[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]



 
        THE STATE OF SMALL BUSINESS SECURITY IN A CYBER ECONOMY
=======================================================================

                                HEARING

                               before the

            SUBCOMMITTEE ON REGULATORY REFORM AND OVERSIGHT

                                 of the

                      COMMITTEE ON SMALL BUSINESS
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION

                               __________

                     WASHINGTON, DC, MARCH 16, 2006

                               __________

                           Serial No. 109-44

                               __________

         Printed for the use of the Committee on Small Business


 Available via the World Wide Web: http://www.access.gpo.gov/congress/
                                 house


                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
27-809                      WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001


                      COMMITTEE ON SMALL BUSINESS

                 DONALD A. MANZULLO, Illinois, Chairman

ROSCOE BARTLETT, Maryland, Vice      NYDIA VELAZQUEZ, New York
Chairman                             JUANITA MILLENDER-McDONALD,
SUE KELLY, New York                    California
STEVE CHABOT, Ohio                   TOM UDALL, New Mexico
SAM GRAVES, Missouri                 DANIEL LIPINSKI, Illinois
TODD AKIN, Missouri                  ENI FALEOMAVAEGA, American Samoa
BILL SHUSTER, Pennsylvania           DONNA CHRISTENSEN, Virgin Islands
MARILYN MUSGRAVE, Colorado           DANNY DAVIS, Illinois
JEB BRADLEY, New Hampshire           ED CASE, Hawaii
STEVE KING, Iowa                     MADELEINE BORDALLO, Guam
THADDEUS McCOTTER, Michigan          RAUL GRIJALVA, Arizona
RIC KELLER, Florida                  MICHAEL MICHAUD, Maine
TED POE, Texas                       LINDA SANCHEZ, California
MICHAEL SODREL, Indiana              JOHN BARROW, Georgia
JEFF FORTENBERRY, Nebraska           MELISSA BEAN, Illinois
MICHAEL FITZPATRICK, Pennsylvania    GWEN MOORE, Wisconsin
LYNN WESTMORELAND, Georgia
LOUIE GOHMERT, Texas

                  J. Matthew Szymanski, Chief of Staff

          Phil Eskeland, Deputy Chief of Staff/Policy Director

                  Michael Day, Minority Staff Director

            SUBCOMMITTEE ON REGULATORY REFORM AND OVERSIGHT

W. TODD AKIN, Missouri Chairman      MADELEINE BORDALLO, Guam
MICHAEL SODREL, Indiana              ENI F. H. FALEOMAVAEGA, American 
LYNN WESTMORELAND, Georgia           Samoa
LOUIE GOHMERT, Texas                 DONNA CHRISTENSEN, Virgin Islands
SUE KELLY, New York                  ED CASE, Hawaii
STEVE KING, Iowa                     LINDA SANCHEZ, California
TED POE, Texas                       GWEN MOORE, Wisconsin

               Christopher Szymanski, Professional Staff

                                  (ii)


                            C O N T E N T S

                              ----------                              

                               Witnesses

                                                                   Page
Furlani, Ms. Cita M., Acting Director, Information Technology 
  Laboratory, National Institute of Standards and Technology.....     3
Parnes, Ms. Lydia, Director of Bureau of Consumer Protection, 
  Federal Trade Commission.......................................     5
Johnson, Mr. Larry D., Special Agent in Charge, Criminal 
  Investigative Division, U.S. Secret Service....................     7
Martinez, Mr. Steven M., Deputy Assistant Director Cyber 
  Division, Federal Bureau of Investigations.....................     9
Schwartz, Mr. Ari, Deputy Director, Center for Democracy and 
  Technology.....................................................    17
Salem, Mr. Enrique, Senior Vice President, Security Products & 
  Solutions, Symantec Corporation................................    18
Kaliski, Dr. Burton S., Jr., Vice President of Research, RSA 
  Security, Chief Scientist, RSA Laboratories....................    20
Cochetti, Mr. Roger, Group Director--U.S. Public Policy, 
  Computing Technology Industry Association......................    22
Schmidt, Mr. Howard, President & CEO, R & H Security Consulting, 
  LLC............................................................    24

                                Appendix

Opening statements:
    Akin, Hon. W. Todd...........................................    34
Prepared statements:
    Furlani, Ms. Cita M., Acting Director, Information Technology 
      Laboratory, National Institute of Standards and Technology.    35
    Parnes, Ms. Lydia, Director of Bureau of Consumer Protection, 
      Federal Trade Commission...................................    42
    Johnson, Mr. Larry D., Special Agent in Charge, Criminal 
      Investigative Division, U.S. Secret Service................    59
    Martinez, Mr. Steven M., Deputy Assistant Director Cyber 
      Division, Federal Bureau of Investigations.................    64
    Schwartz, Mr. Ari, Deputy Director, Center for Democracy and 
      Technology.................................................    68
    Salem, Mr. Enrique, Senior Vice President, Security Products 
      & Solutions, Symantec Corporation..........................    75
    Kaliski, Dr. Burton S., Jr., Vice President of Research, RSA 
      Security, Chief Scientist, RSA Laboratories................    80
    Cochetti, Mr. Roger, Group Director--U.S. Public Policy, 
      Computing Technology Industry Association..................    92
    Schmidt, Mr. Howard, President & CEO, R & H Security 
      Consulting, LLC............................................   103
Additional Material:
    National Small Business Association 2006 Malware Survey......   116

                                 (iii)
      



        THE STATE OF SMALL BUSINESS SECURITY IN A CYBER ECONOMY

                              ----------                              


                        THURSDAY, MARCH 16, 2006

                   House of Representatives
    Subcommittee on Regulatory Reform and Oversight
                                Committee on Small Business
                                                     Washington, DC
    The Subcommittee met, pursuant to call, at 2:00 p.m. in 
Room 2360 Rayburn House Office Building, Hon. W. Todd Akin 
[Chairman of the Subcommittee] presiding.
    Present: Representatives Akin, Kelly, Bordallo.
    Chairman Akin. The hearing will come to order. Good 
afternoon and welcome everybody to today's hearing, ``The State 
of Small Business Security in a Cyber Economy.'' I want to 
especially thank those witnesses who have traveled long 
distances to participate at this important hearing.
    Today this Subcommittee seeks to better understand the 
impact small business cyber security has on the well-being of 
the economy. This Subcommittee also seeks to determine the 
types of threats that small businesses encounter on a daily 
basis. According to the Small Business Technology Institute 
Report released in July 2005:
    ``If small businesses are not made fully aware of the 
economic impact of information security incidents, they will 
continue to under-invest in information security protection, 
and their exposure will continue to increase as their 
infrastructures become more complex. This increasing individual 
exposure, when aggregated across the many millions of small 
businesses in the U.S., supporting more than half of the 
Nation's GDP, represents an extremely high and worsening point 
of exposure for the U.S. economy as a whole.''
    Businesses do not have to sell their products online to be 
at risk of a security breech. They are exposed simply by being 
connected to the internet. The Government and large firms have 
dedicated information technology professionals who protect 
their electronic infrastructure.
    Small businesses seldom have either dedicated IT 
professionals or the resources necessary to provide adequate 
levels of protection. I look forward to hearing the testimony 
of your witnesses to learn more of what we can do to protect 
small business from cyber security threats. I now yield to the 
gentlelady from Guam, Madame Bordallo.
    [Chairman Akin's opening statement may be found in the 
appendix.]
    Ms. Bordallo. Thank you very much, Mr. Chairman Before I 
begin my opening remarks, I would like to recognize a very 
young witness in our audience today and that is Mr. Andrew 
Cochetti. He is here on an assignment with his social studies 
class. Welcome, Andrew. He is the son of Roger.
    Internet and telecommunication technologies have a profound 
impact on our daily lives. They have changed how we communicate 
with friends and family and how we interact with our 
Government.
    America's 23 million small businesses are some of the 
savviest users of telecommunication technology using the 
internet to access new markets to grow and to diversify. In 
fact, American small businesses have a strong record of being 
the driving forces behind further technological innovation and 
the development of innovative business models that we now take 
for granted.
    Along with being connected comes being exposed to new 
threats. The risks associated with turning more of our lives 
and business into digital i's and o's and burst of light over 
fiber optic cables are significant and require vigilant 
management. A single individual can design computer viruses 
that can be spread across continents in milliseconds.
    Identity theft compromises credit records, businesses and, 
sadly, lives. Destructive computer viruses and other malicious 
Internet activities pose severe problems for small business 
owners that are not prepared to mitigate this kind of a risk. 
This exposure can even result in thousands of hard-earned 
revenues being lost.
    An FBI-conducted survey of computer related crimes 
including viruses, spyware, and theft revealed that a total of 
nearly $70 billion in 2005 alone was lost with companies 
incurring an average of $24,000 in losses. Losses like this are 
make or break for some businesses, and sadly some small 
companies and computer users fail to recognize the benefit of 
cyber risk mitigation as an investment until it is too late.
    The Federal Trade Commission, the FBI, the Secret Service, 
and the National Institute of Standards and Technology have all 
embarked on efforts to offer federal programs designed to 
educate the public on computer security. In fact, federal cyber 
security spending has increased from $5.6 billion in 2004 to 
more than $6 billion in 2007 and is expected to hit $7 billion 
by 2009.
    I am concerned that despite the rise in cyber attacks over 
the past few years and the growing impact they have had on 
small businesses in America, the Small Business Administration, 
the sole agency charged with aiding America's entrepreneurs, 
does not have updated internet security information readily 
accessible on its website.
    Like all of us, small firms are exposed to cyber attacks 
and vulnerable to their malicious affects. Today's hearing will 
give us an opportunity to review whether the increases in 
federal investment, both human and financial resources, have 
had or can have an impact on small firm's ability to mitigate 
their cyber risk.
    The testimony that we hear today I hope will both help us 
to better understand what role the Congress and the Federal 
Government can play in educating the American public and the 
business community to the risks that they face from cyber 
crimes and what recommendations Congress can act on to protect 
Americans and their businesses from this growing threat. I 
thank you, Mr. Chairman.
    Chairman Akin. Thank you for the opening statement. Also, I 
would like to recognize another one of our colleagues, Sue 
Kelly, who also comes from a very businesslike area, New York. 
If you would like to make an opening statement. I understand 
you have a vote pending in another committee and may join us 
later. You are welcome to proceed.
    Ms. Kelly I thank you very much. I represent the New York 
Hudson Valley and I have been meeting recently with a number of 
small businesses in the Hudson Valley and this issue of cyber 
security and cyber economy is very high on their list. I must 
add that we create the IBM computers in the Hudson Valley in 
the district I represent. We also have the research labs for 
not only Phillips Electronics but IBM. This is a highly 
sophisticated group of people in the Hudson Valley and yet my 
small businesses in that area are worried even though they have 
access to highly sophisticated people who are actually building 
some of the systems so it is extremely important that you are 
here today. This is an issue of extreme importance for our 
small businesses in this nation and I look forward to your 
testimony. I do have a vote in another committee. I will have 
to go but I intend to come back to keep listening to what you 
have to say. Thank you very much.
    Chairman Akin. Thank you. We have got a little bit of a 
challenge for the Chairman today. Aside from running a little 
late from too many meetings, I usually like to keep things 
running on time but we have got a double panel so this is a 
double header today. Those of you who need your cups of coffee 
need to be forewarned.
    Our first panel, as you can see, there are four people that 
have joined us here. It is really a Government panel and the 
first witness is Cita Furlani. Did I get that pretty close, 
Cita? You are the Acting Director of Information Technology 
Laboratory from the National Institute of Standards and 
Technology from Gaithersburg, Maryland. Is that correct?
    Ms. Furlani. Correct.
    Chairman Akin. We have the right person. What we are going 
to do is take five-minute statements. I would prefer to take a 
five-minute statement from each of you and then open up with 
some questions afterwards if that is okay. I think probably 
some of you are pros in here. You know the little light in red 
means that somebody is going to throw the hammer at you. Keep 
it within five if we could, please.
    You can submit written statements for the record if you 
would like. I think most of us would prefer to hear you talk to 
us about what you think are the most important things you can 
communicate in five minutes. Thank you very much. Proceed, 
Cita.

STATEMENT OF CITA FURLANI, NATIONAL INSTITUTE OF STANDARDS AND 
                           TECHNOLOGY

    Ms. Furlani. Thank you. I appreciate this opportunity to be 
here today. We recognize that small businesses play an 
important role in the U.S. economy. Since use of the Internet 
is critical in the delivery of goods and services for all 
businesses, the importance of addressing risks associated with 
doing business in a cyber environment cannot be overstated. 
Today I will focus my testimony on NIST's cyber security 
programs, the National Institute of Standards and Technology, 
and our programs and activities that can assist small 
businesses.
    NIST has long worked effectively with industry and federal 
agencies to help protect the confidentiality, integrity, and 
availability of information systems. Ensuring that business-
related information is secure is essential to the functioning 
of our economy and indeed to our democracy. Our broader work in 
the areas of information security, trusted networks, and 
software quality is applicable to a wide variety of users, from 
small and medium enterprises to large private and public 
organizations including agencies of the federal government.
    Since small businesses are nearly 99 percent of all U.S. 
businesses, a vulnerability common to a large percentage of 
these organizations could indeed pose a significant threat to 
the Nation's economy and overall security. In the 
interconnected environment in which we all operate, it is vital 
that this important sector of our economy be aware of the risks 
and take appropriate steps to ensure their systems are secure.
    Under the Federal Information Security Management Act 
(FISMA), NIST was assigned the responsibility to develop IT 
standards and guidelines to secure federal systems. While 
targeted primarily toward federal agencies, these security 
standards and guidelines are also used widely by other 
organizations including small businesses.
    These documents are available on our web-based Computer 
Security Resource Center. I brought two or three of them today 
to show that they really do exist but they can be downloaded. 
The website provides a wide range of security materials and 
information and has over 20 million hits annually.
    In 2002 NIST partnered with the Small Business 
Administration and the Federal Bureau of Investigation's 
InfraGard program to sponsor computer security workshops and 
provide online support for small businesses. We have developed 
a small business outreach site where small businesses may find 
information on local workshops.
    NIST also is raising the awareness of the importance of 
cyber security among small manufacturers. The NIST Hollings 
Manufacturing Extension Partnership was created to improve the 
competitiveness of America's smaller manufacturers and now 
provides the eScan Security Assessment. This diagnostic tool 
was designed specifically for small businesses to determine how 
well their IT systems are protected against failure or 
intrusion.
    NIST with support from the Department of Homeland Security 
recently developed the National Vulnerability Database that 
integrates all publicly available U.S. Government computer 
vulnerability resources and provides references to industry 
resources. It contains information on almost 16,000 
vulnerabilities and is also available on our website.
    Small business, indeed all organizations, rely on the 
software used on their information system. We continue to work 
with industry to improve the security and reliability of 
software. For example, we develop standards and test suites for 
interoperable, robust, quality web applications and products. 
We conduct research to improve the quality of software 
including software trustworthiness.
    NIST works with industry and other Government agencies in 
research to improve the interoperability, scalability, and 
performance of new Internet security systems, to expedite the 
development of Internet infrastructure protection technologies, 
and to protect the core infrastructure of the Internet.
    Meeting the challenge of securing our nation's IT 
infrastructure demands a greater emphasis on the development of 
security-related metrics, models, datasets, and testbeds so 
that new products and best practices can be evaluated. The 
President's FY '07 proposed budget will support NIST's 
collaborations with industry and academia to develop the 
necessary metrics and measurement techniques to provide an 
assessment of overall system vulnerability.
    In summary, Mr. Chairman, the IT security challenge facing 
small businesses is indeed great. Systems managed by small 
businesses are part of a large, interconnected community enable 
by extensive networks and increased computing power. Certainly, 
there is great potential for malicious activity against non-
secured or poorly secured systems or for accidental 
unauthorized disclosure of sensitive information or breach of 
privacy.
    We believe the programs and activities described today in 
this testimony demonstrate our commitment to a more effective 
national cyber security environment as we assist small 
enterprises and protecting their assets.
    Detailed information can be found in my written testimony 
which I hope you will add to the meeting minutes.
    Chairman Akin. Without objection.
    Ms. Furlani. Thank you, Mr. Chairman, for the opportunity 
to present NIST's views regarding security challenges facing 
small businesses. I will be pleased to answer any questions.
    [Ms. Furlani's testimony may be found in the appendix.]
    Chairman Akin. Thank you, Cita.
    Next is Lydia Parnes. Did I get the last name right?
    Ms. Parnes. It is Parnes.
    Chairman Akin. Parnes. Excuse me. Parnes. Director of the 
Bureau of Consumer Protection, Federal Trade Commission, 
Washington, D.C. You didn't have to travel too far.
    Ms. Parnes. No, I didn't. Just down the block.
    Chairman Akin. Thank you, Lydia. Same thing, five minutes, 
please.
    Ms. Parnes. Thank you.

      STATEMENT OF LYDIA PARNES, FEDERAL TRADE COMMISSION

    Ms. Parnes. Mr. Chairman and members of the Subcommittee, I 
appreciate the opportunity to appear before you today to 
discuss the challenges consumers and small businesses face in 
protecting their computer systems, as well as the Commission's 
efforts to promote a culture of security among all Internet 
users.
    The views in my written testimony are those of the 
Commission. My oral remarks and responses to questions 
represent my own views and not necessarily those of the 
Commission or any individual Commissioner.
    For more than a decade protecting the privacy of American 
consumers as been a top FTC priority. The explosive growth of 
the Internet and the development of sophisticated computer 
systems have made it easier than ever for companies to gather 
and use information about their customers.
    Small businesses once limited to consumers walking into 
their stores on main street now reach consumers across the 
globe and complete transactions entirely online. These 
information systems provide enormous benefits. At the same time 
they can have serious vulnerabilities that threaten the 
security of information stored in them.
    Securing these systems against an ever changing array of 
threats is challenging, particularly for small businesses. For 
several years the FTC has engaged in a broad outreach campaign 
to educate businesses and consumers about information security 
and the precautions they can take to protect or minimize risks 
to personal information.
    Last September the FTC unveiled a cyber security campaign 
called OnGuard Online. Our campaign is built around seven 
online safety tips presented in modules with information on 
specific topics such as phishing, spyware, and spam. Each 
module includes articles, videos, and engaging interactive 
quizzes in English and in Spanish. Numerous firms including 
many small businesses are now using OnGuard Online materials in 
their own security training programs.
    The FTC created OnGuard Online with consumers in mind but 
it is a valuable tool for small businesses as well. In many 
ways computer users and small firms are like home users. They 
employ similar applications to participate in e-commerce, send 
e-mail, build spreadsheets, and create presentations. And, as 
in the typical household, often there is no information 
technology professional on site.
    Unlike most consumer users, however, small businesses may 
maintain records on hundreds, if not thousands of consumers 
making their computers especially attractive to information 
thieves. If consumers are to have confidence in our information 
economy, it is essential that these records be adequately 
protected.
    The Commission recognizes that the key to developing an 
effective cyber security program is flexibility. The Commission 
Safeguards Rule, for example, requires covered financial 
institutions to develop written information security plans. The 
rule gives each company the flexibility to develop a plan that 
takes into account its size and complexity, the nature and 
scope of its activities, and the sensitivity of the consumer 
information it handles.
    The Commission follows a similar flexible approach to its 
enforcement actions under Section 5 of the FTC Act. To date we 
have brought 12 data security cases enforcing the FTC Act and 
the Safeguards Rule.
    The Commission also recently issued the Disposal Rule which 
requires all users of credit reports to dispose of them 
properly and not, for example, by leaving them lying in a 
dumpster available to identity thieves. Like the Safeguards 
Rule the Disposal Rule contains a flexible standard, reasonable 
measures to protect against unauthorized access to the 
information being disposed of.
    Safeguarding customer information is not just the law. It 
also makes good business sense. When small businesses show that 
they care about the security of customer's personal 
information, they increase their customer's confidence in the 
company in order to help businesses of all sizes comply with 
both the Safeguards and Disposal Rules the FTC has issued 
business education materials which are available on our 
website.
    Providing adequate security for consumer information 
presents challenges for everyone in the global information 
based economy. The Commission recognizes that this can be 
particularly challenging for small businesses. The Commission 
is committed to continuing its work promoting security 
awareness and sound information practices through education, 
enforcement, and international cooperation.
    I appreciate the opportunity to testify today and look 
forward to the Committee's questions. Thank you.
    Chairman Akin. Thank you, Lydia. Right on time. Next 
witness is Larry Johnson, Special Agent in Charge of Criminal 
Investigative Division, United States Secret Service, 
Washington, D.C. Larry, thank you.
    [Ms. Parnes' testimony may be found in the appendix.]

        STATEMENT OF LARRY JOHNSON, U.S. SECRET SERVICE

    Mr. Johnson. Good afternoon, Mr. Chairman The Secret 
Service was established in 1865 to protect our fledgling 
financial infrastructure through the investigation of 
counterfeiting and counterfeit currency. The Secret Service has 
adapted its investigated methodologies to accommodate the 
increasingly sophisticated systems we protect.
    With the passage of federal laws in 1984, the Secret 
Service was provided the statutory authority to investigate a 
wide range of financial crimes to include false identification, 
18 U.S.C. 1028, access device fraud, 18 U.S.C. 1029, and 
computer fraud, 1030.
    These three statutes encompass the core violations that 
constitute the technology-based identity crimes that affect 
small businesses every day. Over the last two decades the 
Secret Service has conducted more than 733,000 financial fraud 
and identity theft investigations involving these statutes 
mostly involving small businesses.
    Additionally, the Secret Service and the Computer Emergency 
Response Team, CERT, located in Carnegie Mellon University, 
collaborated on a project called the Insider Threat Study which 
was a behavioral and technical analysis of computer intrusions 
by organization insiders in various critical infrastructure 
sectors.
    The Insider Threat Study provided insight to both the 
activities of the insiders and the vulnerabilities which they 
exploited. The results of this study are available on the 
Secret Service public website.
    In 1995 in response to the ever-increasing tide of 
electronic crimes, the Secret Service developed a highly 
effective formula for combating high-tech crime. It was the 
Electronic Crime Task Forces, ECTF. They are an information-
sharing conduit where state, local, and federal law 
enforcement, private industry, and financial sector, academia 
work together in a collaborative crime-fighting environment. 
Participation includes every major federal, state, and local 
law enforcement agency in the region.
    In 2001 the USA PATRIOT Act authorized the Secret Service 
to ``develop a nationwide network of electronic crime task 
forces based on the New York Electronic Crimes Task Force model 
throughout the United States for the purpose of preventing, 
detecting, and investigating various forms of electronic 
crimes, including potential terrorist attacks against critical 
infrastructure and financial payment systems.''
    The Secret Service has since launched 15 ECTFs based upon 
the New York model. We also have nine electronic crimes task 
force working groups and 24 financial crime task forces. In 
2005 the Secret Service also established the Criminal 
Intelligence Section. This Criminal Intelligence Section 
provided coordination and oversight to every significant cyber 
case with international ties in 2003 and 4.
    During this case Secret Service agents uncovered 
significant vulnerabilities within the computer systems of a 
number of Fortune 500 companies and their smaller company 
counterparts without alarming the public quietly notifying each 
of these companies of their findings, thus preventing an 
estimated $53 million in losses.
    Estimated exposure to the U.S. financial institutions based 
on this case were nearly $1 billion. The success of this 
undercover operation led to the establishment of numerous other 
online undercover operations which are currently ongoing today. 
The Secret Service is convinced that building trusted 
partnerships with the private sector, and specifically small 
business in an effort to educate the public on how they can 
reduce the threats of data breaches and improve their system 
security is the model for combating electronic crimes in the 
information age.
    Though a large percentage of the private sector breaches to 
which the Secret Service provides investigative assistance and 
support are large data brokers, corporations or financial 
institutions, we do not differentiate based upon the size of 
the victim or the amount of potential loss. We are equally 
concerned with compromises being experienced by small companies 
or independent service organizations or ISOs, and will respond 
with the appropriately trained personnel when notified of a 
suspected compromise. This is why we believe so strongly in a 
proactive educational platform as a preventative measure. 
Bottom line, if you are victimized, we will respond.
    Through the use of company best practices you can reduce 
the risk of Internet crime. Some actions we recommend to small 
and large businesses alike include establishing internal 
policies and communicate them to your customers, provide a 
method for customers to confirm the authenticity of their e-
mails, employ stronger authentication methods at websites using 
information other than Social Security numbers. If Social 
Security numbers aren't solicited on websites, this information 
will not be at risk. Also, monitor the Internet for phishing 
websites that spoof your company's legitimate sites.
    Chairman Akin. Larry, I need to stop you. You are way over 
here and we have got votes going on right now so I am going to 
try and quickly slip you in, Steve, if we could. Then I think I 
am going to let Ms. Bordallo ask some questions. I am going to 
be gone close to half an hour voting and we will resume 
following that.
    [Mr. Johnson's testimony may be found in the appendix.]

 STATEMENT OF STEVEN MARTINEZ, FEDERAL BUREAU OF INVESTIGATION

    Mr. Martinez. Thank you. Good afternoon, Chairman Akin, 
Ranking Member Bordallo, and members of the Committee. I want 
to thank you for this opportunity to testify before you today 
about Small Business Cyber-Security Issues.
    As retail business moves to the world of e-commerce, cyber 
crime will follow. In 2000 e-commerce accounted for 1 percent 
of all retail sales. Today it accounts for 2.4 percent of all 
sales. this upward trend will undoubtedly continue. Adding to 
this the revenue generated by non-retail Internet businesses, 
such as media and entertainment, e-commerce will soon dominate 
all commercial activity worldwide. The FBI is committed to 
investigating threats at all levels against this major force in 
our economy.
    Small business forms a vital link in the overall security 
of the Internet. First, small business accounts for a 
significant portion of the retail business occurring on the 
Internet. Many online businesses and e-retailers are small 
businesses, many small businesses are customers of online 
businesses, and still other small businesses support the IT and 
Internet operations of large businesses and the government. 
Second, the integrity of Internet-connected small business 
systems has an impact on security of the Internet as a whole.
    The FBI has recognized that the best way to combat the 
growing threat of cyber crime is to form a partnership with 
businesses and industries that rely on the Internet for their 
success. By teaming up with the private sector the FBI is able 
to find out what issues affect business and what problems are 
causing the most harm. This has allowed us to focus our efforts 
on the major problems affecting the Internet.
    Further, through our outreach and information-sharing 
initiatives we are able to share our experiences with the 
business community so that they can better protect and defend 
themselves against new and evolving cyber threats. The 
education of small businesses about the scope and nature of 
cyber threats is an important first step in protecting those 
businesses.
    The FBI has two initiatives focused on building a 
partnership with business: The National Cyber-Forensics and 
Training Alliance (NCFTA) and InfraGard. The NCFTA is a first-
of-its-kind public-private alliance located in Pittsburgh, PA. 
At the NCFTA members of law enforcement work side-by-side with 
representatives from business on addressing the latest and most 
significant cyber threats. Through this collaboration the FBI 
has been able to identify and prosecute some of the most 
serious cyber criminals including those who distribute computer 
viruses, operate large networks of compromised computers (known 
as botnets), and perpetrate fraud schemes such as phishing 
scams. The NCFTA is strategically located near Carnegie Mellon 
University's Computer Emergency and Response Team/ Coordination 
Center (CERT/CC) and is also within driving distance of the 
FBI's Internet Crime Complaint Center (1C3).
    As an example on how we address cyber complaints, the NCFTA 
was recently contacted by a small bank in New Jersey. The bank 
was the victim of a phishing attack. In this type of attack the 
criminal creates a fake website that is identical to the real 
bank site and uses the fake site to steal credit card and other 
identity information from the bank's customers.
    With the victim bank to help them, the NCFTA traced the 
attack to its source and identified what measures they could 
take to mitigate the effects of this attack. With the help of 
the NCFTA, the bank was able to send ``cease and desist'' 
letters to the Internet service providers hosting the fake 
sites in order to have the sites shut down.
    InfraGard is an alliance between the FBI and the public 
whose mission is to prevent attacks, both physical and 
electronic, against critical infrastructure including, but not 
limited to banks, hospitals, telecommunications systems and the 
Internet. InfraGard has over 14,800 private sector members 
spread across 84 local chapters throughout the United States. 
These private sector partners represent the full spectrum of 
infrastructure experts in their local communities.
    FBI Agents assigned to each chapter bring meaningful news 
and information to the table such as threat alerts and 
warnings, vulnerabilities, investigative updates, overall 
threat assessments and case studies. The FBI's private sector 
partners, who own and operate some 85 percent of the nation's 
critical infrastructures, share expertise, strategies, and most 
importantly information and leads that help the FBI track down 
criminals and terrorists.
    The Internet Crime Complaint Center, IC3, is a joint 
initiative between the FBI and the National White Collar Crime 
Center (NW3C). Located in West Virginia, a short distance from 
the NCFTA facility in Pittsburgh, the IC3 serves as a clearing 
house for cyber crime incidents reported by both individuals 
and business.
    The 1C3 receives, on average, 25,000 reports of cyber crime 
incidents each month. By analyzing these complaints for 
commonalities and trends the 1C3 is able to develop cases that 
have a national impact. These cases are then referred to local, 
state, or federal law enforcement agencies for investigation. 
As with the NCFTA, the 1C3 also focuses on partnerships with 
business as the most efficient and effective way to combat 
cyber crime.
    In 2002 the 1C3 began an initiative online retailers combat 
fraud from re-shipping scams. The initiative known as Retailers 
and Law Enforcement Against Fraud (RELEAF) brought together 
teams of analysts at the 1C3 and e-commerce businesses to 
identify fraudulent online purchase which were being shipped by 
domestic re-shippers to destinations overseas.

    In one 30-day period, the RELEAF initiative resulted in 17 
arrests, 14 controlled deliveries, the recovery of $340,000 in 
stolen merchandise, and the recovery of over $115,000 in 
counterfeit cashier's checks.
    Chairman Akin. Steve, you are about out of time.
    Mr. Martinez. Okay. Thank you. I would be happy to answer 
any other questions about our initiatives.
    [Mr. Martinez's testimony may be found in the appendix.]
    Chairman Akin. Thank you. Because of the vote being called, 
I am going to have to scoot out. I would like to start by 
asking a question. I do have some staff here that can take a 
few notes. I guess the first thing that I am interested in, and 
all of you are immersed in this whole situation on a day-to-day 
basis, we just touch on it and run to lots of other things.
    I would like to know your assessment of how big a problem 
we have, first of all, and how do you measure that. Then the 
second thing is within the scope of where we have a problem, do 
those things tend to cluster in certain areas? Are there a 
couple of certain particular places such as identity theft or 
something where that is the majority of what we are concerned 
with. So I am interested in scoping the problem and getting a 
little bit of a sense as to what categories those things are 
in. If you could answer that.
    Then I am going to turn the chair over to Ms. Bordallo. I 
have got probably about half an hour of voting or so so I would 
expect you will adjourn and we will call a second panel at that 
time. Thank you very much.
    Ms. Bordallo. Thank you very much, Mr. Chairman Since I 
represent the territory of Guam we don't vote on the floor. 
That is one thing I wish we could but the territories do not 
have that privilege. We vote in committee but not on the floor.
    I think we will take the two questions that the Chairman 
presented and we will begin with Mr. Larry Johnson. What would 
your answer to those two concerns that he has.
    Mr. Johnson. What the Secret Service has seen a large 
percentage of the time is that attacks on businesses, whether 
small or large, are typically for financial gain. What we have 
also seen is identity theft being a component of not only 
assuming someone's identity through intrusions, social 
engineering and other methods. That is very prevalent of the 
major attack.
    However, a recent trend is that if you can bypass the 
identity theft and go right to an institution that stores 
financial data. We have seen that now more common than ever 
that if you can bypass the identity theft and steal credit card 
numbers and other financial data, account takeovers. We have 
seen alarming rate of account takeovers, specifically 
retirement accounts because that is where the largest amount of 
money people usually have.
    Ms. Bordallo. So you would consider that the biggest 
problem?
    Mr. Johnson. Yes.
    Ms. Bordallo. All right. Next would be Mr. Steven Martinez. 
Can you answer the question that the Chairman presented?
    Mr. Martinez. Sure. I think what we are seeing in the FBI 
is we are looking at cyber crime across the entire spectrum is 
a convergence of the hackers on the one side that we used to 
see as kind of stovepiped in doing their own thing for bragging 
rights and that type of thing, and the cyber frauders on the 
other.
    They are now meeting in the middle. They are now leveraging 
each other's knowledge and it is all for profit just like Mr. 
Johnson mentioned. That is really a change that we have seen 
over the last couple of years and it isbeing facilitated by 
automation in the way that these hacks are conducted.
    I mentioned botnets in my testimony. They give a standoff 
capability to cyber fraudsters and hackers where they can 
perpetrate frauds against Americans from anywhere in the world. 
It provides an additional challenge for us because we really 
have to have an international scope, international reach, in 
order to address these things.
    But, on the other hand, small businesses have a huge part 
to play in this. I briefed on a very successful case targeting 
a botnet that was brought to us by a relatively small business 
in the Los Angeles area. This case was expanded and we 
determined that it impacted on large ISPs across the nation but 
the nexus of this was an attack on a small business and they 
brought that information forward. Outreach is an important part 
of this because there are some disincentives to reporting that 
you have been attacked and have a problem. It might put you at 
a competitive disadvantage. We are working very, very hard on 
outreach in order to get the information in. As far as the 
scope goes, are best estimate is we probably only see maybe a 
quarter at best of the reporting that we would hope to get as 
far as the nature of the problem. There are a lot of reasons 
for that. Again, there are some financial disincentives for 
bringing that information forward. As businesses small and 
large get used to the fact that the FBI and law enforcement 
agencies know how to work these investigations without 
disrupting their operations, I think we can create more good 
will and get more of the reporting we need to address the 
problem better.
    Ms. Bordallo. Thank you. Thank you. Now Lydia Parnes. What 
do you feel is the biggest problem facing you?
    Ms. Parnes. Well, the Commission really looks at this issue 
from the perspective of information security across the Board. 
I think it would be difficult for us to kind of single out how 
big the problem is for small businesses but we know that 
information security is a major issue. The issue that we have a 
particular focus on is identity theft.
    The Commission is charged with maintaining an ID theft 
clearing house and so we get the consumer complaints and the 
inquiries from consumers who have been subjected to identity 
theft. I think ultimately that is the real concern about 
information security. We want to promote a culture of security 
and we want to do it because when security is lacking, identity 
theft can be the result with all of the resulting injury.
    Ms. Bordallo. Thank you. Cita Furlani.
    Ms. Furlani. Thank you. I think there are a few more 
aspects that should be considered. One I mentioned was just the 
sheer complexity of how you provide security. There are too 
many ways that things can be breached. The things that I think 
small businesses and any other business need to consider is 
that they are frequently partnering with others. They need to 
have some way of determining whether their partners are 
maintaining secure environments. They frequently outsource and 
are provided some kind of software or supporting structure by 
other businesses and how do they measure that whether they are 
meeting the same level of requirements that they have set 
inhouse.
    The whole aspect of an always on Internet, always able to 
be on and connected adds a complexity of understanding of how 
you provide the firewalls and the patches. Everything that has 
to be done is a difficult problem.
    Ms. Bordallo. Thank you very much. Now for my round of 
questions. I have one for Mr. Johnson first. I was particularly 
interested in a point you made near the end of your prepared 
testimony that Secret Service Electronic Crime Special Agent 
Program Officers are committed to taking preventative action to 
guard industry from crime in addition to their responsibilities 
to investigate following a crime. I would encourage the Secret 
Service to review ways in which its technical expertise can be 
shared with SBA client firms. What existing partnerships, Mr. 
Johnson, does the Secret Service have with SBA on cyber 
security?
    Mr. Johnson. With the Electronic Crime Special Agent 
Program, I'll just address that first. That is a training 
situation that the Secret Service has probably been involved in 
in the last couple years. We train our agents in three levels 
of cyber investigators. First, the No. 1 level is the forensic 
investigator that actually looks at the hard drives and 
determines the vulnerabilities based on the electronic 
evidence.
    The middle level of cyber investigator is the network 
intrusion expert who is very involved and has extensive 
training in network intrusions. Then that lowest level is the 
basic cyber investigator training program where we try to have 
all of our special agents go through this type of training. 
Obviously they cycle into other assignments but eventually in 
the next couple of years we hope to have all special agents in 
the Secret Service trained as cyber investigators.
    As far as the affiliations of small businesses and large 
businesses, we have numerous members to our Electronic Crimes 
Task Forces and they are located, like my testimony indicated, 
throughout the United States. That's where the sharing of the 
information is from one small company to another and they 
basically talk about what is the security concern of the day. 
What keeps their CEO up at night.
    These discussions a lot of times bring out a lot of 
information that they would not otherwise talk about what was 
previously not spoken about because I don't want to admit to 
you my vulnerabilities. Now we have gotten companies both large 
and small to talk about what their security problems are and we 
think that has been beneficial.
    Ms. Bordallo. So what you are telling me then about these 
programs, the various programs that you explained, you are 
partnering with the SBA? Is that what you're telling me or 
thinking about it?
    Mr. Johnson. Well, I probably have to get back to you on 
whether or not specifically we have a partnership or an MOU. I 
believe they are a members of one or more than one of our task 
force but I can let you know for sure.
    Ms. Bordallo. I think that is the basis of my question. I 
think it is important that we partnership.
    Mr. Johnson. Okay.
    Ms. Bordallo. All right. The next question I have is for 
Mr. Martinez. I am concerned, Mr. Martinez, that after 
reviewing the SBA website this morning I was unable to find any 
information on it regarding cyber crime and small business or 
information on how small businesses can contact law enforcement 
in the event of a suspected cyber crime.
    I wonder whether a small business owner or an entrepreneur 
knows that it should consider contacting the FBI regarding 
potential cyber crime. Has the FBI ever done any coordination 
with the SBA to educate small companies on cyber security 
issues? What kinds of outreach and training programs does your 
agency have for small business or would such a program need to 
be developed?
    Mr. Martinez. Well, the FBI does have a formal arrangement 
with the SBA through a memorandum of understanding to provide 
support leveraging our InfraGard program and the membership to 
assist with a series of very specifically targeted cyber 
security is good business. That is what these training sessions 
are called that target small businesses specifically across the 
country.
    In fact, recently there have been, or will be sessions in 
places from San Diego, California, Sioux Falls, Minneapolis, 
Casper, Wyoming, places where you might likely find smaller 
businesses. Again, this is an effort to leverage what we have 
built with InfraGard, provide both access to the membership 
because a lot of the best information is held in the private 
sector, but also to provide subject matter experts within the 
FBI, investigators, whatever the case may be, to participate in 
these training sessions if need be.
    Ms. Bordallo. I certainly think that both the FBI and the 
Secret Service these are partnerships and I think they should 
be included on the website, the SBA website. We don't find 
anything and I think this would be extremely helpful if you 
could work with them and see that this be included.
    I have a question for Ms. Furlani. What are the two most 
important lessons you teach small business owners on computer 
security?
    Ms. Furlani. Vigilance. How to determine whether they are--
we provide checklists and ways to understand the issue and what 
they need to do. Frequently they have the kinds of people that 
can understand what needs to be done but it is a matter of 
resources, how much time can be spent. We try to find simpler 
ways to describe what can be done and give them checklists that 
they can go down and determine whether all the various patches 
have been done and the intrusion detection zone and all these 
things that they need to do.
    Most important is mainly being aware and being vigilant. 
That is probably the most important because all the other 
things change as the threats change. It is more important to be 
aware of it and be understanding of what and access to where 
the resources are to understand how to deal with the changing 
environment.
    Ms. Bordallo. And, Lydia, I have a couple of questions for 
you. To what extent has the FDC attempted to involve the Small 
Business Administration in cyber security efforts that are 
targeted at small businesses?
    Ms. Parnes. We actually have a history of working with the 
SBA on frauds that are directed to small businesses and we have 
had a number of real successes. We have not kind of dealt with 
them specifically on cyber security but we would be delighted 
to have them participate in OnGuard Online which is our online 
cyber security information.
    The OnGuard Online is not marked as an FTC site 
particularly. You can get it through our site but we encourage 
others to use it and put it out there and we will definitely 
contact the SBA. They can take the site. They can link to it or 
just put it on their site as well. I think it would give small 
businesses very good information.
    Ms. Bordallo. But this, again, hasn't happened as yet.
    Ms. Parnes. No, it hasn't. I would add that we do have 
federal agencies who partner on OnGuard Online as well as 
private industry. It is up there and it is available to anybody 
who wants to use it and we will seek out the SBA.
    Ms. Bordallo. Another question. Under what circumstances 
should a small business owner report cyber attacks to FTC? What 
would be the extent of the problem before they contact you? 
What would the circumstances be?
    Ms. Parnes. Well, certainly the FTC is one place that a 
small business can contact about a cyber security attack. The 
information that we get goes into a database that is available 
and actually is downloaded onto the FBI database that Mr. 
Martinez talked to. The Secret Service has access to our 
database as well.
    A small business could easily contact the FTC. We would 
take all of the information. We would put it in our database 
and it would be available to law enforcers, both federal law 
enforcers and also law enforcers on the local and state level. 
The FTC does not have any criminal authority, however. So many 
of these attacks are criminal in nature.
    Ms. Bordallo. What would you say the frequency of inquiries 
are? Any of you could answer that.
    Mr. Martinez. On the IC3, the Internet Crime Complaint 
Center complaint intake runs about 25,000 complaints a month. 
That is individual consumer complaints. That doesn't include 
aggregated information that we get from private sector 
partners.
    Ms. Bordallo. That is a staggering number. Let me see here. 
I think that is pretty much all the questions. We are trying to 
extend this before we call up the second panel. Oh, yes. I have 
one for the FBI. What is the most common roadblock you 
encounter when tracking down cyber criminals?
    Mr. Martinez. I think the biggest challenge for us right 
now is the international nature of cyber crime because going 
across the world you have different relationships with 
different countries and different levels of cooperation so we 
put an awful lot of effort into developing and firming up those 
relationships in places where we haven't had a presence before.
    You know, former Soviet states, the Far East. We have a 
legal attache program where we have a presence in many, many 
foreign countries but we found that we actually have to put 
people on the ground to work with some of these countries that 
haven't developed their legal systems or their capabilities to 
address cyber crime so that has been a huge challenge. It is 
really a change in the way we do business because we used to 
focus mostly on domestic crime problems but it really is a 
completely international global crime problem now.
    Ms. Bordallo. Secret Service, how would they respond?
    Mr. Johnson. I would agree with Mr. Martinez. The only 
thing I would add is that there is a different scam every day. 
I become briefed on the latest and greatest and it is always 
something added to an existing scam on the Internet. It is a 
more sophisticated from phishing to pharming more sophisticated 
and that is just one example of trying to stay one step ahead 
or at least equal with the bad guys.
    Ms. Bordallo. Can you share with us what is the latest scam 
so we are ready for it?
    Mr. Johnson. I think I kind of mentioned the account 
takeovers are very prevalent. You kind of put me on the spot 
with the latest.
    Ms. Bordallo. You know we have to be up to date here.
    Mr. Johnson. I understand.
    Ms. Bordallo. Thank you very much. I think we spoke about 
that, the small businesses to protect against inside. You 
mentioned vigilance which is very importance.
     Ms. Furlani. And how best to apply their scare resources. 
Which vulnerability should they work on? Some kind of 
prioritization.
    Ms. Bordallo. Can small businesses employ adequate security 
measures with their limited resources? What would the cost of 
that be? You are talking very limited resources.
    Ms. Furlani. Again, if you know--if you have access to how 
to do it you can make choices as to what is the most important 
way to close the door and where you apply your resources. 
Obviously it is easier when you have a larger budget. You are 
using a smaller percentage of it but education and awareness 
and I think that is what you are focused on today is where the 
resources are that they can make use of.
    Ms. Bordallo. And who provides--who can provide that?
    Ms. Furlani. Our website has a lot of information and I 
think each of the other agencies do.
    Ms. Bordallo. But technical assistance?
    Ms. Furlani. Technical assistance is generally where they 
are going to be getting it from a vendor of some sort. There 
again, they need to have enough understanding of what they are 
hiring and what risk they are taking there with partners, 
vendors. Every time you add someone else there is another 
vulnerability risk.
    Ms. Bordallo. That is correct.
    Ms. Furlani. Being aware of that.
    Ms. Bordallo. We want to thank all of you for appearing 
before the Committee today and we appreciate all your testimony 
and certainly we take it into account. I would like to excuse 
you and bring on the second panel. Oh, we will recess for a 
short time until we bring up the second panel.
    [Whereupon, at 3:04 the Subcommittee adjourned until 3:24 
p.m.]
    Chairman Akin. The Committee will come to order. Sorry 
about breaking things up here. I think we are prepared to go 
with our second panel if I am not mistaken. Ari Schwartz. Is 
that correct?
    Mr. Schwartz. Ari, yes.
    Chairman Akin. Ari. Okay. Deputy Director of Center for 
Democracy and Technology, Washington, D.C. You have five 
minutes, please, Ari.
    Mr. Schwartz. Thank you.

 STATEMENT OF ARI SCHWARTZ, CENTER FOR DEMOCRACY AND TECHNOLOGY

    Mr. Schwartz. Thank you. Mr. Chairman, Madam Ranking 
Member, thank you for holding this hearing on cyber security 
and inviting the Center for Democracy and Technology to 
testify. CDT hopes that this marks the beginning of the 
Subcommittee's interest in the important issues of information 
security and its impact on small business and consumers.
    Much as been written and said about the Internet as a 
revolutionary platform for human interaction. Indeed, the 
Internet levels the playing field for individual speakers and 
small businesses. It is a cheap and effective way to reach 
around the world.
    There are many factors that make the Internet unique among 
communications tools but its strength has always been it is 
open, decentralized, and user-controlled nature. As such, the 
medium inherently has the potential that promotes democracy and 
entrepreneurial ideas. However, the Internet's strength is also 
one of its weaknesses.
    Just as networking and interconnectivity allows for 
unprecedented sharing of ideas, those factors also expose the 
medium to a growing number of threats such as viruses and spam 
and phishing spyware. Individually these attacks are dangerous 
enough but taken together they have begun to chip away at the 
trust Internet users have in the medium.
    A recent survey done by Consumer's Union has indicated that 
25 percent of consumers have stopped making purchases online 
and another 29 percent have cut back on their online shopping 
because of concerns about identity theft alone.
    To address these dangers we must ensure both that our 
proposed solutions get to the root of the problem and that 
those solutions don't inadvertently harm the essential nature 
of the medium. To reach these goals we must understand the 
motivation and character of the threats. Although popular 
portrayals of Internet criminals continue to focus on young 
hackers, vandalizing websites, or launching denial of service 
attacks to gain notoriety among their peers. Most of the real 
threats today are driven by financial gain, as we said, by the 
FBI and the Secret Service in the earlier panel.
    It is easy to get lulled into the belief that these are new 
threats because of the new terminology like phishing with a 
``ph'' or spyware, but in reality they are for the most part 
typical fraud cases that we have seen offline for years and 
years. In our research into consumer complaints EDTS found 
these attacks are generally driven by five types of financial 
motivation.
    (1) Identify theft to consumers and businesses.
    (2) Corporate espionage, that is, taking confidential 
information.
    (3) Advertising software that provides pop-ups financially 
motivated because companies are paying affiliates to install 
software onto users computers and often do so without consent.
    (4) Fraudulent marketing schemes like those that we become 
used to in our e-mail boxes every day. And,
    (5) Extortion where consumers or business data or an entire 
machine is held ransom in one way or another.
    We are also seeing more attacks that rely on multiple 
techniques also known as blended threats that are uniquely 
targeted to a specific type of user. The New York Times 
recently reported that large gangs of criminals in Brazil and 
Russia are using virus-like techniques to install password 
crackers that only work on certain banking websites. This 
demonstrates not only the new skill of the criminals but also 
the international nature of the threat.
    These attacks have magnified impact on small business 
because many small businesses suffer from those attacks of the 
consumers as well as those aimed at businesses. Also, while 
large enterprises can afford spare capacity in the form of 
additional computers and servers, many small businesses do not 
have that luxury.
     Because of the changing nature of the threats, it is 
important that security programs continue to improve. Computer 
security companies have become experts at finding problems and 
distributing information about whatever malicious programs 
caused the problem, but they are only just beginning to build 
and test programs that stop malicious software at the first 
signs of bad behavior even before the names of those programs 
are known.
    Finally, it is essential that we address the financial 
motivation of these threats as we have in offline fraud. This 
is not as easy as it sounds because the Internet models pass 
information to the hands of so many players and across borders 
as well. CDT is currently in the process of documenting how 
large and respected companies are unsuspectingly supporting 
unfair and deceptive practices of their partners. Yet, we must 
get beyond all these difficulties and find the sources of 
funding and cut it off or risk losing the potential of the 
Internet for future generations.
    Thank you again for having me here and I look forward to 
your questions.
    [Mr. Schwartz's testimony may be found in the appendix.]
    Chairman Akin. Thank you, Ari. Right on time there. Next we 
have Enrique Salem, Senior Vice President, Security Products & 
Solutions from Symantec Corporation from California. Thank you 
for coming the distance here, Enrique.

        STATEMENT OF ENRIQUE SALEM, SYMANTEC CORPORATION

    Mr. Salem. Thank you, Chairman Akin, and Ranking Member 
Bordallo for giving me the opportunity to testify at today's 
hearing on the state of small business security and cyber 
economy. I am hopeful that my remarks will provide the 
Committee with a comprehensive overall of the U.S. small 
business cyber threat landscape. I also hope to give you some 
thoughtful insights on the many security challenges small 
business owners face in today's growing digital economy. I look 
forward to responding to the Committee's questions following my 
remarks.
    I come before you today representing Symantec Corporation. 
We are the fourth largest software company in the world and we 
help our customers to protect their information and we provide 
them solutions around security and availability and integrity 
of their data.
    As the Senior Vice President for Consumer Products Business 
Unit I am responsible for both the consumer market and the 
small business segment. Prior to joining Symantec I was the CEO 
of Brightmail, Inc., a leading provider of anti-spam solutions 
so I am able to talk to you about some of the key challenges 
that small businesses face when they try to deal with spam. I 
also provided comments to Congress on the issues surrounding 
the CAN SPAM Act.
    Last week Symantec released its ninth Internet Security 
Threat Report which is widely acknowledged to be the most 
comprehensive analysis of information regarding security 
activity for today's economy. The report includes an analysis 
of network based attacks including those on small businesses 
with a review of known threats, vulnerabilities, and security 
risks. We have been providing this report on a semi-annual 
basis since 2002.
    The last two Internet security threat reports found that 
small businesses have consistently been in the top three most 
targeted groups for cyber attacks. Cyber criminals have found 
that small businesses are less likely to have a well-
established security infrastructure making them more vulnerable 
to attacks.
    Symantec has also sponsored the first comprehensive study 
of its kind analyzing the state of information security 
readiness in the U.S. small business market. The July 2005 
study conducted by the Small Business Technology Institute 
surveyed more than 1,000 businesses and found that information 
security is a high priority for small business owners. But it 
also showed a lack of appreciation of the true economic impact 
of information security incidents and a lack of knowledge 
around cyber threats.
    I would like to submit this report with the Chairman's 
permission.
    Chairman Akin. Without objection.
    Mr. Salem. Some key findings that we found in the report 
are as followed. While over 70 percent of small businesses 
consider information security a very high priority, they are 
not increasing their investment and protection. The study 
revealed that small businesses demonstrate an alarmingly 
complacent and passive attitude to information security.
    A majority of small businesses, 56 percent, have 
experienced at least one security incident in the past year and 
small businesses make overwhelmingly reactive purchase 
decisions when it comes to Internet security with 35 percent 
increasing spending on security products only after their 
business has been compromised or attacked resulting in a loss 
of data or corruption.
    It is difficult to quantify the impact of cyber crime but 
according to the FBI's 2005 Cyber Crime Survey costs today are 
around $67 billion to U.S. firms over the last year. 
Additionally, the FTC found that the identity thief cost 
businesses $48 billion and last year consumers $680 million in 
losses.
    But more damaging than the loss of money is the loss of 
trust and confidence by consumers in the Internet economy. With 
so much of the nation's small businesses depending upon the 
Internet, we can't risk losing the public's confidence in doing 
online transactions with small businesses as it is essential 
that they have the right resources to protect themselves.
    Symantec continues to play an instrumental role in 
protecting small businesses through the security solutions we 
offer and our education and awareness efforts.
    For example, Symantec is a major sponsor of the National 
Cyber Security Alliance, or the NCSA, a non-profit which 
educates small businesses and consumers how to stay safe 
online. The NCSA website, staysafeonline.org, is a useful 
resource for small businesses and partners with the Department 
of Homeland Security, FTC, Small Business Administration, NIST, 
and many others on several initiatives including the small 
business training workshops lead by NIST.
    In addition to its sponsorship of the NCSA, Symantec has 
created several tools, including educational books and CD-ROMs 
to address the unique needs of small businesses. We have copies 
of these materials available at today's hearing that Symantec 
has also developed in a wide-range of areas to help protect 
data that small businesses find critical to run their 
businesses.
    We must focus on increasing cyber security awareness, 
educating and enabling small businesses to properly assess 
their true level of risk and encouraging them to take the 
necessary and preventative and corrective measures.
    Symantec looks forward to continuing to work in partnership 
with the private sector and Congress to conduct research and 
create tools that lead the way in providing U.S. small 
businesses with the right resources they need and deserve to 
truly secure and prosper in today's high-tech global economy.
    Thank you again, Chairman Akin, and Ranking Member 
Bordallo, allowing me to testify today in front of the House 
Small Business Subcommittee on Regulatory Reform and Oversight.
    [Mr. Salem's testimony may be found in the appendix.]
    Chairman Akin. Thank you very much, Enrique. Appreciate 
your perspective.
    Next is Dr. Burton Kaliski. Is that right?
    Dr. Kaliski. Kaliski, sir.
    Chairman Akin. Kaliski. You are the Vice President of 
Research for RSA Security, Chief Scientist, RSA Laboratories 
from Bedford, Massachusetts.

STATEMENT OF DR. BURTON S. KALISKI, JR., RSA LABORATORIES, RSA 
                            SECURITY

    Dr. Kaliski. Chairman Akin and Ranking Member Bordallo, I 
am honored to be with you today. You might wonder what the 
three letters RSA stand for. They are the initials of three 
inventors of a very widely-used encryption algorithm developed 
in 1977 at MIT with federal research funding.
    We have a conference held annually on the west coast which 
now attracts 14,000 attendees and at the most recent conference 
Robert Muller spoke and said that, ``While the Internet has 
become a growth engine for business, it has also become a 
global target for cyber criminals.'' He is exactly right and 
this is a dilemma for small businesses because, on the one 
hand, you want to go online to expand your business 
opportunity. On the other hand, when you go online you face 
tremendous threats and small businesses don't have the IT 
security departments to help them but there is hope.
    We need to look at what is an adequate level of security 
for a small business or any business. We believe that security 
ought to be commensurate with the value of the data as well as 
the resource being protected. Just as you don't shred every 
piece of paper, you don't need to encrypt every file but you 
need to be shredding and encrypting sensitive information. Just 
as you don't lock every door, you don't need to have strong 
access controls to every file but those that are sensitive need 
that appropriate level of protection.
    Now, traditionally the protection for access to information 
has been a password and it is recently that across many 
industries people have realized it is finally time to do 
something better. But what is there that is better than a 
password?
    Well, at the RSA conference this year Bill Gates was one of 
the speakers and he said, to paraphrase, that the era of 
passwords is over. Organizations are looking at many 
technologies for making it easier to use stronger security but 
we again have a dilemma. If you have strong security that is 
very strong but not easy to use, you really have no improvement 
at all. Great security is good to have if you can use it.
    There has been a substantial increase in the focus on 
usability and I would like to highlight several ways that is 
taking place. One is that vendors are finding ways to make 
security more usable across the industry as a whole. You may 
have different interfaces on every site you interact with, a 
different way of providing your password, a different way of 
answering questions about your account.
    You may have ways that you can reset your password in one 
case and in another case it is different but industry is 
working to standardize and harmonize these approaches so that 
users have a consistent experience. Users also have many 
opportunities to increase their security with the devices that 
they already have.
    We are all carrying mobile phones. Couldn't that be used 
someway to enhance our security experience if we could just 
connect that with the places at which we do business. That 
would certainly simplify the situation for a small business 
rather than having to find some unique solution to put security 
in the user's hands. And vendors including my company are 
looking at many ways like this.
    Now, the third point, though, is that you basically need it 
to be a crypto-engineer, and I wish I could tell you more about 
that career because it is fascinating. You needed to be a 
crypto-engineer to put security in your products. Up until 
recently you had to know details of every algorithm and acronym 
and so forth. Well, that is changing. Vendors are finding ways 
so that you can put encryption in and other features of 
security just based on policy. You say, ``Here is the kind of 
data I have. Please encrypt it,'' and it is done and it is 
managed well.
    Security appliances are another example. You don't need an 
IT security department to enhance your security. You can plug 
in a device that is ready to go into your network and it 
enhances your security. Finally, IT vendors are working on 
improvements to the user interface because, after all, that is 
the last and the weakest link. How does the user know that he 
or she is more secure? Well, there are improvements on web 
interfaces that help you to see when you are secure and when 
you are not.
    In all of this the public and private partnership is 
essential. As my colleague mentioned, the National Cyber 
Security Alliance is an important player. RSA Security has also 
been invested in that organization. We encourage others to take 
part in it.
    We are also interested in the area of breach notification 
legislation. I understand that the House and the Senate are 
both working in that area. We consider it important as an 
incentive and reward to businesses that apply best practices, 
that those best practices are recognized in terms of a safe 
harbor provision.
    To conclude, just because you are a small business doesn't 
mean the criminals aren't out to get you as well. You have 
valuable resources. Just because you are a small business 
doesn't mean you can't do anything about it. There are tools, 
the built-in security into many products, the tools for 
encrypting data more easily.
    You know, RSA Security used to be a small business and at 
RSA Laboratories we maintain that entrepreneurial perspective. 
We look forward to working with this Committee on Small 
Businesses for a safety and more secure economy.
    [Dr. Kaliski's testimony may be found in the appendix.]
    Chairman Akin. Thank you. Very well done. Thank you very 
much.
    Our next guest is Roger Cochetti?
    Mr. Cochetti. Cochetti.
    Chairman Akin. Cochetti. Your son Andrew is supervising 
this operation as well I understand.
    Mr. Cochetti. Thank you very much.
    Chairman Akin. You the Group Director of U.S. Public 
Policy, Computing Technology Industry Association from 
Arlington.
    Mr. Cochetti. Yes, sir.
    Chairman Akin. Thank you, Roger.

  STATEMENT OF ROGER COCHETTI, U.S. PUBLIC POLICY, COMPUTING 
                TECHNOLOGY INDUSTRY ASSOCIATION

    Mr. Cochetti. Thank you, Mr. Chairman Thank you Ranking 
Member Bordallo. Thank you both for your warm welcome for my 
13-year-old son Andrew for whom the subject of cyber security I 
can assure you is not a theoretical issue.
    My name is Roger Cochetti and I am Group Director of U.S. 
Public Policy for the Computing Technology Industry Association 
(CompTIA). I am here today on behalf of our 20,000 member 
companies.
    Mr. Chairman, I want to thank you and the members of your 
Subcommittee for holding this important hearing on the State of 
Small Business Security in the Cyber Economy. We believe that 
your efforts to focus public attention on cyber security and 
small business will help American small business avoid cyber 
threats.
    Before I continue, Mr. Chairman, I would like to ask that 
my written statement be submitted for the record.
    Chairman Akin. Without objection.
    Mr. Cochetti. Mr. Chairman, the Computing Technology 
Industry Association is the nation's oldest and largest trade 
association representing the information technology or IT 
industry. For 24 years CompTIA has provided research, 
networking, and partnering opportunities to its 20,000 mostly 
American member companies.
    While we represent nearly every major computer hardware 
manufacturer, software publisher, and systems integrator, 
nearly 75 percent of our membership is made up of the small 
American computer companies who themselves provide integrated 
computer systems to small businesses which I will explain more 
in a moment.
    As this Subcommittee knows, small business is the backbone 
of the American economy. Some 23 million small businesses 
generate over half of our GDP and employ most of the private 
sector workforce. Today nearly all American small businesses 
are dependent upon information technology and most are 
increasingly dependent upon the Internet. Failures in the IT 
infrastructure or in the Internet threaten the viability of 
American small business and their vulnerability to cyber 
threats is America's vulnerability.
    The IT needs of small businesses are mainly addressed by an 
important segment of the computer industry called Value-Added 
Resellers, or VARs. These small system integrators, which are 
the bulk of our members, set up and maintain computer systems 
and networks for small businesses. VARs create and maintain the 
computer systems in your dentist office, in your doctor's 
office, for your corner store, and for your local plumber.
    VARs are the front line in America's defense against cyber 
security threats. An estimated 32,000 VARs sell about one-third 
of all computer hardware sold in the United States today and 
most of that to small business. Because of our unique role 
representing America's VARs CompTIA has done a great deal to 
address the issue of cyber security for a small business, much 
of it in conjunction with governments.
    We recently launched a series of regional educational 
programs on cyber security expressly for VARs and through them 
the small businesses whom they serve. In 2002 we introduced 
these security plus professional certification for IT 
professionals. It validates an IT professional's abilities in 
the area of cyber security and to date over 23,000 IT pros, 
many working for small businesses, have taken and passed 
CompTIA's security plus exam.
    Over the past few years we have commissioned an annual 
survey of the state of IT security. Two-thirds of the 
participants in these surveys are small businesses and the 
results tell us a lot about the cyber threat to small business. 
Almost 40 percent experienced a major IT security breach within 
the last six months.
    Human error, either alone or in combination with a 
technical malfunction, caused four out of every five IT 
security breaches. More than half do not have written IT 
security policies. One half have no plans to implement security 
awareness training for their employees outside of the IT 
department, nor have they even considered it. About two-thirds 
have no plans to hire IT security personnel and just a quarter 
require IT security training and a 10th require professional 
certification.
    With our permission, Mr. Chairman, I would like to submit 
our most recent study for the record of this hearing. It talks 
a lot about what is happening in small business.
    Chairman Akin. Without objection.
    Mr. Cochetti. Based on our studies it is clear that more 
needs to be done to raise cyber security awareness, education 
training, and professional certification within the small 
business community. It is also clear to anyone who understands 
how small businesses operate in the United States that VARs 
must play the central role in any effort to reach out to small 
business in this area. What is most needed is a Government 
industry partnership that takes advantage of the unique access 
and perspective of thousands of VARs who IT enable small 
business in the U.S.
    Mr. Chairman, let me emphasize at this point that the most 
effective solutions to nearly all cyber security threats, to 
small business or any other IT users, do not rely on new 
federal or other regulations. The nature of the Internet in 
particular is a global network of networks that is dynamic and 
rapidly changing is such that Government regulations will have 
a limited impact.
    Much more effective in dealing with threats like cyber 
security are technology tools, industry best practices, and 
consumer and business education backed up by strong law 
enforcement. The key role that Government agencies can and 
should play, aside from arresting and prosecuting criminals, is 
to work with industry and consumers on education, technology 
tools, and best practices.
    We look forward to working with this Subcommittee and the 
relevant agencies in such a cooperative effort. Thank you, Mr. 
Chairman.
    [Mr. Cochetti's testimony may be found in the appendix.]
    Chairman Akin. Thank you, Roger. Appreciate your testimony.
    Our last witness is Howard Schmidt, President and CEO of R 
& H Security Consulting LLC, and former White House Cyber 
Security Adviser from the State of Washington.
    Howard.

  STATEMENT OF HOWARD SCHMIDT, R & H SECURITY CONSULTING, LLC.

    Mr. Schmidt. Thank you very much, Mr. Chairman and Ranking 
Member Bordallo. Thank you for the opportunity to appear before 
you this afternoon.
    My colleagues have done a very good job of sort of laying 
out the problems. I would like to spend my five minutes sort of 
talking about some of the things that we have seen which 
actually have helped improve it and some of the things that are 
either low cost or no cost that small and medium businesses can 
work with.
    First I would like to frame it in saying when I look at a 
small business we see in three categories their IT 
capabilities. First, we are basically aware that their IT 
system is also their home computer system, the mom and pop 
operation, so to speak.
    We have others where small and medium enterprises have 
dedicated computer systems, relatively small staff that 
basically work really hard to make the IT system run but no 
special expertise in security. Then the third category, the 
ones that actually outsource this to a service provider that 
basically provides them a turnkey operation.
    With these categories in mind, their success depends on 
four things, technology, awareness and training, information 
sharing and, of course, we heard from the earlier panel the law 
enforcement capabilities.
    From a technology perspective we have seen software 
developers invest heavily in tools and processes to reduce the 
number of vulnerabilities which then make us much safer in the 
software we are running today. There is also now automated 
tools available to identify vulnerabilities, effectively the 
unlocked door on a computer system that can be found 
automatically, once again, for a low price.
    The automatic updating of anti-virus applications, spyware, 
operating systems, things of this nature, once again, are being 
built into the computer systems we are running. We now see a 
new generation of toolbars for web browsers that turn red, 
green, or yellow depending on whether the site is trusted, 
unknown, or untrusted.
    We also see new technology that is very affordable for the 
consumer and the small and medium enterprise with the all-in-
one device where you have a hardware device that is your cable 
modem, firewall, wireless router, anti-spyware built in that is 
managed just like it would be for a large enterprise.
    As Burt talked about, two factor authentication, a concept 
like an ATM card, something you have, something you know. It is 
very important for us to help secure our systems today. Also 
the encryption technologies are much more affordable, easier to 
use than ever before, and more widely accepted.
    For the awareness and training, one of the issues I see 
with the small and medium businesses is the fact that they 
don't often times recognize they are and can be a target. 
Clearly recognizing that takes place is one of the key issues 
for awareness and training.
    The Treasury Department released a DVD called ``Identity 
Theft: Outsmarting the Crooks'' which includes, of course, 
information for SNBs, The FTC, USPS, USSS, my role as a 
reservist with Army CID as well as other private sector groups 
helped put this together. It is available free of charge on the 
Treasury website. I might note here, if I could, I have a 
number of URLs or weblinks in my written testimony. I would 
like to just point that out. I won't repeat these things.
    Of course, FTC with the Online OnGuard site, National Cyber 
Security Alliance, also for state and local governments working 
with the local Chamber of Commerce, the multi-state ISAC, 
Information Sharing Analysis Center, led by Will Pelgrin out of 
Governor Pataki's office, have put together state and 
territory-wide information sharing analysis.
    The US-CERT provides services free of charge. The National 
Cyber Security Partnership was also mentioned earlier. Also 
there is a special guide called, ``Common Sense Guide to Cyber 
Security'' for small and medium businesses given out by the US-
CERT ready.gov website, as well as the U.S. Chamber of 
Commerce.
    On the sharing earlier we mentioned the InfraGard and the 
Electronic Crimes Task Force working with the local folks that 
actually are doing the work on a day-to-day basis. We also see 
information and training also take place during those 
organizational meetings they have.
    The last piece I would like to cover briefly is the law 
enforcement efforts. Like any other effort, there is going to 
be bad actors out there. We can't escape that. With the 
technology, the awareness and information sharing we can help 
reduce the threats against the small and medium businesses but 
they still will see some out there.
    The very nature of the crimes make them difficult to 
investigate so we need to make sure we currently fund 
particularly small, local jurisdictions which don't have the 
resources to conduct these investigations without some 
assistance.
    The International White Collar Crime Center actually is an 
NIJ funded project designed to help state and local law 
enforcement investigators investigate all types of cyber 
crimes, particularly, once again, targeting the audience of the 
small and medium enterprises.
    Lastly, some quick recommendations in my last 30 seconds or 
so. We have seen since we have released the President's 
National Strategy to Secure Cyber Space that a lot of these 
efforts have taken place but we still see some areas. The idea 
of pulling the technology websites doesn't really cut it. We 
need to be able to provide this information. Maybe the Small 
Business Administration working with the U.S. Chamber and the 
local Chamber of Commerce to hold in-person type events to be 
very, very helpful.
    We also basically need to make sure that when the Small 
Business Administration works with the loaning process you have 
to submit a business plan and things of this nature. Also a 
cyber security plan would be very helpful
    With that I will wrap up my verbal comments. Once again, 
thank you for the opportunity and look forward to any questions 
that you may have. Thank you.
    [Mr. Schmidt's testimony may be found in the appendix.]
    Chairman Akin. Thank you very much, Howard. You have really 
led into my first question. As a hard to get along with crusty 
old conservative, I have a natural inclination to wonder 
whether the Government is going to do any good and maybe make 
the process worse. I guess one of the things that we are 
investigating here, the first set of questions which I really 
left to be asked when I was gone was, one, how big is the 
problem and where is the problem? Can we define what the 
problem is?
    Second of all, what we are looking at is is there someway 
we can be constructive and help and in certain places maybe we 
should get out of the way. I wanted to let anybody who wants a 
shot at that question to make recommendations because we are 
going to be taking notes. If there are some logical places for 
us to put some legislation together, we probably have a good 
chance of getting something done. Maybe there are some places 
we want to stay away from and just let industry work with it. 
Have at it, my friends.
    Mr. Schmidt. If I may on the issue of scoping, just my 
local law enforcement as well as my experience with the FBI we 
don't do a good job on capturing what is really computer crime 
or cyber crime, particularly as it relates to the smaller 
organizations. We have these broad categories which don't 
especially do it. Fraud whether using a computer or a 
typewriter is still a fraud and we don't differentiate that 
very well.
    As far as the regulation piece, once again, it is in the 
same category. I don't think regulation itself helps but what 
you do is make sure the resources are available to the Small 
Business Administration to do not pull technology but push 
technology to the constituents they work with.
    Chairman Akin. Your idea that if somebody wants an SBA loan 
or something, you say, ``Well, if you want that, then maybe 
what you need to is at least ensure some level of security in 
your system.'' That seems to be kind of an incentive, I 
suppose, that you could use. Is that a good idea, other 
gentlemen, or is that just making it harder? Our last hearing 
that we had was how people are having trouble getting SBA 
loans. They said it is taking a lot of red tape and hassle. Do 
we want to add another step to that or not? You tell me.
    Mr. Cochetti. Mr. Chairman, if I could go back to the 
broader question and then touch on the SBA loan qualification 
question, I think it is important to keep in mind the scale of 
the problem and the scale of the problem is enormous and we 
believe serious. All of the surveys, ours in particular, 
suggest that well over half of the 23 million small businesses 
in the United States have very little preparation for cyber 
threats and well over half. Half would be a modest way of 
looking at it.
    There are many things that are needed to be prepared. 
Technology tools are one, training is another, and procedures 
are another. There are others but those are typically the three 
main things. You train people, need the technology, and you 
need the procedures. Most small businesses have none of these.
    Clearly from our point of view the starting point in any 
discussion about what to do is awareness, education, and 
training. Small business until they are aware of this problem 
are not going to do much about it and aware of the seriousness 
of it and the impact it could have on them.
    The outreach issue consequently is the fundamental issue, 
we believe, that needs to be addressed. If you think about the 
size of the small business segment to the American economy, 
however, reaching out to 23 million small businesses is not 
something that is going to be done through putting up another 
website. We have got a dozen very well organized websites that 
provide a lot of information. How many small business men or 
women do you know who spend their time searching websites to 
learn more about cyber security?
    We need a proactive outreach effort. The fact is, however, 
that if we were to put on a conference a month with 100 small 
businesses participating in each conference, it would take us 
several thousand years before we would reach the small business 
in the United States. It is for that reason, Mr. Chairman, that 
we believe that the intermediaries, the VARs, are really the 
key to the solution.
    If you go to a dentist, the next time you talk to your 
dentist ask him, ``Who handles your computer system in this 
office?'' The odds are almost certain that he or she will not 
say, ``I do it myself.'' Almost certain they will not say some 
big multi-national company that we have all heard of.
    He or she will say, ``It is Joe's Computers down the 
street. These are the people who are the IT departments for 
small business. These are the people who have to raise the bar 
on the awareness. These are the education outreach programs 
that we believe are needed, Mr. Chairman Thank you.
    Chairman Akin. Are you saying that the Government should 
fund education outreach programs? Is that what you are saying, 
Roger?
    Mr. Cochetti. I think the Government should use every tool 
at its disposal and we wouldn't be adverse to Government 
funding for these programs but it would not be a wise use of 
Government resources to try to do a conference for small 
business because after 3,000 or 4,000 years you might have 
gotten two-thirds of the way through the small business 
community in the United States.
    Chairman Akin. Maybe we ought to publish a couple of really 
good juicy scandals and scare everybody. Maybe that would be 
the way to do it.
    Mr. Cochetti. That unfortunately sometimes helps.
    Chairman Akin. Anybody else want to take a shot at anything 
that we need to do legislatively or governmentally that could 
be helpful?
    Dr. Kaliski. Sir, a couple of comments. First on the scope 
of the problem, Chairman Our report clearly shows that small 
businesses are increasingly being targeted now by cyber 
criminals so the scope of the problem is only going to continue 
to increase. I think the second point is--
    Chairman Akin. You talked about the fact that it is 
increasing. Do you have a sentence or two on what the scope is 
itself?
    Dr. Kaliski. Yes. So what we are seeing is specifically 
that there has been at least one incident at about 56 percent 
of all small businesses where their data or security has been 
compromised so that is more than half have had an incident in 
the last year so that is pretty significant.
    I think the second point is we do need to provide 
incentives for small businesses to take action to protect 
themselves. You mentioned this notion of small business loans. 
I think that may be an incentive but we should look for other 
mechanisms that we can use to encourage them to secure their 
businesses.
    I think the other thing is, as Mr. Cochetti said, I don't 
think we need new websites. There already are existing ones 
such as staysafeonline.org which I think is a fine website to 
leverage for providing information to small businesses. Lastly, 
I think the SBA just needs to take a stronger role in helping 
small businesses to secure their businesses.
    Mr. Schwartz. The one area where I think there has been 
some discussion about legislative initiatives is in terms of 
international cooperation among law enforcement. We have seen a 
lot of the cases we track go to the border. Some of them are 
simply routed through foreign servers to make it look as though 
it is becoming foreign because the bad guys know that law 
enforcement goes up to the border and that's where they end 
their hunt because we don't have this kind of cooperation even 
though they are actually located in the United States.
    Although some really are, there are a growing number of 
threats that really are outside of the U.S. and come in and 
work across borders, multi-national partners in these schemes 
because they really are money-making schemes these days. That 
means they will work with whoever is willing to partner with 
them to make money. We have seen schemes that involve seven or 
eight countries sometimes.
    Chairman Akin. Thank you very much. I'll turn the 
questioning over now to Ranking Member.
    Ms. Bordallo. Thank you very much, Mr. Chairman My first 
question is to Mr. Kaliski. I got mixed signals here in 
listening to some of the comments. Who do you think is best 
situated to handle cyber security threats, the Federal 
Government or private industry?
    Dr. Kaliski. In think it has to be a combination of both. I 
don't think it should be an ``or'' situation. I think we 
definitely have to raise awareness. I think there is some 
knowledge out there but I think it is both private sector and 
Congress that need to work together.
    As we mentioned, there are resources today available for 
small businesses. We just need to make sure that folks 
understand that they are there and can take advantage of them. 
I also think the SBA needs to take a strong role in working 
with the private sector and small businesses to make sure that 
they have the staffing and resources necessary to protect 
themselves.
    Ms. Bordallo. It is unfortunate, I guess, that we don't 
have an SBA representative here today but certainly I did hear 
you all speak about what you have up on your websites but when 
you look into the SBA website there just isn't anything that 
deal with this problem so it is something we are going to have 
to work on.
    Is there is a representative from SBA? Is there anyone in 
the audience? Do you wish to make any comments on this? Please 
come forward and identify yourself for the record, please.
    Ms. Thrasher. Good afternoon. I am Ellen Trasher. I am with 
the Office of Entrepreneurial Development at the Small Business 
Administration. My colleague who is here is Antonio Doss also 
with the Small Business Administration.
    Chairman Akin. Thank you for joining us.
    Ms. Thrasher. It is our pleasure and we welcome the 
opportunity to be here and also to hear so many of the 
comments, many of which we share and understand. The dynamics 
within the small business community has changed dramatically 
over the last couple of years. The whole idea of e-commerce, 
doing business online, while at the same time trying to open 
and sustain a small business is a challenge.
     Our role within Entrepreneurial Development is to educate, 
inform, counsel, and train small businesses to make smart 
business decision. We do this in a variety of ways. We work in 
public/private partnerships. For example, we are very active in 
the National Cyber Security Alliance. We work with NIST, the 
FBI InfraGard in offering training, and online counseling and 
training.
    Through our resource partners such as SCORE and SBDCs we 
offer counseling and training both face-to-face and online. For 
example, SCORE has an online counseling service and if you go 
to www.score.org you can find at least 140 online cyber 
counselors with an expertise in computer security that are 
available 24/7 to provide you counseling and training.
    We are aware of the problem. We are trying to collaborate 
as best we can in avenues to, again, outreach, as we were 
talking about. We do the training, the counseling, the 
awareness, and we hope to refer people to the areas for 
deterrents, enforcement, and remediation. Thank you.
    Ms. Bordallo. You say that this then, Ellen, is all on your 
website now?
    Ms. Thrasher. Much of it is. In fact, I just provided the 
Committee with brochures that we give out. We have a 
collaborative agreement with Hartford and have published a 
whole series on risk management, of course, which cyber 
security is part of. The brochure and the training is available 
both in English and Spanish and it is on site. We are also 
launching a webinar that will be a self-styled tutorial 
training course on what we call business catastrophe of which 
anything, of course, that would happen to your cyber security 
is part.
    Ms. Bordallo. Very good. Thank you. It has been very 
informative and I have the material here in front of me. Thank 
you, Ellen.
    I have a question now for Mr. Cochetti and that is you 
spoke about the outreach program, the education outreach. Who 
should head the education outreach program that you described?
    Mr. Cochetti. Delegate Bordallo, there is no question, I 
think, in the minds of anyone on this panel that it is that 
educational outreach program which is the most important thing 
that needs to be done. If nothing else happens, without that 
there will be little progress. I think certainly in our view, 
and I suspect most of the panelists here would agree, is that 
this really needs to be a Government/industry partnership.
    There is simply no way the industry is going to mount an 
effective outreach program on its own, nor is there anyway the 
Government could do it effectively on its own so a partnership 
is what is needed. I would say there are a number of federal 
agencies that are already active. They have modest programs 
underway right now. Most of the programs that exist today are 
responsive. In other words, I have a website.
    If anybody feels like coming to it, I have information 
available. What really is needed is a proactive program that 
goes out and it is, again, for that reason that we think these 
VARs are what the military planners call sort of forced 
multiplier. Each VAR is the IT department for about 200 small 
businesses. You get a VAR and you reach 200 small businesses 
and it is a way to deal directly with the problem. I think the 
fact is there are a number of federal agencies, many who are 
here and some who are not here, who have an interest in some 
programs in this area. They need to work together--
    Ms. Bordallo. With private industry.
    Mr. Cochetti. Yes.
    Ms. Bordallo. Thank you. Mr. Schwartz, in your mind should 
the Federal Government be focusing on enforcement of existing 
laws or should we be looking at new laws? If new laws and 
regulations are needed, what recommendation do you have?
    Mr. Schwartz. Well, in terms of the existing laws there are 
several existing laws where they should be enforced more 
diligently and where we need greater oversight. The Computer 
Fraud and Abuse Act, for example, is one that we see regularly 
broken, criminal statute where action can be taken.
    The FTC has started to take greater actions in unfair and 
deceptive practices cases. We started to see more action in 
that area. And the Secret Service has talked about in their 
statute the number of places where they can bring cases under 
current identity theft laws.
    All of those pieces need to be enforced more strongly than 
they are today and with an international focus. There is 
definitely room there. The one area where we have focused on 
regulation where we think it is necessary goes back to the 
basic Internet privacy question.
    There is a general question of Internet trust and of 
consumer trust on the Internet today. A lot of that goes back 
to the fact that consumers don't understand what happened to 
their information and how it is shared on the Internet. There 
is a patchwork of laws right now for consumer information and 
how it is used online behind the scenes for consumers that 
happens online and offline as well. But in the online world 
consumers have this fear and they don't understand what happens 
to their information. In some ways it is justified. We have all 
sorts of different standards. There are lawyers out there that 
do not understand the Gramm-Leach-Bliley Banking Law and 
privacy when they read those privacy notices that they are 
sent. When you are given the privacy notices in your doctor's 
office, a completely different kind of notice than the 
financial notice that you got before. We just have this 
patchwork of laws out there all over the map and consumers just 
don't understand where their information is going and how it 
flows and that is starting to show up online.
    That is one thing that we would like to see is sort of a 
leveling and understanding, a baseline standard for privacy 
that basically the good companies out there are following but 
the other companies out there that are sort of outliers are 
taking advantage of.
    Ms. Bordallo. That is an excellent point. Mr. Kaliski, new 
developments in cyber security certainly will enhance small 
businesses. We have all been talking about that. Are these 
protections affordable?
    Dr. Kaliski. That is an excellent question, ma'am. the 
important part to look at is that as technology is developed 
and standardize it becomes widely available, very effectively 
for a large group of people. Consider the Internet as an 
example and over time the higher speed Internet access that has 
been made available to all kinds of businesses.
    We are seeing a similar trend in security technology. As I 
mentioned, vendors are producing security tools that can be 
used across multiple companies so that you are able to leverage 
the investment that your users have already made to be secure 
in other places. An example, there are security tokens that are 
issued by banks that can potentially be used at other banks 
just as you would use a credit card at multiple places. The 
affordability will come from the common solutions available 
through industry standards.
    Ms. Bordallo. Thank you. Mr. Schmidt, I have just one last 
question. It seems to me that SBA should be playing a larger 
role given that if there is any agency small firms would turn 
to for advice it should be SBA. Would you agree with this 
assessment and what additional programs should the SBA sponsor 
to better fulfill their responsibilities to the American small 
businesses?
    Mr. Schwartz. I agree with that perspective because the 
small business that I talk to the first thing I do is look to 
where the SBA is saying, ``How can I be successful?'' which is 
what is said to do. Part of the SBA's responsibility to due 
diligence, as the Chairman mentioned a few moments ago, about 
making it less complicated. That due diligence also goes to the 
cyber piece.
    Some of the things they can do is not so much focus on how 
to investigate these things because that is often times too 
late for a small business. They are already out of business at 
that juncture so maybe working with the Internet Association 
Chiefs of Police and the Crime Prevention Associations to take 
that good material that they have just passed out to you and 
make sure that those are provided.
    For example, if you were to call up your local police 
department and say, ``I would like you to come to my house and 
my business and do a crime survey,'' they will come out and do 
it. Ask them to do that on your computer business and they 
won't have a clue what to do. The SBA has the expertise, the 
resources to work with them and provide that as a resource to 
local business as well as a crime prevention effort.
    Ms. Bordallo. Thank you very much. Thank you all for the 
information you provided.
    Chairman Akin. I just had one or two quick questions. I 
have got a meeting that started at 4:00 so I am going to have 
to scoot before long. Just a couple of thoughts. First of all, 
is there anybody that provides insurance to small businesses to 
protect them against these kinds of problems?
    Mr. Schmidt. As a matter of fact there are. When we 
released the National Strategies to Secure Cyberspace a number 
of the major organizations, AIG, Chubb, you name them, not only 
provide data insurance for the data that they protect, fire and 
damage, all the things relative to that at relatively low cost 
for small business as well. The policies are there. The 
underwriting capabilities are there and it is just a matter of 
asking for it from the insurance companies.
    Chairman Akin. So if I have got a small business, I might 
normally have, I would think, some sort of insurance on the 
building if the small business were in a building that I owned. 
It would be sort of like the equivalent of homeowner's 
insurance. I might have some liability in case an employee gets 
in trouble. Would any of those policies typically have 
insurance that would protect against data security or questions 
that involve the cyber security in general?
    Mr. Schmidt. As an addendum, yes.
    Chairman Akin. You have to add it? It is an extra?
    Mr. Schmidt. You have to add it. Yes, sir.
    Chairman Akin. Okay. And then I guess I would think that if 
somebody is offering me insurance, then they would have an 
interest in seeing whether or not you have the right software 
installed to protect yourself, right?
    Mr. Schmidt. That is correct, yes.
    Chairman Akin. Okay. Then I guess the second question was 
in terms of the VARs, they seem to be covering a lot of the 
sort of small business data processing side of things. Would it 
make any sense to give them some sort of a rating in terms of 
whether or not they have taken proper precautions in terms of 
data security?
    Mr. Cochetti. Mr. Chairman, I think a program like that 
would probably make sense. We have pursued programs of sort of 
VAR certification or best practices, you know, VARs who are 
proven to be competent. It is a nonregulated, nonlicensed 
industry so certification of that sort is certainly an 
attractive idea that we have looked at and we would be more 
than happy to talk with the SBA or others about sort of how to 
pursue it but, yes. And since they are just important 
intermediaries thinking about that is, I think, an important 
aspect of this.
    Chairman Akin. Some of us would prefer to see it maybe done 
on an industry basis as opposed to Government basis because we 
have got more confidence, especially with something that is 
moving as fast as this is the Government has a terrible track 
record at being able to move quickly and keep current.
    Mr. Cochetti. Let me assure you we are 100 percent private 
sector and when I mention that we have been looking at 
certification programs for VARs, that would be an entirely 
private sector certification for VARs.
    Chairman Akin. Thank you all so much for coming in. Because 
some of you have come a long way, I want to give you the last 
word. Is there anybody that has something else they want to add 
in? We do questions but we do answers as well so anybody who 
wants to make a comment.
    [Whereupon, at 4:15 p.m. the Subcommittee was adjourned.]

    [GRAPHIC] [TIFF OMITTED] T7809.001
    
    [GRAPHIC] [TIFF OMITTED] T7809.002
    
    [GRAPHIC] [TIFF OMITTED] T7809.003
    
    [GRAPHIC] [TIFF OMITTED] T7809.004
    
    [GRAPHIC] [TIFF OMITTED] T7809.005
    
    [GRAPHIC] [TIFF OMITTED] T7809.006
    
    [GRAPHIC] [TIFF OMITTED] T7809.007
    
    [GRAPHIC] [TIFF OMITTED] T7809.008
    
    [GRAPHIC] [TIFF OMITTED] T7809.009
    
    [GRAPHIC] [TIFF OMITTED] T7809.010
    
    [GRAPHIC] [TIFF OMITTED] T7809.011
    
    [GRAPHIC] [TIFF OMITTED] T7809.012
    
    [GRAPHIC] [TIFF OMITTED] T7809.013
    
    [GRAPHIC] [TIFF OMITTED] T7809.014
    
    [GRAPHIC] [TIFF OMITTED] T7809.015
    
    [GRAPHIC] [TIFF OMITTED] T7809.016
    
    [GRAPHIC] [TIFF OMITTED] T7809.017
    
    [GRAPHIC] [TIFF OMITTED] T7809.018
    
    [GRAPHIC] [TIFF OMITTED] T7809.019
    
    [GRAPHIC] [TIFF OMITTED] T7809.020
    
    [GRAPHIC] [TIFF OMITTED] T7809.021
    
    [GRAPHIC] [TIFF OMITTED] T7809.022
    
    [GRAPHIC] [TIFF OMITTED] T7809.023
    
    [GRAPHIC] [TIFF OMITTED] T7809.024
    
    [GRAPHIC] [TIFF OMITTED] T7809.025
    
    [GRAPHIC] [TIFF OMITTED] T7809.026
    
    [GRAPHIC] [TIFF OMITTED] T7809.027
    
    [GRAPHIC] [TIFF OMITTED] T7809.028
    
    [GRAPHIC] [TIFF OMITTED] T7809.029
    
    [GRAPHIC] [TIFF OMITTED] T7809.030
    
    [GRAPHIC] [TIFF OMITTED] T7809.031
    
    [GRAPHIC] [TIFF OMITTED] T7809.032
    
    [GRAPHIC] [TIFF OMITTED] T7809.033
    
    [GRAPHIC] [TIFF OMITTED] T7809.034
    
    [GRAPHIC] [TIFF OMITTED] T7809.035
    
    [GRAPHIC] [TIFF OMITTED] T7809.036
    
    [GRAPHIC] [TIFF OMITTED] T7809.037
    
    [GRAPHIC] [TIFF OMITTED] T7809.038
    
    [GRAPHIC] [TIFF OMITTED] T7809.039
    
    [GRAPHIC] [TIFF OMITTED] T7809.040
    
    [GRAPHIC] [TIFF OMITTED] T7809.041
    
    [GRAPHIC] [TIFF OMITTED] T7809.042
    
    [GRAPHIC] [TIFF OMITTED] T7809.043
    
    [GRAPHIC] [TIFF OMITTED] T7809.044
    
    [GRAPHIC] [TIFF OMITTED] T7809.045
    
    [GRAPHIC] [TIFF OMITTED] T7809.046
    
    [GRAPHIC] [TIFF OMITTED] T7809.047
    
    [GRAPHIC] [TIFF OMITTED] T7809.048
    
    [GRAPHIC] [TIFF OMITTED] T7809.049
    
    [GRAPHIC] [TIFF OMITTED] T7809.050
    
    [GRAPHIC] [TIFF OMITTED] T7809.051
    
    [GRAPHIC] [TIFF OMITTED] T7809.052
    
    [GRAPHIC] [TIFF OMITTED] T7809.053
    
    [GRAPHIC] [TIFF OMITTED] T7809.054
    
    [GRAPHIC] [TIFF OMITTED] T7809.055
    
    [GRAPHIC] [TIFF OMITTED] T7809.056
    
    [GRAPHIC] [TIFF OMITTED] T7809.057
    
    [GRAPHIC] [TIFF OMITTED] T7809.058
    
    [GRAPHIC] [TIFF OMITTED] T7809.072
    
    [GRAPHIC] [TIFF OMITTED] T7809.073
    
    [GRAPHIC] [TIFF OMITTED] T7809.074
    
    [GRAPHIC] [TIFF OMITTED] T7809.075
    
    [GRAPHIC] [TIFF OMITTED] T7809.076
    
    [GRAPHIC] [TIFF OMITTED] T7809.077
    
    [GRAPHIC] [TIFF OMITTED] T7809.078
    
    [GRAPHIC] [TIFF OMITTED] T7809.079
    
    [GRAPHIC] [TIFF OMITTED] T7809.080
    
    [GRAPHIC] [TIFF OMITTED] T7809.081
    
    [GRAPHIC] [TIFF OMITTED] T7809.082
    
    [GRAPHIC] [TIFF OMITTED] T7809.059
    
    [GRAPHIC] [TIFF OMITTED] T7809.060
    
    [GRAPHIC] [TIFF OMITTED] T7809.061
    
    [GRAPHIC] [TIFF OMITTED] T7809.062
    
    [GRAPHIC] [TIFF OMITTED] T7809.063
    
    [GRAPHIC] [TIFF OMITTED] T7809.064
    
    [GRAPHIC] [TIFF OMITTED] T7809.065
    
    [GRAPHIC] [TIFF OMITTED] T7809.066
    
    [GRAPHIC] [TIFF OMITTED] T7809.067
    
    [GRAPHIC] [TIFF OMITTED] T7809.068
    
    [GRAPHIC] [TIFF OMITTED] T7809.069
    
    [GRAPHIC] [TIFF OMITTED] T7809.070
    
    [GRAPHIC] [TIFF OMITTED] T7809.071
    
    [GRAPHIC] [TIFF OMITTED] T7809.083
    
    [GRAPHIC] [TIFF OMITTED] T7809.084
    
      

                                 
