[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]



 
                         CYBERSECURITY: THREATS
                        TO THE FINANCIAL SECTOR

=======================================================================

                                HEARING

                               BEFORE THE

                 SUBCOMMITTEE ON FINANCIAL INSTITUTIONS

                          AND CONSUMER CREDIT

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                           SEPTEMBER 14, 2011

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 112-60



                  U.S. GOVERNMENT PRINTING OFFICE
72-601                    WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202ï¿½09512ï¿½091800, or 866ï¿½09512ï¿½091800 (toll-free). E-mail, [email protected].  


                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                   SPENCER BACHUS, Alabama, Chairman

JEB HENSARLING, Texas, Vice          BARNEY FRANK, Massachusetts, 
    Chairman                             Ranking Member
PETER T. KING, New York              MAXINE WATERS, California
EDWARD R. ROYCE, California          CAROLYN B. MALONEY, New York
FRANK D. LUCAS, Oklahoma             LUIS V. GUTIERREZ, Illinois
RON PAUL, Texas                      NYDIA M. VELAZQUEZ, New York
DONALD A. MANZULLO, Illinois         MELVIN L. WATT, North Carolina
WALTER B. JONES, North Carolina      GARY L. ACKERMAN, New York
JUDY BIGGERT, Illinois               BRAD SHERMAN, California
GARY G. MILLER, California           GREGORY W. MEEKS, New York
SHELLEY MOORE CAPITO, West Virginia  MICHAEL E. CAPUANO, Massachusetts
SCOTT GARRETT, New Jersey            RUBEN HINOJOSA, Texas
RANDY NEUGEBAUER, Texas              WM. LACY CLAY, Missouri
PATRICK T. McHENRY, North Carolina   CAROLYN McCARTHY, New York
JOHN CAMPBELL, California            JOE BACA, California
MICHELE BACHMANN, Minnesota          STEPHEN F. LYNCH, Massachusetts
THADDEUS G. McCOTTER, Michigan       BRAD MILLER, North Carolina
KEVIN McCARTHY, California           DAVID SCOTT, Georgia
STEVAN PEARCE, New Mexico            AL GREEN, Texas
BILL POSEY, Florida                  EMANUEL CLEAVER, Missouri
MICHAEL G. FITZPATRICK,              GWEN MOORE, Wisconsin
    Pennsylvania                     KEITH ELLISON, Minnesota
LYNN A. WESTMORELAND, Georgia        ED PERLMUTTER, Colorado
BLAINE LUETKEMEYER, Missouri         JOE DONNELLY, Indiana
BILL HUIZENGA, Michigan              ANDRE CARSON, Indiana
SEAN P. DUFFY, Wisconsin             JAMES A. HIMES, Connecticut
NAN A. S. HAYWORTH, New York         GARY C. PETERS, Michigan
JAMES B. RENACCI, Ohio               JOHN C. CARNEY, Jr., Delaware
ROBERT HURT, Virginia
ROBERT J. DOLD, Illinois
DAVID SCHWEIKERT, Arizona
MICHAEL G. GRIMM, New York
FRANCISCO ``QUICO'' CANSECO, Texas
STEVE STIVERS, Ohio
STEPHEN LEE FINCHER, Tennessee

                   Larry C. Lavender, Chief of Staff
       Subcommittee on Financial Institutions and Consumer Credit

             SHELLEY MOORE CAPITO, West Virginia, Chairman

JAMES B. RENACCI, Ohio, Vice         CAROLYN B. MALONEY, New York, 
    Chairman                             Ranking Member
EDWARD R. ROYCE, California          LUIS V. GUTIERREZ, Illinois
DONALD A. MANZULLO, Illinois         MELVIN L. WATT, North Carolina
WALTER B. JONES, North Carolina      GARY L. ACKERMAN, New York
JEB HENSARLING, Texas                RUBEN HINOJOSA, Texas
PATRICK T. McHENRY, North Carolina   CAROLYN McCARTHY, New York
THADDEUS G. McCOTTER, Michigan       JOE BACA, California
KEVIN McCARTHY, California           BRAD MILLER, North Carolina
STEVAN PEARCE, New Mexico            DAVID SCOTT, Georgia
LYNN A. WESTMORELAND, Georgia        NYDIA M. VELAZQUEZ, New York
BLAINE LUETKEMEYER, Missouri         GREGORY W. MEEKS, New York
BILL HUIZENGA, Michigan              STEPHEN F. LYNCH, Massachusetts
SEAN P. DUFFY, Wisconsin             JOHN C. CARNEY, Jr., Delaware
FRANCISCO ``QUICO'' CANSECO, Texas
MICHAEL G. GRIMM, New York
STEPHEN LEE FINCHER, Tennessee


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    September 14, 2011...........................................     1
Appendix:
    September 14, 2011...........................................    53

                               WITNESSES
                      Thursday, September 14, 2011

Garcia, Greg, Partnership Executive for Cybersecurity and 
  Identity Management, Bank of America...........................    41
Nelson, William B., President and Chief Executive Officer, the 
  Financial Services Information Sharing & Analysis Center (FS-
  ISAC)..........................................................    34
Rotenberg, Marc, Executive Director, the Electronic Privacy 
  Information Center (EPIC)......................................    45
Sartin, A. Bryan, Director, Investigative Response, Verizon......    36
Schaffer, Greg, Acting Deputy Under Secretary, U.S. Department of 
  Homeland Security..............................................    10
Shannon, Gregory E., Chief Scientist, Carnegie Mellon 
  University's Software Engineering Institute CERT Program.......    43
Smith, A.T., Assistant Director, United States Secret Service....     7
Snow, Gordon M., Assistant Director, Cyber Division, Federal 
  Bureau of Investigation........................................     8
Tillett, Brian, Chief Security Strategist, Public Sector Group, 
  Symantec.......................................................    38

                                APPENDIX

Prepared statements:
    Garcia, Greg.................................................    54
    Nelson, William B............................................    64
    Rotenberg, Marc..............................................    88
    Sartin, A. Bryan.............................................   101
    Schaffer, Greg...............................................   111
    Shannon, Gregory E...........................................   118
    Smith, A.T...................................................   131
    Snow, Gordon M...............................................   137
    Tillett, Brian...............................................   149


                         CYBERSECURITY: THREATS
                        TO THE FINANCIAL SECTOR

                              ----------                              


                      Thursday, September 14, 2011

             U.S. House of Representatives,
             Subcommittee on Financial Institutions
                               and Consumer Credit,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The subcommittee met, pursuant to notice, at 10:01 a.m., in 
room 2128, Rayburn House Office Building, Hon. Shelley Moore 
Capito [chairwoman of the subcommittee] presiding.
    Members present: Representatives Capito, Renacci, McHenry, 
Pearce, Luetkemeyer, Duffy, Canseco, Grimm, Fincher; Maloney, 
Watt, Baca, Scott, and Carney.
    Ex officio present: Representative Bachus.
    Also present: Representative Al Green of Texas.
    Chairwoman Capito. This hearing will come to order.
    This will be our first hearing in the Financial 
Institutions Subcommittee since the August recess. I would like 
to remind Members to try to abide by the 5-minute rule when 
questioning witnesses so all Members will have sufficient time 
to ask questions. I am sure we will have more Members coming in 
as the hearing goes on.
    Today's hearing will provide members of this subcommittee 
the opportunity to better understand the challenges financial 
institutions and their customers face from cyber threats. This 
year alone, there have been numerous security breaches and 
attacks on private companies, Federal agencies, and financial 
institutions. Actually, I think I might include myself in one 
of those; I think my card got caught up in one of these. 
Reports estimate that more than $1 trillion is lost annually to 
cyber attacks and that, on average, a security breach costs a 
small business approximately $7 million.
    These threats are especially acute and worrisome in the 
financial services industry. In June of this year, Citigroup 
reported that sensitive account information for 200,000 
customers had been compromised by hackers. Statistics show that 
most of these attacks originate in Eastern European countries 
that were once part of the Soviet Union. Unfortunately, most of 
these nations do not regard the actions of the hackers to be a 
crime so it is very difficult to bring these criminals to 
justice.
    The technological advances that provide hackers with the 
ability to carry out these attacks also make it very difficult 
to track the actions of the hackers. In order to effectively 
combat these hackers, it is critical for financial institutions 
to share information with other institutions as well as Federal 
law enforcement agencies.
    The Administration and Congress are actively working 
together on ways to better protect our Nation's businesses and 
citizens from these attacks, and today's hearing is just one 
component of this work.
    I look forward to hearing from both witness panels this 
morning. Their testimony and candid conversation will provide 
Members with a better understanding of this very complex issue.
    I am especially interested to hear from our witnesses about 
the creation of the Office of Financial Research, as has been 
called for by the Dodd-Frank Act. I have serious reservations 
about the creation of this new bureaucracy, and I am most 
concerned with the potential for new cyber threats surrounding 
the information the Office of Financial Research would be 
compiling. By compiling sensitive financial information into 
one Federal agency, are we just making it easier for hackers to 
attack us? Certainly, that is a question to ask today.
    I would like to also say that I am disappointed that the 
OCC was unable to provide a witness for us here. As the primary 
supervisory body for many of our Nation's largest financial 
institutions, their participation is very critical. I hope and 
I am sure they recognize the role that they play in this 
conversation and will become an active participant.
    I would like to recognize the ranking minority member, the 
gentlelady from New York, Mrs. Maloney, for the purpose of 
making an opening statement.
    Mrs. Maloney. Thank you very much, Madam Chairwoman.
    And welcome to our witnesses today.
    This is an incredibly important issue and an incredibly 
important challenge before our Nation. The security of our 
financial system is so important, especially in this digital 
age where consumers have unprecedented access to financial 
information, online banking, and trading platforms. They need 
to know that their personal information is protected and that 
the systems they access are being protected from large-scale 
hacking operations.
    Like the chairwoman, I also have had my identity stolen, so 
this is a challenge that we face in our personal lives, as do 
many of our constituents. Not only is it a threat to our 
financial institutions, where I understand roughly 22 percent 
of the hacking is taking place in financial institutions, but 
it is also our military complexes, our government--every area 
that we have sensitive information and our intellectual 
property. So it is critical in all of these areas to protect 
our information.
    I am very pleased that we have impressive panels of 
witnesses today to discuss the threats to the financial 
services sector. Threats are growing more real as cyber 
terrorists become more sophisticated, but our response to these 
threats has also evolved and grown. And I am hopeful that we 
are better at it than they are and that we are better at 
protecting our people than they are.
    I will just say, spying has always been part of our lives 
on this planet. Usually, people got into some costume and hid 
their identity and came in and tried to gain information, but 
now one just sits at a computer someplace and can access 
information, and it is a huge threat to our institutions and to 
our government.
    I would like to hear today how we are cooperating with our 
international allies who also face this challenge. Are we 
sharing information? Are we working together? And are we 
working together between the financial private sector and our 
government? I know there is proprietary information in the 
private sector; I know that there is classified information on 
the government area. But we need to sit down and, in an 
organized way, work to share this information so that we are 
stronger in fighting and working together for cybersecurity.
    There is one thing we know: Every entity that uses a 
digital framework or platform is vulnerable. There is no such 
thing as a completely secure network. And the cost to secure 
these systems is extremely high, both in terms of protecting 
against hacking incidents and combating them when they happen.
    President Obama has stated that the cyber threat, ``is one 
of the most serious economic and national security challenges 
we face as a Nation'' and that America's economic prosperity in 
the 21st Century will depend on cybersecurity. I would also say 
that our national security depends on cybersecurity.
    Just this month, the Department of Homeland Security issued 
a bulletin warning that the hacking collective known as 
``Anonymous'' was planning to target financial services 
companies and their employees who are ``ideologically 
dissatisfied and sympathetic'' to their cause, to give them 
information and access. Although this group has not launched a 
wide-scale attack, we know they are attempting to increase 
their level of sophistication.
    This hearing today is an informational one, as we attempt 
to gather intelligence about the threats to cybersecurity, law 
enforcement's response, and the impact a cyber attack could 
have on the financial sector and consumers. But there are a 
number of legislative proposals already before this Congress, 
mainly before the Commerce Committee, and they are out there to 
address the data security and cyber threats. And the 
Administration has put forward a broad proposal aimed at 
cybersecurity broadly, not just in the financial sector. The 
goal is twofold: improve our resilience to cyber incidents; and 
reduce the cyber threat.
    In this hearing, I hope we can better educate ourselves 
about specific threats in the financial sector and whether 
there are things that can and should be done to specifically 
protect financial institutions from cyber threats and to 
protect the consumers who access financial institutions online. 
I believe that in a deeply divided Congress, this is one area 
where we can come together and work with great determination to 
give the resources and come up with the answers to protect our 
industries and our individuals.
    Since it is the week after 9/11, I just want to share with 
you that when we worked to create the 9/11 Commission that came 
forward with the report that outlined 51 recommendations of how 
to make this Nation safer, their number one recommendation was 
the need to reform our intelligence system, that our best 
defense against another terrorist attack was better 
intelligence. And we have brought together our FBI, our CIA, 17 
different intelligence agencies to work together under one 
Director, sharing information down to the local level with New 
York City and other cities where we have an anti-terrorism task 
force. And I believe that this sharing of information is one of 
the reasons that we were able to thwart 12 different attempts, 
just in the case of New York, to hurt us since 9/11.
    I hope we have that same type of sharing and coming 
together between all of the agencies to combat this very, very 
serious threat to our national security and to our economic 
security and to our individual privacy. And I look forward to 
working with the chairwoman and everyone else on both sides of 
the aisle to make our country more effective, more secure, and 
a leader in cybersecurity and protecting our information.
    One of the things that we have in this country is the 
talent of our individuals, our intellectual property. We have 
to protect that. And I look forward to hearing from the public 
sector and the private sector, whom I hope are working together 
in sharing this information, on how you are moving forward to 
help our great country.
    I thank you for your work. I thank you for this hearing. 
And I yield back.
    Chairwoman Capito. Thank you.
    I would like to recognize the chairman of the full 
Financial Services Committee, Mr. Bachus, for 3 minutes.
    Chairman Bachus. I thank the chairwoman.
    The Financial Services Committee is presented with many 
important, complex issues and challenges: financial regulation; 
the health of our economy; the Nation's housing policy; and 
increasing exports, to name just a few. All of these affect us 
daily. Another issue that is maybe not talked about as much is 
cybersecurity, which affects each and every one of us and the 
companies we deal with every day, whether we realize it or not.
    And each of us is dependent on good cybersecurity. Chances 
are that everyone in this room knows someone who has been the 
victim of a hacker or has had their identity stolen or their 
credit cards used for purposes they did not approve or even 
know about. I have had that happen to me, personally. Because 
of good cybersecurity by one of our banks, about 2 years ago I 
was called and told that they had stopped my credit card 
because they felt there were unauthorized purchases, and, in 
fact, there were. So they were right on top of it.
    The financial services industry, actually, has led the 
Nation and has really been, I think, at the forefront of 
developing ways to enhance cybersecurity, and that is because 
they have been a huge target for cyber crime. The International 
Monetary Fund and Citigroup, just this last month were targets 
of sophisticated computer networks offshore trying to crack 
their systems. Even the Central Intelligence Agency has been a 
target, and the U.S. Senate recently. So it is just amazing.
    At the same time that we are meeting this challenge, 
government budget cuts have resulted in fewer resources being 
available to not only our Federal but State and local law 
enforcement agencies in combating cyber crime. One critical 
thing is training personnel to deal with it.
    And I want to close by commending one of our witnesses, 
A.T. Smith, and the Secret Service. One of the most outstanding 
resources that the Secret Service has developed is the National 
Computer Forensic Institute. We actually had a hearing there in 
June where we heard from State and local law enforcement 
officers from all over the country, prosecutors and judges who 
had been trained there, and as a result of their training, 
successfully prosecuted cybersecurity cases. In fact, in two 
recent very high-profile cases, people who were trained at that 
center actually were forensic witnesses who helped convict 
individuals.
    So I want to say to you and the Secret Service, Director 
Smith, thank you. Thank you very much for a job well done.
    And I would commend anyone to visit that center. Sometimes, 
we criticize the efforts of our government or the agencies, but 
if you want to see a success story, that is one place to go.
    Thank you.
    Chairwoman Capito. Thank you, Mr. Chairman.
    I would like to recognize Mr. Scott for 3 minutes for the 
purpose of an opening statement.
    Mr. Scott. Thank you very much, distinguished chairwoman.
    This is an important and very timely hearing. Just 3 days 
ago, we all recognized the 10th anniversary of the September 
11th terrorist attacks on the United States. And along with 
remembering the victims of that day and the survivors of that 
day, we have reflected upon what has truly changed and what has 
continued to evolve so much over the last 10 years. In the past 
10 years, in terms of national security and the ability to 
predict future threats to our country, we have certainly 
improved. We have been watchful; we have not let our guard 
down.
    This concern has become increasingly relevant as we become 
more increasingly dependent upon digital devices and methods of 
communications in general. And as our society becomes more 
reliant on technology, security experts have brought to light 
potential vulnerabilities in our technological infrastructure. 
As many of you may know, the computer networks of our CIA have 
been breached. The computer networks of the Department of 
Defense have been breached. And even Federal Reserve Chairman 
Ben Bernanke--his computers have been hacked and breached.
    That is why this is so important. And it is so good to have 
our key national security and intelligence experts here with us 
today, and especially in the law enforcement area.
    I think it is particularly important that we address about 
two or three major questions that I certainly have a great 
interest in. For example, do Federal law enforcement agencies 
share information about cyber attacks that are experienced by 
one financial company, or one company, to help other companies 
to protect their networks? And how can information-sharing be 
improved between government agencies responsible for 
cybersecurity and the critical infrastructure of the financial 
sector? And then, how does the Federal Government compare to 
what the private sector is doing?
    This must be a shared experience, and I am hopeful that 
Congress will address these threats to cybersecurity 
appropriately and effectively by means of legislation and that 
we do it quickly. A number of proposals have been discussed 
already, namely measures that would strengthen the law 
enforcement of cyber crimes or provide the Department of 
Homeland Security with some oversight of Federal IT and 
critical infrastructure security. Whether such changes are made 
piecemeal or as part of a comprehensive bill, we must address 
these weaknesses in our digital infrastructure right away, 
quickly, immediately, with all deliberate speed.
    Thank you, Madam Chairwoman.
    Chairwoman Capito. Thank you.
    I would like to recognize Mr. Canseco for 1 minute for an 
opening statement.
    Mr. Canseco. Thank you, Madam Chairwoman, and thank you for 
holding this very important hearing.
    As we will hear from our witnesses today, one of the 
greatest continuing threats to our country are cyber criminals 
who target our government, financial institutions, and private 
American citizens. These attacks threaten both our national 
security and the stability of our financial systems.
    I represent a large portion of San Antonio, Texas, a city 
which has earned the moniker of ``Cyber City, USA'' for the 
numerous collaborative efforts that take place there between 
industry, military, and academia to deter cyber crime.
    While I applaud the efforts by those in San Antonio and 
from agencies such as the Secret Service in preventing a number 
of attacks, we must recognize this is an ongoing and evolving 
threat that requires a great amount of vigilance to combat. And 
I look forward to hearing from our witnesses today on this 
important matter.
    I yield back.
    Chairwoman Capito. Thank you.
    And our final opening statement, Mr. Grimm from New York, 
for 1 minute.
    Mr. Grimm. Thank you, Madam Chairwoman. And thank you for 
calling a hearing on cyber crime and the threat it poses to our 
financial system.
    As a former FBI agent, I am well aware of the threat cyber 
crime poses to individuals, institutions, and, most 
importantly, our national security. It is estimated that each 
year, cyber crime costs the United States $114 billion, with 
$37 billion of that coming from identity theft alone. This is a 
cost that is ultimately borne by every U.S. citizen in one form 
or another.
    While many people assume the threat from cyber crime is 
financial, there has been a growing risk that hostile 
governments can use emerging cyber warfare techniques to steal 
vital secrets from the United States and weaken our position in 
the world. Therefore, I am very interested in hearing what our 
panelists see as the latest threats that are emerging in this 
field and what we can do here in Congress to assist in staying 
one step ahead of those who wish to harm both financial 
institutions and our national security.
    Thank you, and I yield back.
    Chairwoman Capito. Thank you.
    That concludes our opening statements.
    I would like to welcome the first panel for the purpose of 
giving a 5-minute opening statement. We have your written 
statements submitted for the record.
    We will start with Mr. A.T. Smith, who is the Assistant 
Director of the United States Secret Service.
    Welcome, Mr. Smith.

  STATEMENT OF A.T. SMITH, ASSISTANT DIRECTOR, UNITED STATES 
                         SECRET SERVICE

    Mr. Smith. Thank you. And good morning, Chairwoman Capito 
and Ranking Member Maloney as well as the distinguished members 
of the subcommittee. Thank you for the opportunity to 
participate in this morning's hearing.
    One of the significant challenges in analyzing threats that 
cyber criminals pose to the financial sector lies in the 
diversity of the online criminal community. For example, 
criminals may choose to come together around a particular set 
of Internet-based chat rooms or Web-based carding forums. 
Diversity is also reflected in the group's interests and aims. 
However, there is always one common goal among them: financial 
gain.
    Two of the hallmarks that distinguish effective online 
criminal groups are organizational structure and access to 
well-developed criminal infrastructure. One of the trends in 
online criminality first began to merge approximately a decade 
ago. In the early days, online forums were established by 
hacking groups or by groups of carders. Today, many of these 
forums have a strong representation of members from the Eastern 
Europe theater, although membership in these groups often spans 
the globe.
    Some of these online forums developed into marketplaces for 
criminal goods and services. By 2004, forums such as 
DumpsMarket, CarderPortal, Shadowcrew, and CarderPlanet were 
already well-developed criminal marketplaces. In reality, these 
sites serve as a business platform for a fusion of criminal 
communities which provide reliable criminal services to all 
members.
    In collaboration with Verizon on the ``2011 Data Breach 
Investigations Report,'' the Secret Service has worked to 
identify emerging threats, educate Internet users, and evaluate 
new technologies that work to prevent and to mitigate attacks 
against critical computer networks. The results show that two 
noticeable trends in cyber crime involve the ongoing targeting 
of point-of-sale terminals as well as the compromise of online 
financial accounts, often through malware.
    Compared to recent history, it appears that while more data 
breaches occurred in 2010, the amount of compromised data 
decreased due to the size of those compromised databases. This 
change demonstrates the willingness of the criminal groups to 
go after the smaller, easier targets. In light of recent 
arrests and prosecutions following intrusions into the 
financial services firms, criminals may now be weighing the 
reward versus the risk.
    There has been a noticeable increase in account takeovers 
that result in fraudulent transfers from the victim's account 
to an account under the control of the perpetrator. This 
increase can be directly tied to the continued rise of malware 
variants created to capture log-in credentials and financial 
Web sites. The Secret Service and the financial services 
community are working together to combat this growing trend. 
The FS-ISAC has teamed up with the Secret Service, the 
Department of the Treasury, the Department of Justice, and many 
other agencies to create the Account Takeover Task Force, which 
focuses on prevention, detection, and response to account 
takeovers.
    The Secret Service continues to combat these crimes by 
adapting our investigative methodologies. Our success is due, 
in part, to effective collaboration that we have established 
with the private sector, the law enforcement community, and 
academia, and our 31 electronic crimes task forces. To date, 
the Secret Service has currently over 1,400 agents, trained in 
various levels of computer forensics, serving throughout our 
142 domestic and 24 international offices. In fact, we value 
this training so highly that the basic level is now 
incorporated into part of the curriculum for all new agents.
    In partnership with DHS, the Secret Service has established 
the National Computer Forensics Institute that Chairman Bachus 
mentioned a moment ago, and with NPPD to provide a national 
standard of training for a variety of electronic crimes 
investigations.
    In collaboration with S&T, the Secret Service, the CERT 
Insider Threat Center, and the Department of the Treasury are 
all working to update the ``Insider Threat Study.'' This study 
was the first of its kind, combining both psychologists from 
the Secret Service and technical experts from CERT to examine 
insider cases both from a behavioral and a technical 
perspective. The new study will focus solely on cases that 
occurred in the banking and finance sector and will be released 
later this year.
    Madam Chairwoman, Ranking Member Maloney, and distinguished 
members of the subcommittee, the Secret Service is committed to 
our mission of safeguarding the Nation's financial 
infrastructure and will continue to aggressively investigate 
cyber and computer-related crimes to protect the American 
consumer and our institutions from harm.
    This concludes my prepared statement. Thank you again for 
the opportunity to have the Secret Service at this hearing.
    [The prepared statement of Assistant Director Smith can be 
found on page 131 of the appendix.]
    Chairwoman Capito. Thank you, Mr. Smith.
    Our second witness is Mr. Gordon Snow, Assistant Director, 
Cyber Division, Federal Bureau of Investigation.
    Welcome.

    STATEMENT OF GORDON M. SNOW, ASSISTANT DIRECTOR, CYBER 
           DIVISION, FEDERAL BUREAU OF INVESTIGATION

    Mr. Snow. Good morning, Chairwoman Capito, Ranking Member 
Maloney, and members of the subcommittee. I am pleased to 
appear before you today to discuss cyber threats against the 
financial sector and how the FBI is working to protect 
businesses and American consumers.
    As you know, industries continue to adopt Internet-based 
commerce systems while cyber criminals continue to advance 
their organization, professionalism, and sophistication. Do-it-
yourself cyber crime toolkits have lowered entry barriers for 
new cyber criminals, making it easy to exploit systems and 
steal information to be used for financial gain.
    Criminal activity is increasingly taking root in countries 
with emerging broadband infrastructure, making it even more 
difficult to determine attribution and prosecute the criminals. 
Malicious code is more rampant than ever, and average computer 
users continue to have difficulties installing the security 
patches that would prevent and protect their systems.
    For businesses and financial institutions, the implications 
are significant. There is a critical need for a major change in 
the way we think about cybersecurity and protecting our systems 
against cyber crime. Cybersecurity can no longer be just an 
afterthought. It must become part of the financial sector's 
intelligence, planning, and commerce strategy.
    The FBI is currently investigating over 400 reported cases 
of corporate account takeovers in which cyber criminals have 
initiated unauthorized, automated clearinghouse wire transfers 
from the bank accounts of U.S. businesses. These cases involve 
the attempted theft of over $255 million and have resulted in 
the actual loss of approximately $85 million.
    In 2010, the village of Summit, a town of 10,000 citizens 
outside of Chicago, was the victim of a cyber intrusion 
resulting in unauthorized ACH transfers totaling $100,000. When 
an authorized individual logged in to the town's bank account, 
the individual was redirected to a site alerting her the bank's 
Web site was experiencing technical difficulties. During this 
redirection, the criminal used the victim's valid credentials 
to initiate transactions. The town was able to recover only 
$30,000 from these transfers.
    Cyber criminals are also targeting the networks of large 
payment processors. In November 2008, a U.S. payment processor 
discovered that hackers had breached the company's network and 
compromised the personal data of over 1\1/2\ million customers. 
Approximately 1 million Social Security numbers were also 
exposed. The criminals used the stolen data to create 
counterfeit debit cards and withdrew more than $9 million from 
ATMs worldwide.
    Securities and brokerage firms are also at risk of 
exploitation. In February 2011, the parent company of NASDAQ 
confirmed that they had been the victim of a security breach in 
the ``Director's Desk'' Web application, a system that was not 
directly linked to their trading platforms but was used by 
senior executives and directors to share sensitive information.
    Although our cyber adversaries' capabilities are at an all-
time high, combating this challenge is a top priority of the 
FBI and the entire government. Thanks to Congress and the 
Administration, we are devoting significant resources to this 
threat. Our partnerships with industry, academia, and across 
all of government have led to a dramatic improvement in our 
ability to combat the threat. With cyber squads in each of our 
56 field offices and more than 1,000 advanced cyber-trained FBI 
agents, analysts, and forensic examiners, we have increased the 
capabilities of our employees by selectively seeking candidates 
with technical skills and continually updating our cyber 
training.
    The FBI is also adapting to the ever-evolving technology 
used by cyber criminals. Intelligence drives operations in the 
FBI, and the Bureau is working in creative ways with all our 
partners to address the cybersecurity threat. We currently have 
FBI agents embedded full-time in foreign police agencies to 
assist with cyber investigations. These cyber personnel have 
identified cyber organized crime groups targeting U.S. 
interests and have supported other FBI efforts.
    The FBI has worked with a number of regulatory agencies to 
determine the scope of the financial cyber crime threat, 
develop mitigation strategies, and provide public service 
announcements where appropriate. The FBI partners with criminal 
investigators from the United States Secret Service and other 
law enforcement agencies, along with members of industry 
government entities such as the National Electronic Payments 
Association and the Financial Industry Regulatory Authority.
    The FBI has been able to mitigate a number of fraud matters 
by sharing identified threat data amongst financial-sector 
partners. A good example of this cooperation is the FBI's 
identification of a bank fraud trend in which U.S. banks were 
unaware that they were being defrauded by businesses in another 
country. As a result of the FBI intelligence analysis, a joint 
FBI/Financial Services-Information Sharing and Analysis Center 
document was drafted and sent to the FS-ISAC's membership, 
alerting them of these crimes and providing recommendations on 
how to protect themselves from falling victim to the same 
scheme.
    Another recent success was the combined efforts of the FBI 
and the Department of Justice and industry subject matter 
expects to take down the Coreflood botnet. This botnet infected 
user computers and stole banking credentials and other 
sensitive information. In this instance, government and private 
industry worked together to provide an innovative response to a 
cyber threat. Not only was the botnet shut down through a 
temporary restraining order, the government was authorized to 
respond to signals sent from infected computers in the United 
States in order to stop the Coreflood software from running. 
This prevented further harm to hundreds of thousands of 
unsuspecting users of infected computers in the United States.
    We at the FBI are faced with an enormous task fighting 
cyber crime. We are gaining traction, but we need the full 
support of every stakeholder. A successful fight against cyber 
crime will require a combination of people, processes, and 
technologies across multiple entities. We look forward to 
working with the subcommittee and Congress as a whole to 
determine a successful course and outcome.
    Thank you.
    [The prepared statement of Assistant Director Snow can be 
found on page 137 of the appendix.]
    Chairwoman Capito. Thank you.
    Our final witness on this panel is Mr. Greg Schaffer, 
Acting Deputy Under Secretary, Department of Homeland Security.
    Welcome, Mr. Schaffer.

STATEMENT OF GREG SCHAFFER, ACTING DEPUTY UNDER SECRETARY, U.S. 
                DEPARTMENT OF HOMELAND SECURITY

    Mr. Schaffer. Thank you, Madam Chairwoman, and thank you, 
Vice Chairman Renacci and Ranking Member Maloney, for having me 
here to testify about DHS's efforts to reduce risk from 
cybersecurity issues to the banking and finance sector.
    It is really quite hard to identify a security issue today 
that is more pressing than cybersecurity. Indeed, this is an 
area that raises issues of national security, homeland 
security, and economic security for our country.
    The reality is that we are increasingly under attack in a 
dangerous cyber environment. The attacks are more targeted, 
more sophisticated, and more serious than they have been in the 
past. Our adversaries are stealing sensitive information, both 
from government and from industry, and they are taking away our 
comparative economic advantage as they do so, as well as 
jeopardizing individual privacy.
    More disturbing, as more and more of our infrastructure is 
attached to these networks, we know that our adversaries are 
capable of targeting and impacting the elements of critical 
infrastructure that underpin our financial systems and other 
critical infrastructure. Major financial institutions and those 
resources that they depend on, like communications and the 
electric grid, are all subject to attack. And, indeed, this is 
not conjecture. This is happening on a daily basis, with 
hackers probing and attempting to impact critical 
infrastructure entities. Moreover, because our financial 
institutions are critical to our Nation's economic security and 
handle large sums of money, they are, needless to say, targeted 
for many of these attacks.
    In response to these growing and persistent issues, the 
Department of Homeland Security, along with our Federal 
partners, are working collaboratively with the financial 
institutions to assist in defending and securing our Nation's 
most essential networks. This public-private partnership is 
extremely important to our success in protecting our 
infrastructure. No single technology, no single entity in 
government or in industry can solve this problem alone. This is 
truly a shared responsibility.
    The National Protection and Programs Directorate, or NPPD, 
within DHS has several cybersecurity roles. First, we protect 
the Federal Executive Branch civilian networks, or the dot-gov 
space. Second, in partnership with our private-sector partners 
and others within government, we lead the protection of 
critical infrastructure, working with industry to provide 
technical expertise, to broaden risk-assessment capability, to 
develop mitigation strategies, incident response capabilities, 
and generally reduce risk. We are responsible for coordinating 
national incident response capabilities, working with law 
enforcement agencies, the intelligence community, the defense 
community, and Homeland Security resources across the Nation. 
And, generally, we are tasked with raising awareness of 
cybersecurity issues across-the-board.
    Financial sector initiatives that we are working today are 
diverse and many. Our relationship with critical infrastructure 
stakeholders has matured over the course of the last several 
years, so we are not just thinking about information-sharing 
for the purpose of information-sharing, but operational risk 
reduction through information that is really actionable by 
those entities that receive it.
    For example, we are now working with the private sector, 
literally living on the watch floor at the National 
Cybersecurity and Communications Integration Center. The 
financial services sector, as well as other sectors, are 
placing resources on the watch floor so that we are breathing 
the same air and learning about incidents as they happen and 
able to respond to them together as a team. The financial 
sector's presence really enhances the analysis, warning, and 
response capabilities associated with critical information 
systems.
    We are also working with the financial services 
information-sharing pilot, the FS-ISAC, the Financial Services 
Information Sharing & Analysis Center, to share information 
between DOD, DHS, and the financial services sector. Government 
has provided over 2,800 informational products to the financial 
services sector and received over 394 submissions over the 
course of the pilot. And, indeed, that pilot has shown us, and 
we have learned, that both government and industry have 
information of value to each other that we would not have if we 
were not working in collaboration. Based on the success of the 
pilot thus far, we plan to extend this to several other 
industry sectors over the course of the coming year.
    We have a resiliency review pilot ongoing, as well. We are 
working in two phases to work with the sector in order to do 
assessments of their cybersecurity resiliency as well as 
looking for malicious actors on their networks. We provide a 
range of technical assistance to actors when they request it. 
And, indeed, over the course of the last year, we have provided 
assistance to several institutions in the financial sector.
    I thank you again for the opportunity to provide you with 
testimony this morning and stand ready to answer your 
questions. Thank you.
    [The prepared statement of Acting Deputy Under Secretary 
Schaffer can be found on page 111 of the appendix.]
    Chairwoman Capito. Thank you. Thank you all.
    And I will begin the questioning with a question of Mr. 
Snow.
    You mentioned ``botnet.'' Can you explain that to me and 
what that means for an individual computer user? Because that 
is where somebody can use my computer to go in and compromise 
other people's financial data; am I understanding that 
correctly?
    Mr. Snow. Correct. And the simplistic way to look at it is, 
it is a network of computers run by a malicious actor that acts 
autonomously. So your computer could be under the control of 
another individual to run this bot. The bot herder would be the 
name of the individual. He would run this bot that could be a 
series of a million, 2 million computers that are controlled by 
command-and-control servers, one or many, depending on the size 
of the network.
    And those computers would work on their own. For instance, 
in the Coreflood botnet, as soon as you open a browsing window 
or added in personally identifiable information, the key-logger 
would grab that information. And then, periodically, the way 
the malware was set up is it would send it to the command-and-
control server under the control of the criminal actor, who 
would use that information for whatever purpose they deemed 
appropriate--selling it online, using it to profit, and other 
things.
    Chairwoman Capito. So when we, as individual computer 
users, log on and we think we have security-ware on our 
computer, that may be a myth for some--for most of us, 
probably?
    Mr. Snow. It may not be a myth if you are paying a 
subscription. You may actually have your security antivirus 
there. The myth portion of it is just that it may not have the 
signature or be able to identify that bot.
    For instance, in the Coreflood botnet, it was almost every 
48 hours or 72 hours, there was an update sent to the botnet so 
that the antivirus signature would be behind the power curve.
    Chairwoman Capito. Okay.
    So that was kind of one of my impressions, just listening 
to all three of you, is that it is so difficult to stay one 
step ahead. Because as soon as you change your technique to 
discover, then they change their technique to be undiscovered. 
And, obviously, they are very bright computer folks, with bad 
intentions at the same time.
    Mr. Snow. Correct. And the point that you brought up about 
the individual is very salient. The individual, even if they 
are trying to practice good hygiene on the computer, trying to 
update their software, trying to look for indications that 
there may be a problem, may never see that. And, in addition, 
that malware may disable their antivirus.
    Chairwoman Capito. Let me ask you about--and this is for 
anybody--mobile payments. We are learning that we are going to 
be going--and, actually, I saw this at the airport the other 
day, where, instead of having a physical boarding pass, they 
used their mobile phone as the boarding pass.
    Do you see this as another chance to weaken the security 
system? Is it going to be harder to control mobile payments, 
and is that going to open up a whole new world?
    Mr. Smith?
    Mr. Smith. Clearly, I am not an expert on that, but what I 
have learned is that, as you said, as the technology moves 
forward, that is going to become more in vogue, probably, to be 
used.
    It probably has some negatives. One of the positives might 
be that if you are using your mobile phone to make an online 
payment or withdraw from an ATM, the GPS mechanism may actually 
be able to detect, if you are making that withdrawal in 
Washington, D.C., that you are, in fact, there, as opposed to 
trying to make a withdrawal from Paris, France, if you will.
    So I think there are probably a lot more technical 
advantages to it than disadvantages, but, as you said, there 
will be people out there who will continue to try to breach it 
in one way or the other.
    Chairwoman Capito. Would anybody else like to comment on 
that?
    Mr. Schaffer?
    Mr. Schaffer. Madam Chairwoman, I would simply add that, as 
we see new technologies come to the fore, the most important 
thing is that we focus on the security aspects before those go 
into wide usage. In other words, there are risks associated 
with all new technologies. If they are implemented in a secure 
way, they can be made secure and made to function in a way that 
serves the purpose of the institutions that are bringing them 
to the fore.
    But if we don't focus on that in advance, if we are not 
paying attention, the more complex the technology, the more 
opportunities there are for some of these malicious actors to 
take advantage of them. And so it is critically important that 
we don't try to bolt security on afterwards when we find out 
there is a problem, that we think about it as we go to market.
    Chairwoman Capito. Right. Right.
    One of the questions in my mind as I read through your 
testimony--there are a lot of commissions. And you mentioned, 
Mr. Schaffer, in your testimony, collaboration with the private 
sector. Obviously, the FBI and the Secret Service are 
collaborating.
    This is a judgment question on your part. I don't know if 
this is something you want to get into, but are you satisfied 
with the information-sharing that is going across different 
agencies? How can we improve that?
    And, obviously, this is an international forum. Does that 
present challenges to certain agencies? You mentioned that the 
Secret Service has international offices, but I didn't know 
jurisdictionally if that is a problem.
    Mr. Schaffer. Ma'am, I would say that we are in a better 
place today in terms of information-sharing than we have been 
in the 15 to 17 years I have been in this space, both in 
government, where we have broad collaboration and methodologies 
that are laid down in things like the National Cyber Incident 
Response Plan that help us to coordinate our activity as these 
events occur, and in the private sector, the opportunities for 
people to literally be on the watch floors with us and then 
have that information shared.
    Do we need more information-sharing? I wouldn't say--I 
would suspect that all of us would say we always need to have 
this information flowing as aggressively as possible, and there 
is more that can be done. But we have certainly made a lot of 
progress.
    Mr. Snow. I agree wholeheartedly with Mr. Schaffer. But I 
would state that one of the things that I think we are missing 
here is the timeliness with which the information is shared. We 
have to go from manual speed to network speed.
    If we are talking about a JTTF information exchange, for 
instance, we have might have a person or individual; we notify 
those people, and we work that case. In this instance, this 
threat comes at us in nanoseconds. It keeps on moving. If I 
wait until the time that I see A.T. or Pablo Martinez or Jeff 
Irvine to exchange that information, we have probably already 
lost the battle. We need to be able to figure out how we can do 
that in realtime.
    Chairwoman Capito. All right. Thank you.
    Mrs. Maloney?
    Mrs. Maloney. Thank you for your testimony.
    And since this is our first meeting since 9/11, and we 
rarely have the Secret Service, the FBI, and Homeland Security 
before us, I would like to collectively congratulate you and 
thank you, on behalf of my constituents and New York City and 
probably the whole country for your excellent work in locating 
Osama bin Laden. Thank you.
    On this we all agree, that cybersecurity is a threat to our 
economic security. So I would just like to ask you 
collectively, what keeps you up nights? What are you most 
concerned about? What do you feel we really have to do to be 
prepared?
    And this is a Financial Services Committee hearing, but are 
the attacks different for financial institutions or, say, 
domestic military contractors and the government or the Stock 
Exchange? Is there something that is unique about financial 
institutions?
    Also, are you collecting where it is coming from? Is it 
primarily foreign countries, such as Russia, possibly China, 
India? Where is it coming from? Is it government-sponsored in 
other countries or is the threat from other competitors against 
financial institutions or just plain American criminals trying 
to steal identities?
    I was struck with your testimony, Mr. Smith, so I wanted to 
particularly respond to your statement that there are 
increasing levels of collaboration among cyber criminals, 
particularly in the online space. What steps are we taking, 
collectively, to work with our international law enforcement 
against these sort of collaborative international efforts to 
hack into the information systems of America?
    Again, thank you for your work. And what can Congress do to 
help you? That is it.
    Mr. Smith. Thank you, ma'am.
    With regard to the description that you gave, I would say 
that it is all of those things that you outlined. There are 
definitely malicious actors out there. There are groups who do 
this sort of thing. And, as I said in the testimony earlier, we 
see quite a bit of that activity in the European theater.
    What we have done in the Secret Service, and just to 
follow-up on what Mr. Snow said a moment ago, we are sharing 
information better than we ever have. Whether it is through the 
NCIJTF or the FS-ISACs or just collaborating on best practices, 
if you will, we are better at that than I believe we ever have 
been.
    In terms of the Secret Service and what we have tried to do 
to fight this issue that we see largely in that theater that I 
described, we use our liaison efforts in our foreign offices, 
24 of them around the world, to make sure that we are in 
constant touch with the law enforcement entities in those 
countries. We have recently opened a small Secret Service 
office in Tallinn, Estonia, which, again, for a number of years 
has been a hotbed of this type of cyber crime. We have also 
tried to expand our footprint in other places; we recently have 
just opened an office in Beijing, China.
    So, to address all of those kinds of things that you 
described, whether it is individuals or organized criminal 
groups, we have moved in those directions.
    Mrs. Maloney. But when you said Eastern European, are they 
operating out of Europe? Are they operating out of America?
    Mr. Smith. Probably both. We have had some significant 
cases where we have arrested people in the Eastern European 
countries. And, again, that is usually done through the 
assistance of the host government, the law enforcement entities 
in those countries. So a little of both, quite frankly.
    Mrs. Maloney. Okay.
    And, Mr. Snow, would you like to comment on what keeps you 
up at night, what are you most concerned about, and what do you 
feel we should be doing more of?
    Mr. Snow. Currently, what keeps me up at night is my 9-
month-old. But the--
    Mrs. Maloney. That is a happy occasion.
    Mr. Snow. The threat that keeps me up the most is just a 
concern of how we are actually looking at the problem and 
attacking it.
    For instance, if we look at the standards, the industry 
standards, across networks in all organizations, whether it is 
government, private sector or public sector, I don't think they 
are very high. We talk a lot about the advanced persistent 
threat. It may be persistent because it is still resident in 
the system, but I don't know that the techniques that we are 
using, to use a high school analogy, is the varsity team that 
is coming in. It is the freshman team who is walking in with 
phishing emails and getting a socially engineered attack that 
allows the malware to move laterally across the systems.
    Mrs. Maloney. Is the attack different for different 
institutions, say, a military contractor or the government? Do 
they use a different system than going after financial 
information? And how much of it is competitors trying to get 
information?
    Mr. Snow. It is a great--
    Mrs. Maloney. Or is it just criminal?
    Mr. Snow. Right. It is a great question. And I think if you 
would have asked me that question about 2 years ago, I would 
have said there are many variations and different levels of 
types of information they are looking for. Currently, though, 
they are so successful, they are looking for all information. 
So whether it is a clear defense contractor, whether it is a 
banking institution, whether it is a national security concern 
or issue, they are looking for the same things, using the same 
techniques, to pull everything that they can pull off of it.
    I would want to ensure that we are moving in a more 
realtime fashion. I know that we always have privacy and civil 
libertarian concerns. At the FBI, we take protecting people's 
civil liberties and their rights and their privacy very 
seriously. And, at the same time, I look at a system that has 
been developed to freely share information. It wasn't developed 
to work on a commerce-type issue or to have people ride on it 
without any identification. So I would want to have a structure 
that does two things: one, that offers assurance that those 
pieces and the parts of the network are protected; and two, 
that I have some way to look at the identity of somebody taking 
an action on that system.
    Mrs. Maloney. Great. Thank you.
    Chairwoman Capito. The gentlelady's time has expired.
    Chairman Bachus is recognized for 5 minutes for questions.
    Chairman Bachus. Thank you.
    I read your written testimony last night. As many members 
of this committee may or may not know, we actually have a 
detailee from the Secret Service. And I hope most of the 
Members and the general public would simply be overwhelmed with 
the level of the threat of cybersecurity. There is a great need 
to educate the public.
    And one question I might ask--and you touched on this, all 
of you--is that these are very sophisticated enterprises that 
are conducting most of this. Most people kind of have a 
tendency to think of these as sort of like the Nigerian scheme, 
where there is some guy sitting in a room in Nigeria, but that 
is really not the case. That goes on, but this is a much 
higher, more sophisticated level.
    Many of the people who are conducting these have been 
trained, have master's degrees, have 30 years of experience in 
the government in another country or working for a technology 
company in these countries. And they are well-funded; they are 
multimillion-dollar organizations. I think you have done an 
incredible job.
    When we talk about funding, that is one thing that worries 
me. Last year alone, I think there was $7 billion or $8 billion 
worth of fraud that was prevented. And the amount of 
information--I know, Mr. Smith, in your testimony, you pointed 
out that you had to review more information--or 4 times as many 
terabytes as are in the Library of Congress archives to get 
this information.
    Another collateral benefit is that we solve other type 
crimes, because the training that goes into this for your 
agents and your expertise that is developed in this area allows 
you to--you can apply it in terrorism. You can actually apply 
it in missing children, some of the training, just across-the-
board--child predators.
    A number of cases have been solved by training that was 
received at the National Computer Forensic Institution where 
local law enforcement went back or judges were able to 
successfully prosecute people and make the right ruling. 
Because what you have to successfully do to get a prosecution 
is you have to be able to successfully extract it from the 
computer, the information, find it, which is not easy. Then you 
have to be able to preserve the chain of evidence, and then you 
have to successfully introduce it in a prosecution. That 
sometimes has been the problem, that you had the information, 
but somewhere the chain of evidence was broken, and some sharp 
criminal defense lawyer was able to take advantage of that.
    Mr. Snow, you mentioned Pablo Martinez, who is the 
Assistant Special Agent in Charge, and then I guess Deputy 
Assistant Director Jeff Irvine, who I think is in charge of--
what is it--34 offices overseas? Somewhere in that 
neighborhood?
    Mr. Smith. Twenty-four, yes, sir.
    Chairman Bachus. Would you two gentlemen stand up? I want 
to commend you all for your efforts. And I think probably, each 
day, the efforts of you and your organizations--and thank you--
really keep us all from being ripped off.
    And the banks have done a tremendous--the financial 
institutions are spending millions and millions of dollars in 
this effort, and the collaboration is so important. And, as I 
said, the collateral benefit. There is almost no crime today 
that is committed without the involvement of either a cell 
phone or a computer or a handheld device. So it is pretty 
astounding.
    My time--I have 11 seconds left, so I just want to say, job 
well done. And it is an incredibly difficult job.
    And I would say to the banks--I know you are on the second 
panel--I do think it would help if the public and the financial 
institutions would accept the fact that we may need to go to a 
protocol of getting into your account with two or three 
different levels. And I have seen evidence that the financial 
institutions are doing that. One simple password is becoming 
pretty archaic now.
    Chairwoman Capito. Thank you, Mr. Chairman.
    Mr. Watt for 5 minutes for questioning.
    Mr. Watt. Thank you, Madam Chairwoman.
    And let me applaud the chairwoman and ranking member for 
convening this hearing, and thank these gentlemen for the work 
that they are doing in this area.
    After spending all of the last term of Congress learning 
about derivatives and CDOs and all of those complex financial 
matters as chairman of the Domestic Monetary Policy 
Subcommittee over here, I had an interesting choice at the 
beginning of this term of Congress and chose to go over and 
spend most of my time on the Judiciary Committee as the ranking 
member of the Intellectual Property Subcommittee.
    Some of these gentlemen have testified over there about the 
nature of these problems, because now we are learning about 
rogue and bogus Web sites, and online piracy, and theft of 
music and movies, and knock-off drugs and auto parts and 
military equipment, and just about everything that you can 
obtain legally can be obtained illegally online, which is all 
part and parcel of this whole cybersecurity issue.
    Chairman Bachus was right, because a lot more theft--we 
used to think of bank robberies taking place by people walking 
into a bank with a gun, but all the robberies of banks and 
accounts are taking place electronically now. Almost nobody 
walks in with a gun anymore to do that. But the scope of it is 
mind-boggling, and the technology has made it so easy to steal 
music and everything else out there, and a lot of control of 
this is offshore.
    So, the magnitude of this problem has made this a national 
emergency, really an international emergency, that these 
gentlemen are describing the national component of. But under 
that there is a commercial component, an industrial component, 
a banking component that is staggering in its magnitude.
    On one aspect of that, we are about to introduce a bill in 
the Judiciary Committee, a bipartisan bill. One of the reasons 
I chose to go over to Judiciary at this time, at least the 
intellectual part of it is more bipartisan than the Financial 
Services Committee used to be. It is about the only place you 
can get some bipartisan agreement on something, when you are 
dealing with some of these issues. So we are attacking the 
commercial component of it hopefully in this by giving more 
authority to get jurisdiction over these foreign Web sites, 
which has been a major problem for the FBI to even get access 
or jurisdiction over these entities.
    I have learned a lot more about this than I ever wanted to 
know. I didn't know what a ``cloud'' was until--I thought 
people were walking around with their heads in the clouds, and 
now we are storing everything in the cloud. It has been an 
interesting learning experience for me, just as the last term 
of Congress was a learning experience for all of us about all 
of these sophisticated financial products.
    I am learning about all the sophisticated ways that people 
steal and produce bogus products, pirated products. ``Knock-
offs'' is the term I guess we use for them on the street. But 
there are knock-off drugs, pharmaceuticals. Our military, we 
haven't even figured out a way to stop our military from buying 
knock-off, pirated parts for military equipment.
    So the problem is massive, and the bottom line is I thank 
you all for spending some time exposing it in the financial 
services and the whole cybersecurity area. Thank you.
    Chairwoman Capito. Thank you, Mr. Watt.
    Mr. Renacci for 5 minutes for questioning.
    Mr. Renacci. Thank you, Madam Chairwoman. I want to thank 
the witnesses for being here today and discussing this topic.
    Coming from the private sector and the small business world 
just recently, as you get up every day, and you worry about 
making payrolls, and you worry about just keeping your business 
going, a lot of this doesn't really hit home until you are 
sitting here listening to it.
    I was wondering, from all three of your perspectives, do 
you believe that private industry and the government agencies 
are really doing enough to educate the general public and the 
small businesses and community banks of the safety and security 
conduct issues that they have to be concerned about with online 
transactions these days? I would like to hear your thoughts.
    Mr. Schaffer. Thank you, Congressman.
    I do think that there is a tremendous amount of effort 
going into communicating to the business community. At DHS, we 
have a number of programs to do that. One which is about to 
start is National Cybersecurity Awareness Month, the month of 
October. We will spend a significant amount of time with 
seniors and others working around the country, and indeed 
internationally, to talk about cybersecurity broadly to the 
public.
    We have the ``Stop, Think, Connect'' campaign, which is 
really designed to speak to individuals about paying more 
attention to what they are doing when they are clicking through 
on these links that can cause them to be exposed to some of 
this malicious software and then become part of a botnet and 
part of the problem.
    There are a variety of things that do need to be done to 
reach out to small businesses, and both DHS and the Department 
of Commerce and others have taken some steps to do some of that 
reaching out to make it clear there are resources like on the 
US-CERT Web site where you can get information about how to 
secure your systems and get information about threats and 
vulnerabilities made available to the public broadly, and there 
are many places where that information can be obtained.
    I do think that this is an issue that we cannot just focus 
on security professionals. They understand the issue. They are 
with us. This is an issue that has to be shared with data 
owners, the folks who are making business decisions about where 
to invest. The lock on the door, as someone pointed out, the 
theft is happening through the Internet more than it is 
happening through breaking into the back storage room, and 
people need to invest accordingly and risk manage accordingly, 
and we have to reach those folks and make them understand that 
shift has occurred, and they need to adjust as well.
    Mr. Renacci. Mr. Smith, particularly from a small business 
standpoint, do you have any suggestions for small business 
owners? They don't have the dollars in many cases that the 
larger institutions have for protection. What are some of the 
things that a small business owner can do to protect themselves 
from these security breaches?
    Mr. Smith. You are exactly right, Congressman. You heard 
from my testimony that some of the smaller businesses and 
financial institutions have become more of the victim over this 
past year or so. There are a number of things that they can do, 
and obviously probably one of the best things they can do is 
just consult the FTC's Web site.
    But I do want to point out, and I mentioned in my remarks, 
the Verizon 2011 data breach study that Verizon and the Secret 
Service, and also from the European theater that we mentioned, 
the Dutch High Crimes Unit participated in this report this 
year, and it gives a lot of valuable information about 
breaches, about hacks, and then also further would probably be 
a very good tool that small businesses and financial 
institutions could use in terms of prevention and that sort of 
thing. It certainly talks about how the hacks occurred and sort 
of what kind of crimes were perpetrated against them.
    Mr. Renacci. Mr. Schaffer, are you having unique challenges 
hiring people in regards to cybersecurity?
    Mr. Schaffer. Yes, sir. We indeed do have some challenges 
in that regard. The marketplace for deep cybersecurity 
professionals is extraordinarily competitive. Pay in that space 
is higher than it is for many other professionals who have an 
IT or information technology background.
    As a consequence, with the Department of Homeland Security 
trying to hire into a space where even others in government 
have more hiring flexibility--DOD, for example, has significant 
authority that DHS does not currently have to bring in those 
deep technical experts--we would love to have that same kind of 
capability, and that is part of the legislative proposal that 
is currently circulating.
    Mr. Renacci. Thank you.
    I see I am running out of time. I yield back.
    Chairwoman Capito. Thank you.
    Mr. Scott for 5 minutes.
    Mr. Scott. Thank you very much.
    I was very intrigued by the fact that the CIA, the 
Department of Defense and our Fed Chairman's computers were 
hacked. Let me ask you something, because in order to know 
where we are going, we can learn from experiences that we have 
gone through. What did we learn from that experience? Who did 
this? What were they after? What kinds of information did they 
obtain?
    Mr. Schaffer, each of you, if you could. It would be 
important for us, because I think it is important to know who 
did this, why they did it, what kind of information did they 
get, what were they after, and what have we done to correct it?
    Mr. Schaffer. Congressman, as I think you have heard across 
the panel today, the number of entities that have been breached 
and are constantly under attack far exceeds the few that have 
been mentioned. Literally every department and agency has had 
attacks against it at various points in time, and those attacks 
are from a wide array of threat actors that go from individuals 
to hacktivists or people trying to take political action on the 
Net, to organized criminal organizations, to nation state 
actors. It really does run the gambit.
    The good news from our perspective in terms of defending 
these networks is that most of the studies, including the 
Verizon study that has been referenced that was done with the 
Secret Service, showed that much of the vulnerability that is 
being taken advantage of by all of these actors is known and 
can be fixed by good hygiene and aggressive cybersecurity 
efforts. We know how to do this. We just need to make sure that 
our public and private-sector entities are, in fact, executing 
against those security requirements.
    Mr. Scott. Do either of you want to comment on that?
    Mr. Snow. Congressman, I would say a couple of things also. 
One is--and we talk and relate it back to small business--most 
of the time the people's awareness is only triggered by a loss 
or an intrusion, and it is the first time that they are 
actually reaching out for some of the partners or law 
enforcement or even their peers in the community.
    I think we learned after 9/11 that one of the things we 
need to do is really look at risk, what are your threat times, 
your vulnerability times, your consequence, and how can we fix 
those things. How do we table-top those issues? And if you are 
the IT person or the CEO for the corporation or whatever it 
happens to be, I know we have to make decisions based on 
dollars, but we should run even the first run-through of if 
today you got hacked, what was vulnerable on your networks? Are 
we really looking to manage and secure systems, or are we 
looking to manage and secure information? Is your IT person, is 
the general counsel of that organization, are they good with 
your IT person's decisions? Is the CEO okay with those 
decisions? Does anybody understand, as the chairwoman 
referenced before, that there are proprietary contracts in 
there that may preclude sharing that information robustly? And 
how do we go forward taking a look at those issues?
    Mr. Scott. So we would say, then, that what we have before 
us is a situation where it is the machinery, it is the system, 
it is what we have out there, this new technology that we have 
in and of itself, and that the threats are not necessarily 
primarily at this point terrorists as much as they are 
competitors, as much as they are criminal organizations, as 
much as they are maybe other nations. Is that a fair 
assessment? From some of our information, we found out that it 
is not necessarily terrorists who are at the top of the list 
here in all of this, but it is these other entities.
    What I am trying to get at is we have to figure all of this 
out if we in Congress are going to try to fashion some 
legislative remedies. We have to get our hands around what it 
is if we are going to do something significant.
    And that leads me to, and I don't have much time, given all 
of this, what do you recommend when we look at this? It is like 
a bowl of Jell-O. You get your hand around some of it, and 
another squeezes out. How do we legislate? What do you 
recommend that we do legislatively here in Congress to address 
this extraordinarily difficult and complex issue?
    Mr. Snow. Sir, I will take the question in two parts. One 
is, where does the threat reside? And honestly, the highest 
threat is the counterterrorism threat of a terrorist hacker 
moving into our infrastructure that protects our way of life 
and our basic necessities and our needs throughout the Nation.
    The largest threat right now is the nation state threat 
that comes in and takes a look at all of our critical research 
and development, our intellectual property, the things that are 
coming in lock, stock and barrel, and copying and moving off. 
In that threat is included the criminal threat, and I think 
this Financial Services Committee is focusing in on it 
correctly. The criminal threat to the economic security of the 
United States is very critical.
    What do we do about it? I think that is an answer for all 
of us. But one of the things we really need to do is sit down 
and talk about what are those options we are going to take. How 
do we engage as a Nation? First, what are the citizens within 
the Nation willing to accept on how they want to be protected; 
and second, what are we as a Nation going to do as we respond 
to the threats we see? Are we appropriately engaged in the 
domestic intelligence, military, economic, law enforcement 
model?
    I would pass it over to my peers here.
    Chairwoman Capito. I think the gentleman's time has expired 
on his questioning.
    Mr. Duffy.
    Mr. Duffy. Thank you, Madam Chairwoman, and I appreciate 
the witnesses coming in for their testimony.
    As an individual, is the main threat that comes the 
individual's way through phishing emails, or are people's 
computers being hacked on the individual side?
    Mr. Smith. Congressman, it is actually both. We still see a 
lot of phishing that occurs and people respond to, and, again, 
a good public awareness campaign is probably as efficient as 
anything. By the same token, we do see account takeovers and 
large quantities of personal identification that is actually 
taken in these kinds of instances that we talk about.
    Mr. Duffy. And on the attacks that are happening, whether 
they are hacking into computers or they are sending out 
phishing emails, is it fair to say that a large percentage of 
the attacks are coming from outside the United States?
    Mr. Smith. Yes, sir, they are. And I believe before you got 
here, I covered the fact that we have tried to force multiply 
our efforts, if you will, through our liaison efforts in our 
foreign offices to make sure that when we encounter criminals 
in other countries, we have the right liaison effort there, and 
we can get the right cooperation from the local law enforcement 
in those countries to try to arrest the people responsible for 
those things as well.
    Mr. Duffy. And that is where I was going to go with the 
next question, because if you look at folks who plan and carry 
out terrorist attacks on our country, we pursue them pretty 
aggressively, or, as someone mentioned, walking into a bank 
with a gun and robbing a bank, we also pursue those folks 
pretty aggressively as well. On one side we are either killing 
them or capturing them, and bank robbers, we are putting them 
behind bars for a lengthy period of time.
    How successful are we in branching out around the world to 
get these folks who are actually orchestrating these attacks on 
our country, because if they pursue several attacks, and we 
don't apprehend them, they just sit there and attack and attack 
and attack until they are successful. Are we able to get those 
folks who are orchestrating the attacks on the country?
    Mr. Smith. We are, and we are very aggressive when it comes 
to trying to pursue these individuals. Again, a lot of it 
depends on the country that they may reside in as to the level 
of cooperation that we may get. But through, again, our 
international efforts, we liaison to the nth degree, if you 
will, with those host countries. And we have tried to do that 
through another means, and that really affects the public 
outreach piece, and that is through our Electronic Crimes Task 
Force. We have 29 domestic task forces that have quarterly 
meetings that involve both State and local law enforcement, the 
private sector, particularly the financial sector, as well as 
academia, to keep us on the cutting edge of what is out there.
    But we have also recently organized and started two 
electronic crimes task forces overseas, one in Rome, Italy, and 
the other one in London, England. So we are trying to take the 
model that has worked for us dating all the way back to 1996 in 
New York City and make that spread not only across the country, 
but now around the world, and then through those efforts and 
through that liaison we are able to, we believe, force multiply 
our efforts and get by on, if you will, from those countries 
where we actually have to go and investigate these crimes.
    Mr. Duffy. Are we seeing that more of these folks are then 
congregating in these countries that are less cooperative with 
their law enforcement agencies?
    Mr. Smith. I really can't give you a statistic for that 
because they are all over. Again, we talk a lot about Eastern 
Europe and that area, but there are certainly criminals who do 
this sort of thing in other parts, in Asia. So I don't think 
really there is a hard figure for that.
    Mr. Duffy. My time is just about up.
    I think one of you mentioned this. It is fair to say that 
we do have the technology to protect ourselves. Is it just a 
matter of making sure our financial institutions and our 
individuals are implementing the procedures and the technology 
to make sure they have that firewall from these folks?
    Mr. Schaffer. To be sure, what we have seen statistically 
is that a significant percentage, a very high percentage of the 
attacks can be dealt with through good implementation of 
current technology. That is not to suggest that we can deal 
with everything in that regard. And there are some 
sophisticated attacks that current technology is not going to 
address, and we will need to develop additional capabilities in 
order to do that.
    Unfortunately, today, offense wins in cyber. Defense has to 
be perfect everywhere; offense only has to be right somewhere. 
As a consequence, we have a challenge on our hands, and we do 
need to get to the next level from a technological perspective 
to be able to get to the point where we change that paradigm.
    Mr. Duffy. And do we have the resources available to pursue 
those technologies, to make sure that we are being proactive 
instead of reactive to these attacks?
    Mr. Schaffer. I think we are definitely being proactive. 
For example, one of the things that DHS did earlier this year 
was to publish a paper about what we think needs to happen from 
an ecosystem perspective to get to the next level, where we 
have more automation, better interoperability between security 
solutions, better authentication of people, devices and 
software. And there are indeed initiatives like the Trusted 
Internet Connections Initiative, the name of which just has 
slipped my mind, that are designed to try to get us to a better 
place on that authentication issue.
    So there are several pushes under way to get those new 
technologies in place, but it is something that we have to 
continue to be vigilant about.
    Mr. Duffy. I want to thank you all for your hard work.
    I yield back. No more time.
    Chairwoman Capito. No more time. I would add `speed,'' 
because we have already heard that speed is an issue.
    Mr. Baca for 5 minutes.
    Mr. Baca. Thank you very much, Madam Chairwoman.
    One of the questions that I have, the United States has a 
separate law imposing data privacy requirements for financial 
information and for medical information. Do you think it is 
preferable to have the data protection requirement imposed 
based on who holds the data, or should it be based on the type 
of data, regardless of who holds the information? That is for 
any one of the panelists.
    Mr. Snow. Sir, obviously I wouldn't make the legislative 
decisions for the Department of Justice or weigh in on it, but 
I would say that I think it is regardless of who holds the 
information. As technology and innovation changes so rapidly, I 
think there would be a desire to offload cost by offloading the 
information to somebody who may not have that same regulatory 
requirement. But, once again, that is just a personal opinion 
of my own.
    Mr. Baca. Anybody else want to weigh in on that? Everybody 
wants to take a pass on it, right?
    Okay. Let me ask the next question. To DHS: Can you 
elaborate on the information-sharing pilot and what lessons 
have you learned from it, and how do you expect it to inform 
future actions that you take in this area, which is question 
number one; and does the financial sector have a unique set of 
challenges as opposed to other sectors with respect to the 
cybersecurity; and can you describe some of the unique 
challenges that you see with respect to the financial sector?
    Mr. Schaffer. Yes, sir. Thank you for that question.
    I think we have learned some lessons from the pilot 
activity with the Financial Services Information Sharing & 
Analysis Center. That pilot has shown us a couple of things: 
first, that each sector has its own technological choices. It 
has implemented in financial services a set of solutions that 
are different, for example, from what the defense industrial 
base has employed, and we need to be able to craft our 
capabilities at US-CERT as we push out information to be 
ingested and used and made actionable by the sector. It is 
going to have to be slightly different for the financial 
services sector than it was for the DIB, for example.
    Second, we have learned that interaction between analysts, 
the analyst-to-analyst discussions which we have done quite a 
bit of throughout the pilot, are enormously valuable; that 
having folks sit down and actually discuss where things are 
going, and what mitigations are available, and how best to 
implement those mitigations moves the ball tremendously and 
allows for greater efficiency and effectiveness on both the 
government side and the private-sector side.
    Third, we have learned that having representatives on the 
watch floor, as I have mentioned a couple of times, really does 
enhance the ability to stay up to speed on what both sides are 
doing and make sure that we are able to, if something is 
ratcheting up, have good situational awareness from steady 
state to crisis if indeed something is getting more 
challenging.
    With respect to unique challenges for the financial 
services sector, I think you have heard these gentlemen speak 
to it. The fact is the financial services sector is where the 
money is, and so that sector is targeted in a way that other 
sectors may not be because there is availability of ready cash. 
What we are seeing is that intellectual property is being 
targeted across the entire economy and across all sectors, 
government and industry, but in terms of direct access to cash, 
this sector is particularly valued by those who would do us 
harm. So that targeting puts this sector at the leading edge of 
some of those issues.
    They also are technologically advanced, and they have a lot 
of Web access capability in this sector, so they are making use 
of the technology to deliver services to consumers and to the 
public, and those are some of the places where, again, the 
malicious actors have an opportunity to interact with the 
technology and maybe take advantage of it.
    So those are some of the unique challenges, I think. 
Working with this sector to try to figure out how to do risk 
assessments and working with them to develop good mitigation 
strategies is one of the things we are doing at DHS to try to 
buy down that risk.
    Mr. Baca. Let me follow up with an additional question 
between the Federal Government and the private sector. How does 
the Federal Government compare to the private sector with 
regard to receiving, storing, and maintaining encrypted 
information? And if the private sector has to send or report 
encrypted data to the Federal Government, can the Federal 
Government ensure that it remains so protected?
    Mr. Schaffer. Yes, sir. I believe that the Federal 
Government has the capability to protect data that is submitted 
by the private sector. Again, the devil is in the details, and 
the need to correctly implement solutions and make sure they 
are maintained in the appropriate way is critically important 
for any agency that is intaking data.
    At DHS, we have some programs that are specifically 
designed to allow private-sector entities, particularly 
critical infrastructure players, to submit data with special 
protections so that they are comfortable with telling us about 
their security situation without the worry that the information 
is going to be inappropriately released or made available in 
ways that could hurt their security over the long run, and we 
take measures to ensure that we are indeed protecting and 
maintaining that data in an appropriate way.
    The same issue with respect to personally identifiable 
information that we may come into possession of during our 
cybersecurity work with other departments and agencies. We have 
procedures and processes designed to ensure that the data is 
maintained appropriately and not exposed to unnecessary risk.
    Mr. Baca. I realize that my time has expired, but what I 
heard you make a statement is that we need government 
involvement, because everybody says, all right, let's let the 
private sector separate itself from government and we don't 
want any more government involvement, but here I am saying that 
we do need that for that protection versus not to it. One side 
is saying, all right, let's not allow government to be involved 
in all regulations; but yet we are saying that we do need it 
for that protection to allow that safeguard, because the 
private sector won't be able to provide that kind of protection 
unless we both have a joint partnership in ensuring we have 
that kind of security; is that correct?
    Mr. Schaffer. I certainly think government--
    Mr. Baca. We do need government.
    Chairwoman Capito. The gentleman's time has expired.
    Mr. Canseco, for 5 minutes for questions.
    Mr. Canseco. Thank you, Madam Chairwoman.
    San Antonio, Texas, is the home of USAA, the largest 
financial services company in the country. Many of my 
constituents either work there or do business with USAA, and 
members of our military and their families have become huge 
targets for cybercriminals. At USAA, most business is 
transacted online and with our active and retired military.
    Mr. Smith, are there any efforts being made to specifically 
protect members of our military and their families from having 
their personal information financial accounts hacked?
    Mr. Smith. Congressman, none that we are not trying to do 
for the average citizen as well, and a lot of that is again--is 
just through a public awareness campaign and the things that we 
try to do, quite frankly, in our electronic crimes task forces. 
So I wouldn't be able to say that there is specifically for the 
military personnel.
    Mr. Canseco. Many of them are deployed, either in Iraq, 
Afghanistan, or in far reaches of the world, and they have 
their laptops with them, or they have access to computers, and 
they keep current with what is happening with their financial 
accounts and when they get deposits and what they have to pay, 
and they are extremely vulnerable.
    Do you think that it is important to make sure that 
something is done to protect at least our military in a 
specific way?
    Mr. Smith. Yes, sir, I think it would be good. And, again, 
just a lot of personal requirement, I guess, on some levels to 
try to make sure that they are aware of these sorts of things, 
and that they are, in fact, vulnerable, and that they double-
check themselves, as crime prevention goes in terms of 
passwords, the security of their accounts, and that sort of 
thing. I think there is something on an individual basis that 
can be done as well. But I would agree with you.
    Mr. Canseco. Do you feel, Mr. Snow, that the financial 
services sector is appropriately vetting the background of 
personnel?
    Mr. Snow. Yes, sir. It is one of the issues that I will 
bring up. And let me just make a comment about USAA. I know, 
like many financial institutions, they are very proactive, and 
they are trying to do everything they can because of their 
constituency, number one, but because their membership includes 
others besides those in the military.
    We took an individual who came from the Joint Task Force 
Global Network Operations who went down there to work in that 
facility and brought him on board for the clearances through 
the FBI so that we could share that information in realtime. I 
will go down there for the Cybersecurity Awareness Week in the 
opening comments just to thank them for what they do for their 
membership, but also to thank them for being as proactive as 
they can out there.
    But on that line, and we will talk about the vetting first, 
statutorily there are only certain people who have access to 
law enforcement records for checking backgrounds. Some of the 
places like the SWIFT organization that controls the instant 
messaging going from financial institutions to others don't 
have that access statutorily. So that is something we need to 
take a look at.
    Also, which I think is interesting to me, after 9/11 we 
came out with a bill which said we would have off-duty carry 
for former first responders, law enforcement officers, State, 
local, and Federal officers, because it would add to our 
complement throughout the United States a certain response 
capability. Pilots took weapons after proper training up into 
aircraft.
    What I don't see, and it is interesting to me after having 
left the military about 25 years ago--when I was in there, I 
only saw one or two people who had clearances, TS clearances, 
maybe somebody who was in charge of a certain program, or maybe 
someone who was a designated intelligence officer. When I went 
over as the on-scene commander in Afghanistan, I couldn't find 
somebody that didn't have a TS clearance. So every single 
fusion center I went into, every single place that I walked 
into, they carried full credentials.
    But now as I reach out, and we are talking about 
information-sharing, and I try to reach out to people like 
USAA, we have one member there. What about these other 
organizations that don't have a government contract, that don't 
have a military contract, or don't fall into one of the 
historic arenas where they should have those contracts?
    So I have been having discussions on thoughts of, should we 
carry those clearances on? Maybe somebody leaves the military, 
and they are going off into a normal business, but 2 or 3 years 
from now they walk into an area when we see, as Mr. Schaffer 
says and Mr. Smith says, every agency, every organization, 
every department, every size business, small, medium and large, 
and school district, so we could share that information more 
readily.
    Mr. Canseco. Mr. Schaffer, in your opinion, what 
cybersecurity roles are exclusively government functions, and 
which ones are the responsibility of the private sector? And if 
I am out of time, if you could be brief, please?
    Mr. Schaffer. Yes, sir. As mentioned in my opening, I think 
that this is a shared responsibility. In most of these areas, 
we have to work together. Industry owns the vast majority of 
the infrastructure. Government has access to certain 
information, as Mr. Snow just mentioned, some of the classified 
information that can help make things better. We have to work 
together as a team. I think that there are multiple efforts 
under way to make that happen. There are some things that 
government will do at the classified level, but there is much 
that we can do as partners.
    Mr. Canseco. My time is up, but I want to thank you three 
gentlemen for your information very much.
    Chairwoman Capito. Thank you.
    Mr. Carney from Delaware for 5 minutes for questions.
    Mr. Carney. Thank you, Madam Chairwoman.
    I want to thank you and the ranking member for holding this 
hearing today, and the panelists for coming, and for the great 
work you do for our country. I am most interested in the 
threats to our banks and financial services institutions, so I 
would like to just ask a few questions, really following up on 
some of the answers that you have already given and your 
written testimony.
    Could you characterize for me--you have talked about 
individuals, hacktivists, I think you said, nation state 
perpetrators and organized crime. Who is most involved in the 
attacks on our financial services, our banking and cyber 
infrastructure, and how are we doing stopping them and 
arresting them and bringing them to justice? Maybe we can start 
with the FBI or whoever feels most comfortable with that.
    Mr. Snow. Yes, sir. I would say right now that the largest 
threat to the financial services institutes and institutions is 
from the criminal organized crime group and realm, at least 
where we have the most information pointing to a specific 
adversary.
    Mr. Carney. Are those domestic or offshore organizations?
    Mr. Snow. Many offshore, sir, that we see.
    Mr. Carney. Most offshore, or how would you break that down 
as a percentage?
    Mr. Snow. I would say it is probably a 90-10 split, maybe 
an 80-20 split.
    Mr. Carney. But overwhelmingly mostly offshore then?
    Mr. Snow. Yes, sir. And it is important to make a 
distinction, and the distinction would be those that are doing 
organized criminal groups for profit, and then the hacktivists. 
So we see a lot of hacktivists who are still worldwide. We have 
been identifying many here within the United States, but they 
are not the real threat to the financial institutions and 
organizations. They are a harassing threat. They cost a lot of 
money, they do a lot of damage to the systems, but they are not 
the ones that I guess are damaging the economic stability.
    Mr. Carney. So how are we doing stopping them and arresting 
them, whoever is the best one to answer that question, and 
what, if anything, do we need to bolster our efforts there?
    Mr. Snow. I will make the first comment, sir, and then turn 
it over to Mr. Smith.
    As he stated previously, I think we are doing a good job, 
especially in the international relations with other countries, 
working the imbeds, the electronic crime task forces, all the 
efforts that the United States has as we move from the domestic 
side out internationally. I think we are doing a good job and a 
much better job than we have in the past 2 years.
    The thing that concerns me is that it is still a reactive 
mode, so I am trying to find a forensic evaluation of a 
financial institution. There have been many cases where we have 
actually gone out to doors and knocked on them and said, here 
is what we saw in our investigation, and you are already a 
target through reconnaissance. Here is what you need to fix 
yourselves. But I think we need as a government a much more 
robust effort in that fashion.
    Mr. Carney. So do you actually arrest these people, find 
them, or do you just stop them?
    Mr. Snow. We try to arrest them for the deterrence effect. 
The problem is some countries--and it is a force 
multiplication--some countries want to prosecute their own 
individuals, their citizens who reside there. Depending on what 
treaty or MLAT agreement we have, many may be subject to 
extradition or not, and others may want to address the issue of 
their citizens within their domain themselves.
    Mr. Smith. I would agree with Mr. Snow. It just really 
depends on the country and the level of cooperation. We have 
had cases in the Secret Service that were very significant, 
that were large enough that we actually, through some of our 
undercover operations, were able to lure that individual out of 
their home country and bring them to the United States in order 
to be arrested. So it just depends. Each one is sort of an 
individual case and an individual plan, if you will, to go 
after them.
    Mr. Carney. So there is not a pattern there. Are there 
countries that you would want to point out publicly that are 
problematic, or is that something you would rather not say 
publicly?
    Mr. Smith. I wouldn't want to do it individually, but I 
would say, as we mentioned earlier, a lot of our liaison 
efforts are in that Eastern European area and also the Baltic 
region, and that is specifically why we opened our office in 
Tallinn, Estonia.
    Mr. Carney. Is there anything that you would like to add?
    Mr. Schaffer. Congressman, one of the things that I would 
say is that from a National Protection and Programs Directorate 
part of DHS, recognizing Secret Service is another part, our 
focus is on network defense. The attribution pieces we leave to 
the law enforcement folks for the most part. But what we do try 
to do is make sure that we are taking the knowledge from one 
incident within the financial services sector and making it 
available to the rest of the sector. And in some cases, we have 
even had the opportunity to bring in an entity that was 
experiencing an issue that we had seen some months before at 
another entity and correct those two entities in a way that 
wouldn't have been possible but for government being able to 
know about both of the incidents and being able to connect the 
dots.
    Mr. Carney. I see my time is up. I want to thank you again, 
and please feel free to contact us if there is something we can 
do to help in those efforts. Thanks for those efforts.
    Chairwoman Capito. Thank you.
    Mr. Luetkemeyer for 5 minutes for questions.
    Mr. Luetkemeyer. Thank you, Madam Chairwoman.
    Thank you, gentlemen, for being here today.
    A lot of questions I was going to ask you have already been 
asked this morning, so I will try and be brief here.
    I am just kind of curious. With regard to financial 
institutions, are most of the thefts done with inside help, or 
are they mostly done from the outside?
    Mr. Smith. It is really a combination. I would say most are 
from the outside. But, again, the insider threat study that was 
conducted several years ago, which we would be happy to share 
with you, showed that there is a certain amount of that. And 
certainly, an insider has access to a lot more information than 
the outsider. But I think probably in sheer numbers, there are 
more outside.
    Mr. Luetkemeyer. What do you see as the most exposed? Are 
the big banks the ones that are mostly attacked, or medium-
sized, small banks, because perhaps they are not as 
sophisticated with their security network? What do you see?
    Mr. Smith. That is one of the things that the Verizon study 
points out, that a few years ago it was the larger financial 
sector banks and corporations, but because now they have had 
time to react to a lot of these sorts of things, we are seeing 
that more smaller institutions and smaller businesses have 
become their target. And so we are seeing more of that in this 
most recent study.
    Mr. Luetkemeyer. Whenever you see that smaller institutions 
are being attacked, why are they so connected? It would make 
sense to me that they could--because they are not as large, and 
they are probably not as integrated, the need for integration 
probably isn't as great, couldn't they have a separate system 
that would be inaccessible so that their basic information 
could be retained and not accessible versus allowing full 
access to everything? I am pretty naive when it comes to this 
sort of stuff, so bear with me here.
    Mr. Smith. No, I agree. And I think that they will now have 
time to react. I think we are all human. Until you become a 
victim, you don't pay a lot of attention to it, so I guess it 
was something that was not quite at the forefront of their 
thinking. Again, it was the larger institutions that were 
suffering these losses and these hacks, but now in the last 
year we have seen these smaller institutions become more 
vulnerable. So I think there are certainly precautions that 
they can take and should take and probably will do exactly what 
you are saying in the coming years.
    Mr. Luetkemeyer. I doubt that you guys want to answer this 
question, so I will just make a comment. If you want to comment 
on it, you are welcome to. But from the national security 
standpoint, whenever somebody is trying to hack in, wouldn't it 
make sense that when they hack in, it would automatically 
trigger a virus going back the other way so you destroy the 
guys on the other end?
    Maybe you already do that and you don't want to tell me 
about it. That is fine. It would make sense to me to make sure 
you make life as miserable on the other end as they make it for 
us on our end.
    Thank you, gentlemen. I appreciate it.
    Thank you, Madam Chairwoman. I yield back the balance of my 
time.
    Chairwoman Capito. Mr. Green from Texas for 5 minutes.
    Mr. Green. Thank you, Madam Chairwoman. I especially thank 
you and the ranking member for allowing me to participate in 
this hearing. It is exceedingly important that we have this 
opportunity to explore these issues, and I thank you very much.
    To the members of this panel and the next, I thank you for 
appearing here today.
    The intelligence that I have received and perhaps has been 
shared bears repeating if it has: $388 billion lost last year 
to cyber crime, $114 billion in the United States alone; 1 
million new cyber victims per day, that is very daunting; and 
54 percent of these cyber crimes can be easily prevented, 
according to what has been shared with me.
    Notwithstanding these stats, I do believe that we will 
prevail, and I say this to you because I am confident that when 
we moved from coins to paper, someone and some people said, my 
God, that paper will never work, it is too easy to duplicate. 
Then when we moved from paper to checks, someone said, our 
checks are too easy to write, it will never work. As we moved 
into the plastic era, there were always people who thought that 
plastic would never compete with paper. But the truth is we 
have been successful, and I think we will be successful with 
these efforts and these endeavors, notwithstanding statistics 
that are daunting.
    I am confident that privacy is something that you have 
considered, and it is a real issue, and my hope is that the 
champions of privacy, those who wake up every morning and they 
eat and they sleep privacy, my hope is that they have been 
included within those who are part of this avant-garde effort. 
My belief is that you have done it, but I will just ask anyone 
who would like to respond to tell me about the efforts to bring 
in the organizations that make it their daily responsibility to 
protect the privacy rights of Americans. Are they involved?
    Mr. Schaffer. Congressman, indeed we have made an effort to 
include the privacy community in many of the efforts that we 
have under way at the Department of Homeland Security. Many of 
the systems that we deploy, like the intrusion detection 
systems and intrusion prevention technologies that are being 
deployed for the government networks, we have done privacy 
impact assessments that have been made publicly available. We 
have briefed those in the privacy community. We have brought 
the privacy community in to look at a lot of what we are doing 
programmatically.
    We also have privacy officials within the Department who 
are tasked with making sure that, in fact, as we go forward on 
cybersecurity issues, we are looking at the privacy 
implications of those issues and making sure that they are 
addressed as we go forward in many of these areas. So we have 
spent a lot of energy trying to ensure that privacy is 
considered at each step of the process.
    Mr. Green. Thank you.
    Let me move quickly to tools. I trust that we are giving 
you the necessary tools that you need timely. Are there tools 
that you need, laws that you need from Congress, or is there 
something that we should be doing or paying special attention 
to so as to make your efforts successful?
    Mr. Smith. If I could, Congressman, I would respond to that 
and I would just say that, yes, we are receiving, I think, the 
support that we need. But one thing I would like to highlight 
is that the Administration has proposed data breach legislation 
that goes a long way toward improving some of these things that 
you are talking about, and certainly would aid law enforcement 
if this sort of legislative package were passed.
    Mr. Green. Thank you.
    And finally, extradition. I know that one of the big 
problems that you have is that the person who commits the 
dastardly deed is in some distant place beyond our borders, and 
if prosecuted may not be extradited to this country. I know 
that is a real concern for you. Could you just elaborate on it 
for just a moment, please, as my time is expiring?
    Mr. Smith. Just to follow up again, it really depends on 
the individual country, and that is why we try our very best 
with our liaison efforts, the agents. We have 74 agents 
overseas assigned to different countries, and they work every 
day toward trying to improve those kinds of relationships. 
Again, we could give you a specific briefing outside of this 
forum if you would like on kind of our successes or negatives 
there.
    Mr. Green. Thank you very much. Because my time is about to 
expire and I am an interloper, let me just thank all of you and 
thank the Chair again because my time is up. Thank you very 
much.
    Chairwoman Capito. Thank you.
    Mr. Pearce from New Mexico for 5 minutes.
    Mr. Pearce. Thank you, Madam Chairwoman.
    If I could get each one of you to kind of give me an idea, 
just a percent, what percent of the cases that come across your 
desk do you actually prosecute, and then what percent do you 
actually convict? Just a rough guess.
    Mr. Schaffer. I can go first, because my answer is easiest. 
We don't have law enforcement authority within my part of DHS, 
so we are not in that business. I was a Federal prosecutor at 
one point on these issues back at the Justice Department, but 
these gentlemen have the ball on this one, sir.
    Mr. Smith. It is sort of a splintered answer, if you will, 
because we obviously have jurisdiction in a number of areas. I 
can tell you that we arrested over 1,200 people for cyber-
related crimes last year, and that resulted in a loss of about 
$500 million, and we think we prevented about $7 billion in 
loss just in Secret Service cases. But I could certainly get 
you our exact number in terms of both arrest and conviction.
    Mr. Pearce. We are, say, saving $7 billion out of $388 
billion. That is modest.
    Mr. Smith. Yes, it is.
    Mr. Snow. Yes, sir. I would echo the same. I can always 
come back with the actual numbers for you later on. My 
portfolio runs everything from intrusions down to Internet 
fraud. Many, many cases are prosecuted at a high level, NSM 
images, child exploitation, some of the intellectual property 
rights. And some of the national security stuff, for obvious 
reasons, does not reach that same threshold of prosecution. And 
then on the criminal side, I think we have had success, but I 
would have to get you the actual numbers.
    Mr. Pearce. Mr. Schaffer, what do you all do with them when 
you get them, when you find them? What do you do with them, 
since you don't prosecute them?
    Mr. Schaffer. Yes, sir. We have representatives from both 
the FBI and the Secret Service on our watch floor, so law 
enforcement is coordinated with us, and we work with them on 
the issues that we discover that are reported in to our 
processes. It is a coordinated effort
    Mr. Pearce. You refer them over?
    Mr. Schaffer. Yes, sir.
    Mr. Pearce. So if we have a pretty small, modest 
prosecution rate and an even smaller conviction rate, what is 
our awareness rate? What percent are we aware that is going on, 
and what do we don't even have a clue is coming in the attacks? 
Is that large, small?
    Mr. Schaffer. Sir, I think that one I can address, which is 
we know what we know about, and the reporting--there is no 
requirement currently for private-sector entities to report 
when these incidents occur, at least from a DHS perspective. We 
work in partnership. We get a lot of reporting from the private 
sector when incidents occur, and we work with our law 
enforcement partners, and we get awareness through that, and we 
get awareness--
    Mr. Pearce. Excuse me, my question is that we don't know 
what is even occurring. You wait for a report to come in after 
somebody discovers that it has happened, and I am asking, how 
many attacks are coming in, how many attempts are coming in 
that we don't even know about? Do we actually have a chance to 
prosecute a very small percentage of that? If so, then the 
magnitude of the problem is much bigger. I don't want to get 
much deeper into it. I think I understand.
    Has the Treasury, Mr. Smith, ever lost money? Have they 
been hacked like an individual? Has anybody been in there 
borrowing money?
    Mr. Smith. Not to my knowledge, Congressman.
    Mr. Pearce. Okay, just checking.
    How many times have you individuals sat down at the table 
together, the three of you, before this meeting today?
    Mr. Snow. I would put it up at about 150 to 200 times.
    Mr. Pearce. So the agencies are cooperating, and we are not 
all chasing the same guys?
    Mr. Snow. No, sir. Sometimes we have meetings even when we 
don't want to have meetings.
    Mr. Pearce. That is nice.
    How many attempts have been made on the electrical grid? Do 
you all track that?
    Mr. Schaffer. Again, sir, we know that there have been 
attempts made. We know about instances when various parts of 
the electric grid have been subject to attack. I can't tell you 
how many attacks have occurred that we don't know about, but I 
do know that has been happening.
    Mr. Pearce. Have we seen blackouts because of those 
attacks?
    Mr. Schaffer. I can't speak to specific blackouts in the 
United States that are caused by a cyberattack at this point.
    Mr. Pearce. My belief might be that our greatest threat 
would be the interruption of electrical services. It would 
affect everything in the country immediately. Is that the 
perception you all talk about? Would you all perceive that to 
be an accurate or inaccurate statement? And then, what are we 
doing to protect that grid?
    Mr. Snow. Sir, I would say that is an accurate statement. I 
would say that is a big concern, industrial control systems, 
data systems, process control systems. I will put a kudo in to 
the Department of Homeland Security which has a very robust 
response capability. They have trained most of our cyberaction 
team individuals for response on that issue itself. And I can 
tell you in no uncertain terms that when a blackout happens, my 
BlackBerry goes off, and one of my first calls is back over to 
DHS, and whether it is overseas, through one of the legal 
attaches or one of the domestic offices, those people are woken 
up to get your contacts and find out exactly what that is.
    Mr. Pearce. I appreciate each one of you, and I appreciate 
especially that you have been cooperating together and working 
across those jurisdictional lines. That is a frustrating thing 
from this side, when agencies don't even talk to each other and 
you have similar threats or the same threats.
    But thank you, Madam Chairwoman, for your indulgence.
    Chairwoman Capito. Thank you.
    I want to thank all of the Members, and I want to thank the 
members of this panel. The first panel is dismissed.
    I do want to make a quick comment. We have talked about 
what threats there are to individuals. I mentioned in my 
opening statement that I thought I was one of these folks. I 
think I certainly have been. But certainly, whether my 
MasterCard has been compromised pales in comparison of what 
could happen to our country if a financial cyber crime of a 
large scale is perpetrated. And I don't think we really think 
about it in terms like that.
    I want to thank you. I know you think about it like that, 
and I am glad you are thinking about it in those terms, because 
it could really seize up our country. It could go into things 
like electrical interruption and everything else. Because I 
don't think we really, at least speaking for myself, have a 
total concept of all of the financial business that is 
conducted over the electronic payment systems and through our 
computers.
    So thank you very much for doing this. I know it is very 
complicated, and I know you are chasing a lot of 20-year-olds 
at the same time sometimes in these cyber crimes, and that is 
difficult. So I appreciate your forthrightness and your 
testimony. And I would like to call up our second panel of 
witnesses. So thank you all very much.
    At this time, I would like to welcome our second panel of 
witnesses. I appreciate you gentlemen coming today to educate 
us on this very important issue.
    I will introduce each of you individually for the purpose 
of giving a 5-minute statement. I think you heard me mention 
earlier that we have your written statements for the record, 
and we will try to keep our opening statements to the 5-minute 
deadline.
    Our first witness is Mr. William B. Nelson, who is 
president and chief executive officer of the Financial Services 
Information Sharing & Analysis Center. Welcome.

 STATEMENT OF WILLIAM B. NELSON, PRESIDENT AND CHIEF EXECUTIVE 
OFFICER, THE FINANCIAL SERVICES INFORMATION SHARING & ANALYSIS 
                        CENTER (FS-ISAC)

    Mr. Nelson. Thank you, Madam Chairwoman and Ranking Member 
Maloney. Thank you for inviting us here today.
    The FS-ISAC was formed in 1999 in response to the 1998 
Presidential Decision Directive 63 that called for the public 
and private sector to work together to address cyberthreats to 
the Nation's critical infrastructures. After 9/11, in response 
to the Homeland Security Presidential Directive 7 in the 
Homeland Security Act, FS-ISAC expanded its role to encompass 
physical threats to our sector also.
    FS-ISAC is a 501(c)(6) nonprofit organization that is 
funded entirely by its member firms and sponsors. In 2004, 
there were only 68 members of the FS-ISAC, mostly larger 
financial institutions. Since that time, the membership has 
expanded to over 4,200 organizations, including commercial 
banks and credit unions of all sizes, brokerage firms, 
insurance companies, payment processors, and over 30 trade 
associations representing the majority of the U.S. financial 
services sector.
    The FS-ISAC works closely with various government agencies. 
I think you heard in the prior panel who we work with. A 
complete list of the FS-ISAC sharing services are included in 
my written testimony. I am going to highlight a couple of those 
key services.
    I think one of the key ones is the delivery of timely, 
relevant, and actionable cyber and physical email alerts from 
various sources--actually, hundreds of sources. We have an 
anonymous and attributable online submission capability to 
facilitate member sharing of threats and attacks. We operate an 
email list-serve supporting attributable information exchange 
by various special interest groups. Surveys allow members to 
request information regarding security best practices at other 
organizations. And then, we have a biweekly threat information 
call. We have emergency threat or incident notifications and 
conference calls. And we have special projects to address 
specific risk issues, such as the Account Takeover Task Force, 
which was mentioned in the earlier panel.
    We have implemented a number of programs in partnership 
with DHS and other government agencies. We have, actually, 
representation on the National Cybersecurity and Communications 
Integration Center, the NCCIC, watch floor. These are FS-ISAC 
representatives cleared at a Top Secret/Sensitive 
Compartmentalized Information level, or TS/SCI.
    It should be noted that the FS-ISAC has worked closely with 
DHS, the U.S. Treasury, the FBI, the Secret Service, and other 
government partners to obtain over 250 Secret-level clearances 
and a number of TS/SCI clearances for a number of key 
personnel.
    An example of a successful instance of government and 
financial services sector information-sharing occurred on 
October 24, 2009, when the FBI, the FS-ISAC, and an 
organization called NACHA, the rulemaking body for the ACH, 
released a joint bulletin concerning account takeover attacks 
targeting businesses and corporate customers. Some of those--
actually, details of those recommendations are not included in 
my testimony, but they included: initiation of ACH and wire 
transfers under dual control; reconciling all banking 
transactions on a daily basis; implementing customer awareness 
programs; actually implementing fraud detection and mitigation 
best practices, including anomaly detection; and out-of-band 
authentication of transactions.
    It is my understanding that the OCC is not here today, but 
I would like to talk about the recent FFIEC supplemental 
guidance on Internet banking authentication. It incorporates 
many of the defense-in-depth recommendations that were included 
in our bulletin with the FBI and a number of important new 
regulatory provisions. It calls for, actually, annual risk 
assessments by financial institutions. It now distinguishes 
between retail and commercial accounts, actually raising the 
bar of minimum controls for all accounts and recognizing that 
commercial accounts pose a higher level of risk. It also 
insists that financial institutions have layered security for 
consumer accounts.
    I think the thing to point out is, this goes into effect in 
January 2012. And they use the word ``guidance,'' but it is 
actually a requirement. All financial institutions were 
required to adhere to this.
    I also in my written testimony talk about the Account 
Takeover Task Force. We had over 120 individuals from 35 
financial firms, 10 industry associations and processors, plus 
representatives from 7 government agencies participate in that 
task force. And they developed a number of important 
deliverables, including--major deliverables, including how to 
respond, prevent, and detect different types of cyber attacks.
    Lastly, I just wanted to mention we have conducted a cyber 
attack payment exercise in 2010. We are planning another one 
this year in November.
    And, with that, I just want to wrap up and conclude that I 
think before 2009, the corporate and consumer public knew very 
little about the risk of cyber crime. I think that joint 
bulletin was the beginning of a massive educational effort that 
has been somewhat effective in raising awareness of financial 
institutions and their customers of cyber crime attacks. Since 
then, we have worked with the FBI, the U.S. Secret Service, and 
DHS to issue new bulletins. This cyber attack exercise, the 
FFIEC supplemental guidance, and the deliverables of the 
Account Takeover Task Force have all played important roles in 
increasing that awareness. I think today more financial 
institutions and their customers are now aware of how to 
detect, prevent, and respond to malicious and criminal 
activities resulting from online attacks.
    Thank you again for this opportunity to present this 
testimony, and I look forward to your questions. Thank you.
    [The prepared statement of Mr. Nelson can be found on page 
64 0f the appendix.]
    Chairwoman Capito. Thank you.
    Our second witness is Mr. Bryan Sartin, director, 
investigative response, for Verizon.
    Welcome.

STATEMENT OF A. BRYAN SARTIN, DIRECTOR, INVESTIGATIVE RESPONSE, 
                            VERIZON

    Mr. Sartin. Chairwoman Capito, Ranking Member Maloney, and 
members of the subcommittee, thank you for the opportunity to 
testify here. My name is Bryan Sartin, and I am director of 
investigative response at Verizon.
    Verizon is a global provider of communication services. Our 
data network spans 6 continents and 150 countries. As detailed 
in my written statement, we engage in a wide range of 
activities to enhance cybersecurity both for ourselves and for 
our customers.
    Investigative Response is a specialized group of IT 
investigators who handle more than 200 cases each year, 
including many highly visible data breaches. Our findings are 
documented in a Verizon ``Data Breach Investigations Report.'' 
It encompasses more than 1,700 data breaches over 7 years of 
research. It is a study about security failures and the lessons 
we can learn from them.
    This report provides valuable guidance for corporate and 
government entities on effective ways to secure their networks, 
including financial services firms. The report utilizes an 
information-sharing framework that we developed called Verizon 
Enterprise Risk Incident Sharing, or the VERIS framework, which 
we have published as an open-source initiative.
    There are five points that I would like to share with the 
subcommittee today.
    Point one: Although the consequences of cyber attacks may 
vary depending on the target, there is little variance in cyber 
risks and threats by sector. Hospitality, retail, and financial 
services are the top three sectors in terms of data-breach 
victims. Cyber criminals are after data they can easily convert 
into cash. More than 90 percent of electronic crimes are, in 
fact, financially motivated. Retailers and financial services 
entities have the largest quantities of targeted data types, 
namely credit card, debit card, and PIN information that we see 
targeted in nearly 80 percent of our cases.
    While those two sectors will continue to be key targets of 
electronic crimes, they do not face a unique cybersecurity 
threat. Cyber threats are neither sector-specific nor unique; 
they are mostly opportunistic and blind to industry.
    Point two: Electronic crimes generally do not involve 
complexity or innovation. Nine of the top 10 hacking methods 
are, in fact, very simple. For example, criminal exploitation 
of default or easily guessable credentials accounted for nearly 
two-thirds of our cases. Many devices come with default user 
names, such as ``Admin'' or ``Password1,'' and, if left 
unchanged, these default credentials offer cyber thieves often 
easy entry points into potential victim systems.
    Point three: The most fundamental security controls make 
the most effective countermeasures. Over 70 percent of 
criminals' points of intrusion are through victims' own remote-
access facilities. It is not that the technologies are flawed. 
Instead, it is the manner in which they are deployed and the 
way they are configured. Most criminal entry can be prevented 
if a second factor for authentication is required. For example, 
if a system requires a username and password and the additional 
requirements of a hardware or software token, it would prevent 
most remote-access intrusions that we see.
    Now, making it difficult for criminals to exfiltrate stolen 
information is another simple but highly effective way to 
prevent data breaches.
    Point four: There is often a significant time lag between 
when a breach occurs, when data theft actually occurs, and when 
the victim finds out. The timeframe from initial point of entry 
to the first instance of data theft is more often measured in 
days, weeks, or months as opposed to minutes or hours. On 
average, it takes victims more than 6 months to discover that 
they have been hacked into. Even after 6 months, almost 9 out 
of 10 victims did not make that discovery on their own; they 
found out from third parties. Significant improvement in data-
breach detection is badly needed.
    Point Five: Closer cooperation between victims and law 
enforcement could reduce the overall numbers of electronic 
crimes. Greater information-sharing has improved our ability to 
identify criminals conclusively, and that is critical to 
successful prosecution and, in turn, has had a huge impact in 
reducing cyber crimes.
    The greatest obstacle to cooperative information-sharing is 
the reluctance of victims to engage law enforcement for fear of 
fines, penalties, and litigation. And reasonable protections 
from litigation and regulatory fines would encourage victims' 
cooperation with law enforcement that would improve the odds of 
successful prosecution and reduce the overall numbers of 
overall electronic crimes.
    In conclusion, cyber attacks represent very real threats to 
our economic prosperity and our Nation's security. While many 
public- and private-sector remediation activities have been 
highly effective, our investigations indicate that greater 
vigilance is required.
    The data-breach report lays out several recommendations 
which, if implemented, would improve the cybersecurity posture 
of financial services firms specifically and of all entities 
more generally. Overall, every entity must identify a set of 
essential controls and ensure their implementation consistently 
and without exception. More advanced controls can be 
implemented as necessary. Achieve ``essential'' first and worry 
about ``excellent'' later.
    Madam Chairwoman, thank you again for this opportunity. I 
look forward to answering any questions you may have.
    [The prepared statement of Mr. Sartin can be found on page 
101 of the appendix.]
    Chairwoman Capito. Thank you.
    Our third witness is Mr. Brian Tillett, chief security 
strategist, public sector group, Symantec.
    Welcome.

 STATEMENT OF BRIAN TILLETT, CHIEF SECURITY STRATEGIST, PUBLIC 
                     SECTOR GROUP, SYMANTEC

    Mr. Tillett. Thank you.
    Chairwoman Capito, Ranking Member Maloney, and members of 
the subcommittee, thank you for the opportunity to appear 
before you today as the subcommittee considers cybersecurity 
and threats to the financial sector.
    My name, again, is Brian Tillett, and I am the chief 
security strategist for the Public Sector Group at Symantec. 
Symantec is the world's information security leader, with a 
footprint of more than 200,000 sensors in more than 200 
countries and territories which track malicious activity 
globally 24 hours a day, 365 days a year. We refer to this as 
the Symantec Global Intelligence Network.
    At Symantec, we are committed to assuring the security, 
availability, and integrity of our consumer, enterprise, and 
government customers' sensitive information. Concurrently, 
protection of critical infrastructure in all sectors is a top 
priority for us.
    In my testimony today, I will provide the committee with an 
abridged analysis of the threat landscape, an assessment of 
threats in the financial sector, and risk-mitigation measures 
for addressing those threats.
    The threats landscape is constantly evolving. In the most 
recent ``Symantec Internet Security Threat Report,'' which we 
publish annually, we observed significant shifts in 2010. The 
volume and sophistication of threat activity increased more 
than 19 percent over 2009, with Symantec identifying more than 
286 million variations of malicious software, or malware. To 
put it in another perspective, that is a staggering 9 per 
second. These included threats to social networking sites and 
their users, mobile devices, and targeted phishing attacks. 
Symantec intelligence quarterly reports indicate that these 
trends are continuing at an accelerated pace through 2011.
    We have observed an ominous change that has swept across 
the Internet. The threat landscape, once dominated by worms and 
viruses developed by irresponsible hackers, is now being ruled 
by a new breed of cyber criminals. Just last week, we released 
the ``2011 Symantec Norton Cyber Crime Report,'' where we 
calculated the cost of global cyber crime at $114 billion 
annually. We also calculated that lost time due to recovery and 
impact on personal lives was an additional $274 billion 
worldwide. With an annual combined cost of $388 billion, cyber 
crime costs are significantly more than the global black market 
of marijuana, cocaine, and heroin combined.
    We also have been monitoring an array of threats specific 
to the financial sector for many years, including ATM heists, 
banking trojans, and botnets. These threats will only continue 
to mature and increase as society becomes more dependent on 
technology for financial and banking needs.
    Let's address a snapshot of the recent trends. We have 
talked a considerable amount about botnets already, so I am 
going to skip through some of the background on this, but I 
wanted to add some more context: that botnet owners are often 
known to rent the use of their botnet to other users. And they 
will do this in an effort so they can perpetrate malicious 
activity, also reinforcing the fact that you do not have to be 
an uber-hacker in order to perpetrate malicious activity. We 
saw evidence of this in the denial-of-service attacks on the 
payment card industry after WikiLeaks events last year.
    One such botnet targeting the financial services industry 
is called Qakbot. It is a sophisticated malware that has been 
spreading through shared networks, thumb drives and infected 
Web pages since 2009. Among other things, where it is trying to 
steal financial information, one of the things it likes to do 
is it will hide the log-out button when you are actually signed 
into your favorite financial institution, perhaps Bank of 
America, and it will actually intercept that log-out 
transaction, and phone home to its command-and-control 
infrastructure server, and say you can now log in using the 
credentials that someone else is using. That is another 
characteristic of the Qakbot botnet.
    Trojan horses are another type of malware that is designed 
to look like a valid or beneficial application, or perhaps an 
app that you would put on your mobile device, and sometimes 
even act the way that they are expected. At the same time, they 
introduce a hidden malware into the enterprise designed to seek 
sensitive financial and other high-value info and exfiltrate 
that from the enterprise in a covert fashion.
    As more users download and install third-party applications 
for mobile devices, the opportunity for installing malicious 
applications is also increasing. There will likely be more 
threats created for these devices as people increasingly use 
them for sensitive transactions such as online shopping and 
banking.
    As a sign that the mobile space is starting to garner more 
attention from cybercriminals, there was a 42 percent increase 
in the number of reported new mobile operating system threats 
and vulnerabilities from 2009 to 2010. We also see that 
increasing, as our study in 2011 shows.
    There is no one-step program for mitigating risks to the 
financial sector, and while it is leaps and bounds ahead when 
it comes to security, there are still steps that need to be 
taken to lessen the impact and prevent future attacks. In our 
written testimony, we have provided recommendations on how to 
better protect critical systems from cyberattack. Embracing new 
technologies and other technological improvements are 
necessary, but they must be paired with increased education and 
awareness.
    In addition, there has been progress over the years to 
advance information-sharing among critical infrastructure 
sector partners and the government. Private-sector alliances 
such as the National Cyber Forensics and Training Alliance and 
the Financial Services Information Sharing & Analysis Center 
have done a commendable job of creating mechanisms to share 
intelligence among industry and between industry and 
government.
    Successful mitigation of the threats to the financial 
sector depends on this continued communication; however, 
information must be shared in a timely and actionable manner. 
There are still significant impediments to government sharing 
information with industry, including classification 
designation, legal restrictions, and competitive advantage 
concerns.
    I applaud the committee's commitment to this critical topic 
and its leadership on information security issues. As the 
threats we face today escalate, we must continue our 
informationcentric cybersecurity strategy, improve information-
sharing mechanisms, and increase awareness in education. 
Symantec looks forward to continuing to work with Congress and 
our partners to address these important issues.
    Thank you again.
    [The prepared statement of Mr. Tillett can be found on page 
149 of the appendix.]
    Chairwoman Capito. Thank you, Mr. Tillett.
    Our fourth witness is Mr. Greg Garcia, partnership 
executive for cybersecurity and identity management, Bank of 
America.
    Welcome, Mr. Garcia.

      STATEMENT OF GREG GARCIA, PARTNERSHIP EXECUTIVE FOR 
     CYBERSECURITY AND IDENTITY MANAGEMENT, BANK OF AMERICA

    Mr. Garcia. Thank you, Chairwoman Capito, Ranking Member 
Maloney, and members of the subcommittee. I am Greg Garcia, 
partnership executive for cybersecurity and identity management 
at Bank of America. I also serve as co-chair of the 
cybersecurity committee of the Financial Services Sector 
Coordinating Council.
    Thanks again for inviting me to discuss cybersecurity with 
the committee. I will provide a quick overview of the 
cybersecurity threat environment; how Bank of America manages 
security to protect our company, our customers and our 
shareholders; and how we partner with industry and government 
to mitigate the cyber risk.
    As you know, the global financial system operates on a vast 
network of information and communications technology. Trillions 
of dollars in transactions flow across the network globally on 
a daily basis. It is our responsibility to ensure the swift 
delivery of those services wherever we do business, to secure 
the data and networks that enable them, and to prevent 
unauthorized access that could lead to fraud, identity theft, 
data loss, or system downtime.
    At Bank of America, we are laser-focused on cybersecurity. 
In discussing how we manage this challenge, it is useful to 
break it down into two interrelated components: one, our 
customer facing policies and activities; and two, our 
enterprise-level security. Of primary importance to us is 
securing our customer financial information. We take this very 
seriously, and we invest heavily to protect our customers, and 
we deliver a range of services to secure their transactions and 
to keep our consumers whole, such as fraud monitoring and zero 
dollar liability guarantee.
    In addition, we offer more than 50 kinds of alerts to our 
customers to choose from, including alerts that will notify you 
if there is irregular activity on your account. In fact, 
Javelin Research designated Bank of America number one, best in 
class, in security and privacy for online for our consumers for 
the fifth year in a row, and we are quite proud of that. We 
have done a lot to achieve that.
    We also continue to educate our customers with many tips 
about what they can do online to protect themselves online and 
in the mobile environment, and we offer additional tools such 
as antivirus protection for them to use.
    We continually warn our customers about phishing--you have 
heard a lot about that already--which remains one of the most 
widely used and effective attack methods by cybercriminals. 
Those are simply targeted emails that look legitimate, but they 
trick receivers into clicking on malicious links or entering 
personal information, and these are difficult to spot and to 
prevent. But again, with our awareness regime program, 
customers who are victims of fraud are not liable for 
fraudulent transactions, and they are protected with the zero 
liability guarantee.
    Our customer-facing security strength relies on many of the 
standards of practice that protect and enable our broader 
enterprise. Our security strategy is designed to protect 
critical nonpublic data, intellectual property, and operational 
availability and continuity. It is in all of these areas that 
we work very closely with our regulators to ensure that we 
apply, maintain, and constantly measure all the necessary 
security controls across the enterprise.
    Much of our work in security is aimed at addressing the 
increasingly sophisticated threats from well-organized and 
funded groups that you have heard about earlier today, and to 
stay ahead, we are continually investing in new tools and new 
capabilities and the highest standards of practice commensurate 
with the financial sector status as critical national 
infrastructure.
    We are on alert 24 hours a day, 7 days a week. 
Fundamentally, our cybersecurity program is based on a 
combination of people, process, and technology. Let me just 
summarize what that means in high points.
    Across the company, all employees receive annual training 
on the importance of information protection, the policies and 
methods that the bank uses, and the responsibilities of every 
employee. We have an information security team of experts who 
have past careers in law enforcement, the military, security, 
and high technology innovation. We operate under detailed, 
rigorous information security policies with a program designed 
to protect the security and confidentiality of customer and 
client information, and we are concerned about the life cycle 
of that information from acquisition to use and from storage to 
disposal. And as we are a global company, and the threat is 
global in nature, we are building this protective capability 
wherever we do business.
    A few quick words about partnerships: A critical element of 
a mature cybersecurity program is our investment in 
partnerships. At Bank of America, we are sharing information 
and best practices across the financial and other critical 
sectors and with the government to gain the broadest view of 
the threat landscape. We do this to get collectively smarter 
and better at protecting assets and critical information.
    For example, you have heard about them in previous 
statements. We are partnering with the Financial Services 
Sector Coordinating Council, or FSSCC, the FS-ISAC, the 
Treasury Department's Office of Financial Services Critical 
Infrastructure, Homeland Security, and various law enforcement 
partners globally. These are essential elements in our ability 
to protect our company, our customers, and our shareholders. 
They are an opportunity for us to improve our own internal 
security capabilities and to extend our expertise to other 
partners. As Under Secretary Schaffer said, no one entity has 
all the information. It takes teamwork to bring all the pieces 
together.
    So I am proud to say that Bank of America focuses a 
tremendous amount of resources and energy to stay ahead of the 
cybersecurity challenge, and we are continually making the 
necessary investments in developing new tools, processes, and 
expertise to meet the challenge.
    I will conclude my remarks, Madam Chairwoman, and I would 
be happy to answer questions.
    [The prepared statement of Mr. Garcia can be found on page 
54 of the appendix.]
    Chairwoman Capito. Thank you.
    Our next witness is Dr. Greg Shannon, chief scientist, 
Carnegie Mellon University's Software Engineering Institute 
CERT Program.
    Welcome.

  STATEMENT OF GREGORY E. SHANNON, CHIEF SCIENTIST, CARNEGIE 
MELLON UNIVERSITY'S SOFTWARE ENGINEERING INSTITUTE CERT PROGRAM

    Mr. Shannon. Thank you, Chairwoman Capito, Ranking Member 
Maloney, and subcommittee members. I am honored to testify on 
the evolving cybersecurity threat to the financial community.
    CERT was created in 1988 in response to the Morris worm 
incident, and we have grown into a national asset in 
cybersecurity with 200 staff, most of whom are cleared, 
supporting the operational and R&D needs of our mostly 
government customers.
    When DHS created US-CERT, it called upon CERT to contribute 
cybersecurity expertise. Through US-CERT, we work jointly with 
DHS mitigating cybersecurity threats. Please note that US-CERT 
and DHS work together closely, but are distinct partners who 
have different roles in providing cybersecurity to the Nation.
    To achieve CERT's cybersecurity mission, we engage both 
public and private communities to create mutable technologies, 
apply them to real problems, and amplify their impact by 
promoting broad national and international adoption.
    In response to your opening comments, we work with 
government customers to find practicable solutions to problems 
like protecting sensitive information that has been aggregated, 
such as that considered by the Dodd-Frank legislation. 
Similarly, over 200 computer security incident response teams 
around the world at the national and sector level can trace a 
pedigree back to the DOD-sponsored CERT program at Carnegie 
Mellon.
    Our solutions stem from long-standing collaboration and 
trusted relationships. Those associations give us the 
opportunity to access real data for our research and 
development, which in turn enable usproduce operationally 
viable cybersecurity solutions for the country.
    We know that understanding a cybersecurity threat is more 
than just anecdotes and scare tactics. We know the threat is 
real and it is evolving, because for--as one example, CERT 
catalogs over 250,000 instances of malware artifacts each 
month. As you might imagine, at this volume it is difficult to 
determine in real time the operational relevance of each 
artifact. Unsurprisingly the limits in our technical abilities 
coincide with the steady corporatization of cybersecurity 
attacks, as we have heard today.
    In reference to Mr. Smith's earlier testimony, I just want 
to acknowledge our work at insider threat and refer you to our 
testimony there.
    The financial sector needs networks that are secure and 
resilient in order to mitigate escalating cyberthreats. As 
software vulnerabilities continue to grow at an alarming rate, 
it is imperative that we build security into the software 
development process to root out the problem at the beginning 
instead of responding to the consequences.
    CERT, taking a comprehensive approach to limiting 
vulnerabilities and other software defects, created new 
international coding standards, developed in coordination with 
security researchers and software developers, which, when 
applied, result in more secure systems. There is no magic 
bullet. Systems will fail, and we need to ensure that business 
goals are met and critical business functions are sustained 
despite the presence of cyberattacks. Systems must be 
resilient. Improving survivability in the presence of 
cyberattacks also improves the ability of businesses to survive 
accidents and systems failures that are not malicious.
    Through our collaboration with the financial community, 
CERT has a definition for operational resilience management 
known as CERT-RMM, and we are quite proud to have worked with 
the broader community in creating that.
    When a cyberattack does occur, we need the forensic ability 
to locate the source of the attack and limit the damage, 
sometimes in minutes or seconds, as discussed earlier. As you 
are aware, computer forensics labs are constrained by the lack 
of resources and unable to handle the overwhelming increases in 
volumes of data that need to be examined for evidence; for 
example, hundreds of terabytes of data captured at data centers 
by law enforcement.
    Partnering with Federal agencies and law enforcement, CERT 
is creating solutions to enable organizations to accelerate the 
tempo of investigations, as well as boost computational 
analysis of the data. CERT is currently working on a new 
incident analysis framework which speeds up the velocity of 
investigations and allows for faster and more adaptive defense 
and mitigation opportunities otherwise not available in near 
real time.
    These examples of CERT's work highlight the need for 
leadership and support from the government in policy 
discussions about research and about how research can support 
sound policy decisions in cybersecurity. Research is only as 
good as the data it is created from, and currently, researchers 
have limited access to data. To better combat the cyberthreat, 
we must maintain better situational awareness, otherwise 
policymakers and experts are left to speculate about what is 
the right data to share. Achieving this enhanced situational 
awareness will require continued research on network data and 
the cooperation of the financial community.
    The credit card fraud detection capabilities that were 
referred to in opening remarks is a good example of public-
private research and development that started 20 years ago in 
the financial community, and I think can serve as an example of 
addressing issues in cybersecurity.
    I realize information-sharing on this scale tends to 
exacerbate an already contentious relationship between security 
and privacy. This is an unhealthy condition, and our 
adversaries are exploiting it. In an ever more interconnected 
world, anonymity is being redefined, and, without security, 
there is no privacy.
    We at CERT look forward to working with the Federal 
community and staff and other stakeholders to improve the 
security and survivability of our national assets.
    Thank you.
    [The prepared statement of Dr. Shannon can be found on page 
118 of the appendix.]
    Chairwoman Capito. Thank you.
    Our final witness is Mr. Marc Rotenberg, executive 
director, Electronic Payment Information Center.
    Welcome.

STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, THE ELECTRONIC 
               PRIVACY INFORMATION CENTER (EPIC)

    Mr. Rotenberg. Madam Chairwoman, Ranking Member Maloney, 
thank you for the opportunity to be here today.
    EPIC was established to focus on emerging privacy and civil 
liberties issues. In fact, the first issue that we took on was 
the availability of the strong technique for data security 
encryption, because we understood that this was critical for 
the development of the Internet and its use as a platform for 
commerce.
    I also wanted to thank the subcommittee for your interest 
in this issue and acknowledge the important work of the 
witnesses on the first panel on the law enforcement side 
protecting the interests of American consumers.
    I would say from the consumer perspective, this is one of 
the most critical issues people face today. As the earlier 
witnesses have stated, the loss in dollar amounts are very 
high. According to the Privacy Rights Clearinghouse, over the 
last several years, more than 500 million records containing 
sensitive personal information have been lost in data breaches.
    We know in addition to the recent hacks of financial 
institutions, there are also non-financial institutions that 
contain a great deal of sensitive financial information. For 
example, the Sony PlayStation Network, which was compromised, 
contained credit card record information, and contained 
unencrypted password files that were accessed. These are very 
sensitive and significant issues.
    And then, of course, most recently involving the so-called 
Comodo hacker, the digital certificates which provide the basis 
for a lot of the trust and confidence in the online environment 
were compromised as well. These are the techniques that make it 
possible for a person to go to a Web site that says Google or 
Yahoo or Skype and be assured that it is, in fact, the Web site 
of the company that is being represented.
    So the urgency here is clearly quite significant, and if 
this is not enough to worry about, I would suggest to the 
subcommittee as well that you may also need to look at the 
cybersecurity implications of moving more commercial data, more 
of the government's data, and more consumer data into the cloud 
computing environment. One of the practical consequences of the 
migration of this sensitive personal information is that it 
will be more difficult for consumers and government agencies 
and businesses to be aware when this kind of activity occurs 
because it will no longer be the data that is in their 
possession.
    Now, in my prepared statement I offered a few suggestions 
of legislative principles. I understand the hearing is not 
primarily focused on legislation, but I would like you to 
consider that when consumers turn over their personal 
information to financial institutions, there is actually very 
little that they can do at that point to safeguard their 
information, and that is the reason that we have recommended to 
other committees and would recommend to this committee as well 
that you consider strong legislative safeguards to protect the 
information of consumers that is now in the possession of 
financial institutions.
    So, for example, we favor an opt-in standard so that people 
are aware when their personal information is disclosed to 
others. We favor strong breach notification so that people know 
when these kinds of incidents have occurred. We think it is 
important also that States remain free to develop their own 
legislation to protect consumers.
    There is oftentimes an effort in this area to establish a 
so-called national standard, but one of the practical problems 
because the threats are so quickly evolving is that a single 
national standard, unless it operates as a baseline, may 
actually not be adequate to deal with some of the new threats.
    California, for example, had to recently amend its breach 
notification law so that people would be more fully informed 
about some of the risks if their personal information was 
disclosed, and what additional steps they might take to protect 
their information. I think it is also interesting that in the 
California law, there was an obligation on institutions in the 
financial services sector that suffer a breach to notify the 
State attorney general so that the State attorney general would 
have a clearer picture across the State of a pattern of 
breaches that had occurred, and what additional efforts the 
States may need to take.
    I think that is actually a very helpful approach going 
forward, as you think about cybersecurity, how do you get a 
good assessment of where the risks are, what the harms are, and 
what additional steps might be taken.
    So, again, I am grateful for the opportunity to testify 
today. I would say for American consumers, the protection of 
their financial information has to be one of the top concerns.
    [The prepared statement of Mr. Rotenberg can be found on 
page 88 of the appendix.]
    Chairwoman Capito. I couldn't agree more, and that is a 
good place to stop.
    I want to thank all of you for your testimony. I am going 
to begin the questions.
    Mr. Garcia, first of all, I would like to thank you and 
Bank of America for coming forward in this particular panel, 
realizing that acknowledging security breaches are difficult 
for competing entities. And Mr. Rotenberg talked about 
retailers, same issue. If you are perceived to be a company 
that has a weak cybersecurity wall or breaches of personal 
information, you are obviously going to lose customers or lose 
people who come into your store or wherever. You have received 
an award, your bank has, and you are obviously on top of this.
    When a breach occurs, no matter what the magnitude, what 
are you actually required to do in terms of notifying your 
customer, or notifying the FBI, or notifying Mr. Nelson's 
organization? I am assuming you are one of his members. What 
are you required at this point to do?
    Mr. Garcia. We have a number of requirements on a per- 
State basis, of course. Where we operate, there are State 
breach notification laws. Also, under the FFIEC, as was 
mentioned by Bill Nelson, there are requirements whenever we 
have an event, we notify our regulators.
    Chairwoman Capito. Your regulators.
    Mr. Garcia. Correct. So we have a very well-defined, 
tightly scripted set of requirements and routines for when we 
have a breach and how we work with law enforcement, what we do 
with that information internally and--
    Chairwoman Capito. What about with your customer? Does the 
customer have to opt into being notified, or you are required 
to notify them no matter what?
    Mr. Garcia. Not no matter what. We work with law 
enforcement. When an investigation is under way, we want to be 
sure that we don't flood customers with false information. So 
we want to be sure that they have confidence that their 
information is being well handled. But the important thing is 
making sure we provide the customer accurate and actionable 
information, if something actually has occurred.
    Chairwoman Capito. I am not going to ask about mobile 
devices, but I am very curious about them. I think that is 
probably a signal of my age, wondering, gosh, we are going to 
be able to actually carry that around and do all those kinds of 
things? But I think you all have voiced a concern about where 
that is going to lead, and I think from the last panel, he 
mentioned that we need to be on the front end of that in terms 
of trying to prevent fraud, rather than reacting to it once it 
occurs, because we know it is going to occur. Somebody said 52 
percent more threats to the mobile--I think that might have 
been you, Mr. Tillett.
    In the Dodd-Frank Act--and I don't know if you are familiar 
with this--an Office of Financial Research was created. 
According to the Treasury, the mission is to ``improve the 
quality of financial data available to policymakers, and 
facilitate more robust and sophisticated analysis of the 
financial system.'' If this new office is going to be tasked 
with gathering significant financial information from across 
the Nation, are we creating a very fertile ground and huge 
target for hackers, in your opinion? Dr. Shannon?
    Mr. Shannon. Thank you.
    There are many targets already out there. As we have heard 
in the testimony, there are many sources for hackers to attack. 
Clearly, an aggregated collection of data offers potentially 
even more of a target, but what should be considered is what is 
the right information to put into that. You don't need to have 
a fishing expedition in terms of collecting anything and 
everything, but clearly, a certain level of fidelity about 
cases, if you are trying to get an overall situation awareness, 
is important. On the other hand, if you are trying to use it 
for oversight of specific organizations or individuals, that is 
a different animal.
    Chairwoman Capito. So what I am hearing you saying is there 
are all kinds of other opportunities out there, so this one 
particular one doesn't create a new and better opportunity. Am 
I hearing you correctly?
    Mr. Shannon. Correct. There are lots of good opportunities, 
and in various sectors they are creating other opportunities, 
if you will, but using the right security protections won't be 
the issue. It will be probably more of some of the privacy 
issue.
    Mr. Rotenberg. I actually do share your concern. I am not 
familiar with the specific provisions of the legislation. I 
think general reporting requirements are important and useful, 
but the collection of sensitive data can create new risks, and 
we have recommended, for example, techniques to anonymize or 
de-identify or minimize data collection so as to reduce those 
risks. So I think there is a way to do it, but I think it has 
to be done with some sensitivity about the data that is being 
collected.
    Chairwoman Capito. Okay. Now, let me ask you, Mr. Nelson's 
organization, I have just established that Bank of America is 
one of your members. Is Verizon one of your members?
    Mr. Nelson. No. We are just financial services 
organizations, but they have been a sponsor of ours in the 
past, and Symantec.
    Chairwoman Capito. I am drumming up your membership here. 
And then do you share your data with--and I think you said this 
in your testimony--with the FBI, the folks we saw in panel one? 
Is there really a coordination between the private sector and 
the government sector and law enforcement that--and I am not 
disputing their testimony, I certainly thought it was 
excellent, but would you corroborate that testimony?
    Mr. Nelson. Yes. I think it really kicked off in 2009. I 
remember being summoned by the FBI--and I don't know when--if 
you have ever been summoned by the FBI and not given a reason 
why, I was a little worried. But I showed up, and I was in a 
room with about 20 agents. I think Gordon Snow was there, his 
other deputies were there, and they described this situation, 
and it was this commercial account takeover situation. And they 
said, we knew about commercial account takeover, but we didn't 
realize it had become an epidemic. They had 85 cases they were 
investigating. They were adding 10 a week, and they said, we 
need to get something out to the industry. We don't want to 
compromise our investigations, but we need you, the FS-ISAC, to 
help us with this.
    And I brought NACHA in, which is the rulemaking body for 
the ACH network, because mostly these involved ACH 
transactions. The losses were pretty high. Businesses were 
affected, school districts, municipalities. We ended up--what 
we used to tell people when they got attacked, we told banks to 
tell their customers, is don't click on that link. That wasn't 
good enough. So we spent 3 weeks--our threat intelligence 
committee volunteers--working with the FBI, working with 
NACHA's legal staff, and came up with a whole series of pretty 
in-depth layer defense recommendations. Those become the basis 
really for FFIEC supplemental guidance in June. So I think that 
cooperation was pretty obvious.
    In July and August, I gave three different presentations to 
bank regulating groups that were having conferences at the 
FDIC, where I spoke to over 500 bank regulators about what we 
are doing, but also about what they have to do in terms of 
their own guidance. So I think the cooperation has been there.
    In terms of actual information-sharing and operational 
information-sharing--
    Chairwoman Capito. I am kind of at the end of my time here.
    Mr. Nelson. Never mind.
    Chairwoman Capito. Okay.
    Mrs. Maloney.
    Mrs. Maloney. I thank all of you for your hard work and 
your testimony today.
    After 9/11, we created across this country, or the law 
enforcement did, antiterrorism task forces on the local level 
to react and share information. The prior panel said that there 
were 24 task forces created in our country now on a regional 
level to share information. So I would like to ask first Mr. 
Garcia, or anyone on the panel, if any of you are participating 
in these tasks forces that they mentioned, and how do they 
work? Are they working?
    So Mr. Garcia first, and anyone else who may be 
participating. I assume you are from New York. New York has to 
have one of these task forces, and I would like to hear your 
comments on it.
    Mr. Garcia. That is a very good question. Thank you for 
asking it.
    What was referred to at that time, I believe, was the 
Secret Service, which sponsors the Electronic Crimes Task 
Force. We have Bank of America associates who participate in 
those forums where they gather with government and industry 
representatives to discuss threats, vulnerabilities, and best 
practices.
    The FBI, similarly, has a program called InfraGard with 
chapters all over the country, including in New York, where the 
same type of activity happens. So this is all for the good 
where we have law enforcement, government agencies, and the 
private sector sharing what they know.
    Greg Schaffer also alluded to the National Communications 
and Cyber Integration Center, the NCCIC, which is a 24-by-7 
watch and warning center located in Arlington, hosted by DHS. 
The FS-ISAC has a seat on the NCCIC, and it is a watch floor 
with government agencies and private sector, including 
information technology and communications, the people who are 
sharing information real-time about what is happening on their 
networks, how are we responding to it, where is it coming from, 
what is the method, and what do we do about it, and we do it 
jointly.
    So I think the partnership framework is getting more and 
more mature every year, and it can only get better from here. 
And Bank of America is very actively engaged in as many 
partnerships as we can to get better for ourselves and to help 
the broader ecosystem.
    Mrs. Maloney. You mentioned the Secret Service had their 
task force, the FBI had their task force. Would it be a better 
model if you followed what the intelligence system is doing in 
our country and have the task forces integrating everyone in 
the same room from the local up to the top, in your opinion?
    Mr. Garcia. I believe that is really the mission and 
objective of the NCCIC, the National Cyber and Communications 
Integration Center, at DHS, and it is just getting started, and 
it is getting developed with more members, more standards of 
practice, and I think it is maturing very well.
    Mrs. Maloney. I did want to comment on Mr. Rotenberg's 
comments that we do need to protect the privacy, and that we 
need to take steps in that direction.
    I would like to ask the panel, even though it is not a 
legislative one today, a group of legislative proposals were 
put forward by the Administration in this area. I would like to 
ask you, have you read it? Are you aware of it? Are there any 
proposals that you think are particularly worthy?
    Mr. Shannon. I will just make one simple comment here. The 
safe harbor provisions for sharing data so that organizations 
and individuals can do the right thing, as they are responding, 
time is usually of the essence in many of these incidences, 
especially national security ones, and safe harbor-type 
provisions, I think, enable people to do that right thing, and 
we certainly support that.
    Mr. Tillett. I would like to add to that the actionable 
intelligence that needs to be shared. We have a number of 
different public-private relationships which are sharing this 
information. So actionable intelligence and real-time 
intelligence is of high importance on this, but I think often 
what we see is we don't need to reinvent the wheel. We just 
need to make it work better, we need to speak a common 
language. And I think that those initiatives are in process 
amongst many of these private-public relationships, but we 
absolutely need to embrace and endorse that so we are not 
speaking past each other and we are not speaking above each 
other. We all understand a common language about the current 
threat.
    Mrs. Maloney. In terms of technology, do you think any 
foreign country has superior technology in this whole form of 
hacking and protection, or are we leading the way in this area? 
What is your opinion, anyone?
    Mr. Shannon. As mentioned in the data breach report, a lot 
of the at-scale for these cybercriminals, it is using fairly 
simple techniques. But I believe in other venues, the specific 
capabilities can be addressed, but they haven't taken us down 
significantly yet. So I see that as a good sign. The stock 
market operates, the press operates--
    Mrs. Maloney. And they have to now talk about a cyberattack 
that would stop our communications--yes, Mr. Sartin?
    Mr. Sartin. I was just going to add to that about the 
international perspective. We do see variances in knowledge 
about security, implementation. We see variances in the 
technologies that are adopted from one country to the next, 
generally whether it is the people who process the technology, 
the combination of that. I don't necessarily see that one 
country is necessarily better prepared than any other. It comes 
down to individual data breach victims.
    Mrs. Maloney. Thank you. My time has expired. It has been 
very insightful. Thank you for your hard work, all of you, and 
your presentation today. Thank you.
    Chairwoman Capito. Thank you.
    I have one additional question for Mr. Nelson regarding 
notification of breaches and other cyber crimes. I understand 
there is an update to FinCEN's suspicious activity report form. 
Do you think this will help law enforcement better understand 
the cyberthreat?
    Mr. Nelson. Yes. I think today it is not really identified. 
FinCEN's commercial account takeover is--you don't have a box 
you can check on the form today to indicate what that is. I 
think we could actually have a better idea--in my report, I 
have some information about a survey we did, and 77 
institutions responded, but that is not the whole industry. So 
if SARs reports could indicate those types of attack, the 
different types of attacks, what the losses actually were, we 
would have a better understanding what the losses were and the 
losses that were prevented. In many cases, the losses--funds 
don't go out the door, or if they do, the receiving institution 
returns the money.
    Chairwoman Capito. I, too, want to thank all of the 
witnesses, and I have to say one last thing myself. From an 
individual standpoint, I think we have to be patient as 
Americans to realize that there are a lot of people out there 
trying to protect our financial information, our personal 
information, and when we receive, like we all have, those phone 
calls where we will try to use your card or whatever, and you 
are locked out, we have a tendency to lose our patience and 
become very frustrated, and many times these efforts are going 
forward to try to protect us as individuals and us as families.
    And I don't know that my statement is going to do any good 
towards that. Maybe I am talking to myself here a little bit, 
but I think we all need to remind ourselves that it is not 
quite as simple as it looks. It is not as easy as it looks to 
reach into your pocket, and you forget about all the 
infrastructure that is going on behind you.
    This concludes our hearing. The Chair notes that some 
members may have additional questions for this panel which they 
may wish to submit in writing. Without objection, the hearing 
record will remain open for 30 days for members to submit 
written questions to these witnesses and to place their 
responses in the record.
    I appreciate you all very much for coming in, and we are 
very interested in the topic. And with that, the hearing is 
adjourned.
    [Whereupon, at 12:48 p.m., the hearing was adjourned.]


                            A P P E N D I X



                           September 14, 2011


[GRAPHIC] [TIFF OMITTED] T2601.001

[GRAPHIC] [TIFF OMITTED] T2601.002

[GRAPHIC] [TIFF OMITTED] T2601.003

[GRAPHIC] [TIFF OMITTED] T2601.004

[GRAPHIC] [TIFF OMITTED] T2601.005

[GRAPHIC] [TIFF OMITTED] T2601.006

[GRAPHIC] [TIFF OMITTED] T2601.007

[GRAPHIC] [TIFF OMITTED] T2601.008

[GRAPHIC] [TIFF OMITTED] T2601.009

[GRAPHIC] [TIFF OMITTED] T2601.010

[GRAPHIC] [TIFF OMITTED] T2601.011

[GRAPHIC] [TIFF OMITTED] T2601.012

[GRAPHIC] [TIFF OMITTED] T2601.013

[GRAPHIC] [TIFF OMITTED] T2601.014

[GRAPHIC] [TIFF OMITTED] T2601.015

[GRAPHIC] [TIFF OMITTED] T2601.016

[GRAPHIC] [TIFF OMITTED] T2601.017

[GRAPHIC] [TIFF OMITTED] T2601.018

[GRAPHIC] [TIFF OMITTED] T2601.019

[GRAPHIC] [TIFF OMITTED] T2601.020

[GRAPHIC] [TIFF OMITTED] T2601.021

[GRAPHIC] [TIFF OMITTED] T2601.022

[GRAPHIC] [TIFF OMITTED] T2601.023

[GRAPHIC] [TIFF OMITTED] T2601.024

[GRAPHIC] [TIFF OMITTED] T2601.025

[GRAPHIC] [TIFF OMITTED] T2601.026

[GRAPHIC] [TIFF OMITTED] T2601.027

[GRAPHIC] [TIFF OMITTED] T2601.028

[GRAPHIC] [TIFF OMITTED] T2601.029

[GRAPHIC] [TIFF OMITTED] T2601.030

[GRAPHIC] [TIFF OMITTED] T2601.031

[GRAPHIC] [TIFF OMITTED] T2601.032

[GRAPHIC] [TIFF OMITTED] T2601.033

[GRAPHIC] [TIFF OMITTED] T2601.034

[GRAPHIC] [TIFF OMITTED] T2601.035

[GRAPHIC] [TIFF OMITTED] T2601.036

[GRAPHIC] [TIFF OMITTED] T2601.037

[GRAPHIC] [TIFF OMITTED] T2601.038

[GRAPHIC] [TIFF OMITTED] T2601.039

[GRAPHIC] [TIFF OMITTED] T2601.040

[GRAPHIC] [TIFF OMITTED] T2601.041

[GRAPHIC] [TIFF OMITTED] T2601.042

[GRAPHIC] [TIFF OMITTED] T2601.043

[GRAPHIC] [TIFF OMITTED] T2601.044

[GRAPHIC] [TIFF OMITTED] T2601.045

[GRAPHIC] [TIFF OMITTED] T2601.046

[GRAPHIC] [TIFF OMITTED] T2601.047

[GRAPHIC] [TIFF OMITTED] T2601.048

[GRAPHIC] [TIFF OMITTED] T2601.049

[GRAPHIC] [TIFF OMITTED] T2601.050

[GRAPHIC] [TIFF OMITTED] T2601.051

[GRAPHIC] [TIFF OMITTED] T2601.052

[GRAPHIC] [TIFF OMITTED] T2601.053

[GRAPHIC] [TIFF OMITTED] T2601.054

[GRAPHIC] [TIFF OMITTED] T2601.055

[GRAPHIC] [TIFF OMITTED] T2601.056

[GRAPHIC] [TIFF OMITTED] T2601.057

[GRAPHIC] [TIFF OMITTED] T2601.058

[GRAPHIC] [TIFF OMITTED] T2601.059

[GRAPHIC] [TIFF OMITTED] T2601.060

[GRAPHIC] [TIFF OMITTED] T2601.061

[GRAPHIC] [TIFF OMITTED] T2601.062

[GRAPHIC] [TIFF OMITTED] T2601.063

[GRAPHIC] [TIFF OMITTED] T2601.064

[GRAPHIC] [TIFF OMITTED] T2601.065

[GRAPHIC] [TIFF OMITTED] T2601.066

[GRAPHIC] [TIFF OMITTED] T2601.067

[GRAPHIC] [TIFF OMITTED] T2601.068

[GRAPHIC] [TIFF OMITTED] T2601.069

[GRAPHIC] [TIFF OMITTED] T2601.070

[GRAPHIC] [TIFF OMITTED] T2601.071

[GRAPHIC] [TIFF OMITTED] T2601.072

[GRAPHIC] [TIFF OMITTED] T2601.073

[GRAPHIC] [TIFF OMITTED] T2601.074

[GRAPHIC] [TIFF OMITTED] T2601.075

[GRAPHIC] [TIFF OMITTED] T2601.076

[GRAPHIC] [TIFF OMITTED] T2601.077

[GRAPHIC] [TIFF OMITTED] T2601.078

[GRAPHIC] [TIFF OMITTED] T2601.079

[GRAPHIC] [TIFF OMITTED] T2601.080

[GRAPHIC] [TIFF OMITTED] T2601.081

[GRAPHIC] [TIFF OMITTED] T2601.082

[GRAPHIC] [TIFF OMITTED] T2601.083

[GRAPHIC] [TIFF OMITTED] T2601.084

[GRAPHIC] [TIFF OMITTED] T2601.085

[GRAPHIC] [TIFF OMITTED] T2601.086

[GRAPHIC] [TIFF OMITTED] T2601.087

[GRAPHIC] [TIFF OMITTED] T2601.088

[GRAPHIC] [TIFF OMITTED] T2601.089

[GRAPHIC] [TIFF OMITTED] T2601.090

[GRAPHIC] [TIFF OMITTED] T2601.091

[GRAPHIC] [TIFF OMITTED] T2601.092

[GRAPHIC] [TIFF OMITTED] T2601.093

[GRAPHIC] [TIFF OMITTED] T2601.094

[GRAPHIC] [TIFF OMITTED] T2601.095

[GRAPHIC] [TIFF OMITTED] T2601.096

[GRAPHIC] [TIFF OMITTED] T2601.097

[GRAPHIC] [TIFF OMITTED] T2601.098

[GRAPHIC] [TIFF OMITTED] T2601.099

[GRAPHIC] [TIFF OMITTED] T2601.100

[GRAPHIC] [TIFF OMITTED] T2601.101

[GRAPHIC] [TIFF OMITTED] T2601.102

[GRAPHIC] [TIFF OMITTED] T2601.103

[GRAPHIC] [TIFF OMITTED] T2601.104

[GRAPHIC] [TIFF OMITTED] T2601.105

[GRAPHIC] [TIFF OMITTED] T2601.106

