[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]



 
        THE STATE OF SMALL BUSINESS SECURITY IN A CYBER ECONOMY
=======================================================================

                                HEARING

                               before the

            SUBCOMMITTEE ON REGULATORY REFORM AND OVERSIGHT

                                 of the

                      COMMITTEE ON SMALL BUSINESS
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION

                               __________

                     WASHINGTON, DC, MARCH 16, 2006

                               __________

                           Serial No. 109-44

                               __________

         Printed for the use of the Committee on Small Business


 Available via the World Wide Web: http://www.access.gpo.gov/congress/house


                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
27-809                      WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001


                      COMMITTEE ON SMALL BUSINESS

                 DONALD A. MANZULLO, Illinois, Chairman

ROSCOE BARTLETT, Maryland, Vice      NYDIA VELAZQUEZ, New York
Chairman                             JUANITA MILLENDER-McDONALD,
SUE KELLY, New York                    California
STEVE CHABOT, Ohio                   TOM UDALL, New Mexico
SAM GRAVES, Missouri                 DANIEL LIPINSKI, Illinois
TODD AKIN, Missouri                  ENI FALEOMAVAEGA, American Samoa
BILL SHUSTER, Pennsylvania           DONNA CHRISTENSEN, Virgin Islands
MARILYN MUSGRAVE, Colorado           DANNY DAVIS, Illinois
JEB BRADLEY, New Hampshire           ED CASE, Hawaii
STEVE KING, Iowa                     MADELEINE BORDALLO, Guam
THADDEUS McCOTTER, Michigan          RAUL GRIJALVA, Arizona
RIC KELLER, Florida                  MICHAEL MICHAUD, Maine
TED POE, Texas                       LINDA SANCHEZ, California
MICHAEL SODREL, Indiana              JOHN BARROW, Georgia
JEFF FORTENBERRY, Nebraska           MELISSA BEAN, Illinois
MICHAEL FITZPATRICK, Pennsylvania    GWEN MOORE, Wisconsin
LYNN WESTMORELAND, Georgia
LOUIE GOHMERT, Texas

                  J. Matthew Szymanski, Chief of Staff

          Phil Eskeland, Deputy Chief of Staff/Policy Director

                  Michael Day, Minority Staff Director

            SUBCOMMITTEE ON REGULATORY REFORM AND OVERSIGHT

W. TODD AKIN, Missouri Chairman      MADELEINE BORDALLO, Guam
MICHAEL SODREL, Indiana              ENI F. H. FALEOMAVAEGA, American 
LYNN WESTMORELAND, Georgia           Samoa
LOUIE GOHMERT, Texas                 DONNA CHRISTENSEN, Virgin Islands
SUE KELLY, New York                  ED CASE, Hawaii
STEVE KING, Iowa                     LINDA SANCHEZ, California
TED POE, Texas                       GWEN MOORE, Wisconsin

               Christopher Szymanski, Professional Staff

                                  (ii)


                            C O N T E N T S

                              ----------                              

                               Witnesses

                                                                   Page
Furlani, Ms. Cita M., Acting Director, Information Technology 
  Laboratory, National Institute of Standards and Technology.....     3
Parnes, Ms. Lydia, Director of Bureau of Consumer Protection, 
  Federal Trade Commission.......................................     5
Johnson, Mr. Larry D., Special Agent in Charge, Criminal 
  Investigative Division, U.S. Secret Service....................     7
Martinez, Mr. Steven M., Deputy Assistant Director Cyber 
  Division, Federal Bureau of Investigations.....................     9
Schwartz, Mr. Ari, Deputy Director, Center for Democracy and 
  Technology.....................................................    17
Salem, Mr. Enrique, Senior Vice President, Security Products & 
  Solutions, Symantec Corporation................................    18
Kaliski, Dr. Burton S., Jr., Vice President of Research, RSA 
  Security, Chief Scientist, RSA Laboratories....................    20
Cochetti, Mr. Roger, Group Director--U.S. Public Policy, 
  Computing Technology Industry Association......................    22
Schmidt, Mr. Howard, President & CEO, R & H Security Consulting, 
  LLC............................................................    24

                                Appendix

Opening statements:
    Akin, Hon. W. Todd...........................................    34
Prepared statements:
    Furlani, Ms. Cita M., Acting Director, Information Technology 
      Laboratory, National Institute of Standards and Technology.    35
    Parnes, Ms. Lydia, Director of Bureau of Consumer Protection, 
      Federal Trade Commission...................................    42
    Johnson, Mr. Larry D., Special Agent in Charge, Criminal 
      Investigative Division, U.S. Secret Service................    59
    Martinez, Mr. Steven M., Deputy Assistant Director Cyber 
      Division, Federal Bureau of Investigations.................    64
    Schwartz, Mr. Ari, Deputy Director, Center for Democracy and 
      Technology.................................................    68
    Salem, Mr. Enrique, Senior Vice President, Security Products 
      & Solutions, Symantec Corporation..........................    75
    Kaliski, Dr. Burton S., Jr., Vice President of Research, RSA 
      Security, Chief Scientist, RSA Laboratories................    80
    Cochetti, Mr. Roger, Group Director--U.S. Public Policy, 
      Computing Technology Industry Association..................    92
    Schmidt, Mr. Howard, President & CEO, R & H Security 
      Consulting, LLC............................................   103
Additional Material:
    National Small Business Association 2006 Malware Survey......   116

                                 (iii)
      



        THE STATE OF SMALL BUSINESS SECURITY IN A CYBER ECONOMY

                              ----------                              


                        THURSDAY, MARCH 16, 2006

                   House of Representatives
    Subcommittee on Regulatory Reform and Oversight
                                Committee on Small Business
                                                     Washington, DC
    The Subcommittee met, pursuant to call, at 2:00 p.m. in 
Room 2360 Rayburn House Office Building, Hon. W. Todd Akin 
[Chairman of the Subcommittee] presiding.
    Present: Representatives Akin, Kelly, Bordallo.
    Chairman Akin. The hearing will come to order. Good 
afternoon and welcome everybody to today's hearing, ``The State 
of Small Business Security in a Cyber Economy.'' I want to 
especially thank those witnesses who have traveled long 
distances to participate at this important hearing.
    Today this Subcommittee seeks to better understand the 
impact small business cyber security has on the well-being of 
the economy. This Subcommittee also seeks to determine the 
types of threats that small businesses encounter on a daily 
basis. According to the Small Business Technology Institute 
Report released in July 2005:
    ``If small businesses are not made fully aware of the 
economic impact of information security incidents, they will 
continue to under-invest in information security protection, 
and their exposure will continue to increase as their 
infrastructures become more complex. This increasing individual 
exposure, when aggregated across the many millions of small 
businesses in the U.S., supporting more than half of the 
Nation's GDP, represents an extremely high and worsening point 
of exposure for the U.S. economy as a whole.''
    Businesses do not have to sell their products online to be 
at risk of a security breach. They are exposed simply by being 
connected to the internet. The Government and large firms have 
dedicated information technology professionals who protect 
their electronic infrastructure.
    Small businesses seldom have either dedicated IT 
professionals or the resources necessary to provide adequate 
levels of protection. I look forward to hearing the testimony 
of your witnesses to learn more of what we can do to protect 
small business from cyber security threats. I now yield to the 
gentlelady from Guam, Madame Bordallo.
    [Chairman Akin's opening statement may be found in the 
appendix.]
    Ms. Bordallo. Thank you very much, Mr. Chairman. Before I 
begin my opening remarks, I would like to recognize a very 
young witness in our audience today and that is Mr. Andrew 
Cochetti. He is here on an assignment with his social studies 
class. Welcome, Andrew. He is the son of Roger.
    Internet and telecommunication technologies have a profound 
impact on our daily lives. They have changed how we communicate 
with friends and family and how we interact with our 
Government.
    America's 23 million small businesses are some of the 
savviest users of telecommunication technology using the 
internet to access new markets to grow and to diversify. In 
fact, American small businesses have a strong record of being 
the driving forces behind further technological innovation and 
the development of innovative business models that we now take 
for granted.
    Along with being connected comes being exposed to new 
threats. The risks associated with turning more of our lives 
and business into digital 1's and 0's and bursts of light over 
fiber optic cables are significant and require vigilant 
management. A single individual can design computer viruses 
that can be spread across continents in milliseconds.
    Identity theft compromises credit records, businesses and, 
sadly, lives. Destructive computer viruses and other malicious 
Internet activities pose severe problems for small business 
owners that are not prepared to mitigate this kind of a risk. 
This exposure can even result in thousands of hard-earned 
revenues being lost.
    An FBI-conducted survey of computer related crimes 
including viruses, spyware, and theft revealed that a total of 
nearly $70 billion in 2005 alone was lost with companies 
incurring an average of $24,000 in losses. Losses like this are 
make or break for some businesses, and sadly some small 
companies and computer users fail to recognize the benefit of 
cyber risk mitigation as an investment until it is too late.
    The Federal Trade Commission, the FBI, the Secret Service, 
and the National Institute of Standards and Technology have all 
embarked on efforts to offer federal programs designed to 
educate the public on computer security. In fact, federal cyber 
security spending has increased from $5.6 billion in 2004 to 
more than $6 billion in 2007 and is expected to hit $7 billion 
by 2009.
    I am concerned that despite the rise in cyber attacks over 
the past few years and the growing impact they have had on 
small businesses in America, the Small Business Administration, 
the sole agency charged with aiding America's entrepreneurs, 
does not have updated internet security information readily 
accessible on its website.
    Like all of us, small firms are exposed to cyber attacks 
and vulnerable to their malicious effects. Today's hearing will 
give us an opportunity to review whether the increases in 
federal investment, both human and financial resources, have 
had or can have an impact on small firms' ability to mitigate 
their cyber risk.
    The testimony that we hear today I hope will both help us 
to better understand what role the Congress and the Federal 
Government can play in educating the American public and the 
business community to the risks that they face from cyber 
crimes and what recommendations Congress can act on to protect 
Americans and their businesses from this growing threat. I 
thank you, Mr. Chairman.
    Chairman Akin. Thank you for the opening statement. Also, I 
would like to recognize another one of our colleagues, Sue 
Kelly, who also comes from a very businesslike area, New York. 
If you would like to make an opening statement. I understand 
you have a vote pending in another committee and may join us 
later. You are welcome to proceed.
    Ms. Kelly. I thank you very much. I represent the New York 
Hudson Valley and I have been meeting recently with a number of 
small businesses in the Hudson Valley and this issue of cyber 
security and cyber economy is very high on their list. I must 
add that we create the IBM computers in the Hudson Valley in 
the district I represent. We also have the research labs for 
not only Phillips Electronics but IBM. This is a highly 
sophisticated group of people in the Hudson Valley and yet my 
small businesses in that area are worried even though they have 
access to highly sophisticated people who are actually building 
some of the systems so it is extremely important that you are 
here today. This is an issue of extreme importance for our 
small businesses in this nation and I look forward to your 
testimony. I do have a vote in another committee. I will have 
to go but I intend to come back to keep listening to what you 
have to say. Thank you very much.
    Chairman Akin. Thank you. We have got a little bit of a 
challenge for the Chairman today. Aside from running a little 
late from too many meetings, I usually like to keep things 
running on time but we have got a double panel so this is a 
double header today. Those of you who need your cups of coffee 
need to be forewarned.
    Our first panel, as you can see, there are four people that 
have joined us here. It is really a Government panel and the 
first witness is Cita Furlani. Did I get that pretty close, 
Cita? You are the Acting Director of Information Technology 
Laboratory from the National Institute of Standards and 
Technology from Gaithersburg, Maryland. Is that correct?
    Ms. Furlani. Correct.
    Chairman Akin. We have the right person. What we are going 
to do is take five-minute statements. I would prefer to take a 
five-minute statement from each of you and then open up with 
some questions afterwards if that is okay. I think probably 
some of you are pros in here. You know the little light in red 
means that somebody is going to throw the hammer at you. Keep 
it within five if we could, please.
    You can submit written statements for the record if you 
would like. I think most of us would prefer to hear you talk to 
us about what you think are the most important things you can 
communicate in five minutes. Thank you very much. Proceed, 
Cita.

STATEMENT OF CITA FURLANI, NATIONAL INSTITUTE OF STANDARDS AND 
                           TECHNOLOGY

    Ms. Furlani. Thank you. I appreciate this opportunity to be 
here today. We recognize that small businesses play an 
important role in the U.S. economy. Since use of the Internet 
is critical in the delivery of goods and services for all 
businesses, the importance of addressing risks associated with 
doing business in a cyber environment cannot be overstated. 
Today I will focus my testimony on NIST's cyber security 
programs, the National Institute of Standards and Technology, 
and our programs and activities that can assist small 
businesses.
    NIST has long worked effectively with industry and federal 
agencies to help protect the confidentiality, integrity, and 
availability of information systems. Ensuring that business-
related information is secure is essential to the functioning 
of our economy and indeed to our democracy. Our broader work in 
the areas of information security, trusted networks, and 
software quality is applicable to a wide variety of users, from 
small and medium enterprises to large private and public 
organizations including agencies of the federal government.
    Since small businesses are nearly 99 percent of all U.S. 
businesses, a vulnerability common to a large percentage of 
these organizations could indeed pose a significant threat to 
the Nation's economy and overall security. In the 
interconnected environment in which we all operate, it is vital 
that this important sector of our economy be aware of the risks 
and take appropriate steps to ensure their systems are secure.
    Under the Federal Information Security Management Act 
(FISMA), NIST was assigned the responsibility to develop IT 
standards and guidelines to secure federal systems. While 
targeted primarily toward federal agencies, these security 
standards and guidelines are also used widely by other 
organizations including small businesses.
    These documents are available on our web-based Computer 
Security Resource Center. I brought two or three of them today 
to show that they really do exist but they can be downloaded. 
The website provides a wide range of security materials and 
information and has over 20 million hits annually.
    In 2002 NIST partnered with the Small Business 
Administration and the Federal Bureau of Investigation's 
InfraGard program to sponsor computer security workshops and 
provide online support for small businesses. We have developed 
a small business outreach site where small businesses may find 
information on local workshops.
    NIST also is raising the awareness of the importance of 
cyber security among small manufacturers. The NIST Hollings 
Manufacturing Extension Partnership was created to improve the 
competitiveness of America's smaller manufacturers and now 
provides the eScan Security Assessment. This diagnostic tool 
was designed specifically for small businesses to determine how 
well their IT systems are protected against failure or 
intrusion.
    NIST with support from the Department of Homeland Security 
recently developed the National Vulnerability Database that 
integrates all publicly available U.S. Government computer 
vulnerability resources and provides references to industry 
resources. It contains information on almost 16,000 
vulnerabilities and is also available on our website.
    Small business, indeed all organizations, rely on the 
software used on their information system. We continue to work 
with industry to improve the security and reliability of 
software. For example, we develop standards and test suites for 
interoperable, robust, quality web applications and products. 
We conduct research to improve the quality of software 
including software trustworthiness.
    NIST works with industry and other Government agencies in 
research to improve the interoperability, scalability, and 
performance of new Internet security systems, to expedite the 
development of Internet infrastructure protection technologies, 
and to protect the core infrastructure of the Internet.
    Meeting the challenge of securing our nation's IT 
infrastructure demands a greater emphasis on the development of 
security-related metrics, models, datasets, and testbeds so 
that new products and best practices can be evaluated. The 
President's FY '07 proposed budget will support NIST's 
collaborations with industry and academia to develop the 
necessary metrics and measurement techniques to provide an 
assessment of overall system vulnerability.
    In summary, Mr. Chairman, the IT security challenge facing 
small businesses is indeed great. Systems managed by small 
businesses are part of a large, interconnected community enabled 
by extensive networks and increased computing power. Certainly, 
there is great potential for malicious activity against non-
secured or poorly secured systems or for accidental 
unauthorized disclosure of sensitive information or breach of 
privacy.
    We believe the programs and activities described today in 
this testimony demonstrate our commitment to a more effective 
national cyber security environment as we assist small 
enterprises in protecting their assets.
    Detailed information can be found in my written testimony 
which I hope you will add to the meeting minutes.
    Chairman Akin. Without objection.
    Ms. Furlani. Thank you, Mr. Chairman, for the opportunity 
to present NIST's views regarding security challenges facing 
small businesses. I will be pleased to answer any questions.
    [Ms. Furlani's testimony may be found in the appendix.]
    Chairman Akin. Thank you, Cita.
    Next is Lydia Parnes. Did I get the last name right?
    Ms. Parnes. It is Parnes.
    Chairman Akin. Parnes. Excuse me. Parnes. Director of the 
Bureau of Consumer Protection, Federal Trade Commission, 
Washington, D.C. You didn't have to travel too far.
    Ms. Parnes. No, I didn't. Just down the block.
    Chairman Akin. Thank you, Lydia. Same thing, five minutes, 
please.
    Ms. Parnes. Thank you.

      STATEMENT OF LYDIA PARNES, FEDERAL TRADE COMMISSION

    Ms. Parnes. Mr. Chairman and members of the Subcommittee, I 
appreciate the opportunity to appear before you today to 
discuss the challenges consumers and small businesses face in 
protecting their computer systems, as well as the Commission's 
efforts to promote a culture of security among all Internet 
users.
    The views in my written testimony are those of the 
Commission. My oral remarks and responses to questions 
represent my own views and not necessarily those of the 
Commission or any individual Commissioner.
    For more than a decade protecting the privacy of American 
consumers has been a top FTC priority. The explosive growth of 
the Internet and the development of sophisticated computer 
systems have made it easier than ever for companies to gather 
and use information about their customers.
    Small businesses once limited to consumers walking into 
their stores on main street now reach consumers across the 
globe and complete transactions entirely online. These 
information systems provide enormous benefits. At the same time 
they can have serious vulnerabilities that threaten the 
security of information stored in them.
    Securing these systems against an ever changing array of 
threats is challenging, particularly for small businesses. For 
several years the FTC has engaged in a broad outreach campaign 
to educate businesses and consumers about information security 
and the precautions they can take to protect or minimize risks 
to personal information.
    Last September the FTC unveiled a cyber security campaign 
called OnGuard Online. Our campaign is built around seven 
online safety tips presented in modules with information on 
specific topics such as phishing, spyware, and spam. Each 
module includes articles, videos, and engaging interactive 
quizzes in English and in Spanish. Numerous firms including 
many small businesses are now using OnGuard Online materials in 
their own security training programs.
    The FTC created OnGuard Online with consumers in mind but 
it is a valuable tool for small businesses as well. In many 
ways computer users and small firms are like home users. They 
employ similar applications to participate in e-commerce, send 
e-mail, build spreadsheets, and create presentations. And, as 
in the typical household, often there is no information 
technology professional on site.
    Unlike most consumer users, however, small businesses may 
maintain records on hundreds, if not thousands of consumers 
making their computers especially attractive to information 
thieves. If consumers are to have confidence in our information 
economy, it is essential that these records be adequately 
protected.
    The Commission recognizes that the key to developing an 
effective cyber security program is flexibility. The Commission 
Safeguards Rule, for example, requires covered financial 
institutions to develop written information security plans. The 
rule gives each company the flexibility to develop a plan that 
takes into account its size and complexity, the nature and 
scope of its activities, and the sensitivity of the consumer 
information it handles.
    The Commission follows a similar flexible approach to its 
enforcement actions under Section 5 of the FTC Act. To date we 
have brought 12 data security cases enforcing the FTC Act and 
the Safeguards Rule.
    The Commission also recently issued the Disposal Rule which 
requires all users of credit reports to dispose of them 
properly and not, for example, by leaving them lying in a 
dumpster available to identity thieves. Like the Safeguards 
Rule the Disposal Rule contains a flexible standard, reasonable 
measures to protect against unauthorized access to the 
information being disposed of.
    Safeguarding customer information is not just the law. It 
also makes good business sense. When small businesses show that 
they care about the security of customers' personal 
information, they increase their customers' confidence in the 
company. In order to help businesses of all sizes comply with 
both the Safeguards and Disposal Rules the FTC has issued 
business education materials which are available on our 
website.
    Providing adequate security for consumer information 
presents challenges for everyone in the global information 
based economy. The Commission recognizes that this can be 
particularly challenging for small businesses. The Commission 
is committed to continuing its work promoting security 
awareness and sound information practices through education, 
enforcement, and international cooperation.
    I appreciate the opportunity to testify today and look 
forward to the Committee's questions. Thank you.
    Chairman Akin. Thank you, Lydia. Right on time. Next 
witness is Larry Johnson, Special Agent in Charge of Criminal 
Investigative Division, United States Secret Service, 
Washington, D.C. Larry, thank you.
    [Ms. Parnes' testimony may be found in the appendix.]

        STATEMENT OF LARRY JOHNSON, U.S. SECRET SERVICE

    Mr. Johnson. Good afternoon, Mr. Chairman. The Secret 
Service was established in 1865 to protect our fledgling 
financial infrastructure through the investigation of 
counterfeiting and counterfeit currency. The Secret Service has 
adapted its investigative methodologies to accommodate the 
increasingly sophisticated systems we protect.
    With the passage of federal laws in 1984, the Secret 
Service was provided the statutory authority to investigate a 
wide range of financial crimes to include false identification, 
18 U.S.C. 1028, access device fraud, 18 U.S.C. 1029, and 
computer fraud, 1030.
    These three statutes encompass the core violations that 
constitute the technology-based identity crimes that affect 
small businesses every day. Over the last two decades the 
Secret Service has conducted more than 733,000 financial fraud 
and identity theft investigations involving these statutes 
mostly involving small businesses.
    Additionally, the Secret Service and the Computer Emergency 
Response Team, CERT, located in Carnegie Mellon University, 
collaborated on a project called the Insider Threat Study which 
was a behavioral and technical analysis of computer intrusions 
by organization insiders in various critical infrastructure 
sectors.
    The Insider Threat Study provided insight to both the 
activities of the insiders and the vulnerabilities which they 
exploited. The results of this study are available on the 
Secret Service public website.
    In 1995 in response to the ever-increasing tide of 
electronic crimes, the Secret Service developed a highly 
effective formula for combating high-tech crime. It was the 
Electronic Crime Task Forces, ECTF. They are an information-
sharing conduit where state, local, and federal law 
enforcement, private industry, and financial sector, academia 
work together in a collaborative crime-fighting environment. 
Participation includes every major federal, state, and local 
law enforcement agency in the region.
    In 2001 the USA PATRIOT Act authorized the Secret Service 
to ``develop a nationwide network of electronic crime task 
forces based on the New York Electronic Crimes Task Force model 
throughout the United States for the purpose of preventing, 
detecting, and investigating various forms of electronic 
crimes, including potential terrorist attacks against critical 
infrastructure and financial payment systems.''
    The Secret Service has since launched 15 ECTFs based upon 
the New York model. We also have nine electronic crimes task 
force working groups and 24 financial crime task forces. In 
2005 the Secret Service also established the Criminal 
Intelligence Section. This Criminal Intelligence Section 
provided coordination and oversight to every significant cyber 
case with international ties in 2003 and 2004.
    During this case Secret Service agents uncovered 
significant vulnerabilities within the computer systems of a 
number of Fortune 500 companies and their smaller company 
counterparts without alarming the public quietly notifying each 
of these companies of their findings, thus preventing an 
estimated $53 million in losses.
    Estimated exposure to the U.S. financial institutions based 
on this case were nearly $1 billion. The success of this 
undercover operation led to the establishment of numerous other 
online undercover operations which are currently ongoing today. 
The Secret Service is convinced that building trusted 
partnerships with the private sector, and specifically small 
business in an effort to educate the public on how they can 
reduce the threats of data breaches and improve their system 
security is the model for combating electronic crimes in the 
information age.
    Though a large percentage of the private sector breaches to 
which the Secret Service provides investigative assistance and 
support are large data brokers, corporations or financial 
institutions, we do not differentiate based upon the size of 
the victim or the amount of potential loss. We are equally 
concerned with compromises being experienced by small companies 
or independent service organizations or ISOs, and will respond 
with the appropriately trained personnel when notified of a 
suspected compromise. This is why we believe so strongly in a 
proactive educational platform as a preventative measure. 
Bottom line, if you are victimized, we will respond.
    Through the use of company best practices you can reduce 
the risk of Internet crime. Some actions we recommend to small 
and large businesses alike include establishing internal 
policies and communicating them to your customers, providing a 
method for customers to confirm the authenticity of their e-
mails, and employing stronger authentication methods at websites using 
information other than Social Security numbers. If Social 
Security numbers aren't solicited on websites, this information 
will not be at risk. Also, monitor the Internet for phishing 
websites that spoof your company's legitimate sites.
    Chairman Akin. Larry, I need to stop you. You are way over 
here and we have got votes going on right now so I am going to 
try and quickly slip you in, Steve, if we could. Then I think I 
am going to let Ms. Bordallo ask some questions. I am going to 
be gone close to half an hour voting and we will resume 
following that.
    [Mr. Johnson's testimony may be found in the appendix.]

 STATEMENT OF STEVEN MARTINEZ, FEDERAL BUREAU OF INVESTIGATION

    Mr. Martinez. Thank you. Good afternoon, Chairman Akin, 
Ranking Member Bordallo, and members of the Committee. I want 
to thank you for this opportunity to testify before you today 
about Small Business Cyber-Security Issues.
    As retail business moves to the world of e-commerce, cyber 
crime will follow. In 2000 e-commerce accounted for 1 percent 
of all retail sales. Today it accounts for 2.4 percent of all 
sales. This upward trend will undoubtedly continue. Adding to 
this the revenue generated by non-retail Internet businesses, 
such as media and entertainment, e-commerce will soon dominate 
all commercial activity worldwide. The FBI is committed to 
investigating threats at all levels against this major force in 
our economy.
    Small business forms a vital link in the overall security 
of the Internet. First, small business accounts for a 
significant portion of the retail business occurring on the 
Internet. Many online businesses and e-retailers are small 
businesses, many small businesses are customers of online 
businesses, and still other small businesses support the IT and 
Internet operations of large businesses and the government. 
Second, the integrity of Internet-connected small business 
systems has an impact on security of the Internet as a whole.
    The FBI has recognized that the best way to combat the 
growing threat of cyber crime is to form a partnership with 
businesses and industries that rely on the Internet for their 
success. By teaming up with the private sector the FBI is able 
to find out what issues affect business and what problems are 
causing the most harm. This has allowed us to focus our efforts 
on the major problems affecting the Internet.
    Further, through our outreach and information-sharing 
initiatives we are able to share our experiences with the 
business community so that they can better protect and defend 
themselves against new and evolving cyber threats. The 
education of small businesses about the scope and nature of 
cyber threats is an important first step in protecting those 
businesses.
    The FBI has two initiatives focused on building a 
partnership with business: The National Cyber-Forensics and 
Training Alliance (NCFTA) and InfraGard. The NCFTA is a first-
of-its-kind public-private alliance located in Pittsburgh, PA. 
At the NCFTA members of law enforcement work side-by-side with 
representatives from business on addressing the latest and most 
significant cyber threats. Through this collaboration the FBI 
has been able to identify and prosecute some of the most 
serious cyber criminals including those who distribute computer 
viruses, operate large networks of compromised computers (known 
as botnets), and perpetrate fraud schemes such as phishing 
scams. The NCFTA is strategically located near Carnegie Mellon 
University's Computer Emergency Response Team/Coordination 
Center (CERT/CC) and is also within driving distance of the 
FBI's Internet Crime Complaint Center (IC3).
    As an example on how we address cyber complaints, the NCFTA 
was recently contacted by a small bank in New Jersey. The bank 
was the victim of a phishing attack. In this type of attack the 
criminal creates a fake website that is identical to the real 
bank site and uses the fake site to steal credit card and other 
identity information from the bank's customers.
    With the victim bank to help them, the NCFTA traced the 
attack to its source and identified what measures they could 
take to mitigate the effects of this attack. With the help of 
the NCFTA, the bank was able to send ``cease and desist'' 
letters to the Internet service providers hosting the fake 
sites in order to have the sites shut down.
    InfraGard is an alliance between the FBI and the public 
whose mission is to prevent attacks, both physical and 
electronic, against critical infrastructure including, but not 
limited to banks, hospitals, telecommunications systems and the 
Internet. InfraGard has over 14,800 private sector members 
spread across 84 local chapters throughout the United States. 
These private sector partners represent the full spectrum of 
infrastructure experts in their local communities.
    FBI Agents assigned to each chapter bring meaningful news 
and information to the table such as threat alerts and 
warnings, vulnerabilities, investigative updates, overall 
threat assessments and case studies. The FBI's private sector 
partners, who own and operate some 85 percent of the nation's 
critical infrastructures, share expertise, strategies, and most 
importantly information and leads that help the FBI track down 
criminals and terrorists.
    The Internet Crime Complaint Center, IC3, is a joint 
initiative between the FBI and the National White Collar Crime 
Center (NW3C). Located in West Virginia, a short distance from 
the NCFTA facility in Pittsburgh, the IC3 serves as a clearing 
house for cyber crime incidents reported by both individuals 
and business.
    The IC3 receives, on average, 25,000 reports of cyber crime 
incidents each month. By analyzing these complaints for 
commonalities and trends the IC3 is able to develop cases that 
have a national impact. These cases are then referred to local, 
state, or federal law enforcement agencies for investigation. 
As with the NCFTA, the IC3 also focuses on partnerships with 
business as the most efficient and effective way to combat 
cyber crime.
    In 2002 the IC3 began an initiative to help online retailers 
combat fraud from re-shipping scams. The initiative known as 
Retailers and Law Enforcement Against Fraud (RELEAF) brought 
together teams of analysts at the IC3 and e-commerce businesses 
to identify fraudulent online purchases which were being shipped 
by domestic re-shippers to destinations overseas.
    In one 30-day period, the RELEAF initiative resulted in 17 
arrests, 14 controlled deliveries, the recovery of $340,000 in 
stolen merchandise, and the recovery of over $115,000 in 
counterfeit cashier's checks.
    Chairman Akin. Steve, you are about out of time.
    Mr. Martinez. Okay. Thank you. I would be happy to answer 
any other questions about our initiatives.
    [Mr. Martinez's testimony may be found in the appendix.]
    Chairman Akin. Thank you. Because of the vote being called, 
I am going to have to scoot out. I would like to start by 
asking a question. I do have some staff here that can take a 
few notes. I guess the first thing that I am interested in, and 
all of you are immersed in this whole situation on a day-to-day 
basis, we just touch on it and run to lots of other things.
    I would like to know your assessment of how big a problem 
we have, first of all, and how do you measure that. Then the 
second thing is within the scope of where we have a problem, do 
those things tend to cluster in certain areas? Are there a 
couple of certain particular places such as identity theft or 
something where that is the majority of what we are concerned 
with. So I am interested in scoping the problem and getting a 
little bit of a sense as to what categories those things are 
in. If you could answer that.
    Then I am going to turn the chair over to Ms. Bordallo. I 
have got probably about half an hour of voting or so so I would 
expect you will adjourn and we will call a second panel at that 
time. Thank you very much.
    Ms. Bordallo. Thank you very much, Mr. Chairman. Since I 
represent the territory of Guam we don't vote on the floor. 
That is one thing I wish we could but the territories do not 
have that privilege. We vote in committee but not on the floor.
    I think we will take the two questions that the Chairman 
presented and we will begin with Mr. Larry Johnson. What would 
your answer be to those two concerns that he has?
    Mr. Johnson. What the Secret Service has seen a large 
percentage of the time is that attacks on businesses, whether 
small or large, are typically for financial gain. What we have 
also seen is identity theft being a component of not only 
assuming someone's identity through intrusions, social 
engineering and other methods. That is very prevalent of the 
major attack.
    However, a recent trend is that if you can bypass the 
identity theft and go right to an institution that stores 
financial data. We have seen that now more common than ever 
that if you can bypass the identity theft and steal credit card 
numbers and other financial data, account takeovers. We have 
seen an alarming rate of account takeovers, specifically 
retirement accounts because that is where the largest amount of 
money people usually have.
    Ms. Bordallo. So you would consider that the biggest 
problem?
    Mr. Johnson. Yes.
    Ms. Bordallo. All right. Next would be Mr. Steven Martinez. 
Can you answer the question that the Chairman presented?
    Mr. Martinez. Sure. I think what we are seeing in the FBI 
is we are looking at cyber crime across the entire spectrum is 
a convergence of the hackers on the one side that we used to 
see as kind of stovepiped in doing their own thing for bragging 
rights and that type of thing, and the cyber frauders on the 
other.
    They are now meeting in the middle. They are now leveraging 
each other's knowledge and it is all for profit just like Mr. 
Johnson mentioned. That is really a change that we have seen 
over the last couple of years and it is being facilitated by 
automation in the way that these hacks are conducted.
    I mentioned botnets in my testimony. They give a standoff 
capability to cyber fraudsters and hackers where they can 
perpetrate frauds against Americans from anywhere in the world. 
It provides an additional challenge for us because we really 
have to have an international scope, international reach, in 
order to address these things.
    But, on the other hand, small businesses have a huge part 
to play in this. I briefed on a very successful case targeting 
a botnet that was brought to us by a relatively small business 
in the Los Angeles area. This case was expanded and we 
determined that it impacted on large ISPs across the nation but 
the nexus of this was an attack on a small business and they 
brought that information forward. Outreach is an important part 
of this because there are some disincentives to reporting that 
you have been attacked and have a problem. It might put you at 
a competitive disadvantage. We are working very, very hard on 
outreach in order to get the information in. As far as the 
scope goes, our best estimate is we probably only see maybe a 
quarter at best of the reporting that we would hope to get as 
far as the nature of the problem. There are a lot of reasons 
for that. Again, there are some financial disincentives for 
bringing that information forward. As businesses small and 
large get used to the fact that the FBI and law enforcement 
agencies know how to work these investigations without 
disrupting their operations, I think we can create more good 
will and get more of the reporting we need to address the 
problem better.
    Ms. Bordallo. Thank you. Thank you. Now Lydia Parnes. What 
do you feel is the biggest problem facing you?
    Ms. Parnes. Well, the Commission really looks at this issue 
from the perspective of information security across the Board. 
I think it would be difficult for us to kind of single out how 
big the problem is for small businesses but we know that 
information security is a major issue. The issue that we have a 
particular focus on is identity theft.
    The Commission is charged with maintaining an ID theft 
clearing house and so we get the consumer complaints and the 
inquiries from consumers who have been subjected to identity 
theft. I think ultimately that is the real concern about 
information security. We want to promote a culture of security 
and we want to do it because when security is lacking, identity 
theft can be the result with all of the resulting injury.
    Ms. Bordallo. Thank you. Cita Furlani.
    Ms. Furlani. Thank you. I think there are a few more 
aspects that should be considered. One I mentioned was just the 
sheer complexity of how you provide security. There are too 
many ways that things can be breached. The things that I think 
small businesses and any other business need to consider is 
that they are frequently partnering with others. They need to 
have some way of determining whether their partners are 
maintaining secure environments. They frequently outsource and 
are provided some kind of software or supporting structure by 
other businesses and how do they measure that whether they are 
meeting the same level of requirements that they have set 
in-house.
    The whole aspect of an always-on Internet, always able to 
be on and connected adds a complexity of understanding of how 
you provide the firewalls and the patches. Everything that has 
to be done is a difficult problem.
    Ms. Bordallo. Thank you very much. Now for my round of 
questions. I have one for Mr. Johnson first. I was particularly 
interested in a point you made near the end of your prepared 
testimony that Secret Service Electronic Crime Special Agent 
Program Officers are committed to taking preventative action to 
guard industry from crime in addition to their responsibilities 
to investigate following a crime. I would encourage the Secret 
Service to review ways in which its technical expertise can be 
shared with SBA client firms. What existing partnerships, Mr. 
Johnson, does the Secret Service have with SBA on cyber 
security?
    Mr. Johnson. With the Electronic Crime Special Agent 
Program, I'll just address that first. That is a training 
situation that the Secret Service has probably been involved in 
in the last couple years. We train our agents in three levels 
of cyber investigators. First, the No. 1 level is the forensic 
investigator that actually looks at the hard drives and 
determines the vulnerabilities based on the electronic 
evidence.
    The middle level of cyber investigator is the network 
intrusion expert who is very involved and has extensive 
training in network intrusions. Then that lowest level is the 
basic cyber investigator training program where we try to have 
all of our special agents go through this type of training. 
Obviously they cycle into other assignments but eventually in 
the next couple of years we hope to have all special agents in 
the Secret Service trained as cyber investigators.
    As far as the affiliations of small businesses and large 
businesses, we have numerous members to our Electronic Crimes 
Task Forces and they are located, like my testimony indicated, 
throughout the United States. That's where the sharing of the 
information is from one small company to another and they 
basically talk about what is the security concern of the day. 
What keeps their CEO up at night.
    These discussions a lot of times bring out a lot of 
information that they would not otherwise talk about what was 
previously not spoken about because I don't want to admit to 
you my vulnerabilities. Now we have gotten companies both large 
and small to talk about what their security problems are and we 
think that has been beneficial.
    Ms. Bordallo. So what you are telling me then about these 
programs, the various programs that you explained, you are 
partnering with the SBA? Is that what you're telling me or 
thinking about it?
    Mr. Johnson. Well, I probably have to get back to you on 
whether or not specifically we have a partnership or an MOU. I 
believe they are members of one or more than one of our task 
force but I can let you know for sure.
    Ms. Bordallo. I think that is the basis of my question. I 
think it is important that we partner.
    Mr. Johnson. Okay.
    Ms. Bordallo. All right. The next question I have is for 
Mr. Martinez. I am concerned, Mr. Martinez, that after 
reviewing the SBA website this morning I was unable to find any 
information on it regarding cyber crime and small business or 
information on how small businesses can contact law enforcement 
in the event of a suspected cyber crime.
    I wonder whether a small business owner or an entrepreneur 
knows that it should consider contacting the FBI regarding 
potential cyber crime. Has the FBI ever done any coordination 
with the SBA to educate small companies on cyber security 
issues? What kinds of outreach and training programs does your 
agency have for small business or would such a program need to 
be developed?
    Mr. Martinez. Well, the FBI does have a formal arrangement 
with the SBA through a memorandum of understanding to provide 
support leveraging our InfraGard program and the membership to 
assist with a series of very specifically targeted cyber 
security is good business. That is what these training sessions 
are called that target small businesses specifically across the 
country.
    In fact, recently there have been, or will be sessions in 
places from San Diego, California, Sioux Falls, Minneapolis, 
Casper, Wyoming, places where you might likely find smaller 
businesses. Again, this is an effort to leverage what we have 
built with InfraGard, provide both access to the membership 
because a lot of the best information is held in the private 
sector, but also to provide subject matter experts within the 
FBI, investigators, whatever the case may be, to participate in 
these training sessions if need be.
    Ms. Bordallo. I certainly think that both the FBI and the 
Secret Service these are partnerships and I think they should 
be included on the website, the SBA website. We don't find 
anything and I think this would be extremely helpful if you 
could work with them and see that this be included.
    I have a question for Ms. Furlani. What are the two most 
important lessons you teach small business owners on computer 
security?
    Ms. Furlani. Vigilance. How to determine whether they are--
we provide checklists and ways to understand the issue and what 
they need to do. Frequently they have the kinds of people that 
can understand what needs to be done but it is a matter of 
resources, how much time can be spent. We try to find simpler 
ways to describe what can be done and give them checklists that 
they can go down and determine whether all the various patches 
have been done and the intrusion detection zone and all these 
things that they need to do.
    Most important is mainly being aware and being vigilant. 
That is probably the most important because all the other 
things change as the threats change. It is more important to be 
aware of it and be understanding of what and access to where 
the resources are to understand how to deal with the changing 
environment.
    Ms. Bordallo. And, Lydia, I have a couple of questions for 
you. To what extent has the FTC attempted to involve the Small 
Business Administration in cyber security efforts that are 
targeted at small businesses?
    Ms. Parnes. We actually have a history of working with the 
SBA on frauds that are directed to small businesses and we have 
had a number of real successes. We have not kind of dealt with 
them specifically on cyber security but we would be delighted 
to have them participate in OnGuard Online which is our online 
cyber security information.
    The OnGuard Online is not marked as an FTC site 
particularly. You can get it through our site but we encourage 
others to use it and put it out there and we will definitely 
contact the SBA. They can take the site. They can link to it or 
just put it on their site as well. I think it would give small 
businesses very good information.
    Ms. Bordallo. But this, again, hasn't happened as yet.
    Ms. Parnes. No, it hasn't. I would add that we do have 
federal agencies who partner on OnGuard Online as well as 
private industry. It is up there and it is available to anybody 
who wants to use it and we will seek out the SBA.
    Ms. Bordallo. Another question. Under what circumstances 
should a small business owner report cyber attacks to FTC? What 
would be the extent of the problem before they contact you? 
What would the circumstances be?
    Ms. Parnes. Well, certainly the FTC is one place that a 
small business can contact about a cyber security attack. The 
information that we get goes into a database that is available 
and actually is downloaded onto the FBI database that Mr. 
Martinez talked to. The Secret Service has access to our 
database as well.
    A small business could easily contact the FTC. We would 
take all of the information. We would put it in our database 
and it would be available to law enforcers, both federal law 
enforcers and also law enforcers on the local and state level. 
The FTC does not have any criminal authority, however. So many 
of these attacks are criminal in nature.
    Ms. Bordallo. What would you say the frequency of inquiries 
are? Any of you could answer that.
    Mr. Martinez. On the IC3, the Internet Crime Complaint 
Center complaint intake runs about 25,000 complaints a month. 
That is individual consumer complaints. That doesn't include 
aggregated information that we get from private sector 
partners.
    Ms. Bordallo. That is a staggering number. Let me see here. 
I think that is pretty much all the questions. We are trying to 
extend this before we call up the second panel. Oh, yes. I have 
one for the FBI. What is the most common roadblock you 
encounter when tracking down cyber criminals?
    Mr. Martinez. I think the biggest challenge for us right 
now is the international nature of cyber crime because going 
across the world you have different relationships with 
different countries and different levels of cooperation so we 
put an awful lot of effort into developing and firming up those 
relationships in places where we haven't had a presence before.
    You know, former Soviet states, the Far East. We have a 
legal attache program where we have a presence in many, many 
foreign countries but we found that we actually have to put 
people on the ground to work with some of these countries that 
haven't developed their legal systems or their capabilities to 
address cyber crime so that has been a huge challenge. It is 
really a change in the way we do business because we used to 
focus mostly on domestic crime problems but it really is a 
completely international global crime problem now.
    Ms. Bordallo. Secret Service, how would they respond?
    Mr. Johnson. I would agree with Mr. Martinez. The only 
thing I would add is that there is a different scam every day. 
I become briefed on the latest and greatest and it is always 
something added to an existing scam on the Internet. It is a 
more sophisticated from phishing to pharming more sophisticated 
and that is just one example of trying to stay one step ahead 
or at least equal with the bad guys.
    Ms. Bordallo. Can you share with us what is the latest scam 
so we are ready for it?
    Mr. Johnson. I think I kind of mentioned the account 
takeovers are very prevalent. You kind of put me on the spot 
with the latest.
    Ms. Bordallo. You know we have to be up to date here.
    Mr. Johnson. I understand.
    Ms. Bordallo. Thank you very much. I think we spoke about 
that, the small businesses to protect against inside. You 
mentioned vigilance which is very important.
    Ms. Furlani. And how best to apply their scarce resources. 
Which vulnerability should they work on? Some kind of 
prioritization.
    Ms. Bordallo. Can small businesses employ adequate security 
measures with their limited resources? What would the cost of 
that be? You are talking very limited resources.
    Ms. Furlani. Again, if you know--if you have access to how 
to do it you can make choices as to what is the most important 
way to close the door and where you apply your resources. 
Obviously it is easier when you have a larger budget. You are 
using a smaller percentage of it but education and awareness 
and I think that is what you are focused on today is where the 
resources are that they can make use of.
    Ms. Bordallo. And who provides--who can provide that?
    Ms. Furlani. Our website has a lot of information and I 
think each of the other agencies do.
    Ms. Bordallo. But technical assistance?
    Ms. Furlani. Technical assistance is generally where they 
are going to be getting it from a vendor of some sort. There 
again, they need to have enough understanding of what they are 
hiring and what risk they are taking there with partners, 
vendors. Every time you add someone else there is another 
vulnerability risk.
    Ms. Bordallo. That is correct.
    Ms. Furlani. Being aware of that.
    Ms. Bordallo. We want to thank all of you for appearing 
before the Committee today and we appreciate all your testimony 
and certainly we take it into account. I would like to excuse 
you and bring on the second panel. Oh, we will recess for a 
short time until we bring up the second panel.
    [Whereupon, at 3:04 the Subcommittee adjourned until 3:24 
p.m.]
    Chairman Akin. The Committee will come to order. Sorry 
about breaking things up here. I think we are prepared to go 
with our second panel if I am not mistaken. Ari Schwartz. Is 
that correct?
    Mr. Schwartz. Ari, yes.
    Chairman Akin. Ari. Okay. Deputy Director of Center for 
Democracy and Technology, Washington, D.C. You have five 
minutes, please, Ari.
    Mr. Schwartz. Thank you.

 STATEMENT OF ARI SCHWARTZ, CENTER FOR DEMOCRACY AND TECHNOLOGY

    Mr. Schwartz. Thank you. Mr. Chairman, Madam Ranking 
Member, thank you for holding this hearing on cyber security 
and inviting the Center for Democracy and Technology to 
testify. CDT hopes that this marks the beginning of the 
Subcommittee's interest in the important issues of information 
security and its impact on small business and consumers.
    Much has been written and said about the Internet as a 
revolutionary platform for human interaction. Indeed, the 
Internet levels the playing field for individual speakers and 
small businesses. It is a cheap and effective way to reach 
around the world.
    There are many factors that make the Internet unique among 
communications tools but its strength has always been its 
open, decentralized, and user-controlled nature. As such, the 
medium inherently has the potential that promotes democracy and 
entrepreneurial ideas. However, the Internet's strength is also 
one of its weaknesses.
    Just as networking and interconnectivity allows for 
unprecedented sharing of ideas, those factors also expose the 
medium to a growing number of threats such as viruses, spam, 
phishing and spyware. Individually these attacks are dangerous 
enough but taken together they have begun to chip away at the 
trust Internet users have in the medium.
    A recent survey done by Consumer's Union has indicated that 
25 percent of consumers have stopped making purchases online 
and another 29 percent have cut back on their online shopping 
because of concerns about identity theft alone.
    To address these dangers we must ensure both that our 
proposed solutions get to the root of the problem and that 
those solutions don't inadvertently harm the essential nature 
of the medium. To reach these goals we must understand the 
motivation and character of the threats. Although popular 
portrayals of Internet criminals continue to focus on young 
hackers vandalizing websites or launching denial of service 
attacks to gain notoriety among their peers, most of the real 
threats today are driven by financial gain, as was said by the 
FBI and the Secret Service in the earlier panel.
    It is easy to get lulled into the belief that these are new 
threats because of the new terminology like phishing with a 
``ph'' or spyware, but in reality they are for the most part 
typical fraud cases that we have seen offline for years and 
years. In our research into consumer complaints CDT has found 
these attacks are generally driven by five types of financial 
motivation.
    (1) Identity theft to consumers and businesses.
    (2) Corporate espionage, that is, taking confidential 
information.
    (3) Advertising software that provides pop-ups financially 
motivated because companies are paying affiliates to install 
software onto users' computers and often do so without consent.
    (4) Fraudulent marketing schemes like those that we have 
become used to in our e-mail boxes every day. And,
    (5) Extortion where consumers or business data or an entire 
machine is held ransom in one way or another.
    We are also seeing more attacks that rely on multiple 
techniques also known as blended threats that are uniquely 
targeted to a specific type of user. The New York Times 
recently reported that large gangs of criminals in Brazil and 
Russia are using virus-like techniques to install password 
crackers that only work on certain banking websites. This 
demonstrates not only the new skill of the criminals but also 
the international nature of the threat.
    These attacks have magnified impact on small business 
because many small businesses suffer from those attacks of the 
consumers as well as those aimed at businesses. Also, while 
large enterprises can afford spare capacity in the form of 
additional computers and servers, many small businesses do not 
have that luxury.
    Because of the changing nature of the threats, it is 
important that security programs continue to improve. Computer 
security companies have become experts at finding problems and 
distributing information about whatever malicious programs 
caused the problem, but they are only just beginning to build 
and test programs that stop malicious software at the first 
signs of bad behavior even before the names of those programs 
are known.
    Finally, it is essential that we address the financial 
motivation of these threats as we have in offline fraud. This 
is not as easy as it sounds because the Internet models pass 
information to the hands of so many players and across borders 
as well. CDT is currently in the process of documenting how 
large and respected companies are unsuspectingly supporting 
unfair and deceptive practices of their partners. Yet, we must 
get beyond all these difficulties and find the sources of 
funding and cut it off or risk losing the potential of the 
Internet for future generations.
    Thank you again for having me here and I look forward to 
your questions.
    [Mr. Schwartz's testimony may be found in the appendix.]
    Chairman Akin. Thank you, Ari. Right on time there. Next we 
have Enrique Salem, Senior Vice President, Security Products & 
Solutions from Symantec Corporation from California. Thank you 
for coming the distance here, Enrique.

        STATEMENT OF ENRIQUE SALEM, SYMANTEC CORPORATION

    Mr. Salem. Thank you, Chairman Akin, and Ranking Member 
Bordallo for giving me the opportunity to testify at today's 
hearing on the state of small business security and cyber 
economy. I am hopeful that my remarks will provide the 
Committee with a comprehensive overview of the U.S. small 
business cyber threat landscape. I also hope to give you some 
thoughtful insights on the many security challenges small 
business owners face in today's growing digital economy. I look 
forward to responding to the Committee's questions following my 
remarks.
    I come before you today representing Symantec Corporation. 
We are the fourth largest software company in the world and we 
help our customers to protect their information and we provide 
them solutions around security and availability and integrity 
of their data.
    As the Senior Vice President for Consumer Products Business 
Unit I am responsible for both the consumer market and the 
small business segment. Prior to joining Symantec I was the CEO 
of Brightmail, Inc., a leading provider of anti-spam solutions 
so I am able to talk to you about some of the key challenges 
that small businesses face when they try to deal with spam. I 
also provided comments to Congress on the issues surrounding 
the CAN SPAM Act.
    Last week Symantec released its ninth Internet Security 
Threat Report which is widely acknowledged to be the most 
comprehensive analysis of information regarding security 
activity for today's economy. The report includes an analysis 
of network based attacks including those on small businesses 
with a review of known threats, vulnerabilities, and security 
risks. We have been providing this report on a semi-annual 
basis since 2002.
    The last two Internet security threat reports found that 
small businesses have consistently been in the top three most 
targeted groups for cyber attacks. Cyber criminals have found 
that small businesses are less likely to have a well-
established security infrastructure making them more vulnerable 
to attacks.
    Symantec has also sponsored the first comprehensive study 
of its kind analyzing the state of information security 
readiness in the U.S. small business market. The July 2005 
study conducted by the Small Business Technology Institute 
surveyed more than 1,000 businesses and found that information 
security is a high priority for small business owners. But it 
also showed a lack of appreciation of the true economic impact 
of information security incidents and a lack of knowledge 
around cyber threats.
    I would like to submit this report with the Chairman's 
permission.
    Chairman Akin. Without objection.
    Mr. Salem. Some key findings that we found in the report 
are as follows. While over 70 percent of small businesses 
consider information security a very high priority, they are 
not increasing their investment and protection. The study 
revealed that small businesses demonstrate an alarmingly 
complacent and passive attitude to information security.
    A majority of small businesses, 56 percent, have 
experienced at least one security incident in the past year and 
small businesses make overwhelmingly reactive purchase 
decisions when it comes to Internet security with 35 percent 
increasing spending on security products only after their 
business has been compromised or attacked resulting in a loss 
of data or corruption.
    It is difficult to quantify the impact of cyber crime but 
according to the FBI's 2005 Cyber Crime Survey costs today are 
around $67 billion to U.S. firms over the last year. 
Additionally, the FTC found that identity theft cost 
businesses $48 billion and last year consumers $680 million in 
losses.
    But more damaging than the loss of money is the loss of 
trust and confidence by consumers in the Internet economy. With 
so much of the nation's small businesses depending upon the 
Internet, we can't risk losing the public's confidence in doing 
online transactions with small businesses as it is essential 
that they have the right resources to protect themselves.
    Symantec continues to play an instrumental role in 
protecting small businesses through the security solutions we 
offer and our education and awareness efforts.
    For example, Symantec is a major sponsor of the National 
Cyber Security Alliance, or the NCSA, a non-profit which 
educates small businesses and consumers on how to stay safe 
online. The NCSA website, staysafeonline.org, is a useful 
resource for small businesses and partners with the Department 
of Homeland Security, FTC, Small Business Administration, NIST, 
and many others on several initiatives including the small 
business training workshops led by NIST.
    In addition to its sponsorship of the NCSA, Symantec has 
created several tools, including educational books and CD-ROMs 
to address the unique needs of small businesses. We have copies 
of these materials available at today's hearing that Symantec 
has also developed in a wide range of areas to help protect 
data that small businesses find critical to run their 
businesses.
    We must focus on increasing cyber security awareness, 
educating and enabling small businesses to properly assess 
their true level of risk and encouraging them to take the 
necessary and preventative and corrective measures.
    Symantec looks forward to continuing to work in partnership 
with the private sector and Congress to conduct research and 
create tools that lead the way in providing U.S. small 
businesses with the right resources they need and deserve to 
truly secure and prosper in today's high-tech global economy.
    Thank you again, Chairman Akin, and Ranking Member 
Bordallo, for allowing me to testify today in front of the House 
Small Business Subcommittee on Regulatory Reform and Oversight.
    [Mr. Salem's testimony may be found in the appendix.]
    Chairman Akin. Thank you very much, Enrique. Appreciate 
your perspective.
    Next is Dr. Burton Kaliski. Is that right?
    Dr. Kaliski. Kaliski, sir.
    Chairman Akin. Kaliski. You are the Vice President of 
Research for RSA Security, Chief Scientist, RSA Laboratories 
from Bedford, Massachusetts.

STATEMENT OF DR. BURTON S. KALISKI, JR., RSA LABORATORIES, RSA 
                            SECURITY

    Dr. Kaliski. Chairman Akin and Ranking Member Bordallo, I 
am honored to be with you today. You might wonder what the 
three letters RSA stand for. They are the initials of three 
inventors of a very widely-used encryption algorithm developed 
in 1977 at MIT with federal research funding.
    We have a conference held annually on the west coast which 
now attracts 14,000 attendees and at the most recent conference 
Robert Mueller spoke and said that, ``While the Internet has 
become a growth engine for business, it has also become a 
global target for cyber criminals.'' He is exactly right and 
this is a dilemma for small businesses because, on the one 
hand, you want to go online to expand your business 
opportunity. On the other hand, when you go online you face 
tremendous threats and small businesses don't have the IT 
security departments to help them but there is hope.
    We need to look at what is an adequate level of security 
for a small business or any business. We believe that security 
ought to be commensurate with the value of the data as well as 
the resource being protected. Just as you don't shred every 
piece of paper, you don't need to encrypt every file but you 
need to be shredding and encrypting sensitive information. Just 
as you don't lock every door, you don't need to have strong 
access controls to every file but those that are sensitive need 
that appropriate level of protection.
    Now, traditionally the protection for access to information 
has been a password and it is recently that across many 
industries people have realized it is finally time to do 
something better. But what is there that is better than a 
password?
    Well, at the RSA conference this year Bill Gates was one of 
the speakers and he said, to paraphrase, that the era of 
passwords is over. Organizations are looking at many 
technologies for making it easier to use stronger security but 
we again have a dilemma. If you have strong security that is 
very strong but not easy to use, you really have no improvement 
at all. Great security is good to have if you can use it.
    There has been a substantial increase in the focus on 
usability and I would like to highlight several ways that is 
taking place. One is that vendors are finding ways to make 
security more usable across the industry as a whole. You may 
have different interfaces on every site you interact with, a 
different way of providing your password, a different way of 
answering questions about your account.
    You may have ways that you can reset your password in one 
case and in another case it is different but industry is 
working to standardize and harmonize these approaches so that 
users have a consistent experience. Users also have many 
opportunities to increase their security with the devices that 
they already have.
    We are all carrying mobile phones. Couldn't that be used 
some way to enhance our security experience if we could just 
connect that with the places at which we do business? That 
would certainly simplify the situation for a small business 
rather than having to find some unique solution to put security 
in the user's hands. And vendors including my company are 
looking at many ways like this.
    Now, the third point, though, is that you basically needed 
to be a crypto-engineer, and I wish I could tell you more about 
that career because it is fascinating. You needed to be a 
crypto-engineer to put security in your products. Up until 
recently you had to know details of every algorithm and acronym 
and so forth. Well, that is changing. Vendors are finding ways 
so that you can put encryption in and other features of 
security just based on policy. You say, ``Here is the kind of 
data I have. Please encrypt it,'' and it is done and it is 
managed well.
    Security appliances are another example. You don't need an 
IT security department to enhance your security. You can plug 
in a device that is ready to go into your network and it 
enhances your security. Finally, IT vendors are working on 
improvements to the user interface because, after all, that is 
the last and the weakest link. How does the user know that he 
or she is more secure? Well, there are improvements on web 
interfaces that help you to see when you are secure and when 
you are not.
    In all of this the public and private partnership is 
essential. As my colleague mentioned, the National Cyber 
Security Alliance is an important player. RSA Security has also 
been invested in that organization. We encourage others to take 
part in it.
    We are also interested in the area of breach notification 
legislation. I understand that the House and the Senate are 
both working in that area. We consider it important as an 
incentive and reward to businesses that apply best practices, 
that those best practices are recognized in terms of a safe 
harbor provision.
    To conclude, just because you are a small business doesn't 
mean the criminals aren't out to get you as well. You have 
valuable resources. Just because you are a small business 
doesn't mean you can't do anything about it. There are tools, 
the built-in security into many products, the tools for 
encrypting data more easily.
    You know, RSA Security used to be a small business and at 
RSA Laboratories we maintain that entrepreneurial perspective. 
We look forward to working with this Committee on Small 
Businesses for a safer and more secure economy.
    [Dr. Kaliski's testimony may be found in the appendix.]
    Chairman Akin. Thank you. Very well done. Thank you very 
much.
    Our next guest is Roger Cochetti?
    Mr. Cochetti. Cochetti.
    Chairman Akin. Cochetti. Your son Andrew is supervising 
this operation as well I understand.
    Mr. Cochetti. Thank you very much.
    Chairman Akin. You are the Group Director of U.S. Public 
Policy, Computing Technology Industry Association from 
Arlington.
    Mr. Cochetti. Yes, sir.
    Chairman Akin. Thank you, Roger.

  STATEMENT OF ROGER COCHETTI, U.S. PUBLIC POLICY, COMPUTING 
                TECHNOLOGY INDUSTRY ASSOCIATION

    Mr. Cochetti. Thank you, Mr. Chairman. Thank you, Ranking 
Member Bordallo. Thank you both for your warm welcome for my 
13-year-old son Andrew for whom the subject of cyber security I 
can assure you is not a theoretical issue.
    My name is Roger Cochetti and I am Group Director of U.S. 
Public Policy for the Computing Technology Industry Association 
(CompTIA). I am here today on behalf of our 20,000 member 
companies.
    Mr. Chairman, I want to thank you and the members of your 
Subcommittee for holding this important hearing on the State of 
Small Business Security in the Cyber Economy. We believe that 
your efforts to focus public attention on cyber security and 
small business will help American small business avoid cyber 
threats.
    Before I continue, Mr. Chairman, I would like to ask that 
my written statement be submitted for the record.
    Chairman Akin. Without objection.
    Mr. Cochetti. Mr. Chairman, the Computing Technology 
Industry Association is the nation's oldest and largest trade 
association representing the information technology or IT 
industry. For 24 years CompTIA has provided research, 
networking, and partnering opportunities to its 20,000 mostly 
American member companies.
    While we represent nearly every major computer hardware 
manufacturer, software publisher, and systems integrator, 
nearly 75 percent of our membership is made up of the small 
American computer companies who themselves provide integrated 
computer systems to small businesses which I will explain more 
in a moment.
    As this Subcommittee knows, small business is the backbone 
of the American economy. Some 23 million small businesses 
generate over half of our GDP and employ most of the private 
sector workforce. Today nearly all American small businesses 
are dependent upon information technology and most are 
increasingly dependent upon the Internet. Failures in the IT 
infrastructure or in the Internet threaten the viability of 
American small business and their vulnerability to cyber 
threats is America's vulnerability.
    The IT needs of small businesses are mainly addressed by an 
important segment of the computer industry called Value-Added 
Resellers, or VARs. These small system integrators, which are 
the bulk of our members, set up and maintain computer systems 
and networks for small businesses. VARs create and maintain the 
computer systems in your dentist office, in your doctor's 
office, for your corner store, and for your local plumber.
    VARs are the front line in America's defense against cyber 
security threats. An estimated 32,000 VARs sell about one-third 
of all computer hardware sold in the United States today and 
most of that to small business. Because of our unique role 
representing America's VARs CompTIA has done a great deal to 
address the issue of cyber security for a small business, much 
of it in conjunction with governments.
    We recently launched a series of regional educational 
programs on cyber security expressly for VARs and through them 
the small businesses whom they serve. In 2002 we introduced 
the security plus professional certification for IT 
professionals. It validates an IT professional's abilities in 
the area of cyber security and to date over 23,000 IT pros, 
many working for small businesses, have taken and passed 
CompTIA's security plus exam.
    Over the past few years we have commissioned an annual 
survey of the state of IT security. Two-thirds of the 
participants in these surveys are small businesses and the 
results tell us a lot about the cyber threat to small business. 
Almost 40 percent experienced a major IT security breach within 
the last six months.
    Human error, either alone or in combination with a 
technical malfunction, caused four out of every five IT 
security breaches. More than half do not have written IT 
security policies. One half have no plans to implement security 
awareness training for their employees outside of the IT 
department, nor have they even considered it. About two-thirds 
have no plans to hire IT security personnel and just a quarter 
require IT security training and a tenth require professional 
certification.
    With your permission, Mr. Chairman, I would like to submit 
our most recent study for the record of this hearing. It talks 
a lot about what is happening in small business.
    Chairman Akin. Without objection.
    Mr. Cochetti. Based on our studies it is clear that more 
needs to be done to raise cyber security awareness, education 
training, and professional certification within the small 
business community. It is also clear to anyone who understands 
how small businesses operate in the United States that VARs 
must play the central role in any effort to reach out to small 
business in this area. What is most needed is a Government 
industry partnership that takes advantage of the unique access 
and perspective of thousands of VARs who IT-enable small 
business in the U.S.
    Mr. Chairman, let me emphasize at this point that the most 
effective solutions to nearly all cyber security threats, to 
small business or any other IT users, do not rely on new 
federal or other regulations. The nature of the Internet, in 
particular as a global network of networks that is dynamic and 
rapidly changing, is such that Government regulations will have 
a limited impact.
    Much more effective in dealing with threats like cyber 
security are technology tools, industry best practices, and 
consumer and business education backed up by strong law 
enforcement. The key role that Government agencies can and 
should play, aside from arresting and prosecuting criminals, is 
to work with industry and consumers on education, technology 
tools, and best practices.
    We look forward to working with this Subcommittee and the 
relevant agencies in such a cooperative effort. Thank you, Mr. 
Chairman.
    [Mr. Cochetti's testimony may be found in the appendix.]
    Chairman Akin. Thank you, Roger. Appreciate your testimony.
    Our last witness is Howard Schmidt, President and CEO of R 
& H Security Consulting LLC, and former White House Cyber 
Security Adviser from the State of Washington.
    Howard.

  STATEMENT OF HOWARD SCHMIDT, R & H SECURITY CONSULTING, LLC.

    Mr. Schmidt. Thank you very much, Mr. Chairman and Ranking 
Member Bordallo. Thank you for the opportunity to appear before 
you this afternoon.
    My colleagues have done a very good job of sort of laying 
out the problems. I would like to spend my five minutes sort of 
talking about some of the things that we have seen which 
actually have helped improve it and some of the things that are 
either low cost or no cost that small and medium businesses can 
work with.
    First I would like to frame it in saying when I look at a 
small business we see in three categories their IT 
capabilities. First, we are basically aware that their IT 
system is also their home computer system, the mom and pop 
operation, so to speak.
    We have others where small and medium enterprises have 
dedicated computer systems, relatively small staff that 
basically work really hard to make the IT system run but no 
special expertise in security. Then the third category, the 
ones that actually outsource this to a service provider that 
basically provides them a turnkey operation.
    With these categories in mind, their success depends on 
four things, technology, awareness and training, information 
sharing and, of course, we heard from the earlier panel the law 
enforcement capabilities.
    From a technology perspective we have seen software 
developers invest heavily in tools and processes to reduce the 
number of vulnerabilities which then make us much safer in the 
software we are running today. There are also now automated 
tools available to identify vulnerabilities, effectively the 
unlocked door on a computer system that can be found 
automatically, once again, for a low price.
    The automatic updating of anti-virus applications, spyware, 
operating systems, things of this nature, once again, are being 
built into the computer systems we are running. We now see a 
new generation of toolbars for web browsers that turn red, 
green, or yellow depending on whether the site is trusted, 
unknown, or untrusted.
    We also see new technology that is very affordable for the 
consumer and the small and medium enterprise with the all-in-
one device where you have a hardware device that is your cable 
modem, firewall, wireless router, anti-spyware built in that is 
managed just like it would be for a large enterprise.
    As Burt talked about, two-factor authentication, a concept 
like an ATM card, something you have, something you know. It is 
very important for us to help secure our systems today. Also 
the encryption technologies are much more affordable, easier to 
use than ever before, and more widely accepted.
    For the awareness and training, one of the issues I see 
with the small and medium businesses is the fact that they 
don't oftentimes recognize they are and can be a target. 
Clearly recognizing that takes place is one of the key issues 
for awareness and training.
    The Treasury Department released a DVD called ``Identity 
Theft: Outsmarting the Crooks'' which includes, of course, 
information for SMBs. The FTC, USPS, USSS, my role as a 
reservist with Army CID as well as other private sector groups 
helped put this together. It is available free of charge on the 
Treasury website. I might note here, if I could, I have a 
number of URLs or weblinks in my written testimony. I would 
like to just point that out. I won't repeat these things.
    Of course, FTC with the Online OnGuard site, National Cyber 
Security Alliance, also for state and local governments working 
with the local Chamber of Commerce, the multi-state ISAC, 
Information Sharing Analysis Center, led by Will Pelgrin out of 
Governor Pataki's office, have put together state and 
territory-wide information sharing analysis.
    The US-CERT provides services free of charge. The National 
Cyber Security Partnership was also mentioned earlier. Also 
there is a special guide called, ``Common Sense Guide to Cyber 
Security'' for small and medium businesses given out by the US-
CERT ready.gov website, as well as the U.S. Chamber of 
Commerce.
    On the sharing earlier we mentioned the InfraGard and the 
Electronic Crimes Task Force working with the local folks that 
actually are doing the work on a day-to-day basis. We also see 
information and training also take place during those 
organizational meetings they have.
    The last piece I would like to cover briefly is the law 
enforcement efforts. Like any other effort, there is going to 
be bad actors out there. We can't escape that. With the 
technology, the awareness and information sharing we can help 
reduce the threats against the small and medium businesses but 
they still will see some out there.
    The very nature of the crimes makes them difficult to 
investigate so we need to make sure we currently fund 
particularly small, local jurisdictions which don't have the 
resources to conduct these investigations without some 
assistance.
    The International White Collar Crime Center actually is an 
NIJ funded project designed to help state and local law 
enforcement investigators investigate all types of cyber 
crimes, particularly, once again, targeting the audience of the 
small and medium enterprises.
    Lastly, some quick recommendations in my last 30 seconds or 
so. We have seen since we have released the President's 
National Strategy to Secure Cyber Space that a lot of these 
efforts have taken place but we still see some areas. The idea 
of pulling the technology websites doesn't really cut it. We 
need to be able to provide this information. Maybe the Small 
Business Administration working with the U.S. Chamber and the 
local Chamber of Commerce to hold in-person type events would be 
very, very helpful.
    We also basically need to make sure that when the Small 
Business Administration works with the loaning process you have 
to submit a business plan and things of this nature. Also a 
cyber security plan would be very helpful.
    With that I will wrap up my verbal comments. Once again, 
thank you for the opportunity and look forward to any questions 
that you may have. Thank you.
    [Mr. Schmidt's testimony may be found in the appendix.]
    Chairman Akin. Thank you very much, Howard. You have really 
led into my first question. As a hard to get along with crusty 
old conservative, I have a natural inclination to wonder 
whether the Government is going to do any good and maybe make 
the process worse. I guess one of the things that we are 
investigating here, the first set of questions which I really 
left to be asked when I was gone was, one, how big is the 
problem and where is the problem? Can we define what the 
problem is?
    Second of all, what we are looking at is: is there some way 
we can be constructive and help and in certain places maybe we 
should get out of the way. I wanted to let anybody who wants a 
shot at that question to make recommendations because we are 
going to be taking notes. If there are some logical places for 
us to put some legislation together, we probably have a good 
chance of getting something done. Maybe there are some places 
we want to stay away from and just let industry work with it. 
Have at it, my friends.
    Mr. Schmidt. If I may on the issue of scoping, just my 
local law enforcement as well as my experience with the FBI we 
don't do a good job on capturing what is really computer crime 
or cyber crime, particularly as it relates to the smaller 
organizations. We have these broad categories which don't 
especially do it. Fraud whether using a computer or a 
typewriter is still a fraud and we don't differentiate that 
very well.
    As far as the regulation piece, once again, it is in the 
same category. I don't think regulation itself helps but what 
you do is make sure the resources are available to the Small 
Business Administration to do not pull technology but push 
technology to the constituents they work with.
    Chairman Akin. Your idea that if somebody wants an SBA loan 
or something, you say, ``Well, if you want that, then maybe 
what you need to do is at least ensure some level of security in 
your system.'' That seems to be kind of an incentive, I 
suppose, that you could use. Is that a good idea, other 
gentlemen, or is that just making it harder? Our last hearing 
that we had was how people are having trouble getting SBA 
loans. They said it is taking a lot of red tape and hassle. Do 
we want to add another step to that or not? You tell me.
    Mr. Cochetti. Mr. Chairman, if I could go back to the 
broader question and then touch on the SBA loan qualification 
question, I think it is important to keep in mind the scale of 
the problem and the scale of the problem is enormous and we 
believe serious. All of the surveys, ours in particular, 
suggest that well over half of the 23 million small businesses 
in the United States have very little preparation for cyber 
threats and well over half. Half would be a modest way of 
looking at it.
    There are many things that are needed to be prepared. 
Technology tools are one, training is another, and procedures 
are another. There are others but those are typically the three 
main things. You train people, need the technology, and you 
need the procedures. Most small businesses have none of these.
    Clearly from our point of view the starting point in any 
discussion about what to do is awareness, education, and 
training. Small business until they are aware of this problem 
are not going to do much about it and aware of the seriousness 
of it and the impact it could have on them.
    The outreach issue consequently is the fundamental issue, 
we believe, that needs to be addressed. If you think about the 
size of the small business segment to the American economy, 
however, reaching out to 23 million small businesses is not 
something that is going to be done through putting up another 
website. We have got a dozen very well organized websites that 
provide a lot of information. How many small business men or 
women do you know who spend their time searching websites to 
learn more about cyber security?
    We need a proactive outreach effort. The fact is, however, 
that if we were to put on a conference a month with 100 small 
businesses participating in each conference, it would take us 
several thousand years before we would reach the small business 
in the United States. It is for that reason, Mr. Chairman, that 
we believe that the intermediaries, the VARs, are really the 
key to the solution.
    If you go to a dentist, the next time you talk to your 
dentist ask him, ``Who handles your computer system in this 
office?'' The odds are almost certain that he or she will not 
say, ``I do it myself.'' Almost certain they will not say some 
big multi-national company that we have all heard of.
    He or she will say, ``It is Joe's Computers down the 
street.'' These are the people who are the IT departments for 
small business. These are the people who have to raise the bar 
on the awareness. These are the education outreach programs 
that we believe are needed, Mr. Chairman. Thank you.
    Chairman Akin. Are you saying that the Government should 
fund education outreach programs? Is that what you are saying, 
Roger?
    Mr. Cochetti. I think the Government should use every tool 
at its disposal and we wouldn't be adverse to Government 
funding for these programs but it would not be a wise use of 
Government resources to try to do a conference for small 
business because after 3,000 or 4,000 years you might have 
gotten two-thirds of the way through the small business 
community in the United States.
    Chairman Akin. Maybe we ought to publish a couple of really 
good juicy scandals and scare everybody. Maybe that would be 
the way to do it.
    Mr. Cochetti. That unfortunately sometimes helps.
    Chairman Akin. Anybody else want to take a shot at anything 
that we need to do legislatively or governmentally that could 
be helpful?
    Dr. Kaliski. Sir, a couple of comments. First on the scope 
of the problem, Chairman. Our report clearly shows that small 
businesses are increasingly being targeted now by cyber 
criminals so the scope of the problem is only going to continue 
to increase. I think the second point is--
    Chairman Akin. You talked about the fact that it is 
increasing. Do you have a sentence or two on what the scope is 
itself?
    Dr. Kaliski. Yes. So what we are seeing is specifically 
that there has been at least one incident at about 56 percent 
of all small businesses where their data or security has been 
compromised so that is more than half have had an incident in 
the last year so that is pretty significant.
    I think the second point is we do need to provide 
incentives for small businesses to take action to protect 
themselves. You mentioned this notion of small business loans. 
I think that may be an incentive but we should look for other 
mechanisms that we can use to encourage them to secure their 
businesses.
    I think the other thing is, as Mr. Cochetti said, I don't 
think we need new websites. There already are existing ones 
such as staysafeonline.org which I think is a fine website to 
leverage for providing information to small businesses. Lastly, 
I think the SBA just needs to take a stronger role in helping 
small businesses to secure their businesses.
    Mr. Schwartz. The one area where I think there has been 
some discussion about legislative initiatives is in terms of 
international cooperation among law enforcement. We have seen a 
lot of the cases we track go to the border. Some of them are 
simply routed through foreign servers to make it look as though 
it is becoming foreign because the bad guys know that law 
enforcement goes up to the border and that's where they end 
their hunt because we don't have this kind of cooperation even 
though they are actually located in the United States.
    Although some really are, there are a growing number of 
threats that really are outside of the U.S. and come in and 
work across borders, multi-national partners in these schemes 
because they really are money-making schemes these days. That 
means they will work with whoever is willing to partner with 
them to make money. We have seen schemes that involve seven or 
eight countries sometimes.
    Chairman Akin. Thank you very much. I'll turn the 
questioning over now to Ranking Member.
    Ms. Bordallo. Thank you very much, Mr. Chairman. My first 
question is to Mr. Kaliski. I got mixed signals here in 
listening to some of the comments. Who do you think is best 
situated to handle cyber security threats, the Federal 
Government or private industry?
    Dr. Kaliski. I think it has to be a combination of both. I 
don't think it should be an ``or'' situation. I think we 
definitely have to raise awareness. I think there is some 
knowledge out there but I think it is both private sector and 
Congress that need to work together.
    As we mentioned, there are resources today available for 
small businesses. We just need to make sure that folks 
understand that they are there and can take advantage of them. 
I also think the SBA needs to take a strong role in working 
with the private sector and small businesses to make sure that 
they have the staffing and resources necessary to protect 
themselves.
    Ms. Bordallo. It is unfortunate, I guess, that we don't 
have an SBA representative here today but certainly I did hear 
you all speak about what you have up on your websites but when 
you look into the SBA website there just isn't anything that 
deals with this problem so it is something we are going to have 
to work on.
    Is there a representative from SBA? Is there anyone in 
the audience? Do you wish to make any comments on this? Please 
come forward and identify yourself for the record, please.
    Ms. Thrasher. Good afternoon. I am Ellen Thrasher. I am with 
the Office of Entrepreneurial Development at the Small Business 
Administration. My colleague who is here is Antonio Doss also 
with the Small Business Administration.
    Chairman Akin. Thank you for joining us.
    Ms. Thrasher. It is our pleasure and we welcome the 
opportunity to be here and also to hear so many of the 
comments, many of which we share and understand. The dynamics 
within the small business community have changed dramatically 
over the last couple of years. The whole idea of e-commerce, 
doing business online, while at the same time trying to open 
and sustain a small business is a challenge.
    Our role within Entrepreneurial Development is to educate, 
inform, counsel, and train small businesses to make smart 
business decisions. We do this in a variety of ways. We work in 
public/private partnerships. For example, we are very active in 
the National Cyber Security Alliance. We work with NIST, the 
FBI InfraGard in offering training, and online counseling and 
training.
    Through our resource partners such as SCORE and SBDCs we 
offer counseling and training both face-to-face and online. For 
example, SCORE has an online counseling service and if you go 
to www.score.org you can find at least 140 online cyber 
counselors with an expertise in computer security that are 
available 24/7 to provide you counseling and training.
    We are aware of the problem. We are trying to collaborate 
as best we can in avenues to, again, outreach, as we were 
talking about. We do the training, the counseling, the 
awareness, and we hope to refer people to the areas for 
deterrents, enforcement, and remediation. Thank you.
    Ms. Bordallo. You say that this then, Ellen, is all on your 
website now?
    Ms. Thrasher. Much of it is. In fact, I just provided the 
Committee with brochures that we give out. We have a 
collaborative agreement with Hartford and have published a 
whole series on risk management, of course, which cyber 
security is part of. The brochure and the training is available 
both in English and Spanish and it is on site. We are also 
launching a webinar that will be a self-styled tutorial 
training course on what we call business catastrophe of which 
anything, of course, that would happen to your cyber security 
is part.
    Ms. Bordallo. Very good. Thank you. It has been very 
informative and I have the material here in front of me. Thank 
you, Ellen.
    I have a question now for Mr. Cochetti and that is you 
spoke about the outreach program, the education outreach. Who 
should head the education outreach program that you described?
    Mr. Cochetti. Delegate Bordallo, there is no question, I 
think, in the minds of anyone on this panel that it is that 
educational outreach program which is the most important thing 
that needs to be done. If nothing else happens, without that 
there will be little progress. I think certainly in our view, 
and I suspect most of the panelists here would agree, is that 
this really needs to be a Government/industry partnership.
    There is simply no way the industry is going to mount an 
effective outreach program on its own, nor is there any way the 
Government could do it effectively on its own so a partnership 
is what is needed. I would say there are a number of federal 
agencies that are already active. They have modest programs 
underway right now. Most of the programs that exist today are 
responsive. In other words, I have a website.
    If anybody feels like coming to it, I have information 
available. What really is needed is a proactive program that 
goes out and it is, again, for that reason that we think these 
VARs are what the military planners call sort of a force 
multiplier. Each VAR is the IT department for about 200 small 
businesses. You get a VAR and you reach 200 small businesses 
and it is a way to deal directly with the problem. I think the 
fact is there are a number of federal agencies, many who are 
here and some who are not here, who have an interest in some 
programs in this area. They need to work together--
    Ms. Bordallo. With private industry.
    Mr. Cochetti. Yes.
    Ms. Bordallo. Thank you. Mr. Schwartz, in your mind should 
the Federal Government be focusing on enforcement of existing 
laws or should we be looking at new laws? If new laws and 
regulations are needed, what recommendation do you have?
    Mr. Schwartz. Well, in terms of the existing laws there are 
several existing laws where they should be enforced more 
diligently and where we need greater oversight. The Computer 
Fraud and Abuse Act, for example, is one that we see regularly 
broken, criminal statute where action can be taken.
    The FTC has started to take greater actions in unfair and 
deceptive practices cases. We started to see more action in 
that area. And the Secret Service has talked about in their 
statute the number of places where they can bring cases under 
current identity theft laws.
    All of those pieces need to be enforced more strongly than 
they are today and with an international focus. There is 
definitely room there. The one area where we have focused on 
regulation where we think it is necessary goes back to the 
basic Internet privacy question.
    There is a general question of Internet trust and of 
consumer trust on the Internet today. A lot of that goes back 
to the fact that consumers don't understand what happened to 
their information and how it is shared on the Internet. There 
is a patchwork of laws right now for consumer information and 
how it is used online behind the scenes for consumers that 
happens online and offline as well. But in the online world 
consumers have this fear and they don't understand what happens 
to their information. In some ways it is justified. We have all 
sorts of different standards. There are lawyers out there that 
do not understand the Gramm-Leach-Bliley Banking Law and 
privacy when they read those privacy notices that they are 
sent. When you are given the privacy notices in your doctor's 
office, a completely different kind of notice than the 
financial notice that you got before. We just have this 
patchwork of laws out there all over the map and consumers just 
don't understand where their information is going and how it 
flows and that is starting to show up online.
    That is one thing that we would like to see is sort of a 
leveling and understanding, a baseline standard for privacy 
that basically the good companies out there are following but 
the other companies out there that are sort of outliers are 
taking advantage of.
    Ms. Bordallo. That is an excellent point. Mr. Kaliski, new 
developments in cyber security certainly will enhance small 
businesses. We have all been talking about that. Are these 
protections affordable?
    Dr. Kaliski. That is an excellent question, ma'am. The 
important part to look at is that as technology is developed 
and standardized, it becomes widely available, very effectively 
for a large group of people. Consider the Internet as an 
example and over time the higher speed Internet access that has 
been made available to all kinds of businesses.
    We are seeing a similar trend in security technology. As I 
mentioned, vendors are producing security tools that can be 
used across multiple companies so that you are able to leverage 
the investment that your users have already made to be secure 
in other places. An example, there are security tokens that are 
issued by banks that can potentially be used at other banks 
just as you would use a credit card at multiple places. The 
affordability will come from the common solutions available 
through industry standards.
    Ms. Bordallo. Thank you. Mr. Schmidt, I have just one last 
question. It seems to me that SBA should be playing a larger 
role given that if there is any agency small firms would turn 
to for advice it should be SBA. Would you agree with this 
assessment and what additional programs should the SBA sponsor 
to better fulfill their responsibilities to the American small 
businesses?
    Mr. Schwartz. I agree with that perspective because the 
small business that I talk to the first thing I do is look to 
where the SBA is saying, ``How can I be successful?'' which is 
what is said to do. Part of the SBA's responsibility to due 
diligence, as the Chairman mentioned a few moments ago, about 
making it less complicated. That due diligence also goes to the 
cyber piece.
    Some of the things they can do is not so much focus on how 
to investigate these things because that is often times too 
late for a small business. They are already out of business at 
that juncture so maybe working with the Internet Association 
Chiefs of Police and the Crime Prevention Associations to take 
that good material that they have just passed out to you and 
make sure that those are provided.
    For example, if you were to call up your local police 
department and say, ``I would like you to come to my house and 
my business and do a crime survey,'' they will come out and do 
it. Ask them to do that on your computer business and they 
won't have a clue what to do. The SBA has the expertise, the 
resources to work with them and provide that as a resource to 
local business as well as a crime prevention effort.
    Ms. Bordallo. Thank you very much. Thank you all for the 
information you provided.
    Chairman Akin. I just had one or two quick questions. I 
have got a meeting that started at 4:00 so I am going to have 
to scoot before long. Just a couple of thoughts. First of all, 
is there anybody that provides insurance to small businesses to 
protect them against these kinds of problems?
    Mr. Schmidt. As a matter of fact there are. When we 
released the National Strategies to Secure Cyberspace a number 
of the major organizations, AIG, Chubb, you name them, not only 
provide data insurance for the data that they protect, fire and 
damage, all the things relative to that at relatively low cost 
for small business as well. The policies are there. The 
underwriting capabilities are there and it is just a matter of 
asking for it from the insurance companies.
    Chairman Akin. So if I have got a small business, I might 
normally have, I would think, some sort of insurance on the 
building if the small business were in a building that I owned. 
It would be sort of like the equivalent of homeowner's 
insurance. I might have some liability in case an employee gets 
in trouble. Would any of those policies typically have 
insurance that would protect against data security or questions 
that involve the cyber security in general?
    Mr. Schmidt. As an addendum, yes.
    Chairman Akin. You have to add it? It is an extra?
    Mr. Schmidt. You have to add it. Yes, sir.
    Chairman Akin. Okay. And then I guess I would think that if 
somebody is offering me insurance, then they would have an 
interest in seeing whether or not you have the right software 
installed to protect yourself, right?
    Mr. Schmidt. That is correct, yes.
    Chairman Akin. Okay. Then I guess the second question was 
in terms of the VARs, they seem to be covering a lot of the 
sort of small business data processing side of things. Would it 
make any sense to give them some sort of a rating in terms of 
whether or not they have taken proper precautions in terms of 
data security?
    Mr. Cochetti. Mr. Chairman, I think a program like that 
would probably make sense. We have pursued programs of sort of 
VAR certification or best practices, you know, VARs who are 
proven to be competent. It is a nonregulated, nonlicensed 
industry so certification of that sort is certainly an 
attractive idea that we have looked at and we would be more 
than happy to talk with the SBA or others about sort of how to 
pursue it but, yes. And since they are just important 
intermediaries thinking about that is, I think, an important 
aspect of this.
    Chairman Akin. Some of us would prefer to see it maybe done 
on an industry basis as opposed to Government basis because we 
have got more confidence, especially with something that is 
moving as fast as this is; the Government has a terrible track 
record at being able to move quickly and keep current.
    Mr. Cochetti. Let me assure you we are 100 percent private 
sector and when I mention that we have been looking at 
certification programs for VARs, that would be an entirely 
private sector certification for VARs.
    Chairman Akin. Thank you all so much for coming in. Because 
some of you have come a long way, I want to give you the last 
word. Is there anybody that has something else they want to add 
in? We do questions but we do answers as well so anybody who 
wants to make a comment.
    [Whereupon, at 4:15 p.m. the Subcommittee was adjourned.]
