[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]

CYBER SECURITY: PROTECTING YOUR SMALL BUSINESS

HEARING before the SUBCOMMITTEE ON HEALTHCARE AND TECHNOLOGY of the COMMITTEE ON SMALL BUSINESS, UNITED STATES HOUSE OF REPRESENTATIVES, ONE HUNDRED TWELFTH CONGRESS, FIRST SESSION

HEARING HELD DECEMBER 1, 2011

Small Business Committee Document Number 112-047
Available via the GPO Website: http://www.fdsys.gov

U.S. GOVERNMENT PRINTING OFFICE, 72-810, WASHINGTON : 2012

HOUSE COMMITTEE ON SMALL BUSINESS

SAM GRAVES, Missouri, Chairman
ROSCOE BARTLETT, Maryland
STEVE CHABOT, Ohio
STEVE KING, Iowa
MIKE COFFMAN, Colorado
MICK MULVANEY, South Carolina
SCOTT TIPTON, Colorado
JEFF LANDRY, Louisiana
JAIME HERRERA BEUTLER, Washington
ALLEN WEST, Florida
RENEE ELLMERS, North Carolina
JOE WALSH, Illinois
LOU BARLETTA, Pennsylvania
RICHARD HANNA, New York
NYDIA VELAZQUEZ, New York, Ranking Member
KURT SCHRADER, Oregon
MARK CRITZ, Pennsylvania
JASON ALTMIRE, Pennsylvania
YVETTE CLARKE, New York
JUDY CHU, California
DAVID CICILLINE, Rhode Island
CEDRIC RICHMOND, Louisiana
JANICE HAHN, California
GARY PETERS, Michigan
BILL OWENS, New York
BILL KEATING, Massachusetts

Lori Salley, Staff Director
Paul Sass, Deputy Staff Director
Barry Pineles, General Counsel
Michael Day, Minority Staff Director

CONTENTS

OPENING STATEMENTS
Ellmers, Hon. Renee
Richmond, Hon. Cedric

WITNESSES
The Hon. William M. ``Mac'' Thornberry, U.S. House of Representatives (TX-13), Washington, DC
Mr. David Beam, Senior Vice President, North Carolina Electric Membership Corporation, Raleigh, NC
Mr. Glenn Strebe, Chief Executive Officer, Air Academy Federal Credit Union, Colorado Springs, CO
Dr. Phyllis A. Schneck, Chief Technology Officer Public Sector, McAfee, Inc., Reston, VA
Mr. Michael Kaiser, Executive Director, National Cyber Security Alliance, Washington, DC

APPENDIX
Prepared Statements:
The Hon. William M. ``Mac'' Thornberry, U.S. House of Representatives (TX-13), Washington, DC
Mr. David Beam, Senior Vice President, North Carolina Electric Membership Corporation, Raleigh, NC
Mr. Glenn Strebe, Chief Executive Officer, Air Academy Federal Credit Union, Colorado Springs, CO
Dr. Phyllis A. Schneck, Chief Technology Officer Public Sector, McAfee, Inc., Reston, VA
Mr. Michael Kaiser, Executive Director, National Cyber Security Alliance, Washington, DC
Questions for the Record: None
Answers for the Record: None
Additional Materials for the Record:
CompTIA Statement for the Record
Recommendations of the House Republican Cybersecurity Task Force

CYBER SECURITY: PROTECTING YOUR SMALL BUSINESS

THURSDAY, DECEMBER 1, 2011

House of Representatives, Subcommittee on Healthcare and Technology, Committee on Small Business, Washington, DC.

The Subcommittee met, pursuant to call, at 1:01 p.m., in Room 2360, Rayburn House Office Building, Hon. Renee Ellmers [chairwoman of the Subcommittee] presiding.

Present: Representatives Ellmers, Tipton, and Richmond.

Also Present: Representative Schilling.

Chairwoman Ellmers. Good afternoon, everyone. I am going to go ahead and call this meeting to order. I would like to thank everyone for being here joining us today on this very important issue on cyber security. I would like to say a special thank you to Representative Mac Thornberry and our panel of witnesses that will be coming up in the second panel. We appreciate everyone's participation.

Our Nation's digital infrastructure has become an essential part of our everyday lives. It is difficult to imagine a world without the Internet. It touches nearly every sector of the United States economy, and it is critical to our national security. According to the Federal Communications Commission, over 97 percent of small businesses utilize the Internet to increase their productivity and overall success. On Tuesday, The Wall Street Journal reported that the online sales for Cyber Monday rose to a record $1.25 billion. This is an increase of 22 percent from last year and marked the heaviest single day for online commerce ever.

Despite this good economic news, the growth of the Internet technology and e-commerce has also attracted a growing number of cyber criminals looking to steal sensitive information, including intellectual property and personal financial information. These attacks can be catastrophic, as you can imagine, leaving many businesses unable to recover. Especially our small businesses. Although we often hear about cyber attacks on large businesses and institutions, a recent report shows the majority of these attacks are on small firms. Small businesses generally have fewer resources available to monitor and combat cyber threats, making them easy targets for expert criminals. Moreover, the sophistication and scope of these attacks continue to grow at a rapid pace.
A recent report from the Office of the National Counterintelligence Executive stated that tens of billions of dollars in trade secrets, intellectual property, and technology are being stolen each year by foreign nations like China and Russia. As the leader in producing intellectual property, the United States and small businesses will continue to be a primary target for cyber criminals seeking an economic advantage. Adding to the uncertainty is the difficulty in which one protects themselves online. Protecting our digital infrastructure is complex, and no one agency or private business can do it alone. It takes a true public-private partnership to identify, combat, and share information regarding these sophisticated cyber attacks.

Both the administration and Congress have recognized the need to update certain laws and resources to better combat cyber threats. The broad range of issues being considered includes establishing a national standard of reporting a cyber breach, strengthening the criminal statutes, and requiring some private industries to develop cyber security plans. We have heard small businesses' concerns about the possibility of duplicative regulations, always regulations, as many industries already have procedures in place to protect third-party information. For example, a company in my district called Diversified Information Technologies, which digitally processes health care and insurance information, already provides full compliance based on the Health Insurance Portability and Accountability Act, or HIPAA. In considering legislation, we should look to harmonize these regulations to avoid any duplicative rules on small businesses.

There is no question cyber security is a real and major threat to our Nation's economy, security, and everyday way of life. Moving forward, I am confident that we can identify the most efficient role of the public and private sectors to protect small businesses and our Nation against cyber attacks.
Again, I want to thank all of our witnesses who are participating today. I look forward to hearing the testimony on how we can better assist small businesses against cyber attacks. I now yield to the Ranking Member Richmond for his opening statement.

Mr. Richmond. Thank you to the chairwoman and thank you to everyone for coming to participate, especially to Congressman Thornberry, who heads the Cyber Security Task Force, and the recommendations that you all have made. So as a person who was chair of Judiciary in the State legislature for 4 years, cyber security was under our umbrella, I can tell you that our States are not as aware as they should be of the risk that is posed, so it is a great thing that we are taking the lead on it and that your task force is doing what it is doing. So thank you for that.

Internet and telecommunication technologies have not only changed how we communicate, but also how business is conducted. America's 23 million small businesses are some of the savviest users of technology by using the Internet to access new markets to grow and to diversify. In fact, small businesses are the driving forces behind further technological innovation, as they produce about 13 times more patents per employee. However, along with being connected comes being exposed to new threats. Cyber threats can come in many forms, but they are all devastating to both business owners and to their customers. A single attack can wipe out a small business, which is why cyber crime poses severe problems for small businesses that are not prepared to mitigate this kind of risk. According to studies, 40 percent of all threats are focused on firms with less than 500 employees and reveal that a total of nearly $86 billion annually is lost with companies incurring an average of $188,000 in losses. Sadly, some small companies fail to recognize the benefit of cyber security as an investment until it is too late.
On the other hand, those firms that understand the importance of such an investment often lack the resources to implement an effective security system. The Federal Communications Commission, the Department of Homeland Security, and the National Institute of Standards and Technology have all embarked on efforts to offer Federal programs designed to educate the public on computer security. It is worrisome that despite the rise in cyberterrorism over the past few years and the growing impact it has on small businesses, comprehensive cyber security policy remains elusive. With 1.2 million people employed at small companies in the New Orleans metropolitan area, it is important to ensure that they are protected against cyber crimes by keeping our Nation's cyber security, our cyber infrastructure incorruptible. That is why I am cosponsoring the Homeland Security Cyber and Physical Infrastructure Act as a way to strengthen our infrastructure through research, development, and establishment of innovative cyber security technology.

Like everyday Internet users, small firms are exposed to cyber attacks and vulnerable to their malicious effects. Today's hearing will give us an opportunity to review whether the increases in Federal investment in both financial and personnel resources will have an impact on a small firm's ability to mitigate their cyber risk. The testimony we hear today will help us better understand what role the government can play in educating the American public and the business community about the security risks and challenges they face. Your recommendations on the best ways to protect the Nation's small businesses from this growing threat will be useful as we move forward on addressing this issue. In advance of the testimony, I want to thank all the witnesses for both their participation and insight into this important topic. Thank you, and I yield back.

Chairwoman Ellmers. Thank you to the ranking member.
I will say that if committee members have an opening statement prepared, I ask that they be submitted for the record. I don't have to explain the timing lights to our first panel of witnesses. It is my pleasure now to introduce, again, Congressman Mac Thornberry, who is our first witness, and he is the Congressman of the 13th District in Texas. He currently serves as the vice chairman of the Armed Services Committee, where he also leads the Subcommittee on Emerging Threats. He continues to serve the House Permanent Select Committee on Intelligence as well. Earlier this year, Congressman Thornberry was tapped by the Speaker of the House and Majority Leader to spearhead a Cyber Security Task Force to guide House legislation action on this growing economic and national threat. On October 5th, the task force released their recommendations, which have been well received from Republicans and Democrats, the White House, private businesses and other organizations. Thank you for being here. We look forward to your testimony, Congressman.

STATEMENT OF THE HON. MAC THORNBERRY, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF TEXAS

Mr. Thornberry. Thank you, Madam Chairwoman and ranking member, Mr. Schilling. I appreciate the chance to be here. I have submitted a written testimony, and if it is all right, what I would like to do is just kind of summarize it into four points.

One is, I appreciate you having this hearing. One of the major findings of our task force is that there is a tremendous gap in what is really happening and most people's awareness of what is happening. That is true in the population, it is true among Members of Congress, and our view is that first we have a responsibility to educate ourselves and then try to help our communities understand what a serious issue this is. I have recommended that the Speaker and Minority Leader have a classified briefing for all Members because I think all Members really need to get a better understanding of what we are facing.
Also, just as a test case a few weeks ago, I took a cyber expert with me to my district, and in one town we had a special meeting of the Chamber of Commerce, in another town, it was a joint meeting of the Chamber of Commerce and the biggest service club just to talk about this issue. He could answer the technical questions, but just to try to raise awareness from small businesses in my area, and I hope maybe that is something that other Members may want to consider in the future.

The second point I would make, and both of you have made it in your opening statements, small businesses are affected by this. No one should believe that because I am a small business in Amarillo, Texas, that I don't have to worry about it. It is simply not the case. What we also have come to learn is that not only are small businesses in the cross-hairs of those seeking to perpetrate crime and steal intellectual property, a lot of times small businesses are subcontractors that are used to get to larger contractors. A lot of times increasingly, in fact, lawyers and accountants are targets in order to get their clients' records. So there is some careful planning going on here, but small businesses are particularly in the cross-hairs, and every time they steal intellectual property from a small business, they are stealing jobs from the United States. So it is obviously a national security issue, but as both of you have rightly pointed out, it is also an economic issue that is very important.

Third, I would say that this is a big, complicated issue that Congress cannot solve in a single bill, and we shouldn't try. I think you all have mentioned that it touches most aspects of our lives, most aspects of business life these days. Eighty-five, roughly, percent of the infrastructure we are talking about protecting is owned by the private sector.
So government is not going to come in and solve all of this, but we can take steps to help protect the country, and obviously, that is what we need to do.

Fourth and lastly, the task force you have both mentioned has made recommendations as far as a general framework on what Congress could do during this session of Congress, and that was the Speaker's instruction to us, don't try to solve all the problems in the world, but look at what we can do that will make a significant difference that could get passed during this session of Congress, and our recommendations have drawn on a lot of previous work that Members of both sides of the aisle have done, but I have been pleased at the bipartisan support, not only in the House, but from Senators, the White House has spoken positively of it, so I think there is a real opportunity to act here. There are lots of differences we have between the parties, between the different Houses of Congress on a variety of issues, but this is one where I think we can work together, and I think it is essential that we work together to try to begin to take those steps in the right direction. So, again, I appreciate your interest in it, and I will be happy to answer any questions that I can answer.

Chairwoman Ellmers. Well, I definitely echo those comments about the importance of us all working together in a bipartisan manner on this issue, I think we all see the very important aspects of it. I just have a couple questions, and then I will yield to Mr. Richmond, the ranking member. My first question for you, Congressman, is the recent report from the National Counterintelligence Executive Agency revealed that China and Russia are behind a majority of cyber attacks, and that is obviously deeply, deeply disturbing.
In your opinion, how does the small business, the small business that is out there right now dealing with all of the issues with the economy, how can these small businesses deal with these attacks right now, and what and how should the United States respond to this as a Nation?

Mr. Thornberry. I would say two things, and they are really the central recommendations of our task force. Number one is what is called good hygiene. It is the basic things that we all know we should do but too often don't do, keeping our firewalls up to date, our virus protection up to date, not having our passwords underneath our mouse pads in our offices, which a defense contractor told me he just went and checked in one of his offices and found that was the case in a large number of his employees, and the task force received information from a variety of witnesses saying roughly three-fourths of the malicious stuff out there on the Internet could be stopped if we all did the basic stuff we know we are supposed to do. You know the reason they call it good hygiene is because it is kind of like washing your hands and coughing in your sleeve and getting enough sleep and drinking enough water, the basic things that keep us healthy, it can keep the Internet healthy, too. So small businesses, you know, it doesn't take a lot of money, but you need to do the stuff you know you should do.

Secondly, though, when you talk about Russia and China, if Russia and China are targeting somebody, good hygiene won't be enough, and so our second central recommendation is to update some laws to allow information sharing where we can use especially Internet service providers to help defend us against these more sophisticated threats. And so I think you have got to do two prongs: Basic hygiene, but also update our laws so that we can bring all the resources of government and the private sector to bear against these more sophisticated threats.

Chairwoman Ellmers. Thank you.
My next question for you, there again, comes from our small business owners, and they are basically saying that, you know, one of the big issues, and we hear this repeatedly, is the threat of regulations and dual regulations, especially those industries defined as critical infrastructure. This is a two-part question here. First, has this issue been adequately addressed, and in your opinion, do you believe that small businesses should be subjected to the same regulations or Federal standards as larger businesses regarding cyber security compliance?

Mr. Thornberry. It certainly has not been adequately addressed, and I think this gets to where there is a difference of opinion between the White House proposal that came out in May and the task force recommendation. The White House recommended basically that critical infrastructure businesses develop a cyber security plan which would be sent to the Department of Homeland Security for evaluation and kind of a thumbs up or thumbs down. Our view was that we ought to rely on existing regulators, so for the electric industry, FERC, and NERC and the existing regulators, the Nuclear Power Regulatory Commission for nuclear power plants, et cetera. In other words, these structures are in place, they help understand the fuller spectrum of what these businesses are dealing with, and they need to put a greater emphasis on cyber security. Now, we are going to have to work through how to do that, but I think I am concerned, as you mentioned, about layering additional regulations, particularly on small businesses that have a difficult time affording what they have got now.

Chairwoman Ellmers. Thank you. Thank you for outlining that. There again, you know, having to report to more than one agency, each of these different duplicative just adds to the cost of doing business as well, so---- My last question, in actually talking about Federal agencies, of course, Federal agencies play a key role in protecting against cyber attacks.
Considering our committee, Small Business Committee and its jurisdiction, what do you think the appropriate role is for the Small Business Administration?

Mr. Thornberry. My sense is the most valuable thing is the awareness and help small businesses have the tools to know how to defend themselves, and if you can do that where you don't have to go hiring an outside consultant or so forth, if you can just help direct small business to the kinds of things they need to do with that good hygiene we were talking about, I think that would be a tremendous help to small business, but again, when you help all those small businesses, you are also helping the whole Internet because you reduce the clutter that is out there, and that helps the more sophisticated entities target those more sophisticated threats.

Chairwoman Ellmers. Thank you so much for answering my questions. I am going to yield now to Mr. Richmond for his questions.

Mr. Richmond. Thank you, and I will try to start where you are leaving off when we talk about education and awareness as a cost-effective way to reduce our cyber breaches. The task force suggested the basic technology tools, industry best practices, and education could eliminate about 85 percent of the cyber threat. I think you just hit on most of it, but what else besides the good hygiene and the other recommendations can we do to further push for a reduction and further accomplish a reduction in cyber attacks?

Mr. Thornberry. Well, one of the key areas, we believe, is that we need to provide some voluntary incentives so that as a CEO is trying to figure out where his money goes, that more of his attention and perhaps more of his money goes to defending that business against cyber attack. Now, again, there are some differences. There are some people who have made proposals on a more directive regulatory approach.
Our view was you can't have one size that fits all, but a variety of incentives, whether it is the Tax Code, whether it is SEC regulations, which actually they came out with one a couple weeks ago that requires greater attention be paid to cyber. I think that sort of thing, we have got to elevate this issue in the consciousness not only of Members of Congress, the American people, but of businesses, and some incentives, financial incentives, I think--we think help accomplish that, even though we did not try to put out a laundry list of what they all are, and suggestions that you all may have, particularly for incentives that would be effective for small business, I think, would be very welcome as we move through this process.

Mr. Richmond. Another thing, one of the recommendations was in the Federal procurement process, to require security technology processes and performance management in the government IT process. Since we are sitting on Small Business, one concern that immediately pops up is the cost associated with it and how would it put small businesses at a disadvantage compared to other businesses in the procurement process for government contracts.

Mr. Thornberry. It is a good point. I think our view was, the government is a big customer, we ought to be a good big customer in what we buy, in other words buy things that are more secure, but also I think what one finds out is a lot of innovation in this area is being done by small business, innovation in enhanced security. So I think, if we can put a higher priority on security that small business, particularly small business innovators will benefit from that. They should, and I hope so.

Mr. Richmond. I am glad you brought up the role that small businesses play in the technology aspect of it. The Federal Government is spending an enormous amount of money, and we are spending more every year, on cyber security.
What niche, or what way do you see small businesses being able to participate on the technology side of helping us get ready, combat or fight off cyber attacks?

Mr. Thornberry. I think we were just touching on it. A lot of the innovation that goes on is in small business start-up businesses, and the Federal Government in its procurement has to be nimble enough to take advantage of those advances, and that is obviously a challenge. And a second area that we touched on is, the Federal Government spends a lot of money on research in cyber. We ought to make sure the money we spend on research in cyber is not taking the place of money that private industry is spending on cyber. In other words, displacing some small business that is putting their resources out there, we ought to be complementary, more basic research that everybody can benefit from rather than researching things that, you know, that put a small business potentially out of business.

Mr. Richmond. And just a few more. When you talked about information sharing earlier, of course it raises questions of privacy concerns. One question that would quickly pop up in my mind is in an information sharing arrangement, for the person whose information is then leaked or who has his life or business turned upside down because of it, how do we address liability in that question and who ultimately would bear the responsibility?

Mr. Thornberry. It is, in many ways, kind of a central question to making this work, you are exactly right. What we recommended in the task force was creating a separate entity apart from government where information could be shared so that--and I will just take the car industry. For example, Ford and GM could bring their information to this place to share.
They may want to sanitize that information so you don't have particular individuals' names and so forth, but they could bring the information that we are getting attacked from here, we are getting attacked from there, threat information could come together. At the same place you would have government classified information brought in so that you can have this whole fuller picture, at least, of the nature of the threat with appropriate classified safeguards so that we do not lose important national security information, and then ideally, that information could be acted upon by Internet service providers, so you accumulate this threat information, and AT&T and Verizon can use that information to protect big businesses and small businesses eventually, hopefully. I mean, that is kind of the concept that we talked about, but you are absolutely right that privacy has got to be built in every step of the way and that if we don't, the American people are not going to go for it, and we will not be able to advance cyber security.

Mr. Richmond. And the last question is hopefully a short answer, but nowadays with iPads, iPhones, Androids, so between the smartphone and the tablet, they are becoming business instruments for many people, especially small businesses. What is your assessment of what cell phone companies and those companies are doing in terms of making sure that there are adequate safeguards in place for threats on those smart devices?

Mr. Thornberry. As they multiply, the potential entry points for attacks of some sort multiply as well, and I don't think there has been nearly enough attention by the software companies, the hardware companies or us as individuals into safeguarding these little devices that we all carry around with us.
But I will say, from the Armed Services Committee standpoint, we are going to start issuing some of these devices to soldiers in the field, and so we have got to figure out from a government standpoint how we make sure they are secure, and hopefully that can start a trend towards greater security for all of these devices.

Mr. Richmond. And I am glad you mentioned that, and this will be the last question.

Chairwoman Ellmers. That is fine.

Mr. Richmond. What you just said scares me because I think of my smartphone and the fact that it has great capabilities where parents can use the GPS feature on their children's smartphone to see where they are, the first question in my mind becomes whether the technology is there, whether the companies have the ability to make sure that we are not giving away the coordinates and where our soldiers are, but, you know, so do you think that--and I know that our military and our leaders would address those things, but those types of concerns, we just have to make sure that those cell phone providers and those are very wary of those, especially as more and more--and we talked about troops, but especially as more and more children have cell phones, we have to worry about the cyber attacks. We also have to worry about our hardened criminals using technology to find our children and so forth. So that is one thing we have to keep pushing on our industries and our companies, to make sure that they understand to some extent there is a moral responsibility with making sure that the phones are as safe as possible in that respect. So thank you for what you do, Mac, and thank you to the Chairwoman for allowing me a little extra time. Thank you.

Chairwoman Ellmers. Well, thank you. Those were excellent questions, excellent questions, and excellent responses. This is quite an opportunity today. At this time, I would like to recognize Mr. Schilling from Illinois, if he has any questions.

Mr. Schilling. Yes, thank you, Chairwoman.
I think I agree with Mac here, with Congressman Thornberry I should call him, is this is something that really needs to be addressed, and, you know, as I go into some of the hearings that we have been in, some of the briefings, you know, I don't really feel a sense of urgency out here in Washington, D.C. when it comes to the cyber attacks that we are already dealing with, and then the future ones that are coming, and being a small business owner myself, you know, of course, one of the things that I always fear is when I hear the government is going to get into and then they are going to throw something else upon my small business that is already struggling, things like that, so I think that is something we definitely need to work on. One of the things I was curious is, where is, like, leadership, for example, on maybe having briefings with the Democrats and Republicans here to where we can get the message? And I really appreciate, just the idea that you had of going out to the Chambers and speaking to the small businesses because this is a real threat, and I think down the road, this is going to be something that we are going to have to really pay a lot of attention to. So several different----

Mr. Thornberry. I think there is a good chance it will happen. As I mentioned, I recommended to the Speaker, I know Jim Langevin talked to Mrs. Pelosi's office about jointly doing this. Obviously, I think you are right, generally there is not the sense of urgency. For people like the Speaker, the President, and the Majority Leader in the Senate who have had every day or every week get classified briefings, they are pretty fired up about this, and see the urgency of doing something. So I am hopeful we can do that, and I think it would help all Members to get a little fuller picture of what we face every day.

Mr. Schilling. Very good.
I do like the message you have, also when we do do something, is it something that is going to complement somebody that is already working on something, not trying to take something that maybe a small business is working on. So that is all I had. Thank you.

Chairwoman Ellmers. Great. Thank you. At this time I would like to recognize Mr. Tipton from Colorado.

Mr. Tipton. Thank you, Chairwoman, and Congressman, thanks for your leadership on this obviously very important issue. I haven't had an opportunity to obviously be able to go through your entire task force report, but in there, it states that 85 percent of the issues, cyber issues can be cleaned up with hygiene, and I was wondering, is there a way to be able to really accomplish this without driving up some of the costs that small businesses are really going to be bearing? Any estimates on that?

Mr. Thornberry. Well, I think you can do it with incentives and encouragement. Maybe you don't get all 85 percent. Maybe you get 80 percent. But I think increasingly, small businesses, like all businesses, are going to have to understand that if their customer records are stolen and misused, they may have some responsibility for that, and so I think we are better off in structuring things where it is self-interest to put a higher priority rather than government mandating how it should be done. Among other things, the threats move so quickly, there is no way the government can regulate in this area. It just evolves so fast. But as in some other areas, physical safety, for example, everybody has to have insurance, sometimes you have an insurance agent come and inspect your physical plant to determine your rates and so forth. That is the sort of incentive, I hope, that we can get going.

Mr. Tipton. Great.
And I apologize for being late, and if you have already answered this, but I was also curious where you had noted that a number of our small businesses are developing new technologies that are being hacked and the next day they know it is out on to the street, are there any estimates in terms of how much that is costing the U.S. economy?

Mr. Thornberry. I don't know of any good estimates. You have a wide range of numbers about the value of the information being stolen every day, every year from our economy, but we did hear specific instances of small businesses who discovered that they were hacked and information, where there was a formula, a blueprint, something was taken from their computers, and a few months later that exact product shows up on our shores with ``Made in China'' stamped on the back. Now the problem is they knew they were hacked. How many are out there that don't know that the information was ever stolen from them? So that is part of the reason we believe we have got to make this a bigger deal for everybody.

Mr. Tipton. Exactly. Again, thank you for your leadership. Madam Chairman, yield back.

Chairwoman Ellmers. Thank you. Again, I would like to thank Congressman Thornberry for his leadership and insight on this issue. We will continue to work closely with his office and the task force on developing legislation that assists small businesses in combating cyber security. Thank you so much. It was a pleasure.

I would like to call the second panel now to the table. Wonderful, let's go ahead and get started. I would like to take the opportunity right now to just explain to you the timing lights. You will each have 5 minutes to deliver your testimony. The light will start out as green. When you have 1 minute remaining, the light will turn yellow. Finally, it will turn red at the end of your 5 minutes, and I ask that you try to keep to that limit, if possible, although, you know, I am usually pretty flexible with that within reason. Within reason.
Thank you all for being here. Again, this is a great opportunity. It was certainly wonderful to hear from Congressman Thornberry. He has done so much work on this, and now from the business aspect, you know, we get to hear your side of it. So, again, thank you so much for being here today. I am going to take the opportunity now to introduce our first witness, Mr. David Beam. Before I do, though, I do want to say that at some point we may be called for votes, and what we will do at that time is we will interrupt, we will kind of decide what time frame we are looking at, and then we will come back and pick up again later, okay?

So our first witness is Mr. David Beam. He is the senior vice president of Corporate Strategies for the North Carolina Electric Membership Corporation in Raleigh, North Carolina. David has over 30 years of experience in the electric utility industry. In his current role, he oversees their energy risk management and regulatory compliance, including cyber security. David earned his Bachelor of Science in mechanical engineering from the University of Kentucky and his MBA from the University of North Carolina Chapel Hill. He is testifying on behalf of the National Rural Electric Cooperative Association.

STATEMENTS OF DAVID BEAM, SENIOR VICE PRESIDENT, NORTH CAROLINA ELECTRIC MEMBERSHIP CORPORATION, ON BEHALF OF THE NATIONAL RURAL ELECTRIC COOPERATIVE ASSOCIATION; GLENN STREBE, CHIEF EXECUTIVE OFFICER, AIR ACADEMY FEDERAL CREDIT UNION, ON BEHALF OF THE NATIONAL ASSOCIATION OF FEDERAL CREDIT UNIONS; PHYLLIS SCHNECK, CHIEF TECHNOLOGY OFFICER PUBLIC SECTOR, MCAFEE, INC, ON BEHALF OF THE SOFTWARE & INFORMATION INDUSTRY ASSOCIATION; AND MICHAEL KAISER, EXECUTIVE DIRECTOR, NATIONAL CYBER SECURITY ALLIANCE

Chairwoman Ellmers. Welcome, you have 5 minutes to present your testimony.

STATEMENT OF DAVID BEAM

Mr. Beam. Chairman Ellmers, and Ranking Member Richmond, thank you for inviting me to testify on cyber security impacts on small businesses.
My name is David Beam, and I am senior vice president of Corporate Strategy for North Carolina Electric Membership Corporation, or NCEMC. NCEMC is a generation and transmission cooperative providing wholesale power and other related services to 25 of the 26 electric cooperatives incorporated in North Carolina. NCEMC is responsible for reliability in cyber security compliance, for its own critical assets as well as those belonging to its members. These assets include generation and transmission facilities and the associated protection equipment and procedures. All of our distribution cooperatives that own NCEMC are small businesses.

I would like to acknowledge the National Rural Electric Cooperative Association. NRECA is our national trade association representing over 900 cooperatives nationwide, providing electricity to 42 million consumers in 47 States.

Today I will cover the following: The bulk power system and how it is separate from the distribution system, the origin and purposes of the North American Electric Reliability Corporation, or NERC, how we comply with NERC reliability and cyber security standards, and our views on the potential impacts of new legislation. I would also like to commend the work of Speaker Boehner's Cyber Security Task Force and the leadership of Representative Mac Thornberry.

Generally speaking, NERC's standards apply to the bulk power system which includes generation and transmission assets operated at voltages of 100 kV or higher. Distribution facilities receive power from the bulk power system and transmit it to retail consumers. Because outages at the distribution level generally do not pose a threat to the bulk power system, NERC standards don't typically apply to distribution lines and substations.

Contrary to popular belief, hackers cannot easily access the telecommunications systems that overlay parts of the bulk power system. Utilities have comprehensive cyber security systems to protect against malicious attacks.
Congress created a mandatory enforceable reliability standards regime for the bulk power system in the Energy Policy Act of 2005. NERC is an industry-funded, self-regulatory organization. Its purpose is to regulate reliability and cyber security standards. It also audits compliance and has enforcement authority over those standards. NERC and the Federal Energy Regulatory Commission or FERC can fine utilities that violate these standards and have done so. Additionally, FERC can direct NERC to develop new or revised reliability standards. Congress created a stakeholder-driven process, recognizing that utility owners and operators best know how to provide reliable electric service and how our complex systems are designed and operated. We want to preserve this process.

NCEMC follows exacting procedures to ensure NERC compliance. Our goals are awareness and commitment to compliance by all employees, prompt detection, cessation, and reporting of violations, and effective remediation measures should violations occur. NCEMC has devoted significant financial and human resources to ensuring reliability in cyber security. We employ a full-time compliance coordinator whose sole responsibility is managing compliance with reliability and cyber security standards. In addition, NCEMC employs a compliance team of subject matter experts who are responsible for compliance with their assigned cyber security and reliability standards. NCEMC also uses outside contractors to audit and provide recommendations for improving our compliance program. Additionally, at least one employee for each distribution cooperative is responsible for compliance with reliability and cyber security standards.

We employ strong defensive measures to protect our network and business systems. We have strict security guidelines for securing the network and systems, including policies that govern the access and use of its network and systems. NCEMC and NRECA believe NERC processes work very well.
The process could be strengthened by narrowly targeted legislation that lets the Federal Government react quickly to severe, imminent cyber threats and increases timely actionable information flowing to utilities. Any new legislation should cover only assets and systems which are realistic targets of cyber threat and which could truly impact the bulk power system. Casting too wide a net could bring entities, like distribution co-ops and other small businesses, under potentially very burdensome regulatory requirements with little or no benefit to grid security. Thank you for the opportunity to testify today. I look forward to answering your questions.

Chairwoman Ellmers. Thank you, Mr. Beam.

Chairwoman Ellmers. I now yield to Congressman Tipton for the introduction of our next witness.

Mr. Tipton. Thank you, Chairwoman. It is my pleasure today to be able to introduce Mr. Glenn Strebe. He is the chief executive officer of the Air Academy Federal Credit Union in Colorado Springs. He oversees full operations of nine credit unions, including oversight of their compliance and security issues. Glenn received his Bachelor of Science from the U.S. Air Force Academy, my son-in-law is also a graduate of the Academy, and an MBA from the Colorado State University. He is testifying on behalf of the National Association of Federal Credit Unions, and Glenn, welcome, and we look forward to your testimony.

STATEMENT OF GLENN STREBE

Mr. Strebe. Thank you. Good afternoon. Chairwoman Ellmers, Ranking Member Richmond, and members of the subcommittee, my name is Glenn Strebe, and I am testifying today on behalf of the National Association of Federal Credit Unions, or NAFCU. Thank you for holding this important hearing. I appreciate the opportunity to share my views on cyber security and data security at our Nation's credit unions. NAFCU supports efforts to enact comprehensive data and cyber security measures to protect consumer data.
Credit unions and other financial institutions already protect data consistent with the provisions of the 1999 Gramm-Leach-Bliley Act. Unfortunately, there is no comprehensive regulatory structure similar to what was put in place for financial institutions under Gramm-Leach-Bliley for other entities that may handle sensitive personal and financial information. Consistent with Gramm-Leach-Bliley, the National Credit Union Administration established administrative, technical, and physical safeguards for credit unions to ensure the security, confidentiality, integrity, and proper disposal of consumer information and other records. Every credit union must develop and maintain an information security program to protect data. Additionally, the rules require third-party service providers that have access to credit union data take appropriate steps to protect the security and confidentiality of this information. Gramm-Leach-Bliley and its implementing regulations have successfully limited data breaches among financial institutions. I have outlined the specifics of the Act in my written testimony.

At Air Academy Federal Credit Union, we are relentless in our efforts to protect sensitive data. The increased reliance on Internet-based services has created new challenges and expenses over the past decade. With over a quarter of our members living out of State, a large number of our transactions are performed online. In order to address this growing trend, Air Academy has implemented and continues to execute security measures on many different levels, the details and costs of which are outlined in my written testimony.

At Air Academy, we take cyber security seriously. We use an ethical hacker that tests our security measures, looking for hidden vulnerabilities. Our laptops and thumb drives are encrypted in case they fall into the wrong hands.
We change penetration testing vendors as well as our service providers every 2 or 3 years to avoid complacency and to keep a fresh set of eyes on our security system. While all of these steps are costly, they are best practices.

Despite Air Academy's efforts, the inadequate security systems of other entities still leave our members' data vulnerable to hackers and thieves. Everyone has heard about large national data breaches that impact millions of payment cards, but many breaches are small and on the local level. For example, in 2009, a local liquor store failed to protect card data because they claimed no liability. We suffered over $60,000 in losses. Data breaches are a serious problem for consumers and businesses. Financial institutions such as credit unions bear a significant burden as they incur steep losses in order to reestablish member confidence after a data breach occurs.

NAFCU has developed a list of items we would like to see addressed in any data security bill. They are outlined in detail in my testimony and include: Payment of breach costs by breached entities; national standards for safekeeping of information; disclosing of data security policy at point of sale; requiring disclosure of the breached entity; enforcement of prohibitions on data retention; and timely notification of account servicer when a breach occurs.

In conclusion, NAFCU supports new measures to protect consumers' financial data. Creating a comprehensive regulatory scheme for those entities that currently have none is critical. A safe harbor for financial institutions already in compliance with Gramm-Leach-Bliley should be included in any data security bill. Further, if more regulations are needed to address new concerns, it should be the functional regulators that are charged with promulgating new rules. Finally, any other party that holds sensitive information should be held liable when responsible for a data breach. Thank you again for the invitation to testify before you today.
I would welcome any questions you may have.

Chairwoman Ellmers. Thank you, Mr. Strebe.

Chairwoman Ellmers. I now yield to Ranking Member Richmond for the introduction of our next witness.

Mr. Richmond. Thank you, Madam Chairwoman. It is my pleasure and honor to introduce to everyone Dr. Phyllis Schneck, who is the chief technology officer for the public sector at McAfee, a leading provider of cyber security software. Ms. Schneck received her Ph.D. in computer science from Georgia Institute of Technology where she pioneered the field of information security and security-based high performance computing. In addition to her role at McAfee, she currently serves as the chairman of the board of directors of the National Cyber Forensics and Training Alliance. Ms. Schneck was named one of the top 25 women leaders in information security, and she also holds three patents in high performance and adaptive information security. Welcome, Ms. Schneck. I am sorry, Dr. Schneck.

STATEMENT OF PHYLLIS A. SCHNECK

Ms. Schneck. Thank you. Good afternoon, Chairwoman Ellmers, Ranking Member Richmond, and members of the subcommittee. I am Phyllis Schneck, vice president and chief technology officer for the global public sector for McAfee, testifying today on behalf of the Software & Information Industry Association. SIIA is the primary trade association of the software and digital information industry, with more than 500 members that develop software and electronic content for consumers, business, education, and the Internet. McAfee, Inc., protects businesses, consumers, and the public sector from cyber attacks, viruses, and a wide range of cyber security threats. We are the world's largest dedicated cyber security technology company and a proven force in combating the world's toughest security challenges. McAfee is a wholly owned subsidiary of the Intel Corporation.
We appreciate the subcommittee's interest in cyber security as it affects small business, which plays such a large part in our Nation's economy. While small business falls prey to the same security risks as large business, most small firms cannot afford a dedicated security staff nor do they have a million dollar budget to purchase enterprise security solutions. Nevertheless, small companies must meet the same security and compliance requirements as Fortune 500 firms, just to remain in business.

The importance of small business to the national economy cannot be overstated. According to the Small Business Administration, small firms represent 99.7 percent of all employer firms. They have generated 65 percent of new jobs over the past 17 years, and as Ranking Member Richmond mentioned earlier, they produce an order of magnitude more patents per employee than even the large patenting firms.

Today's cyber threats are more sophisticated and targeted than ever. They are growing at an unprecedented rate. McAfee Labs finds, for example, that both malicious URLs and malware, they have grown almost sixfold in the past 2 years, and in 2010 we saw more malware than in all of the years previously. One of the most insidious cyber attacks is a low level incursion, it sinks below the radar, quietly exploring and stealing the contents of the network. Security professionals call this an advanced persistent threat or an APT, and McAfee has uncovered several over the past year, the most recent, Shady RAT, has been stealing valuable intellectual property from more than 70 organizations across 14 countries, including small firms in addition to government contractors, nonprofits, and government agencies. And this is not an isolated incident. A 2010 survey found that 60 percent of organizations report a chronic and recurring loss of sensitive information.
More than a million small businesses and retailers were victims of some type of information theft in 2010, with 56 percent of small and midsized businesses experiencing this type of banking related fraud in 2010 and 75 percent of it coming from online sources. Among small businesses falling prey to bank fraud, 61 percent were victimized more than once. We are only as secure as our weakest link.

To further help small business, we recommend three guiding principles to make the cost of security most effective. Practice risk management first. Next, minimize the amount of sensitive information retained in the network; and, third, invest in the appropriate level of security.

Finally, we have some policy recommendations. A heavily regulated approach would not necessarily make organizations more secure. It makes them more compliant. And it would stifle innovation. On the other hand, positive incentives and subsidies have a high probability of success in two ways: First, a higher chance of better actual outcome; and secondly, a higher probability of good legislative success. There are a variety of proposed approaches founded on incentives, including the recommendations that we heard earlier from Representative Thornberry of the House Republican Cyber Security Task Force and some promising approaches on the Democratic side. We support the following approaches:

Litigation and legal reform. Imposing limitations on liability for damages as well as for noneconomic loss would remove a serious obstacle to information security investment, such as the risk of being held responsible for losses notwithstanding a company's good faith investment in good cyber security.

Public-private partnership on information sharing. Departments of Defense and Homeland Security manage many public-private partnerships, McAfee plays a key role in several.
These partnerships ensure that senior corporate and government officials share vital information and best practices, and they are especially important for small businesses.

Competition, scholarships, research and development help identify and recruit talented individuals that foster innovation in advanced basic and applied solutions and bring those individuals to the cyber security workforce.

Tax incentives. Accelerated depreciation or refundable tax credits should be considered to encourage critical infrastructure industries to make additional investments in cyber security technologies, solutions, and human capital. The same approach could be effectively applied to small business.

Insurance reforms. Because of the lack of actuarial data, government should consider implementing reinsurance programs to help underwrite the development of cyber security insurance programs, which could be phased out as insurance markets gain the cyber security coverage.

In conclusion, let me emphasize that collaboration and cooperation between the public and private sector are key to addressing cyber security in a holistic way. Thank you for your interest, and I will be pleased to answer any questions.

Chairwoman Ellmers. Thank you, Dr. Schneck.

Chairwoman Ellmers. I have the opportunity now to introduce our last witness for today, Mr. Michael Kaiser. He is the executive director of the National Cyber Security Alliance, NCSA, in Washington, D.C. The NCSA is a nonprofit organization focused on educating and promoting awareness of safe cyber security practices to individuals, education institutions, and small businesses. They recently conducted a study analyzing small business cyber security practices. Welcome, Mr. Kaiser. You have 5 minutes for your testimony.

STATEMENT OF MICHAEL KAISER

Mr. Kaiser. Thank you, Chairwoman Ellmers and Ranking Member Richmond, and members of the subcommittee.
Thank you for the opportunity to testify today on this very important current state of cyber security in small business. My name is Michael Kaiser, and I am the executive director of the National Cyber Security Alliance. NCSA is a nonprofit organization, a public-private partnership working with industry leaders, government, and nonprofits on education awareness issues in cyber security. NCSA's board of directors is comprised of representatives from 18 companies, ADP, AT&T, Bank of America, Cisco, EMC, ESET, Facebook, General Dynamics Advanced Information Systems, Google, Intel, Lockheed Martin, McAfee, Microsoft, PayPal, SAIC, Symantec, Verizon and Visa.

NCSA leads cyber security education and awareness in this country. We lead critical efforts, such as the STOP. THINK. CONNECT. campaign, which we developed with the Anti-phishing Working Group and industry and government and which the Department of Homeland Security leads in the Federal Government. We have developed National Cyber Security Awareness Month, we are working on Data Privacy Day, and we operate StaySafeOnline.org, our Web site. NCSA recently signed an MOU with the Department of Education and NIST to lead the National Cyber Security Education Council, a public-private partnership to address formal cyber security education from basic education all the way through to degrees and workforce training programs.

We have a long track record in conducting surveys about the practices of individual small businesses and the state of cyber security in U.S. schools. In October, we released the results of a study conducted in conjunction with Symantec about the cyber security practices of small businesses. We found that businesses still don't have good practices and policies in place, allow risky behavior, and in general, fail to take a strategic approach to cyber security, leading unfortunately to a false sense of security. We found actually that businesses are becoming more reliant on the Internet.
Two-thirds say that their business is dependent on the Internet for day-to-day operations and also two-thirds say they have become more dependent on the Internet in the last 12 months. A majority, 57 percent, say that the loss of the Internet access for 48 straight hours during a regular business week would be disruptive to their business.

We learned that businesses actually have critical information on hand. Sixty-nine percent report handling customer data, half deal in financial records and reports, one-quarter have their own intellectual property, which we have been discussing a lot today, and actually one-fifth have the intellectual property of other people in their business, which I think is something we have to be concerned about as well.

We discovered that small businesses aren't creating an environment that promotes cyber security. Seventy-seven percent do not have formal Internet security policies for employees, and nearly half of those don't even have informal cyber security policies for their employees. Sixty-three percent don't have policies that relate to the use of social networks in the workplace, and two-thirds allow the use of USB devices in the workplace. These are general risk factors that we are aware of.

Unfortunately, these data show that the entire small business ecosystem is at risk, and we look at it that way a lot. We need to reach every small business with information that will help them protect their digital assets. Cyber criminals, as has been mentioned here, are well aware of these vulnerabilities, and small businesses have become a primary target for them. Forty percent of all targeted attacks are directed to businesses with less than 500 employees, and roughly 60 percent close within 6 months of a cyber attack. It is tough enough for small businesses to make and thrive, we shouldn't also be losing them to cyber criminals.
There is no single government agency, nonprofit group that can take on-- company, government agency or nonprofit group that can take on this vast issue alone or reach every small business. Working together with a broad array of stakeholders, leveraging resources, sharing the responsibility is our best hope for success. Based on this thought of a collaborative approach, here are some ideas that we have about what we could do.

Create a harmonized message in a campaign, like STOP. THINK. CONNECT. that can be deployed by key stakeholders. That would go a long way to clarifying for business owners what they need to do, and it would come from trusted sources.

Align forces within the Federal Government to support small businesses. Many Federal agencies have an interest in helping small businesses grow and protect their digital assets. At minimum, the Small Business Administration, the Department of Commerce, the FTC, the FCC, the Department of Homeland Security should participate, but others such as the Department of Defense and the IRS that work and touch small businesses should be involved as well.

Engage local communities in the effort. Small business owners are likely to listen to their local peers. A few forward-thinking communities, such as Washtenaw County, Michigan, San Diego, California, San Antonio, Texas, and Colorado Springs have started efforts to make their communities more cyber secure, and they have all prioritized small business as a key target in their communities to make that happen.

Support education reform that leads to a more cyber capable workforce. We need a workforce in the 21st century that understands how to use technology safely, securely, ethically, and productively when they graduate high school or college.

And encourage your colleagues, I think as Representative Thornberry has done, to make information available to small businesses in your district. Go out, talk with them, have a town hall on cyber security, and get the conversation going.
Thank you for your time and attention to this issue, and I look forward to your questions.

Chairwoman Ellmers. Thank you, Mr. Kaiser. We are going to go ahead and get started with some questions, and just so you know, we will be called for votes about 2:15, so what I am going to do is I am going to yield now to Mr. Tipton from Colorado for his questions.

Mr. Tipton. Thank you, Madam Chair. Glenn, I would like to thank you for joining us. Once again, it is good to have a Coloradoan here and to be able to see you. I was disturbed a little bit, the stories that you had in your written testimony about the costs to your businesses in terms of the data breach from the other company, I believe it was a liquor company; is that right?

Mr. Strebe. Yes, it was.

Mr. Tipton. The mistake ended up costing you thousands of dollars for nothing you had no control over, and you also mentioned that you were only able to recover 35 percent of your incurred expenses. What additional steps would you recommend that Congress and this committee take to curb this phenomenon and without imposing burdensome regulations on small businesses?

Mr. Strebe. As I mentioned in my verbal comments as well as in the written testimony, one of the things that does not occur out in the business world is the fact that there is no liability, there is no accountability. In the case of that liquor store, the police were involved in that case, and they themselves were confronting the liquor store, asking them, you know, What are you doing? They said, Well, we don't have any liability, so we are really not going to worry about it, and as a result of that it cost us over $60,000. What would I do? I would look for the opportunity to hold accountable, as I have written in testimony, hold accountable those businesses that have such a cavalier attitude.

Mr. Tipton. I appreciate that. And Dr. Schneck, I believe in your comments you said that we have got to be very cautious that we just aren't in a manner of compliance as opposed to having the security. Would you like to expand on that a little bit because I think as small business people we often see, we spend a lot of time making sure we are complying as opposed to getting the job done.

Ms. Schneck. Thank you. The problem with regulation is that it draws a box, it draws a box where they have to take the money and invest, and it does two things: Number one, it stifles innovation because if companies are only having to fill that box and invest in those X places, it doesn't leave a lot of room for advancing creativity, saying well, how else can we solve this problem that might be better because the regulation is this is what we have to buy, it is in this box. The second thing it does that can really hurt small businesses, it shows the adversary, the cyber adversary, everything that is outside of the box, and small business is already a target, as has been mentioned, not only a target to bounce into a larger enterprise, but small businesses, in many cases, are developing the intellectual property that could make the next jet engine and working on national security and holding private information, all kinds of ways.
So they are holding the same intellectual property and harboring the same risk as a big company that can afford a dedicated team and the best security, but they can't afford, they don't have the extra money to do that to secure their piece, and at the same time what regulation would do is show the outline of the box and show the bad guy exactly where he can go straight into those small businesses that can't afford to protect it, so what we really need to do is incentivize, and as was mentioned by Representative Thornberry and some other colleagues, some good incentives for businesses to be able to target that investment upfront, make cyber security part of the corporate risk and go ahead, as I mentioned, and minimize the amount of information that is stored on their network. Compliance and regulation are not going to protect us. Mr. Tipton. So be very cautious about trying to have a one- size-fits-all regulatory policy? Ms. Schneck. Exactly. Or anything that doesn't allow innovation. Mr. Tipton. Thank you so much. I yield back, Madam Chair. Chairwoman Ellmers. Thank you. I am going to go ahead and ask my questions now. This question I would like to ask the entire panel for your opinion. There is a variety of Federal agencies and organizations involved in combating cyber security, as you know. Do you think small businesses know where to go to get the best information and assistance and, if not, what recommendations do you have to help us get that information out? Starting with Mr. Kaiser. Mr. Kaiser. Yeah, you know, we take approach to all this, a similar approach across all education and awareness in cyber security on this issue, which is that we should not try to spend a lot of time trying to get, in this case, small businesses to trust other entities for new information. 
We should be going to the entities that they already trust and getting them to disseminate a very similar comprehensive harmonized message, so whether it is in their vertical of their industry or to a government agency that they already trust or back to a software provider on an ISP, if we can coordinate and harmonize that messaging, then they will just go to who they trust, and no matter where they go they will get the right message. I think that is really the work that we have to do at this level to support them at the lower levels. Ms. Schneck. I would definitely agree and echo those remarks. I would add that the cyber adversary is fast, shares information very well, already has trust, is often very well funded. So they can act without any legal boundaries, IP boundaries, and that is why they are winning. The very best thing that we can do as the good guys is match that and then go one step better. Since small business makes up 99.7 percent, I calculate that as part of the fabric, they are a large part of the cyber information and situational awareness that we will see, breaches, how they happen, what they are seeing. First and foremost, we would ask them to know who to call, whether it is a partnership of law enforcement or others that you trust, know who that is ahead of time so that you can all get together when you see something, and even build those relationships to determine steady state so you can understand an anomaly even when things are good. The second thing is work with those public-private partnerships, they are so important because not only do small businesses get access to people and resources that do have million dollar budgets to do things and see more things globally, but you also put information from that 99.7 percent of the fabric back into the pot that protects the entire fabric. We, again, only are as good as our weakest link. 
Our small businesses are so strong in the innovation, we can't let them be weak in the security just because of money, and we have to incentivize that spend and incentivize putting some of their resources into those partnerships. Mr. Strebe. I believe that the most basic level, working with some of your business customers or business owners to educate them on where they can find that information is very, very crucial. I can't really speak for everybody else out there. I can speak on behalf of our credit union. We have about a thousand business accounts, and we quite often, and we have a very professional IT staff, as the Doctor suggested, that if we have a member of ours or a small business of ours that asks us how do I do this or how do I do that, while we are not in the profession of trying to give them IT security advice, we recognize the fact that without them we have no meaning, and as a small credit union or not a small credit union, we are a medium-sized or a large credit union, as a credit union, we truly believe in trying to help our membership to the greatest extent possible, so I completely agree with the Doctor that if we can provide some framework information, some construct of where they can get the information, how they can get the information and from whom, that will be very, very valuable for us going forward. As a credit union, we will always help our membership, as I believe--while I can't speak for every credit union, I am pretty confident that I can speak for a lot of them that they would say any member of ours that wants a little bit of help in trying to understand some of the threats out there, we would definitely, definitely help them because we just feel that as a member-based organization, we need to do that. Mr. Beam. 
I would say the electric industry is a little different than some of the other small business groups in that we are currently regulated by the Federal Energy Regulatory Commission for reliability in cyber security, and so we have a clear place to go for clarification on cyber security issues. One thing I would like to emphasize as we consider new cyber security legislation is making sure you have that clear line of demarcation of one agency regulating one group and not having overlap. I think that will just cause confusion and really muddy the waters. But I would like to echo what some of the other panelists have said about the importance of the public- private partnership and the information sharing. I think that is really the key to improving our cyber security rather than through regulations. Chairwoman Ellmers. Excellent. Thank you so much. I am now going to recognize Ranking Member Richmond for his questions. Mr. Richmond. And I think I will just start with Dr. Schneck on this. The question becomes, and we heard the Congressman talk about just general computer hygiene. If that accounts for about four out of five of the security breaches that we have, then do you think that it is worthwhile for us-- or whether it has merit or it is too cost prohibitive for us-- to require almost like we do with some public service announcements to remind people of these very simple things that they can do to keep their information secure. If we can cut out 80 to 85 percent just by doing that, should we require, or do you have some ways that would incentivize people to provide that information when you go to Yahoo! or whatever you do online, to provide some of that simple hygiene information and to reinforce how important that is? Ms. Schneck. I absolutely agree that that basic hygiene will take care of a large percent of the issues. 
The analogy I would use is many years ago, Howard Schmidt used the analogy to seatbelts in cars and the process that it took to get people to use seatbelts. The other analogy that has been used is the forest fires. A lot of this goes back to education awareness that our colleagues at the NCSA do a great job of and others and certainly the credit unions that we have heard, but I want to also point out that that 20 percent is evil, that 20 percent that we can't catch with the hygiene that Representative Thornberry also mentioned. That is the part where very quiet attackers that don't want you to know that they are there, they are not looking for your bank information, they are looking to find exactly the people that sit on top of core intellectual property, whether it is recipes, oil field diagrams or diagrams for other parts, military, they will sit there until they find it, and they will send it home, and that is moving jobs, money, and markets across countries and companies, and that is the piece that we want to also incentivize companies and small companies, especially because they don't have extra money to invest in protecting that and to consider it part of the corporate risk, so I think it is twofold. One is it certainly is an awareness campaign, and NCSA has the Cyber Security Awareness Month with the government and does a lot of different things. I think we are a lot more--I sit on the ISPAB as well, and we were briefed on some of these efforts, and I think as a community we are a lot more aware now than we were before of cyber as an issue. I think this hearing is one example of that. But the other side is these very quiet attacks. We do need to incentivize our small businesses to protect what they have. What they have is key to our national security, and that can't be overstated. Mr. Richmond. 
Well, and part of my thinking was that if we can eliminate 60 to 80 percent strictly by information and being very creative, it would allow us and free up more money, more time, more energy to focus on those people who are going to try to do it no matter what all the time and are very sophisticated and evil with it. Anyone can answer this question, but how has cloud computing, I guess no pun intended, clouded our ability to protect ourselves? And I guess I just started to look at some of my new data in the office, and they talk about cloud computing, it just scares me to just have information floating out there. So how safe is it, and how has it complicated your jobs and our ability to keep the country safe? Ms. Schneck. I guess I will start. So the important thing is to protect data in motion, data at rest, and data in use. What cloud does is it outsources data processing, so it says that you are, to your point, you are sending your information somewhere else to be processed, and then it comes back so that you can view it, and the danger that people immediately sense is while it is not on my network and in transit and while the third party is holding it, is it protected? And these are the questions that have to get answered. The very, very beneficial side of cloud computing is that it is very efficient. You can package your computing processing power, you can have somebody else pay the bills for chilling the computing and doing the efficiencies, you can do high performance calculation, and the data comes back and it is a fraction of a price if you had a CPU on every machine, and that scales beautifully. So for small business, you can outsource a lot of your computing needs, and it ends up saving them a lot of money. 
The other side is they have to make sure when those data are in transit they are working with a third-party provider that is taking care of encrypting or protecting the identity or the data when it is in storage, when it is being processed, and certainly on its way back. A big advantage is that if you are using a good provider, whatever service it is, the high-end providers do have the million dollar budgets to secure things right, whereas the small businesses may not. So there are a lot of efficiencies and a lot of security built into cloud, even though it requires that we send our data offsite. Mr. Richmond. And this question would be for Mr. Kaiser. How important is it for us to deal with breach notification laws as opposed to the many different laws in the various States, and does it make sense and would it help the small business or businesses period for us to come up with a national standard for breach notification as opposed to having different laws in I think 48 States now that have them and small businesses that do business across State line having to, I would assume, to comply with all of them. Mr. Kaiser. Yeah, I think that at the end of the day, I think wherever we can have clarity for both businesses and consumers, that is a good thing, right, so people know what to expect when something happens and know what will happen if something happens, and how that gets accomplished I think could be done probably in a number of different ways, but I do think that clarity, you know, where, you know, because the data really lives everywhere because not only of cloud, but just the way the Internet works, you know, as a consumer, I am doing business with people all over the country when I am using the Internet, and small businesses are doing business all over the country. 
I think where we can have clarity about what will happen when a breach occurs and from both sides, both as a person whose information was lost and also as the person or business that lost the information, I think that is just helpful in general on a lot of these cyber issues, not only that, but also on education awareness, clarity about the message, those things help. It is kind of a confusing world out there, and there is a lot of different messages, so anything that helps that I think is good. Mr. Richmond. And my last question would be for Mr. Strebe, and that question would simply be, you mentioned the analogy-- the example of the liquor store that was very careless which exposed the credit union, I would assume, to I think you said $60,000 worth of repayments. Do you think legislation--is needed to clear up responsible parties or to figure out and help find who is responsible for data breaches and who shall reimburse the consumer at the end of the day or the person who sustains the loss? Mr. Strebe. I think with legislation you can create a framework that any small business can follow. When you look at things, we have talked about hygiene today. If they are not following simple hygiene and they are not doing a basic standard of care, I think responsibility can be held or liability can be pushed back on to a small business. If they take care of that or if they create or through legislation create a framework and create, you know, here is the exact things that you are going to do, and they follow that and they are not negligent, I think you could essentially hold them harmless for, you know, again, a due standard of care. Anytime somebody just completely thinks that data security and cyber security is off the radar screen for them and they think that they can push all of the responsibility back to us as a financial institution, I think that creates substantial challenges for us as a financial institution. 
In addition, I think it is really valuable from a reputation risk standpoint to understand that anytime there is some sort of compromise and we notify our members that what has happened, they automatically think it was us as a financial institution that was penetrated, and when that happens, we have to, we spend a lot of money trying to overcome that and trying to tell them that, well, it wasn't us, we can't disclose that to you, we can't make public who it actually was, and as a result of that, those costs are borne by us. So as I look forward, I do believe a construct or framework can create a basic standard of care that they are going to have to follow and things that they need to do, and if they are negligent in that, then they can be held responsible. You know, can you try to address every single item? I don't believe you can because, as was mentioned before, every time you try to solve one thing there are two more things that come on the horizon, and then you are just continuing to chase your tail. I just look at it and say there is some basic necessities in commerce today that have evolved over the past 10 years that a businessman really, really needs to grab hold of and make sure they are accomplishing. Mr. Richmond. Thank you, and I will yield back. Chairwoman Ellmers. I have one more question, and I am going to quickly, and it is all for the entire panel. Of course, we are hearing about the statistics of the frequency of the cyber attacks. In general, if you could give us an idea in your sector of business what that frequency is, how often, and how often do you receive information from the Federal or State government warning you of any particular upcoming threats that might be occurring? Starting with Mr. Kaiser. Mr. Kaiser. 
Yeah, we don't really deal in that kind of information between the industry and government, but I will say, just as a regular person who looks at the news every day, those threats, those attacks are happening all the time, and so we really need to be able to respond to them. Ms. Schneck. We see 66,000 new variants of malware every day in McAfee Labs, and that is only going up. And then if you take that and you look at the story across the sectors, those malware examples and variants are being used to do things such as steal the oil field exploration diagrams across the energy sector, and these are things that we have published. I think you ask a very important question, how much do we get from the government? Not much right now. And that could be because of framework, it could be because of the structure. We are active in, I would say, most of the major public-private partnerships, but the idea is that we actually share a lot more out with government. When we find things, we give as much to government, law enforcement, and all the way to State and local as we can, and looking at how we can do that more quickly, take the most actionable egregious information and get it to law enforcement faster is a challenge across, I believe, the entire business community, and the way this affects small business is that needs to get to them, and we are legally tied when it comes to sharing with the private sector. It is a little bit easier in some cases with government, but we need to get it back to those small businesses, and that is why from personal experience, I advocate that small businesses get with those partnerships. Mr. Strebe. In our case I cannot give you specific numbers. What I can tell you is, as a financial institution, we do this 24/7/365 times, however many years are in the future. We always have to do this. We are getting, I don't want to say hit, because that sounds like somebody actually penetrates us. 
We always see--we have a fortress or a cyber fortress that is built around our financial institution, and we always see people coming from all around the world trying to find vulnerabilities in our system and IP addresses that are open and they can try to penetrate our system. 24/7/365 times the future, that is exactly how many times we see it. It is always happening. Mr. Beam. As far as notifications from the government, NERC has a advisory system where they send out alerts. We have received 40 of those since 2008. Of those, the majority were advisories that were just advising us of a potential issue. Only a handful were things that required us to take action, but we did take action on those, and none of those was an imminent threat. They were a potential threat that you needed to take action to prevent. On the business side, we have our system divided into two completely separate networks. One controls the electric system, and one is the business system. The electric system is completely separate from the Internet. There is no connection. And so we have had no outside traffic ever able to get on to that system and cause any kind of malicious attack. On the other side, in 2011 alone, we got 74 million emails hit the firewall. Of those, only 16 million got through, and those in our internal review processes only allowed 4 million through to the actual end users as legitimate emails. So as everybody else has said, we are constantly getting things that are malicious in one way or another, be it spam or whatever, but they are not necessarily attacks from a foreign government of that type. As far as anything that was actually directed to the electric system in a malicious way, we have never had an attack that we are aware of. Chairwoman Ellmers. Mr. Strebe, have you in your industry, in the financial credit union world, does the Federal or State level of government, do you get notifications that there are imminent threats? Mr. Strebe. 
If I waited until I got the information from them, it would be way too late. Chairwoman Ellmers. So you are on top of it ahead of time? Mr. Strebe. We quite often end up sharing what is happening in our institution with other folks that are out there, yeah. We can't wait. We know before everybody else does because it is real time for us. Chairwoman Ellmers. Thank you, thank you. I just wanted to make sure I clarified that. And again, thank you to all of our participants, you know, panel 1 and panel 2. This subcommittee will continue to closely follow this issue. I want you to be aware of that and know that we are going to be working on this very issue. It is clear that there is no one-size-fits-all policy for cyber security. I look forward to working with my colleagues to make sure small businesses have the resources available to combat cyber attacks while not adding to any duplicative regulatory burdens. I ask unanimous consent that Members have 5 legislative days to submit statements and supporting materials for the record. Without objection, so ordered. This hearing is now adjourned. [Whereupon, at 2:26 p.m., the subcommittee was adjourned.] 