.
We have a legal attache program where we have a presence in many, many foreign countries, but we found that we actually have to put people on the ground to work with some of these countries that haven't developed their legal systems or their capabilities to address cyber crime, so that has been a huge challenge. It is really a change in the way we do business because we used to focus mostly on domestic crime problems, but it really is a completely international, global crime problem now.

Ms. Bordallo. Secret Service, how would they respond?

Mr. Johnson. I would agree with Mr. Martinez. The only thing I would add is that there is a different scam every day. I become briefed on the latest and greatest and it is always something added to an existing scam on the Internet. It is more sophisticated, from phishing to pharming, and that is just one example of trying to stay one step ahead or at least equal with the bad guys.

Ms. Bordallo. Can you share with us what is the latest scam so we are ready for it?

Mr. Johnson. I think I kind of mentioned the account takeovers are very prevalent. You kind of put me on the spot with the latest.

Ms. Bordallo. You know we have to be up to date here.

Mr. Johnson. I understand.

Ms. Bordallo. Thank you very much. I think we spoke about that, the small businesses to protect against inside. You mentioned vigilance, which is very important.

Ms. Furlani. And how best to apply their scarce resources. Which vulnerability should they work on? Some kind of prioritization.

Ms. Bordallo. Can small businesses employ adequate security measures with their limited resources? What would the cost of that be? You are talking very limited resources.

Ms. Furlani. Again, if you know--if you have access to how to do it you can make choices as to what is the most important way to close the door and where you apply your resources. Obviously it is easier when you have a larger budget.
You are using a smaller percentage of it, but education and awareness, and I think that is what you are focused on today, is where the resources are that they can make use of.

Ms. Bordallo. And who provides--who can provide that?

Ms. Furlani. Our website has a lot of information and I think each of the other agencies do.

Ms. Bordallo. But technical assistance?

Ms. Furlani. Technical assistance is generally where they are going to be getting it from a vendor of some sort. There again, they need to have enough understanding of what they are hiring and what risk they are taking there with partners, vendors. Every time you add someone else there is another vulnerability risk.

Ms. Bordallo. That is correct.

Ms. Furlani. Being aware of that.

Ms. Bordallo. We want to thank all of you for appearing before the Committee today and we appreciate all your testimony and certainly we take it into account. I would like to excuse you and bring on the second panel. Oh, we will recess for a short time until we bring up the second panel.

[Whereupon, at 3:04 p.m. the Subcommittee adjourned until 3:24 p.m.]

Chairman Akin. The Committee will come to order. Sorry about breaking things up here. I think we are prepared to go with our second panel if I am not mistaken. Ari Schwartz. Is that correct?

Mr. Schwartz. Ari, yes.

Chairman Akin. Ari. Okay. Deputy Director of Center for Democracy and Technology, Washington, D.C. You have five minutes, please, Ari.

Mr. Schwartz. Thank you.

STATEMENT OF ARI SCHWARTZ, CENTER FOR DEMOCRACY AND TECHNOLOGY

Mr. Schwartz. Thank you. Mr. Chairman, Madam Ranking Member, thank you for holding this hearing on cyber security and inviting the Center for Democracy and Technology to testify. CDT hopes that this marks the beginning of the Subcommittee's interest in the important issues of information security and its impact on small business and consumers. Much has been written and said about the Internet as a revolutionary platform for human interaction.
Indeed, the Internet levels the playing field for individual speakers and small businesses. It is a cheap and effective way to reach around the world. There are many factors that make the Internet unique among communications tools, but its strength has always been its open, decentralized, and user-controlled nature. As such, the medium inherently has the potential that promotes democracy and entrepreneurial ideas.

However, the Internet's strength is also one of its weaknesses. Just as networking and interconnectivity allows for unprecedented sharing of ideas, those factors also expose the medium to a growing number of threats such as viruses, spam, phishing and spyware. Individually these attacks are dangerous enough, but taken together they have begun to chip away at the trust Internet users have in the medium. A recent survey done by Consumer's Union has indicated that 25 percent of consumers have stopped making purchases online and another 29 percent have cut back on their online shopping because of concerns about identity theft alone.

To address these dangers we must ensure both that our proposed solutions get to the root of the problem and that those solutions don't inadvertently harm the essential nature of the medium. To reach these goals we must understand the motivation and character of the threats. Although popular portrayals of Internet criminals continue to focus on young hackers vandalizing websites or launching denial of service attacks to gain notoriety among their peers, most of the real threats today are driven by financial gain, as was said by the FBI and the Secret Service in the earlier panel. It is easy to get lulled into the belief that these are new threats because of the new terminology like phishing with a ``ph'' or spyware, but in reality they are for the most part typical fraud cases that we have seen offline for years and years.
In our research into consumer complaints CDT found these attacks are generally driven by five types of financial motivation. (1) Identity theft to consumers and businesses. (2) Corporate espionage, that is, taking confidential information. (3) Advertising software that provides pop-ups, financially motivated because companies are paying affiliates to install software onto users' computers and often do so without consent. (4) Fraudulent marketing schemes like those that we have become used to in our e-mail boxes every day. And, (5) Extortion, where consumers' or business data or an entire machine is held ransom in one way or another.

We are also seeing more attacks that rely on multiple techniques, also known as blended threats, that are uniquely targeted to a specific type of user. The New York Times recently reported that large gangs of criminals in Brazil and Russia are using virus-like techniques to install password crackers that only work on certain banking websites. This demonstrates not only the new skill of the criminals but also the international nature of the threat.

These attacks have magnified impact on small business because many small businesses suffer from those attacks aimed at consumers as well as those aimed at businesses. Also, while large enterprises can afford spare capacity in the form of additional computers and servers, many small businesses do not have that luxury.

Because of the changing nature of the threats, it is important that security programs continue to improve. Computer security companies have become experts at finding problems and distributing information about whatever malicious programs caused the problem, but they are only just beginning to build and test programs that stop malicious software at the first signs of bad behavior, even before the names of those programs are known.

Finally, it is essential that we address the financial motivation of these threats as we have in offline fraud.
This is not as easy as it sounds because the Internet models pass information to the hands of so many players and across borders as well. CDT is currently in the process of documenting how large and respected companies are unsuspectingly supporting unfair and deceptive practices of their partners. Yet, we must get beyond all these difficulties and find the sources of funding and cut it off or risk losing the potential of the Internet for future generations. Thank you again for having me here and I look forward to your questions.

[Mr. Schwartz's testimony may be found in the appendix.]

Chairman Akin. Thank you, Ari. Right on time there. Next we have Enrique Salem, Senior Vice President, Security Products & Solutions from Symantec Corporation from California. Thank you for coming the distance here, Enrique.

STATEMENT OF ENRIQUE SALEM, SYMANTEC CORPORATION

Mr. Salem. Thank you, Chairman Akin, and Ranking Member Bordallo for giving me the opportunity to testify at today's hearing on the state of small business security in a cyber economy. I am hopeful that my remarks will provide the Committee with a comprehensive overview of the U.S. small business cyber threat landscape. I also hope to give you some thoughtful insights on the many security challenges small business owners face in today's growing digital economy. I look forward to responding to the Committee's questions following my remarks.

I come before you today representing Symantec Corporation. We are the fourth largest software company in the world and we help our customers to protect their information and we provide them solutions around security and availability and integrity of their data. As the Senior Vice President for the Consumer Products Business Unit I am responsible for both the consumer market and the small business segment.
Prior to joining Symantec I was the CEO of Brightmail, Inc., a leading provider of anti-spam solutions, so I am able to talk to you about some of the key challenges that small businesses face when they try to deal with spam. I also provided comments to Congress on the issues surrounding the CAN SPAM Act.

Last week Symantec released its ninth Internet Security Threat Report, which is widely acknowledged to be the most comprehensive analysis of information regarding security activity for today's economy. The report includes an analysis of network based attacks, including those on small businesses, with a review of known threats, vulnerabilities, and security risks. We have been providing this report on a semi-annual basis since 2002. The last two Internet Security Threat Reports found that small businesses have consistently been in the top three most targeted groups for cyber attacks. Cyber criminals have found that small businesses are less likely to have a well-established security infrastructure, making them more vulnerable to attacks.

Symantec has also sponsored the first comprehensive study of its kind analyzing the state of information security readiness in the U.S. small business market. The July 2005 study conducted by the Small Business Technology Institute surveyed more than 1,000 businesses and found that information security is a high priority for small business owners. But it also showed a lack of appreciation of the true economic impact of information security incidents and a lack of knowledge around cyber threats. I would like to submit this report with the Chairman's permission.

Chairman Akin. Without objection.

Mr. Salem. Some key findings that we found in the report are as follows. While over 70 percent of small businesses consider information security a very high priority, they are not increasing their investment in protection. The study revealed that small businesses demonstrate an alarmingly complacent and passive attitude to information security.
A majority of small businesses, 56 percent, have experienced at least one security incident in the past year, and small businesses make overwhelmingly reactive purchase decisions when it comes to Internet security, with 35 percent increasing spending on security products only after their business has been compromised or attacked, resulting in a loss of data or corruption.

It is difficult to quantify the impact of cyber crime, but according to the FBI's 2005 Cyber Crime Survey costs today are around $67 billion to U.S. firms over the last year. Additionally, the FTC found that identity theft cost businesses $48 billion and last year consumers $680 million in losses. But more damaging than the loss of money is the loss of trust and confidence by consumers in the Internet economy. With so much of the nation's small businesses depending upon the Internet, we can't risk losing the public's confidence in doing online transactions with small businesses, as it is essential that they have the right resources to protect themselves.

Symantec continues to play an instrumental role in protecting small businesses through the security solutions we offer and our education and awareness efforts. For example, Symantec is a major sponsor of the National Cyber Security Alliance, or the NCSA, a non-profit which educates small businesses and consumers how to stay safe online. The NCSA website, staysafeonline.org, is a useful resource for small businesses and partners with the Department of Homeland Security, FTC, Small Business Administration, NIST, and many others on several initiatives, including the small business training workshops led by NIST. In addition to its sponsorship of the NCSA, Symantec has created several tools, including educational books and CD-ROMs, to address the unique needs of small businesses.
We have copies of these materials available at today's hearing that Symantec has also developed in a wide range of areas to help protect data that small businesses find critical to run their businesses. We must focus on increasing cyber security awareness, educating and enabling small businesses to properly assess their true level of risk and encouraging them to take the necessary preventative and corrective measures. Symantec looks forward to continuing to work in partnership with the private sector and Congress to conduct research and create tools that lead the way in providing U.S. small businesses with the right resources they need and deserve to truly secure and prosper in today's high-tech global economy. Thank you again, Chairman Akin, and Ranking Member Bordallo, for allowing me to testify today in front of the House Small Business Subcommittee on Regulatory Reform and Oversight.

[Mr. Salem's testimony may be found in the appendix.]

Chairman Akin. Thank you very much, Enrique. Appreciate your perspective. Next is Dr. Burton Kaliski. Is that right?

Dr. Kaliski. Kaliski, sir.

Chairman Akin. Kaliski. You are the Vice President of Research for RSA Security, Chief Scientist, RSA Laboratories from Bedford, Massachusetts.

STATEMENT OF DR. BURTON S. KALISKI, JR., RSA LABORATORIES, RSA SECURITY

Dr. Kaliski. Chairman Akin and Ranking Member Bordallo, I am honored to be with you today. You might wonder what the three letters RSA stand for. They are the initials of the three inventors of a very widely-used encryption algorithm developed in 1977 at MIT with federal research funding.
We have a conference held annually on the west coast which now attracts 14,000 attendees, and at the most recent conference Robert Mueller spoke and said that, ``While the Internet has become a growth engine for business, it has also become a global target for cyber criminals.'' He is exactly right, and this is a dilemma for small businesses because, on the one hand, you want to go online to expand your business opportunity. On the other hand, when you go online you face tremendous threats, and small businesses don't have the IT security departments to help them, but there is hope.

We need to look at what is an adequate level of security for a small business or any business. We believe that security ought to be commensurate with the value of the data as well as the resource being protected. Just as you don't shred every piece of paper, you don't need to encrypt every file, but you need to be shredding and encrypting sensitive information. Just as you don't lock every door, you don't need to have strong access controls on every file, but those that are sensitive need that appropriate level of protection.

Now, traditionally the protection for access to information has been a password, and it is recently that across many industries people have realized it is finally time to do something better. But what is there that is better than a password? Well, at the RSA conference this year Bill Gates was one of the speakers, and he said, to paraphrase, that the era of passwords is over. Organizations are looking at many technologies for making it easier to use stronger security, but we again have a dilemma. If you have strong security that is very strong but not easy to use, you really have no improvement at all. Great security is good to have if you can use it.

There has been a substantial increase in the focus on usability, and I would like to highlight several ways that is taking place. One is that vendors are finding ways to make security more usable across the industry as a whole.
You may have different interfaces on every site you interact with, a different way of providing your password, a different way of answering questions about your account. You may have ways that you can reset your password in one case and in another case it is different, but industry is working to standardize and harmonize these approaches so that users have a consistent experience.

Users also have many opportunities to increase their security with the devices that they already have. We are all carrying mobile phones. Couldn't that be used some way to enhance our security experience if we could just connect that with the places at which we do business? That would certainly simplify the situation for a small business rather than having to find some unique solution to put security in the user's hands. And vendors, including my company, are looking at many ways like this.

Now, the third point, though, is that you basically needed to be a crypto-engineer, and I wish I could tell you more about that career because it is fascinating. You needed to be a crypto-engineer to put security in your products. Up until recently you had to know details of every algorithm and acronym and so forth. Well, that is changing. Vendors are finding ways so that you can put encryption in and other features of security just based on policy. You say, ``Here is the kind of data I have. Please encrypt it,'' and it is done and it is managed well. Security appliances are another example. You don't need an IT security department to enhance your security. You can plug in a device that is ready to go into your network and it enhances your security.

Finally, IT vendors are working on improvements to the user interface because, after all, that is the last and the weakest link. How does the user know that he or she is more secure? Well, there are improvements on web interfaces that help you to see when you are secure and when you are not. In all of this the public and private partnership is essential.
As my colleague mentioned, the National Cyber Security Alliance is an important player. RSA Security has also been invested in that organization. We encourage others to take part in it. We are also interested in the area of breach notification legislation. I understand that the House and the Senate are both working in that area. We consider it important as an incentive and reward to businesses that apply best practices that those best practices are recognized in terms of a safe harbor provision.

To conclude, just because you are a small business doesn't mean the criminals aren't out to get you as well. You have valuable resources. Just because you are a small business doesn't mean you can't do anything about it. There are tools, the built-in security in many products, the tools for encrypting data more easily. You know, RSA Security used to be a small business, and at RSA Laboratories we maintain that entrepreneurial perspective. We look forward to working with this Committee on Small Business for a safer and more secure economy.

[Dr. Kaliski's testimony may be found in the appendix.]

Chairman Akin. Thank you. Very well done. Thank you very much. Our next guest is Roger Cochetti?

Mr. Cochetti. Cochetti.

Chairman Akin. Cochetti. Your son Andrew is supervising this operation as well, I understand.

Mr. Cochetti. Thank you very much.

Chairman Akin. You are the Group Director of U.S. Public Policy, Computing Technology Industry Association, from Arlington.

Mr. Cochetti. Yes, sir.

Chairman Akin. Thank you, Roger.

STATEMENT OF ROGER COCHETTI, U.S. PUBLIC POLICY, COMPUTING TECHNOLOGY INDUSTRY ASSOCIATION

Mr. Cochetti. Thank you, Mr. Chairman. Thank you, Ranking Member Bordallo. Thank you both for your warm welcome for my 13-year-old son Andrew, for whom the subject of cyber security, I can assure you, is not a theoretical issue. My name is Roger Cochetti and I am Group Director of U.S. Public Policy for the Computing Technology Industry Association (CompTIA).
I am here today on behalf of our 20,000 member companies. Mr. Chairman, I want to thank you and the members of your Subcommittee for holding this important hearing on the State of Small Business Security in the Cyber Economy. We believe that your efforts to focus public attention on cyber security and small business will help American small business avoid cyber threats. Before I continue, Mr. Chairman, I would like to ask that my written statement be submitted for the record.

Chairman Akin. Without objection.

Mr. Cochetti. Mr. Chairman, the Computing Technology Industry Association is the nation's oldest and largest trade association representing the information technology, or IT, industry. For 24 years CompTIA has provided research, networking, and partnering opportunities to its 20,000 mostly American member companies. While we represent nearly every major computer hardware manufacturer, software publisher, and systems integrator, nearly 75 percent of our membership is made up of the small American computer companies who themselves provide integrated computer systems to small businesses, which I will explain more in a moment.

As this Subcommittee knows, small business is the backbone of the American economy. Some 23 million small businesses generate over half of our GDP and employ most of the private sector workforce. Today nearly all American small businesses are dependent upon information technology, and most are increasingly dependent upon the Internet. Failures in the IT infrastructure or in the Internet threaten the viability of American small business, and their vulnerability to cyber threats is America's vulnerability.

The IT needs of small businesses are mainly addressed by an important segment of the computer industry called Value-Added Resellers, or VARs. These small system integrators, which are the bulk of our members, set up and maintain computer systems and networks for small businesses.
VARs create and maintain the computer systems in your dentist's office, in your doctor's office, for your corner store, and for your local plumber. VARs are the front line in America's defense against cyber security threats. An estimated 32,000 VARs sell about one-third of all computer hardware sold in the United States today, and most of that to small business.

Because of our unique role representing America's VARs, CompTIA has done a great deal to address the issue of cyber security for small business, much of it in conjunction with governments. We recently launched a series of regional educational programs on cyber security expressly for VARs and, through them, the small businesses whom they serve. In 2002 we introduced the Security+ professional certification for IT professionals. It validates an IT professional's abilities in the area of cyber security, and to date over 23,000 IT pros, many working for small businesses, have taken and passed CompTIA's Security+ exam.

Over the past few years we have commissioned an annual survey of the state of IT security. Two-thirds of the participants in these surveys are small businesses, and the results tell us a lot about the cyber threat to small business. Almost 40 percent experienced a major IT security breach within the last six months. Human error, either alone or in combination with a technical malfunction, caused four out of every five IT security breaches. More than half do not have written IT security policies. One half have no plans to implement security awareness training for their employees outside of the IT department, nor have they even considered it. About two-thirds have no plans to hire IT security personnel, and just a quarter require IT security training and a tenth require professional certification. With your permission, Mr. Chairman, I would like to submit our most recent study for the record of this hearing. It talks a lot about what is happening in small business.

Chairman Akin. Without objection.
Mr. Cochetti. Based on our studies it is clear that more needs to be done to raise cyber security awareness, education, training, and professional certification within the small business community. It is also clear to anyone who understands how small businesses operate in the United States that VARs must play the central role in any effort to reach out to small business in this area. What is most needed is a Government-industry partnership that takes advantage of the unique access and perspective of thousands of VARs who IT-enable small business in the U.S.

Mr. Chairman, let me emphasize at this point that the most effective solutions to nearly all cyber security threats, to small business or any other IT users, do not rely on new federal or other regulations. The nature of the Internet, in particular that it is a global network of networks that is dynamic and rapidly changing, is such that Government regulations will have a limited impact. Much more effective in dealing with threats like cyber security are technology tools, industry best practices, and consumer and business education backed up by strong law enforcement. The key role that Government agencies can and should play, aside from arresting and prosecuting criminals, is to work with industry and consumers on education, technology tools, and best practices. We look forward to working with this Subcommittee and the relevant agencies in such a cooperative effort. Thank you, Mr. Chairman.

[Mr. Cochetti's testimony may be found in the appendix.]

Chairman Akin. Thank you, Roger. Appreciate your testimony. Our last witness is Howard Schmidt, President and CEO of R & H Security Consulting LLC, and former White House Cyber Security Adviser, from the State of Washington. Howard.

STATEMENT OF HOWARD SCHMIDT, R & H SECURITY CONSULTING, LLC.

Mr. Schmidt. Thank you very much, Mr. Chairman and Ranking Member Bordallo. Thank you for the opportunity to appear before you this afternoon.
My colleagues have done a very good job of sort of laying out the problems. I would like to spend my five minutes sort of talking about some of the things that we have seen which actually have helped improve it and some of the things that are either low cost or no cost that small and medium businesses can work with.

First I would like to frame it in saying that when I look at a small business we see their IT capabilities in three categories. First, we are basically aware that their IT system is also their home computer system, the mom and pop operation, so to speak. We have others where small and medium enterprises have dedicated computer systems, a relatively small staff that basically work really hard to make the IT system run, but no special expertise in security. Then the third category, the ones that actually outsource this to a service provider that basically provides them a turnkey operation. With these categories in mind, their success depends on four things: technology, awareness and training, information sharing and, of course, as we heard from the earlier panel, the law enforcement capabilities.

From a technology perspective we have seen software developers invest heavily in tools and processes to reduce the number of vulnerabilities, which then make us much safer in the software we are running today. There are also now automated tools available to identify vulnerabilities, effectively the unlocked door on a computer system, that can be found automatically, once again, for a low price. The automatic updating of anti-virus applications, spyware, operating systems, things of this nature, once again, are being built into the computer systems we are running. We now see a new generation of toolbars for web browsers that turn red, green, or yellow depending on whether the site is trusted, unknown, or untrusted.
We also see new technology that is very affordable for the consumer and the small and medium enterprise with the all-in-one device, where you have a hardware device that is your cable modem, firewall, wireless router, with anti-spyware built in, that is managed just like it would be for a large enterprise. As Burt talked about, two-factor authentication, a concept like an ATM card, something you have, something you know. It is very important for us to help secure our systems today. Also the encryption technologies are much more affordable, easier to use than ever before, and more widely accepted.

For the awareness and training, one of the issues I see with the small and medium businesses is the fact that they don't oftentimes recognize they are and can be a target. Clearly, recognizing that takes place is one of the key issues for awareness and training. The Treasury Department released a DVD called ``Identity Theft: Outsmarting the Crooks,'' which includes, of course, information for SMBs. The FTC, USPS, USSS, my role as a reservist with Army CID, as well as other private sector groups helped put this together. It is available free of charge on the Treasury website. I might note here, if I could, I have a number of URLs or weblinks in my written testimony. I would like to just point that out. I won't repeat these things.

Of course, the FTC with the OnGuard Online site, the National Cyber Security Alliance, and also for state and local governments working with the local Chamber of Commerce, the multi-state ISAC, Information Sharing and Analysis Center, led by Will Pelgrin out of Governor Pataki's office, have put together state- and territory-wide information sharing and analysis. The US-CERT provides services free of charge. The National Cyber Security Partnership was also mentioned earlier. Also there is a special guide called ``Common Sense Guide to Cyber Security'' for small and medium businesses given out by the US-CERT ready.gov website, as well as the U.S. Chamber of Commerce.
On the sharing, earlier we mentioned the InfraGard and the Electronic Crimes Task Force working with the local folks that actually are doing the work on a day-to-day basis. We also see information and training also take place during those organizational meetings they have.

The last piece I would like to cover briefly is the law enforcement efforts. Like any other effort, there are going to be bad actors out there. We can't escape that. With the technology, the awareness and information sharing we can help reduce the threats against the small and medium businesses, but they still will see some out there. The very nature of the crimes makes them difficult to investigate, so we need to make sure we currently fund particularly small, local jurisdictions which don't have the resources to conduct these investigations without some assistance. The International White Collar Crime Center actually is an NIJ-funded project designed to help state and local law enforcement investigators investigate all types of cyber crimes, particularly, once again, targeting the audience of the small and medium enterprises.

Lastly, some quick recommendations in my last 30 seconds or so. We have seen since we have released the President's National Strategy to Secure Cyberspace that a lot of these efforts have taken place, but we still see some areas. The idea of pulling the technology websites doesn't really cut it. We need to be able to provide this information. Maybe the Small Business Administration working with the U.S. Chamber and the local Chamber of Commerce to hold in-person type events would be very, very helpful. We also basically need to make sure that when the Small Business Administration works with the loaning process, where you have to submit a business plan and things of this nature, a cyber security plan would also be very helpful. With that I will wrap up my verbal comments. Once again, thank you for the opportunity, and I look forward to any questions that you may have. Thank you.

[Mr. Schmidt's testimony may be found in the appendix.]

Chairman Akin. Thank you very much, Howard. You have really led into my first question. As a hard-to-get-along-with crusty old conservative, I have a natural inclination to wonder whether the Government is going to do any good and maybe make the process worse. I guess one of the things that we are investigating here, the first set of questions, which I really left to be asked when I was gone, was, one, how big is the problem and where is the problem? Can we define what the problem is? Second of all, what we are looking at is, is there some way we can be constructive and help, and in certain places maybe we should get out of the way. I wanted to let anybody who wants a shot at that question to make recommendations because we are going to be taking notes. If there are some logical places for us to put some legislation together, we probably have a good chance of getting something done. Maybe there are some places we want to stay away from and just let industry work with it. Have at it, my friends.

Mr. Schmidt. If I may, on the issue of scoping, just from my local law enforcement as well as my experience with the FBI, we don't do a good job of capturing what is really computer crime or cyber crime, particularly as it relates to the smaller organizations. We have these broad categories which don't especially do it. Fraud, whether using a computer or a typewriter, is still a fraud, and we don't differentiate that very well. As far as the regulation piece, once again, it is in the same category. I don't think regulation itself helps, but what you do is make sure the resources are available to the Small Business Administration to not pull technology but push technology to the constituents they work with.

Chairman Akin. Your idea that if somebody wants an SBA loan or something, you say, ``Well, if you want that, then maybe what you need to do is at least ensure some level of security in your system.'' That seems to be kind of an incentive, I suppose, that you could use. Is that a good idea, other gentlemen, or is that just making it harder? Our last hearing that we had was on how people are having trouble getting SBA loans. They said it is taking a lot of red tape and hassle. Do we want to add another step to that or not? You tell me.

Mr. Cochetti. Mr. Chairman, if I could go back to the broader question and then touch on the SBA loan qualification question, I think it is important to keep in mind the scale of the problem, and the scale of the problem is enormous and we believe serious. All of the surveys, ours in particular, suggest that well over half of the 23 million small businesses in the United States have very little preparation for cyber threats, and well over half. Half would be a modest way of looking at it. There are many things that are needed to be prepared. Technology tools are one, training is another, and procedures are another. There are others, but those are typically the three main things. You train people, need the technology, and you need the procedures. Most small businesses have none of these.

Clearly from our point of view the starting point in any discussion about what to do is awareness, education, and training. Small businesses, until they are aware of this problem, are not going to do much about it, and aware of the seriousness of it and the impact it could have on them. The outreach issue consequently is the fundamental issue, we believe, that needs to be addressed. If you think about the size of the small business segment of the American economy, however, reaching out to 23 million small businesses is not something that is going to be done through putting up another website. We have got a dozen very well organized websites that provide a lot of information.
How many small business men or women do you know who spend their time searching websites to learn more about cyber security? We need a proactive outreach effort. The fact is, however, that if we were to put on a conference a month with 100 small businesses participating in each conference, it would take us several thousand years before we would reach the small businesses in the United States. It is for that reason, Mr. Chairman, that we believe that the intermediaries, the VARs, are really the key to the solution. If you go to a dentist, the next time you talk to your dentist ask him, ``Who handles your computer system in this office?'' The odds are almost certain that he or she will not say, ``I do it myself.'' Almost certain they will not say some big multi-national company that we have all heard of. He or she will say, ``It is Joe's Computers down the street.'' These are the people who are the IT departments for small business. These are the people who have to raise the bar on the awareness. These are the education outreach programs that we believe are needed, Mr. Chairman. Thank you.

Chairman Akin. Are you saying that the Government should fund education outreach programs? Is that what you are saying, Roger?

Mr. Cochetti. I think the Government should use every tool at its disposal, and we wouldn't be averse to Government funding for these programs, but it would not be a wise use of Government resources to try to do a conference for small business because after 3,000 or 4,000 years you might have gotten two-thirds of the way through the small business community in the United States.

Chairman Akin. Maybe we ought to publish a couple of really good juicy scandals and scare everybody. Maybe that would be the way to do it.

Mr. Cochetti. That unfortunately sometimes helps.

Chairman Akin. Anybody else want to take a shot at anything that we need to do legislatively or governmentally that could be helpful?

Dr. Kaliski. Sir, a couple of comments.
First, on the scope of the problem, Chairman. Our report clearly shows that small businesses are increasingly being targeted now by cyber criminals, so the scope of the problem is only going to continue to increase. I think the second point is--

Chairman Akin. You talked about the fact that it is increasing. Do you have a sentence or two on what the scope is itself?

Dr. Kaliski. Yes. So what we are seeing is specifically that there has been at least one incident at about 56 percent of all small businesses where their data or security has been compromised, so that is more than half have had an incident in the last year, so that is pretty significant. I think the second point is we do need to provide incentives for small businesses to take action to protect themselves. You mentioned this notion of small business loans. I think that may be an incentive, but we should look for other mechanisms that we can use to encourage them to secure their businesses. I think the other thing is, as Mr. Cochetti said, I don't think we need new websites. There already are existing ones, such as staysafeonline.org, which I think is a fine website to leverage for providing information to small businesses. Lastly, I think the SBA just needs to take a stronger role in helping small businesses to secure their businesses.

Mr. Schwartz. The one area where I think there has been some discussion about legislative initiatives is in terms of international cooperation among law enforcement. We have seen a lot of the cases we track go to the border. Some of them are simply routed through foreign servers to make it look as though it is coming from foreign sources, because the bad guys know that law enforcement goes up to the border and that's where they end their hunt, because we don't have this kind of cooperation, even though they are actually located in the United States. Although some really are, there are a growing number of threats that really are outside of the U.S.
and come in and work across borders, multi-national partners in these schemes, because they really are money-making schemes these days. That means they will work with whoever is willing to partner with them to make money. We have seen schemes that involve seven or eight countries sometimes.

Chairman Akin. Thank you very much. I'll turn the questioning over now to the Ranking Member.

Ms. Bordallo. Thank you very much, Mr. Chairman. My first question is to Mr. Kaliski. I got mixed signals here in listening to some of the comments. Who do you think is best situated to handle cyber security threats, the Federal Government or private industry?

Dr. Kaliski. I think it has to be a combination of both. I don't think it should be an ``or'' situation. I think we definitely have to raise awareness. I think there is some knowledge out there, but I think it is both the private sector and Congress that need to work together. As we mentioned, there are resources available today for small businesses. We just need to make sure that folks understand that they are there and can take advantage of them. I also think the SBA needs to take a strong role in working with the private sector and small businesses to make sure that they have the staffing and resources necessary to protect themselves.

Ms. Bordallo. It is unfortunate, I guess, that we don't have an SBA representative here today, but certainly I did hear you all speak about what you have up on your websites, but when you look into the SBA website there just isn't anything that deals with this problem, so it is something we are going to have to work on. Is there a representative from SBA? Is there anyone in the audience? Do you wish to make any comments on this? Please come forward and identify yourself for the record, please.

Ms. Thrasher. Good afternoon. I am Ellen Thrasher. I am with the Office of Entrepreneurial Development at the Small Business Administration.
My colleague who is here is Antonio Doss, also with the Small Business Administration.

Chairman Akin. Thank you for joining us.

Ms. Thrasher. It is our pleasure, and we welcome the opportunity to be here and also to hear so many of the comments, many of which we share and understand. The dynamics within the small business community have changed dramatically over the last couple of years. The whole idea of e-commerce, doing business online, while at the same time trying to open and sustain a small business, is a challenge. Our role within Entrepreneurial Development is to educate, inform, counsel, and train small businesses to make smart business decisions. We do this in a variety of ways. We work in public/private partnerships. For example, we are very active in the National Cyber Security Alliance. We work with NIST, the FBI InfraGard in offering training, and online counseling and training. Through our resource partners, such as SCORE and SBDCs, we offer counseling and training both face-to-face and online. For example, SCORE has an online counseling service, and if you go to www.score.org you can find at least 140 online cyber counselors with an expertise in computer security that are available 24/7 to provide you counseling and training. We are aware of the problem. We are trying to collaborate as best we can in avenues to, again, outreach, as we were talking about. We do the training, the counseling, the awareness, and we hope to refer people to the areas for deterrents, enforcement, and remediation. Thank you.

Ms. Bordallo. You say that this then, Ellen, is all on your website now?

Ms. Thrasher. Much of it is. In fact, I just provided the Committee with brochures that we give out. We have a collaborative agreement with Hartford and have published a whole series on risk management, of which, of course, cyber security is part. The brochure and the training are available both in English and Spanish and it is on site.
We are also launching a webinar that will be a self-styled tutorial training course on what we call business catastrophe, of which anything, of course, that would happen to your cyber security is part.

Ms. Bordallo. Very good. Thank you. It has been very informative and I have the material here in front of me. Thank you, Ellen. I have a question now for Mr. Cochetti, and that is you spoke about the outreach program, the education outreach. Who should head the education outreach program that you described?

Mr. Cochetti. Delegate Bordallo, there is no question, I think, in the minds of anyone on this panel that it is that educational outreach program which is the most important thing that needs to be done. If nothing else happens, without that there will be little progress. I think certainly in our view, and I suspect most of the panelists here would agree, is that this really needs to be a Government/industry partnership. There is simply no way the industry is going to mount an effective outreach program on its own, nor is there any way the Government could do it effectively on its own, so a partnership is what is needed. I would say there are a number of federal agencies that are already active. They have modest programs underway right now. Most of the programs that exist today are responsive. In other words, I have a website. If anybody feels like coming to it, I have information available. What really is needed is a proactive program that goes out, and it is, again, for that reason that we think these VARs are what the military planners call sort of a force multiplier. Each VAR is the IT department for about 200 small businesses. You get a VAR and you reach 200 small businesses, and it is a way to deal directly with the problem. I think the fact is there are a number of federal agencies, many who are here and some who are not here, who have an interest in some programs in this area. They need to work together--

Ms. Bordallo. With private industry.

Mr. Cochetti. Yes.

Ms. Bordallo. Thank you. Mr. Schwartz, in your mind should the Federal Government be focusing on enforcement of existing laws or should we be looking at new laws? If new laws and regulations are needed, what recommendation do you have?

Mr. Schwartz. Well, in terms of the existing laws, there are several existing laws where they should be enforced more diligently and where we need greater oversight. The Computer Fraud and Abuse Act, for example, is one that we see regularly broken, a criminal statute where action can be taken. The FTC has started to take greater actions in unfair and deceptive practices cases. We started to see more action in that area. And the Secret Service has talked about in their statute the number of places where they can bring cases under current identity theft laws. All of those pieces need to be enforced more strongly than they are today and with an international focus. There is definitely room there.

The one area where we have focused on regulation where we think it is necessary goes back to the basic Internet privacy question. There is a general question of Internet trust and of consumer trust on the Internet today. A lot of that goes back to the fact that consumers don't understand what happened to their information and how it is shared on the Internet. There is a patchwork of laws right now for consumer information and how it is used online behind the scenes for consumers, and that happens online and offline as well. But in the online world consumers have this fear and they don't understand what happens to their information. In some ways it is justified. We have all sorts of different standards. There are lawyers out there that do not understand the Gramm-Leach-Bliley Banking Law and privacy when they read those privacy notices that they are sent. When you are given the privacy notices in your doctor's office, it is a completely different kind of notice than the financial notice that you got before.
We just have this patchwork of laws out there all over the map and consumers just don't understand where their information is going and how it flows and that is starting to show up online. That is one thing that we would like to see is sort of a leveling and understanding, a baseline standard for privacy that basically the good companies out there are following but the other companies out there that are sort of outliers are taking advantage of. Ms. Bordallo. That is an excellent point. Mr. Kaliski, new developments in cyber security certainly will enhance small businesses. We have all been talking about that. Are these protections affordable? Dr. Kaliski. That is an excellent question, ma'am. the important part to look at is that as technology is developed and standardize it becomes widely available, very effectively for a large group of people. Consider the Internet as an example and over time the higher speed Internet access that has been made available to all kinds of businesses. We are seeing a similar trend in security technology. As I mentioned, vendors are producing security tools that can be used across multiple companies so that you are able to leverage the investment that your users have already made to be secure in other places. An example, there are security tokens that are issued by banks that can potentially be used at other banks just as you would use a credit card at multiple places. The affordability will come from the common solutions available through industry standards. Ms. Bordallo. Thank you. Mr. Schmidt, I have just one last question. It seems to me that SBA should be playing a larger role given that if there is any agency small firms would turn to for advice it should be SBA. Would you agree with this assessment and what additional programs should the SBA sponsor to better fulfill their responsibilities to the American small businesses? Mr. Schwartz. 
I agree with that perspective because the small business that I talk to the first thing I do is look to where the SBA is saying, ``How can I be successful?'' which is what is said to do. Part of the SBA's responsibility to due diligence, as the Chairman mentioned a few moments ago, about making it less complicated. That due diligence also goes to the cyber piece. Some of the things they can do is not so much focus on how to investigate these things because that is often times too late for a small business. They are already out of business at that juncture so maybe working with the Internet Association Chiefs of Police and the Crime Prevention Associations to take that good material that they have just passed out to you and make sure that those are provided. For example, if you were to call up your local police department and say, ``I would like you to come to my house and my business and do a crime survey,'' they will come out and do it. Ask them to do that on your computer business and they won't have a clue what to do. The SBA has the expertise, the resources to work with them and provide that as a resource to local business as well as a crime prevention effort. Ms. Bordallo. Thank you very much. Thank you all for the information you provided. Chairman Akin. I just had one or two quick questions. I have got a meeting that started at 4:00 so I am going to have to scoot before long. Just a couple of thoughts. First of all, is there anybody that provides insurance to small businesses to protect them against these kinds of problems? Mr. Schmidt. As a matter of fact there are. When we released the National Strategies to Secure Cyberspace a number of the major organizations, AIG, Chubb, you name them, not only provide data insurance for the data that they protect, fire and damage, all the things relative to that at relatively low cost for small business as well. The policies are there. 
The underwriting capabilities are there and it is just a matter of asking for it from the insurance companies. Chairman Akin. So if I have got a small business, I might normally have, I would think, some sort of insurance on the building if the small business were in a building that I owned. It would be sort of like the equivalent of homeowner's insurance. I might have some liability in case an employee gets in trouble. Would any of those policies typically have insurance that would protect against data security or questions that involve the cyber security in general? Mr. Schmidt. As an addendum, yes. Chairman Akin. You have to add it? It is an extra? Mr. Schmidt. You have to add it. Yes, sir. Chairman Akin. Okay. And then I guess I would think that if somebody is offering me insurance, then they would have an interest in seeing whether or not you have the right software installed to protect yourself, right? Mr. Schmidt. That is correct, yes. Chairman Akin. Okay. Then I guess the second question was in terms of the VARs, they seem to be covering a lot of the sort of small business data processing side of things. Would it make any sense to give them some sort of a rating in terms of whether or not they have taken proper precautions in terms of data security? Mr. Cochetti. Mr. Chairman, I think a program like that would probably make sense. We have pursued programs of sort of VAR certification or best practices, you know, VARs who are proven to be competent. It is a nonregulated, nonlicensed industry so certification of that sort is certainly an attractive idea that we have looked at and we would be more than happy to talk with the SBA or others about sort of how to pursue it but, yes. And since they are just important intermediaries thinking about that is, I think, an important aspect of this. Chairman Akin. 
Some of us would prefer to see it maybe done on an industry basis as opposed to Government basis because we have got more confidence, especially with something that is moving as fast as this is the Government has a terrible track record at being able to move quickly and keep current. Mr. Cochetti. Let me assure you we are 100 percent private sector and when I mention that we have been looking at certification programs for VARs, that would be an entirely private sector certification for VARs. Chairman Akin. Thank you all so much for coming in. Because some of you have come a long way, I want to give you the last word. Is there anybody that has something else they want to add in? We do questions but we do answers as well so anybody who wants to make a comment. [Whereupon, at 4:15 p.m. the Subcommittee was adjourned.] [GRAPHIC] [TIFF OMITTED] T7809.001 [GRAPHIC] [TIFF OMITTED] T7809.002 [GRAPHIC] [TIFF OMITTED] T7809.003 [GRAPHIC] [TIFF OMITTED] T7809.004 [GRAPHIC] [TIFF OMITTED] T7809.005 [GRAPHIC] [TIFF OMITTED] T7809.006 [GRAPHIC] [TIFF OMITTED] T7809.007 [GRAPHIC] [TIFF OMITTED] T7809.008 [GRAPHIC] [TIFF OMITTED] T7809.009 [GRAPHIC] [TIFF OMITTED] T7809.010 [GRAPHIC] [TIFF OMITTED] T7809.011 [GRAPHIC] [TIFF OMITTED] T7809.012 [GRAPHIC] [TIFF OMITTED] T7809.013 [GRAPHIC] [TIFF OMITTED] T7809.014 [GRAPHIC] [TIFF OMITTED] T7809.015 [GRAPHIC] [TIFF OMITTED] T7809.016 [GRAPHIC] [TIFF OMITTED] T7809.017 [GRAPHIC] [TIFF OMITTED] T7809.018 [GRAPHIC] [TIFF OMITTED] T7809.019 [GRAPHIC] [TIFF OMITTED] T7809.020 [GRAPHIC] [TIFF OMITTED] T7809.021 [GRAPHIC] [TIFF OMITTED] T7809.022 [GRAPHIC] [TIFF OMITTED] T7809.023 [GRAPHIC] [TIFF OMITTED] T7809.024 [GRAPHIC] [TIFF OMITTED] T7809.025 [GRAPHIC] [TIFF OMITTED] T7809.026 [GRAPHIC] [TIFF OMITTED] T7809.027 [GRAPHIC] [TIFF OMITTED] T7809.028 [GRAPHIC] [TIFF OMITTED] T7809.029 [GRAPHIC] [TIFF OMITTED] T7809.030 [GRAPHIC] [TIFF OMITTED] T7809.031 [GRAPHIC] [TIFF OMITTED] T7809.032 [GRAPHIC] [TIFF OMITTED] T7809.033 [GRAPHIC] [TIFF 
OMITTED] T7809.034 [GRAPHIC] [TIFF OMITTED] T7809.035 [GRAPHIC] [TIFF OMITTED] T7809.036 [GRAPHIC] [TIFF OMITTED] T7809.037 [GRAPHIC] [TIFF OMITTED] T7809.038 [GRAPHIC] [TIFF OMITTED] T7809.039 [GRAPHIC] [TIFF OMITTED] T7809.040 [GRAPHIC] [TIFF OMITTED] T7809.041 [GRAPHIC] [TIFF OMITTED] T7809.042 [GRAPHIC] [TIFF OMITTED] T7809.043 [GRAPHIC] [TIFF OMITTED] T7809.044 [GRAPHIC] [TIFF OMITTED] T7809.045 [GRAPHIC] [TIFF OMITTED] T7809.046 [GRAPHIC] [TIFF OMITTED] T7809.047 [GRAPHIC] [TIFF OMITTED] T7809.048 [GRAPHIC] [TIFF OMITTED] T7809.049 [GRAPHIC] [TIFF OMITTED] T7809.050 [GRAPHIC] [TIFF OMITTED] T7809.051 [GRAPHIC] [TIFF OMITTED] T7809.052 [GRAPHIC] [TIFF OMITTED] T7809.053 [GRAPHIC] [TIFF OMITTED] T7809.054 [GRAPHIC] [TIFF OMITTED] T7809.055 [GRAPHIC] [TIFF OMITTED] T7809.056 [GRAPHIC] [TIFF OMITTED] T7809.057 [GRAPHIC] [TIFF OMITTED] T7809.058 [GRAPHIC] [TIFF OMITTED] T7809.072 [GRAPHIC] [TIFF OMITTED] T7809.073 [GRAPHIC] [TIFF OMITTED] T7809.074 [GRAPHIC] [TIFF OMITTED] T7809.075 [GRAPHIC] [TIFF OMITTED] T7809.076 [GRAPHIC] [TIFF OMITTED] T7809.077 [GRAPHIC] [TIFF OMITTED] T7809.078 [GRAPHIC] [TIFF OMITTED] T7809.079 [GRAPHIC] [TIFF OMITTED] T7809.080 [GRAPHIC] [TIFF OMITTED] T7809.081 [GRAPHIC] [TIFF OMITTED] T7809.082 [GRAPHIC] [TIFF OMITTED] T7809.059 [GRAPHIC] [TIFF OMITTED] T7809.060 [GRAPHIC] [TIFF OMITTED] T7809.061 [GRAPHIC] [TIFF OMITTED] T7809.062 [GRAPHIC] [TIFF OMITTED] T7809.063 [GRAPHIC] [TIFF OMITTED] T7809.064 [GRAPHIC] [TIFF OMITTED] T7809.065 [GRAPHIC] [TIFF OMITTED] T7809.066 [GRAPHIC] [TIFF OMITTED] T7809.067 [GRAPHIC] [TIFF OMITTED] T7809.068 [GRAPHIC] [TIFF OMITTED] T7809.069 [GRAPHIC] [TIFF OMITTED] T7809.070 [GRAPHIC] [TIFF OMITTED] T7809.071 [GRAPHIC] [TIFF OMITTED] T7809.083 [GRAPHIC] [TIFF OMITTED] T7809.084