[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]
CYBER SECURITY: PROTECTING YOUR SMALL BUSINESS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON HEALTHCARE AND TECHNOLOGY
of the
COMMITTEE ON SMALL BUSINESS
UNITED STATES
HOUSE OF REPRESENTATIVES
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
__________
HEARING HELD
DECEMBER 1, 2011
__________
Small Business Committee Document Number 112-047
Available via the GPO Website: http://www.fdsys.gov
U.S. GOVERNMENT PRINTING OFFICE
72-810 WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
HOUSE COMMITTEE ON SMALL BUSINESS
SAM GRAVES, Missouri, Chairman
ROSCOE BARTLETT, Maryland
STEVE CHABOT, Ohio
STEVE KING, Iowa
MIKE COFFMAN, Colorado
MICK MULVANEY, South Carolina
SCOTT TIPTON, Colorado
JEFF LANDRY, Louisiana
JAIME HERRERA BEUTLER, Washington
ALLEN WEST, Florida
RENEE ELLMERS, North Carolina
JOE WALSH, Illinois
LOU BARLETTA, Pennsylvania
RICHARD HANNA, New York
NYDIA VELAZQUEZ, New York, Ranking Member
KURT SCHRADER, Oregon
MARK CRITZ, Pennsylvania
JASON ALTMIRE, Pennsylvania
YVETTE CLARKE, New York
JUDY CHU, California
DAVID CICILLINE, Rhode Island
CEDRIC RICHMOND, Louisiana
JANICE HAHN, California
GARY PETERS, Michigan
BILL OWENS, New York
BILL KEATING, Massachusetts
Lori Salley, Staff Director
Paul Sass, Deputy Staff Director
Barry Pineles, General Counsel
Michael Day, Minority Staff Director
CONTENTS
----------
OPENING STATEMENTS
Ellmers, Hon. Renee
Richmond, Hon. Cedric
WITNESSES
The Hon. William M. "Mac" Thornberry, U.S. House of Representatives (TX-13), Washington, DC
Mr. David Beam, Senior Vice President, North Carolina Electric Membership Corporation, Raleigh, NC
Mr. Glenn Strebe, Chief Executive Officer, Air Academy Federal Credit Union, Colorado Springs, CO
Dr. Phyllis A. Schneck, Chief Technology Officer Public Sector, McAfee, Inc., Reston, VA
Mr. Michael Kaiser, Executive Director, National Cyber Security Alliance, Washington, DC
APPENDIX
Prepared Statements:
The Hon. William M. "Mac" Thornberry, U.S. House of Representatives (TX-13), Washington, DC
Mr. David Beam, Senior Vice President, North Carolina Electric Membership Corporation, Raleigh, NC
Mr. Glenn Strebe, Chief Executive Officer, Air Academy Federal Credit Union, Colorado Springs, CO
Dr. Phyllis A. Schneck, Chief Technology Officer Public Sector, McAfee, Inc., Reston, VA
Mr. Michael Kaiser, Executive Director, National Cyber Security Alliance, Washington, DC
Questions for the Record:
None
Answers for the Record:
None
Additional Materials for the Record:
CompTIA Statement for the Record
Recommendations of the House Republican Cybersecurity Task Force
CYBER SECURITY: PROTECTING YOUR SMALL BUSINESS
----------
THURSDAY, DECEMBER 1, 2011
House of Representatives,
Subcommittee on Healthcare and Technology,
Committee on Small Business,
Washington, DC.
The Subcommittee met, pursuant to call, at 1:01 p.m., in
Room 2360, Rayburn House Office Building, Hon. Renee Ellmers
[chairwoman of the Subcommittee] presiding.
Present: Representatives Ellmers, Tipton, and Richmond.
Also Present: Representative Schilling.
Chairwoman Ellmers. Good afternoon, everyone. I am going to
go ahead and call this meeting to order. I would like to thank
everyone for being here joining us today on this very important
issue on cyber security. I would like to say a special thank
you to Representative Mac Thornberry and our panel of witnesses
that will be coming up in the second panel. We appreciate
everyone's participation.
Our Nation's digital infrastructure has become an essential
part of our everyday lives. It is difficult to imagine a world
without the Internet. It touches nearly every sector of the
United States economy, and it is critical to our national
security. According to the Federal Communications Commission,
over 97 percent of small businesses utilize the Internet to
increase their productivity and overall success.
On Tuesday, The Wall Street Journal reported that the
online sales for Cyber Monday rose to a record $1.25 billion.
This is an increase of 22 percent from last year and marked the
heaviest single day for online commerce ever. Despite this good
economic news, the growth of the Internet technology and e-
commerce has also attracted a growing number of cyber criminals
looking to steal sensitive information, including intellectual
property and personal financial information. These attacks can
be catastrophic, as you can imagine, leaving many businesses
unable to recover. Especially our small businesses.
Although we often hear about cyber attacks on large
businesses and institutions, a recent report shows the majority
of these attacks are on small firms. Small businesses generally
have fewer resources available to monitor and combat cyber
threats, making them easy targets for expert criminals.
Moreover, the sophistication and scope of these attacks
continue to grow at a rapid pace.
A recent report from the Office of the National
Counterintelligence Executive stated that tens of billions of
dollars in trade secrets, intellectual property, and technology
are being stolen each year by foreign nations like China and
Russia. As the leader in producing intellectual property, the
United States and small businesses will continue to be a
primary target for cyber criminals seeking an economic
advantage.
Adding to the uncertainty is the difficulty in which one
protects themselves online. Protecting our digital
infrastructure is complex, and no one agency or private
business can do it alone. It takes a true public-private
partnership to identify, combat, and share information
regarding these sophisticated cyber attacks.
Both the administration and Congress have recognized the
need to update certain laws and resources to better combat
cyber threats. The broad range of issues being considered
includes establishing a national standard of reporting a cyber
breach, strengthening the criminal statutes, and requiring some
private industries to develop cyber security plans.
We have heard small businesses' concerns about the
possibility of duplicative regulations, always regulations, as
many industries already have procedures in place to protect
third-party information. For example, a company in my district
called Diversified Information Technologies, which digitally
processes health care and insurance information, already
provides full compliance based on the Health Insurance
Portability and Accountability Act, or HIPAA. In considering
legislation, we should look to harmonize these regulations to
avoid any duplicative rules on small businesses.
There is no question cyber security is a real and major
threat to our Nation's economy, security, and everyday way of
life. Moving forward, I am confident that we can identify the
most efficient role of the public and private sectors to
protect small businesses and our Nation against cyber attacks.
Again, I want to thank all of our witnesses who are
participating today. I look forward to hearing the testimony on
how we can better assist small businesses against cyber
attacks. I now yield to the Ranking Member Richmond for his
opening statement.
Mr. Richmond. Thank you to the chairwoman and thank you to
everyone for coming to participate, especially to Congressman
Thornberry, who heads the Cyber Security Task Force, and the
recommendations that you all have made. So as a person who was
chair of Judiciary in the State legislature for 4 years, where cyber
security was under our umbrella, I can tell you that our States
are not as aware as they should be of the risk that is posed,
so it is a great thing that we are taking the lead on it and
that your task force is doing what it is doing. So thank you
for that.
Internet and telecommunication technologies have not only
changed how we communicate, but also how business is conducted.
America's 23 million small businesses are some of the savviest
users of technology by using the Internet to access new markets
to grow and to diversify. In fact, small businesses are the
driving forces behind further technological innovation, as they
produce about 13 times more patents per employee. However,
along with being connected comes being exposed to new threats.
Cyber threats can come in many forms, but they are all
devastating to both business owners and to their customers. A
single attack can wipe out a small business, which is why cyber
crime poses severe problems for small businesses that are not
prepared to mitigate this kind of risk.
According to studies, 40 percent of all threats are focused
on firms with less than 500 employees and reveal that a total
of nearly $86 billion annually is lost with companies incurring
an average of $188,000 in losses. Sadly, some small companies
fail to recognize the benefit of cyber security as an
investment until it is too late.
On the other hand, those firms that understand the
importance of such an investment often lack the resources to
implement an effective security system. The Federal
Communications Commission, the Department of Homeland Security,
and the National Institute of Standards and Technology, have
all embarked on efforts to offer Federal programs designed to
educate the public on computer security. It is worrisome that
despite the rise in cyberterrorism over the past few years and
the growing impact it has on small businesses, comprehensive
cyber security policy remains elusive. With 1.2 million people
employed at small companies in the New Orleans metropolitan
area, it is important to ensure that they are protected against
cyber crimes by keeping our Nation's cyber security, our cyber
infrastructure incorruptible. That is why I am cosponsoring the
Homeland Security Cyber and Physical Infrastructure Act as a
way to strengthen our infrastructure through research,
development, and establishment of innovative cyber security
technology. Like everyday Internet users, small firms are
exposed to cyber attacks and vulnerable to their malicious
effects.
Today's hearing will give us an opportunity to review
whether the increases in Federal investment in both financial
and personnel resources will have an impact on a small firm's
ability to mitigate their cyber risk. The testimony we hear
today will help us better understand what role the government
can play in educating the American public and the business
community about the security risks and challenges they face.
Your recommendations on the best ways to protect the Nation's
small businesses from this growing threat will be useful as we
move forward on addressing this issue. In advance of the
testimony, I want to thank all the witnesses for both their
participation and insight into this important topic. Thank you,
and I yield back.
Chairwoman Ellmers. Thank you to the ranking member. I will
say that if committee members have an opening statement
prepared, I ask that they be submitted for the record. I don't
have to explain the timing lights to our first panel of
witnesses. It is my pleasure now to introduce, again,
Congressman Mac Thornberry, who is our first witness, and he is
the Congressman of the 13th District in Texas. He currently
serves as the vice chairman of the Armed Services Committee,
where he also leads the Subcommittee on Emerging Threats. He
continues to serve the House Permanent Select Committee on
Intelligence as well.
Earlier this year, Congressman Thornberry was tapped by the
Speaker of the House and Majority Leader to spearhead a Cyber
Security Task Force to guide House legislation action on this
growing economic and national threat. On October 5th, the task
force released their recommendations, which have been well
received from Republicans and Democrats, the White House,
private businesses and other organizations. Thank you for being
here. We look forward to your testimony, Congressman.
STATEMENT OF THE HON. MAC THORNBERRY, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TEXAS
Mr. Thornberry. Thank you, Madam Chairwoman and ranking
member, Mr. Schilling. I appreciate the chance to be here. I
have submitted a written testimony, and if it is all right,
what I would like to do is just kind of summarize it into four
points.
One is, I appreciate you having this hearing. One of the
major findings of our task force is that there is a tremendous
gap in what is really happening and most people's awareness of
what is happening. That is true in the population, it is true
among Members of Congress, and our view is that first we have a
responsibility to educate ourselves and then try to help our
communities understand what a serious issue this is. I have
recommended that the Speaker and Minority Leader have a
classified briefing for all Members because I think all Members
really need to get a better understanding of what we are
facing.
Also, just as a test case a few weeks ago, I took a cyber
expert with me to my district, and in one town we had a special
meeting of the Chamber of Commerce, in another town, it was a
joint meeting of the Chamber of Commerce and the biggest
service club just to talk about this issue. He could answer the
technical questions, but just to try to raise awareness from
small businesses in my area, and I hope maybe that is something
that other Members may want to consider in the future.
The second point I would make, and both of you have made it
in your opening statements, small businesses are affected by
this. No one should believe that because I am a small business
in Amarillo, Texas, that I don't have to worry about it. It is
simply not the case. What we also have come to learn is that
not only are small businesses in the cross-hairs of those
seeking to perpetrate crime and steal intellectual property, a
lot of times small businesses are subcontractors that are used
to get to larger contractors. A lot of times increasingly, in
fact, lawyers and accountants are targets in order to get their
clients' records. So there is some careful planning going on
here, but small businesses are particularly in the cross-hairs,
and every time they steal intellectual property from a small
business, they are stealing jobs from the United States. So it
is obviously a national security issue, but as both of you have
rightly pointed out, it is also an economic issue that is very
important.
Third, I would say that this is a big, complicated issue
that Congress cannot solve in a single bill, and we shouldn't
try. I think you all have mentioned that it touches most
aspects of our lives, most aspects of business life these days.
Eighty-five, roughly, percent of the infrastructure we are
talking about protecting is owned by the private sector. So
government is not going to come in and solve all of this, but
we can take steps to help protect the country, and obviously,
that is what we need to do.
Fourth and lastly, the task force you have both mentioned
has made recommendations as far as a general framework on what
Congress could do during this session of Congress, and that was
the Speaker's instruction to us, don't try to solve all the
problems in the world, but look at what we can do that will
make a significant difference that could get passed during this
session of Congress, and our recommendations have drawn on a
lot of previous work that Members of both sides of the aisle
have done, but I have been pleased at the bipartisan support,
not only in the House, but from Senators, the White House has
spoken positively of it, so I think there is a real opportunity
to act here.
There are lots of differences we have between the parties,
between the different Houses of Congress on a variety of
issues, but this is one where I think we can work together, and
I think it is essential that we work together to try to begin
to take those steps in the right direction. So, again, I
appreciate your interest in it, and I will be happy to answer
any questions that I can answer.
Chairwoman Ellmers. Well, I definitely echo those comments
about the importance of us all working together in a bipartisan
manner on this issue, I think we all see the very important
aspects of it.
I just have a couple questions, and then I will yield to
Mr. Richmond, the ranking member. My first question for you,
Congressman, is the recent report from the National
Counterintelligence Executive Agency revealed that China and
Russia are behind a majority of cyber attacks, and that is
obviously deeply, deeply disturbing. In your opinion, how does
the small business, the small business that is out there right
now dealing with all of the issues with the economy, how can
these small businesses deal with these attacks right now, and
what and how should the United States respond to this as a
Nation?
Mr. Thornberry. I would say two things, and they are really
the central recommendations of our task force. Number one is
what is called good hygiene. It is the basic things that we all
know we should do but too often don't do, keeping our firewalls
up to date, our virus protection up to date, not having our
passwords underneath our mouse pads in our offices, which a
defense contractor told me he just went and checked in one of
his offices and found that was the case in a large number of
his employees, and the task force received information from a
variety of witnesses saying roughly three-fourths of the
malicious stuff out there on the Internet could be stopped if
we all did the basic stuff we know we are supposed to do. You
know the reason they call it good hygiene because it is kind of
like washing your hands and coughing in your sleeve and getting
enough sleep and drinking enough water, the basic things that
keep us healthy, it can keep the Internet healthy, too. So
small businesses, you know, it doesn't take a lot of money, but
you need to do the stuff you know you should do.
Secondly, though, when you talk about Russia and China, if
Russia and China are targeting somebody, good hygiene won't be
enough, and so our second central recommendation is to update
some laws to allow information sharing that where we can use
especially Internet service providers to help defend us against
these more sophisticated threats. And so I think you have got
to do two prongs: Basic hygiene, but also update our laws so
that we can bring all the resources of government and the
private sector to bear against these more sophisticated
threats.
Chairwoman Ellmers. Thank you. My next question for you,
there again, comes from our small business owners, and they are
basically saying that, you know, one of the big issues, and we
hear this repeatedly, is the threat of regulations and dual
regulations, especially those industries defined as critical
infrastructure. This is a two-part question here. First, has
this issue been adequately addressed, and in your opinion, do
you believe that small businesses should be subjected to the
same regulations or Federal standards as larger businesses
regarding cyber security compliance?
Mr. Thornberry. It certainly has not been adequately
addressed, and I think this gets to where there is a difference
of opinion between the White House proposal that came out in
May and the task force recommendation. The White House
recommended basically that critical infrastructure businesses
develop a cyber security plan which would be sent to the
Department of Homeland Security for evaluation and kind of a
thumbs up or thumbs down. Our view was that we ought to rely on
existing regulators, so for the electric industry, FERC, and
NERC and the existing regulators, the Nuclear Power Regulatory
Commission for nuclear power plants, et cetera. In other words,
these structures are in place, they help understand the fuller
spectrum of what these businesses are dealing with, and they
need to put a greater emphasis on cyber security.
Now, we are going to have to work through how to do that,
but I think I am concerned, as you mentioned, about layering
additional regulations, particularly on small businesses that
have a difficult time affording what they have got now.
Chairwoman Ellmers. Thank you. Thank you for outlining
that. There again, you know, having to report to more than one
agency, each of these different duplicative just adds to the
cost of doing business as well, so----
My last question, in actually talking about Federal
agencies, of course, Federal agencies play a key role in
protecting against cyber attacks. Considering our committee,
Small Business Committee and its jurisdiction, what do you
think the appropriate role is for the Small Business
Administration?
Mr. Thornberry. My sense is the most valuable thing is the
awareness and help small businesses have the tools to know how
to defend themselves, and if you can do that where you don't
have to go hiring an outside consultant or so forth, if you can
just help direct small business to the kinds of things they
need to do with that good hygiene we were talking about, I
think that would be a tremendous help to small business, but
again, when you help all those small businesses, you are also
helping the whole Internet because you reduce the clutter that
is out there, and that helps the more sophisticated entities
target those more sophisticated threats.
Chairwoman Ellmers. Thank you so much for answering my
questions. I am going to yield now to Mr. Richmond for his
questions.
Mr. Richmond. Thank you, and I will try to start where you
are leaving off when we talk about education and awareness as a
cost-effective way to reduce our cyber breaches. The task force
suggested the basic technology tools, industry best practices,
and education could eliminate about 85 percent of the cyber
threat. I think you just hit on most of it, but what else
besides the good hygiene and the other recommendations can we
do to further push for a reduction and further accomplish a
reduction in cyber attacks?
Mr. Thornberry. Well, one of the key areas, we believe, is
that we need to provide some voluntary incentives so that as a
CEO is trying to figure out where his money goes, that more of
his attention and perhaps more of his money goes to defending
that business against cyber attack.
Now, again, there are some differences. There are some
people who have made proposals on a more directive regulatory
approach. Our view was you can't have one size that fits all,
but a variety of incentives, whether it is the Tax Code,
whether it is SEC regulations, which actually they came out
with one a couple weeks ago that requires greater attention be
paid to cyber.
I think that sort of thing, we have got to elevate this
issue in the consciousness not only of Members of Congress, the
American people, but of businesses, and some incentives,
financial incentives, I think--we think help accomplish that,
even though we did not try to put out a laundry list of what
they all are, and suggestions that you all may have,
particularly for incentives that would be effective for small
business, I think, would be very welcome as we move through
this process.
Mr. Richmond. Another thing, one of the recommendations was
in the Federal procurement process, to require security
technology processes and performance management in the
government IT process. Since we are sitting on Small Business,
one concern that immediately pops up is the cost associated
with it and how would it put small businesses at a disadvantage
compared to other businesses in the procurement process for
government contracts.
Mr. Thornberry. It is a good point. I think our view was,
the government is a big customer, we ought to be a good big
customer in what we buy, in other words buy things that are
more secure, but also I think what one finds out is a lot of
innovation in this area is being done by small business,
innovation in enhanced security. So I think, if we can put a
higher priority on security that small business, particularly
small business innovators will benefit from that. They should,
and I hope so.
Mr. Richmond. I am glad you brought up the role that small
businesses play in the technology aspect of it. The Federal
Government is spending an enormous amount of money, and we are
spending more every year, on cyber security. What niche, or
what way do you see small businesses being able to participate
on the technology side of helping us get ready, combat or fight
off cyber attacks?
Mr. Thornberry. I think we were just touching on it. A lot
of the innovation that goes on is in small business start-up
businesses, and the Federal Government in its procurement has
to be nimble enough to take advantage of those advances, and
that is obviously a challenge. And a second area that we
touched on is, the Federal Government spends a lot of money on
research in cyber. We ought to make sure the money we spend on
research in cyber is not taking the place of money that private
industry is spending on cyber. In other words, displacing some
small business that is putting their resources out there, we
ought to be complementary, more basic research that everybody
can benefit from rather than researching things that, you know,
that put a small business potentially out of business.
Mr. Richmond. And just a few more. When you talked about
information sharing earlier, of course it raises questions of
privacy concerns. One question that would quickly pop up in my
mind is in an information sharing arrangement, for the person
whose information is then leaked or who has his life or
business turned upside down because of it, how do we address
liability in that question and who ultimately would bear the
responsibility?
Mr. Thornberry. It is, in many ways, kind of a central
question to making this work, you are exactly right. What we
recommended in the task force was creating a separate entity
apart from government where information could be shared so
that--and I will just take the car industry. For example, Ford
and GM could bring their information to this place to share.
They may want to sanitize that information so you don't have
particular individuals' names and so forth, but they could
bring the information that we are getting attacked from here,
we are getting attacked from there, threat information could
come together.
At the same place you would have government classified
information brought in so that you can have this whole fuller
picture, at least, of the nature of the threat with appropriate
classified safeguards so that we do not lose important national
security information, and then ideally, that information could
be acted upon by Internet service providers, so you accumulate
this threat information, and AT&T and Verizon can use that
information to protect big businesses and small businesses
eventually, hopefully.
I mean, that is kind of the concept that we talked about,
but you are absolutely right that privacy has got to be built
in every step of the way and that if we don't, the American
people are not going to go for it, and we will not be able to
advance cyber security.
Mr. Richmond. And the last question is hopefully a short
answer, but nowadays with iPads, iPhones, Androids, so between
the smartphone and the tablet, they are becoming business
instruments for many people, especially small businesses. What
is your assessment of what cell phone companies and those
companies are doing in terms of making sure that there are
adequate safeguards in place for threats on those smart
devices?
Mr. Thornberry. As they multiply, the potential entry
points for attacks of some sort multiply as well, and I don't
think there has been nearly enough attention by the software
companies, the hardware companies or us as individuals into
safeguarding these little devices that we all carry around with
us.
But I will say, from the Armed Services Committee
standpoint, we are going to start issuing some of these devices
to soldiers in the field, and so we have got to figure out from
a government standpoint how we make sure they are secure, and
hopefully that can start a trend towards greater security for
all of these devices.
Mr. Richmond. And I am glad you mentioned that, and this
will be the last question.
Chairwoman Ellmers. That is fine.
Mr. Richmond. What you just said scares me because I think
of my smartphone and the fact that it has great capabilities
where parents can use the GPS feature on their children's
smartphone to see where they are, the first question in my mind
becomes whether the technology is there, whether the companies
have the ability to make sure that we are not giving away the
coordinates and where our soldiers are, but, you know, so do
you think that--and I know that our military and our leaders
would address those things, but those types of concerns, we
just have to make sure that those cell phone providers and
those are very wary of those, especially as more and more--and
we talked about troops, but especially as more and more
children have cell phones, we have to worry about the cyber
attacks. We also have to worry about our hardened criminals
using technology to find our children and so forth.
So that is one thing we have to keep pushing on our
industries and our companies, to make sure that they understand
to some extent there is a moral responsibility with making sure
that the phones are as safe as possible in that respect. So
thank you for what you do, Mac, and thank you to the Chairwoman
for allowing me a little extra time. Thank you.
Chairwoman Ellmers. Well, thank you. Those were excellent
questions, excellent questions, and excellent responses. This
is quite an opportunity today.
At this time, I would like to recognize Mr. Schilling from
Illinois, if he has any questions.
Mr. Schilling. Yes, thank you, Chairwoman. I think I agree
with Mac here, with Congressman Thornberry I should call him,
is this is something that really needs to be addressed, and,
you know, as I go into some of the hearings that we have been
in, some of the briefings, you know, I don't really feel a
sense of urgency out here in Washington, D.C. when it comes to
the cyber attacks that we are already dealing with, and then
the future ones that are coming, and being a small business
owner myself, you know, of course, one of the things that I
always fear is when I hear the government is going to get into
and then they are going to throw something else upon my small
business that is already struggling, things like that, so I
think that is something we definitely need to work on.
One of the things I was curious is, where is, like,
leadership, for example, on maybe having briefings with the
Democrats and Republicans here to where we can get the message?
And I really appreciate, just the idea that you had of going
out to the Chambers and speaking to the small businesses
because this is a real threat, and I think down the road, this
is going to be something that we are going to have to really
pay a lot of attention to. So several different----
Mr. Thornberry. I think there is a good chance it will
happen. As I mentioned, I recommended to the Speaker, I know
Jim Langevin talked to Mrs. Pelosi's office about jointly doing
this. Obviously, I think you are right, generally there is not
the sense of urgency. For people like the Speaker, the
President, and the Majority Leader in the Senate who have had
every day or every week get classified briefings, they are
pretty fired up about this, and see the urgency of doing
something. So I am hopeful we can do that, and I think it would
help all Members to get a little fuller picture of what we face
every day.
Mr. Schilling. Very good. I do like the message you have,
also when we do do something, is it something that is going to
complement somebody that is already working on something, not
trying to take something that maybe a small business is working
on. So that is all I had. Thank you.
Chairwoman Ellmers. Great. Thank you. At this time I would
like to recognize Mr. Tipton from Colorado.
Mr. Tipton. Thank you, Chairwoman, and Congressman, thanks
for your leadership on this obviously very important issue. I
haven't had an opportunity to obviously be able to go through
your entire task force report, but in there, it states that 85
percent of the issues, cyber issues can be cleaned up with
hygiene, and I was wondering, is there a way to be able to
really accomplish this without driving up some of the costs
that small businesses are really going to be bearing? Any
estimates on that?
Mr. Thornberry. Well, I think you can do it with incentives
and encouragement. Maybe you don't get all 85 percent. Maybe
you get 80 percent. But I think increasingly, small businesses,
like all businesses, are going to have to understand that if
their customer records are stolen and misused, they may have
some responsibility for that, and so I think we are better off
in structuring things where it is self-interest to put a higher
priority rather than government mandating how it should be
done. Among other things, the threats move so quickly, there is
no way the government can regulate in this area. It just
evolves so fast. But as in some other areas, physical safety,
for example, everybody has to have insurance, sometimes you
have an insurance agent come and inspect your physical plant to
determine your rates and so forth. That is the sort of
incentive, I hope, that we can get going.
Mr. Tipton. Great. And I apologize for being late, and if
you have already answered this, but I was also curious where
you had noted that a number of our small businesses are
developing new technologies that are being hacked and the next
day they know it is out on to the street, are there any
estimates in terms of how much that is costing the U.S.
economy?
Mr. Thornberry. I don't know of any good estimates. You
have a wide range of numbers about the value of the information
being stolen every day, every year from our economy, but we did
hear specific instances of small businesses who discovered that
they were hacked and information, where there was a formula, a
blueprint, something was taken from their computers, and a few
months later that exact product shows up on our shores with
``Made in China'' stamped on the back. Now the problem is they
knew they were hacked. How many are out there that don't know
that the information was ever stolen from them. So that is part
of the reason we believe we have got to make this a bigger deal
for everybody.
Mr. Tipton. Exactly. Again, thank you for your leadership.
Madam Chairman, yield back.
Chairwoman Ellmers. Thank you. Again, I would like to thank
Congressman Thornberry for his leadership and insight on this
issue. We will continue to work closely with his office and the
task force on developing legislation that assists small
businesses in combating cyber security. Thank you so much. It
was a pleasure.
I would like to call the second panel now to the table.
Wonderful, let's go ahead and get started. I would like to
take the opportunity right now to just explain to you the
timing lights. You will each have 5 minutes to deliver your
testimony. The light will start out as green. When you have 1
minute remaining, the light will turn yellow. Finally, it will
turn red at the end of your 5 minutes, and I ask that you try
to keep to that limit, if possible, although, you know, I am
usually pretty flexible with that within reason. Within reason.
Thank you all for being here. Again, this is a great
opportunity. It was certainly wonderful to hear from
Congressman Thornberry. He has done so much work on this, and
now from the business aspect, you know, we get to hear your
side of it. So, again, thank you so much for being here today.
I am going to take the opportunity now to introduce our
first witness, Mr. David Beam. Before I do, though, I do want
to say that at some point we may be called for votes, and what
we will do at that time is we will interrupt, we will kind of
decide what time frame we are looking at, and then we will come
back and pick up again later, okay?
So our first witness is Mr. David Beam. He is the senior
vice president of Corporate Strategies for the North Carolina
Electric Membership Corporation in Raleigh, North Carolina.
David has over 30 years of experience in the electric utility
industry. In his current role, he oversees their energy risk
management and regulatory compliance, including cyber security.
David earned his Bachelor of Science in mechanical engineering
from the University of Kentucky and his MBA from the University
of North Carolina Chapel Hill. He is testifying on behalf of
the National Rural Electric Cooperative Association.
STATEMENTS OF DAVID BEAM, SENIOR VICE PRESIDENT, NORTH CAROLINA
ELECTRIC MEMBERSHIP CORPORATION, ON BEHALF OF THE NATIONAL
RURAL ELECTRIC COOPERATIVE ASSOCIATION; GLENN STREBE, CHIEF
EXECUTIVE OFFICER, AIR ACADEMY FEDERAL CREDIT UNION, ON BEHALF
OF THE NATIONAL ASSOCIATION OF FEDERAL CREDIT UNIONS; PHYLLIS
SCHNECK, CHIEF TECHNOLOGY OFFICER PUBLIC SECTOR, MCAFEE, INC,
ON BEHALF OF THE SOFTWARE & INFORMATION INDUSTRY ASSOCIATION;
AND MICHAEL KAISER, EXECUTIVE DIRECTOR, NATIONAL CYBER SECURITY
ALLIANCE
Chairwoman Ellmers. Welcome, you have 5 minutes to present
your testimony.
STATEMENT OF DAVID BEAM
Mr. Beam. Chairman Ellmers, and Ranking Member Richmond,
thank you for inviting me to testify on cyber security impacts
on small businesses. My name is David Beam, and I am senior
vice president of Corporate Strategy for North Carolina
Electric Membership Corporation, or NCEMC. NCEMC is a
generation and transmission cooperative providing wholesale
power and other related services to 25 of the 26 electric
cooperatives incorporated in North Carolina. NCEMC is
responsible for reliability in cyber security compliance, for
its own critical assets as well as those belonging to its
members. These assets include generation and transmission
facilities and the associated protection equipment and
procedures. All of our distribution cooperatives that own NCEMC
are small businesses. I would like to acknowledge the National
Rural Electric Cooperative Association. NRECA is our national
trade association representing over 900 cooperatives
nationwide, providing electricity to 42 million consumers in 47
States.
Today I will cover the following: The bulk power system and
how it is separate from the distribution system, the origin and
purposes of the North American Electric Reliability
Corporation, or NERC, how we comply with NERC reliability and
cyber security standards, and our views on the potential
impacts of new legislation. I would also like to commend the
work of Speaker Boehner's Cyber Security Task Force and the
leadership of Representative Mac Thornberry.
Generally speaking, NERC's standards apply to the bulk
power system which includes generation and transmission assets
operated at voltages of 100 kV or higher. Distribution
facilities receive power from the bulk power system and
transmit it to retail consumers. Because outages at the
distribution level generally do not pose a threat to the bulk
power system, NERC standards don't typically apply to
distribution lines and substations. Contrary to popular belief,
hackers cannot easily access the telecommunications systems
that overlay parts of the bulk power system. Utilities have
comprehensive cyber security systems to protect against
malicious attacks.
Congress created a mandatory enforceable reliability
standards regime for the bulk power system in the Energy Policy
Act of 2005. NERC is an industry-funded, self-regulatory
organization. Its purpose is to regulate reliability and cyber
security standards. It also audits compliance and has
enforcement authority over those standards. NERC and the
Federal Energy Regulatory Commission or FERC can fine utilities
that violate these standards and have done so. Additionally,
FERC can direct NERC to develop new or revised reliability
standards.
Congress created a stakeholder-driven process, recognizing
that utility owners and operators best know how to provide
reliable electric service and how our complex systems are
designed and operated. We want to preserve this process.
NCEMC follows exacting procedures to ensure NERC
compliance. Our goals are awareness and commitment to
compliance by all employees, prompt detection, cessation, and
reporting of violations, and effective remediation measures
should violations occur. NCEMC has devoted significant
financial and human resources to ensuring reliability in cyber
security. We employ a full-time compliance coordinator whose
sole responsibility is managing compliance with reliability and
cyber security standards. In addition, NCEMC employs a
compliance team of subject matter experts who are responsible
for compliance with their assigned cyber security and
reliability standards. NCEMC also uses outside contractors to
audit and provide recommendations for improving our compliance
program. Additionally, at least one employee for each
distribution cooperative is responsible for compliance with
reliability and cyber security standards.
We employ strong defensive measures to protect our network
and business systems. We have strict security guidelines for
securing the network and systems, including policies that
govern the access and use of its network and systems. NCEMC and
NRECA believe NERC processes work very well. The process could
be strengthened by narrowly targeted legislation that lets the
Federal Government react quickly to severe, imminent cyber
threats and increases timely actionable information flowing to
utilities. Any new legislation should cover only assets and
systems which are realistic targets of cyber threat and which
could truly impact the bulk power system. Casting too wide a
net could bring entities, like distribution co-ops and other
small businesses, under potentially very burdensome regulatory
requirements with little or no benefit to grid security.
Thank you for the opportunity to testify today. I look
forward to answering your questions.
Chairwoman Ellmers. Thank you, Mr. Beam.
Chairwoman Ellmers. I now yield to Congressman Tipton for
the introduction of our next witness.
Mr. Tipton. Thank you, Chairwoman. It is my pleasure today
to be able to introduce Mr. Glenn Strebe. He is the chief
executive officer of the Air Academy Federal Credit Union in
Colorado Springs. He oversees full operations of nine credit
unions, including oversight of their compliance and security
issues. Glenn received his Bachelor of Science from the U.S.
Air Force Academy, my son-in-law is also a graduate of the
Academy, and an MBA from the Colorado State University. He is
testifying on behalf of the National Association of Federal
Credit Unions, and Glenn, welcome, and we look forward to your
testimony.
STATEMENT OF GLENN STREBE
Mr. Strebe. Thank you. Good afternoon. Chairwoman Ellmers,
Ranking Member Richmond, and members of the subcommittee, my
name is Glenn Strebe, and I am testifying today on behalf of
the National Association of Federal Credit Unions, or NAFCU.
Thank you for holding this important hearing. I appreciate the
opportunity to share my views on cyber security and data
security at our Nation's credit unions. NAFCU supports efforts
to enact comprehensive data and cyber security measures to
protect consumer data. Credit unions and other financial
institutions already protect data consistent with the
provisions of the 1999 Gramm-Leach-Bliley Act. Unfortunately,
there is no comprehensive regulatory structure similar to what
was put in place for financial institutions under Gramm-Leach-
Bliley for other entities that may handle sensitive personal
and financial information. Consistent with Gramm-Leach-Bliley,
the National Credit Union Administration established
administrative, technical, and physical safeguards for credit
unions to ensure the security, confidentiality, integrity, and
proper disposal of consumer information and other records.
Every credit union must develop and maintain an information
security program to protect data. Additionally, the rules
require third-party service providers that have access to
credit union data take appropriate steps to protect the
security and confidentiality of this information. Gramm-Leach-
Bliley and its implementing regulations have successfully
limited data breaches among financial institutions. I have
outlined the specifics of the Act in my written testimony.
At Air Academy Federal Credit Union, we are relentless in
our efforts to protect sensitive data. The increased reliance
on Internet-based services has created new challenges and
expenses over the past decade. With over a quarter of our
members living out of State, a large number of our transactions
are performed online. In order to address this growing trend,
Air Academy has implemented and continues to execute security
measures on many different levels, the details and costs of
which are outlined in my written testimony. At Air Academy, we
take cyber security seriously. We use an ethical hacker that
tests our security measures, looking for hidden
vulnerabilities. Our laptops and thumb drives are encrypted in
case they fall into the wrong hands. We change penetration
testing vendors as well as our service providers every 2 or 3
years to avoid complacency and to keep a fresh set of eyes on
our security system. While all of these steps are costly, they
are best practices. Despite Air Academy's efforts, the
inadequate security systems of other entities still leaves our
members' data vulnerable to hackers and thieves.
Everyone has heard about large national data breaches that
impact millions of payment cards, but many breaches are small
and on the local level. For example, in 2009, a local liquor
store failed to protect card data because they claimed no
liability. We suffered over $60,000 in losses. Data breaches
are a serious problem for consumers and businesses.
Financial institutions such as credit unions bear a
significant burden as they incur steep losses in order to
reestablish member confidence after a data breach occurs. NAFCU
has developed a list of items we would like to see addressed in
any data security bill. They are outlined in detail in my
testimony and include: Payment of breach costs by breached
entities; national standards for safekeeping of information;
disclosing of data security policy at point of sale; requiring
disclosure of the breached entity; enforcement of prohibitions
on data retention; and timely notification of account servicer
when a breach occurs.
In conclusion, NAFCU supports new measures to protect
consumers' financial data. Creating a comprehensive regulatory
scheme for those entities that currently have none is critical.
A safe harbor for financial institutions already in compliance
with Gramm-Leach-Bliley should be included in any data security
bill. Further, if more regulations are needed to address new
concerns, it should be the functional regulators that are
charged with promulgating new rules. Finally, any other party
that holds sensitive information should be held liable when
responsible for a data breach.
Thank you again for the invitation to testify before you
today. I would welcome any questions you may have.
Chairwoman Ellmers. Thank you, Mr. Strebe.
Chairwoman Ellmers. I now yield to Ranking Member Richmond
for the introduction of our next witness.
Mr. Richmond. Thank you, Madam Chairwoman. It is my
pleasure and honor to introduce to everyone Dr. Phyllis
Schneck, who is the chief technology officer for the public
sector at McAfee, a leading provider of cyber security
software. Ms. Schneck received her Ph.D. in computer science
from Georgia Institute of Technology where she pioneered the
field of information security and security-based high
performance computing. In addition to her role at McAfee, she
currently serves as the chairman of the board of directors of
the National Cyber Forensics and Training Alliance. Ms. Schneck
was named one of the top 25 women leaders in information
security, and she also holds three patents in high performance
and adaptive information security. Welcome, Ms. Schneck. I am
sorry, Dr. Schneck.
STATEMENT OF PHYLLIS A. SCHNECK
Ms. Schneck. Thank you. Good afternoon, Chairwoman Ellmers,
Ranking Member Richmond, and members of the subcommittee. I am
Phyllis Schneck, vice president and chief technology officer
for the global public sector for McAfee, testifying today on
behalf of the Software & Information Industry Association. SIIA
is the primary trade association of the software and digital
information industry, with more than 500 members that develop
software and electronic content for consumers, business,
education, and the Internet. McAfee, Inc., protects businesses,
consumers, and the public sector from cyber attacks, viruses,
and a wide range of cyber security threats. We are the world's
largest dedicated cyber security technology company and a
proven force in combating the world's toughest security
challenges. McAfee is a wholly owned subsidiary of the Intel
Corporation.
We appreciate the subcommittee's interest in cyber security
as it affects small business, which plays such a large part in
our Nation's economy. While small business falls prey to the
same security risks as large business, most small firms cannot
afford a dedicated security staff nor do they have a million
dollar budget to purchase enterprise security solutions.
Nevertheless, small companies must meet the same security and
compliance requirements as Fortune 500 firms, just to remain in
business.
The importance of small business to the national economy
cannot be overstated. According to the Small Business
Administration, small firms represent 99.7 percent of all
employer firms. They have generated 65 percent of new jobs over
the past 17 years, and as Ranking Member Richmond mentioned
earlier, they produce an order of magnitude more patents per
employee than even the large patenting firms.
Today's cyber threats are more sophisticated and targeted
than ever. They are growing at an unprecedented rate. McAfee
Labs finds, for example, that both malicious URLs and malware,
they have grown almost sixfold in the past 2 years, and in 2010
we saw more malware than in all of the years previously.
One of the most insidious cyber attacks is a low level
incursion, it sinks below the radar, quietly exploring and
stealing the contents of the network. Security professionals
call this an advanced persistent threat or an APT, and McAfee
has uncovered several over the past year, the most recent,
shady RAT, has been stealing valuable intellectual property
from more than 70 organizations across 14 countries, including
small firms in addition to government contractors, nonprofits,
and government agencies. And this is not an isolated incident.
A 2010 survey found that 60 percent of organizations report a
chronic and recurring loss of sensitive information.
More than a million small businesses and retailers were
victims of some type of information theft in 2010, with 56
percent of small and midsized businesses experiencing this type
of banking related fraud in 2010 and 75 percent of it coming
from online sources. Among small businesses falling prey to
bank fraud, 61 percent were victimized more than once.
We are only as secure as our weakest link. To further help
small business, we recommend three guiding principles to make
the cost of security most effective. Practice risk management
first. Next, minimize the amount of sensitive information
retained in the network; and, third, invest in the appropriate
level of security.
Finally, we have some policy recommendations. A heavily
regulated approach would not necessarily make organizations
more secure. It makes them more compliant. And it would stifle
innovation. On the other hand, positive incentives and
subsidies have a high probability of success in two ways:
First, a higher chance of better actual outcome; and secondly,
a higher probability of good legislative success. There are a
variety of proposed approaches founded on incentives, including
the recommendations that we heard earlier from Representative
Thornberry of the House Republican Cyber Security Task Force
and some promising approaches on the Democratic side.
We support the following approaches:
Litigation and legal reform. Imposing limitations on
liability for damages as well as for noneconomic loss would
remove a serious obstacle to information security investment,
such as the risk of being held responsible for losses
notwithstanding a company's good faith investment in good cyber
security.
Public-private partnership on information sharing.
Departments of Defense and Homeland Security manage many
public-private partnerships, McAfee plays a key role in
several. These partnerships ensure that senior corporate and
government officials share vital information and best
practices, and they are especially important for small
businesses.
Competition, scholarships, research and development help
identify and recruit talented individuals that foster
innovation in advanced basic and applied solutions and bring
those individuals to the cyber security workforce.
Tax incentives. Accelerated depreciation or refundable tax
credits should be considered to encourage critical
infrastructure industries to make additional investments in
cyber security technologies, solutions, and human capital. The
same approach could be effectively applied to small business.
Insurance reforms. Because of the lack of actuarial data,
government should consider implementing reinsurance programs to
help underwrite the development of cyber security insurance
programs, which could be phased out as insurance markets gain
the cyber security coverage.
In conclusion, let me emphasize that collaboration and
cooperation between the public and private sector are key to
addressing cyber security in a holistic way. Thank you for your
interest, and I will be pleased to answer any questions.
Chairwoman Ellmers. Thank you, Dr. Schneck.
Chairwoman Ellmers. I have the opportunity now to introduce
our last witness for today, Mr. Michael Kaiser. He is the
executive director of the National Cyber Security Alliance,
NCSA, in Washington, D.C. The NCSA is a nonprofit organization
focused on educating and promoting awareness of safe cyber
security practices to individuals, education institutions, and
small businesses. They recently conducted a study analyzing
small business cyber security practices. Welcome, Mr. Kaiser.
You have 5 minutes for your testimony.
STATEMENT OF MICHAEL KAISER
Mr. Kaiser. Thank you, Chairwoman Ellmers and Ranking
Member Richmond, and members of the subcommittee. Thank you for
the opportunity to testify today on this very important current
state of cyber security in small business. My name is Michael
Kaiser, and I am the executive director of the National Cyber
Security Alliance. NCSA is a nonprofit organization, a public-
private partnership working with industry leaders, government,
and nonprofits on education awareness issues in cyber security.
NCSA's board of directors is comprised of representatives from
18 companies, ADP, AT&T, Bank of America, Cisco, EMC, ESET,
Facebook, General Dynamics Advanced Information Systems,
Google, Intel, Lockheed Martin, McAfee, Microsoft, PayPal,
SAIC, Symantec, Verizon and Visa.
NCSA leads cyber security education and awareness in this
country. We lead critical efforts, such as the STOP. THINK.
CONNECT. campaign, which we developed with the Anti-phishing
Working Group and industry and government and which the
Department of Homeland Security leads in the Federal
Government. We have developed National Cyber Security Awareness
Month, we are working on Data Privacy Day, and we operate
StaySafeOnline.org, our Web site. NCSA recently signed an MOU
with the Department of Education and NIST to lead the National
Cyber Security Education Council, a public-private partnership
to address formal cyber security education from basic education
all the way through to degrees and workforce training programs.
We have a long track record in conducting surveys about the
practices of individual small businesses and the state of cyber
security in U.S. schools.
In October, we released the results of a study conducted in
conjunction with Symantec about the cyber security practices of
small businesses. We found that businesses still don't have
good practices and policies in place, allow risky behavior, and
in general, fail to take a strategic approach to cyber
security, leading unfortunately to a false sense of security.
We found actually that businesses are becoming more reliant on
the Internet. Two-thirds say that their business is dependent
on the Internet for day-to-day operations and also two-thirds
say they have become more dependent on the Internet in the last
12 months. A majority, 57 percent, say that the loss of
Internet access for 48 straight hours during a regular business
week would be disruptive to their business.
We learned that businesses actually have critical
information on hand. Sixty-nine percent report handling
customer data, half deal in financial records and reports, one-
quarter have their own intellectual property, which we have
been discussing a lot today, and actually one-fifth have the
intellectual property of other people in their business, which
I think is something we have to be concerned about as well.
We discovered that small businesses aren't creating an
environment that promotes cyber security. Seventy-seven percent
do not have formal Internet security policies for employees,
and nearly half of those don't even have informal cyber
security policies for their employees. Sixty-three percent
don't have policies that relate to the use of social networks
in the workplace, and two-thirds allow the use of USB devices
in the workplace. These are general risk factors that we are
aware of.
Unfortunately, these data show that the entire small
business ecosystem is at risk, and we look at it that way a
lot. We need to reach every small business with information
that will help them protect their digital assets. Cyber
criminals, as has been mentioned here, are well aware of these
vulnerabilities, and small businesses have become a primary
target for them. Forty percent of all targeted attacks are
directed to businesses with less than 500 employees, and
roughly 60 percent close within 6 months of a cyber attack. It
is tough enough for small businesses to make and thrive, we
shouldn't also be losing them to cyber criminals. There is no
single government agency, nonprofit group that can take on--
company, government agency or nonprofit group that can take on
this vast issue alone or reach every small business. Working
together with a broad array of stakeholders, leveraging
resources, sharing the responsibility is our best hope for
success.
Based on this thought of a collaborative approach, here are
some ideas that we have about what we could do. Create a
harmonized message in a campaign, like STOP. THINK. CONNECT.
that can be deployed by key stakeholders. That would go a long
way to clarifying for business owners what they need to do, and
it would come from trusted sources.
Align forces within the Federal Government to support small
businesses. Many Federal agencies have an interest in helping
small businesses grow and protect their digital assets. At
minimum, the Small Business Administration, the Department of
Commerce, the FTC, the FCC, the Department of Homeland Security
should participate, but others such as the Department of
Defense and the IRS that work and touch small businesses should
be involved as well.
Engage local communities in the effort. Small business
owners are likely to listen to their local peers. A few
forward-thinking communities, such as Washtenaw County,
Michigan, San Diego, California, San Antonio, Texas, and
Colorado Springs have started efforts to make their communities
more cyber secure, and they have all prioritized small business
as a key target in their communities to make that happen.
Support education reform that leads to a more cyber capable
workforce. We need a workforce in the 21st century that
understands how to use technology safely, securely, ethically,
and productively when they graduate high school or college.
And encourage your colleagues, I think as Representative
Thornberry has done, to make information available to small
businesses in your district. Go out, talk with them, have a
town hall on cyber security, and get the conversation going.
Thank you for your time and attention to this issue, and I
look forward to your questions.
Chairwoman Ellmers. Thank you, Mr. Kaiser. We are going to
go ahead and get started with some questions, and just so you
know, we will be called for votes about 2:15, so what I am
going to do is I am going to yield now to Mr. Tipton from
Colorado for his questions.
Mr. Tipton. Thank you, Madam Chair. Glenn, I would like to
thank you for joining us. Once again, it is good to have a
Coloradoan here and to be able to see you. I was disturbed a
little bit, the stories that you had in your written testimony
about the costs to your businesses in terms of the data breach
from the other company, I believe it was a liquor company; is
that right?
Mr. Strebe. Yes, it was.
Mr. Tipton. The mistake ended up costing you thousands of
dollars for nothing you had no control over, and you also
mentioned that you were only able to recover 35 percent of your
incurred expenses. What additional steps would you recommend
that Congress and this committee take to curb this phenomenon
and without imposing burdensome regulations on small
businesses?
Mr. Strebe. As I mentioned in my verbal comments as well as
in the written testimony, one of the things that does not occur
out in the business world is the fact that there is no
liability, there is no accountability. In the case of that
liquor store, the police were involved in that case, and they
themselves were confronting the liquor store, asking them, you
know, What are you doing? They said, Well, we don't have any
liability, so we are really not going to worry about it, and as
a result of that it cost us over $60,000. What would I do? I
would look for the opportunity to hold accountable, as I have
written in testimony, hold accountable those businesses that
have such a cavalier attitude.
Mr. Tipton. I appreciate that. And Dr. Schneck, I believe
in your comments you said that we have got to be very cautious
that we just aren't in a manner of compliance as opposed to
having the security. Would you like to expand on that a little
bit because I think as small business people we often see, we
spend a lot of time making sure we are complying as opposed to
getting the job done.
Ms. Schneck. Thank you. The problem with regulation is that
it draws a box, it draws a box where they have to take the
money and invest, and it does two things: Number one, it
stifles innovation because if companies are only having to fill
that box and invest in those X places, it doesn't leave a lot
of room for advancing creativity, saying well, how else can we
solve this problem that might be better because the regulation
is this is what we have to buy, it is in this box.
The second thing it does that can really hurt small
businesses, it shows the adversary, the cyber adversary,
everything that is outside of the box, and small business is
already a target, as has been mentioned, not only a target to
bounce into a larger enterprise, but small businesses, in many
cases, are developing the intellectual property that could make
the next jet engine and working on national security and
holding private information, all kinds of ways.
So they are holding the same intellectual property and
harboring the same risk as a big company that can afford a
dedicated team and the best security, but they can't afford,
they don't have the extra money to do that to secure their
piece, and at the same time what regulation would do is show
the outline of the box and show the bad guy exactly where he
can go straight into those small businesses that can't afford
to protect it, so what we really need to do is incentivize, and
as was mentioned by Representative Thornberry and some other
colleagues, some good incentives for businesses to be able to
target that investment upfront, make cyber security part of the
corporate risk and go ahead, as I mentioned, and minimize the
amount of information that is stored on their network.
Compliance and regulation are not going to protect us.
Mr. Tipton. So be very cautious about trying to have a one-
size-fits-all regulatory policy?
Ms. Schneck. Exactly. Or anything that doesn't allow
innovation.
Mr. Tipton. Thank you so much. I yield back, Madam Chair.
Chairwoman Ellmers. Thank you. I am going to go ahead and
ask my questions now. This question I would like to ask the
entire panel for your opinion. There is a variety of Federal
agencies and organizations involved in combating cyber
security, as you know. Do you think small businesses know where
to go to get the best information and assistance and, if not,
what recommendations do you have to help us get that
information out? Starting with Mr. Kaiser.
Mr. Kaiser. Yeah, you know, we take an approach to all this, a
similar approach across all education and awareness in cyber
security on this issue, which is that we should not try to
spend a lot of time trying to get, in this case, small
businesses to trust other entities for new information. We
should be going to the entities that they already trust and
getting them to disseminate a very similar comprehensive
harmonized message, so whether it is in their vertical of their
industry or to a government agency that they already trust or
back to a software provider or an ISP, if we can coordinate and
harmonize that messaging, then they will just go to who they
trust, and no matter where they go they will get the right
message. I think that is really the work that we have to do at
this level to support them at the lower levels.
Ms. Schneck. I would definitely agree and echo those
remarks. I would add that the cyber adversary is fast, shares
information very well, already has trust, is often very well
funded. So they can act without any legal boundaries, IP
boundaries, and that is why they are winning. The very best
thing that we can do as the good guys is match that and then go
one step better. Since small business makes up 99.7 percent, I
calculate that as part of the fabric, they are a large part of
the cyber information and situational awareness that we will
see, breaches, how they happen, what they are seeing. First and
foremost, we would ask them to know who to call, whether it is
a partnership of law enforcement or others that you trust, know
who that is ahead of time so that you can all get together when
you see something, and even build those relationships to
determine steady state so you can understand an anomaly even
when things are good.
The second thing is work with those public-private
partnerships, they are so important because not only do small
businesses get access to people and resources that do have
million dollar budgets to do things and see more things
globally, but you also put information from that 99.7 percent
of the fabric back into the pot that protects the entire
fabric.
We, again, are only as good as our weakest link. Our small
businesses are so strong in the innovation, we can't let them
be weak in the security just because of money, and we have to
incentivize that spend and incentivize putting some of their
resources into those partnerships.
Mr. Strebe. I believe that the most basic level, working
with some of your business customers or business owners to
educate them on where they can find that information is very,
very crucial. I can't really speak for everybody else out
there. I can speak on behalf of our credit union. We have about
a thousand business accounts, and we quite often, and we have a
very professional IT staff, as the Doctor suggested, that if we
have a member of ours or a small business of ours that asks us
how do I do this or how do I do that, while we are not in the
profession of trying to give them IT security advice, we
recognize the fact that without them we have no meaning, and as
a small credit union or not a small credit union, we are a
medium-sized or a large credit union, as a credit union, we
truly believe in trying to help our membership to the greatest
extent possible, so I completely agree with the Doctor that if
we can provide some framework information, some construct of
where they can get the information, how they can get the
information and from whom, that will be very, very valuable for
us going forward.
As a credit union, we will always help our membership, as I
believe--while I can't speak for every credit union, I am
pretty confident that I can speak for a lot of them that they
would say any member of ours that wants a little bit of help in
trying to understand some of the threats out there, we would
definitely, definitely help them because we just feel that as a
member-based organization, we need to do that.
Mr. Beam. I would say the electric industry is a little
different than some of the other small business groups in that
we are currently regulated by the Federal Energy Regulatory
Commission for reliability in cyber security, and so we have a
clear place to go for clarification on cyber security issues.
One thing I would like to emphasize as we consider new cyber
security legislation is making sure you have that clear line of
demarcation of one agency regulating one group and not having
overlap. I think that will just cause confusion and really
muddy the waters. But I would like to echo what some of the
other panelists have said about the importance of the public-
private partnership and the information sharing. I think that
is really the key to improving our cyber security rather than
through regulations.
Chairwoman Ellmers. Excellent. Thank you so much. I am now
going to recognize Ranking Member Richmond for his questions.
Mr. Richmond. And I think I will just start with Dr.
Schneck on this. The question becomes, and we heard the
Congressman talk about just general computer hygiene. If that
accounts for about four out of five of the security breaches
that we have, then do you think that it is worthwhile for us--
or whether it has merit or it is too cost prohibitive for us--
to require almost like we do with some public service
announcements to remind people of these very simple things that
they can do to keep their information secure. If we can cut out
80 to 85 percent just by doing that, should we require, or do
you have some ways that would incentivize people to provide
that information when you go to Yahoo! or whatever you do
online, to provide some of that simple hygiene information and
to reinforce how important that is?
Ms. Schneck. I absolutely agree that that basic hygiene
will take care of a large percent of the issues. The analogy I
would use is many years ago, Howard Schmidt used the analogy to
seatbelts in cars and the process that it took to get people to
use seatbelts. The other analogy that has been used is the
forest fires. A lot of this goes back to education awareness
that our colleagues at the NCSA do a great job of and others
and certainly the credit unions that we have heard, but I want
to also point out that that 20 percent is evil, that 20 percent
that we can't catch with the hygiene that Representative
Thornberry also mentioned. That is the part where very quiet
attackers that don't want you to know that they are there, they
are not looking for your bank information, they are looking to
find exactly the people that sit on top of core intellectual
property, whether it is recipes, oil field diagrams or diagrams
for other parts, military, they will sit there until they find
it, and they will send it home, and that is moving jobs, money,
and markets across countries and companies, and that is the
piece that we want to also incentivize companies and small
companies, especially because they don't have extra money to
invest in protecting that and to consider it part of the
corporate risk, so I think it is twofold.
One is it certainly is an awareness campaign, and NCSA has
the Cyber Security Awareness Month with the government and does
a lot of different things. I think we are a lot more--I sit on
the ISPAB as well, and we were briefed on some of these
efforts, and I think as a community we are a lot more aware now
than we were before of cyber as an issue. I think this hearing
is one example of that. But the other side is these very quiet
attacks. We do need to incentivize our small businesses to
protect what they have. What they have is key to our national
security, and that can't be overstated.
Mr. Richmond. Well, and part of my thinking was that if we
can eliminate 60 to 80 percent strictly by information and
being very creative, it would allow us and free up more money,
more time, more energy to focus on those people who are going
to try to do it no matter what all the time and are very
sophisticated and evil with it. Anyone can answer this
question, but how has cloud computing, I guess no pun intended,
clouded our ability to protect ourselves? And I guess I just
started to look at some of my new data in the office, and they
talk about cloud computing, it just scares me to just have
information floating out there. So how safe is it, and how has
it complicated your jobs and our ability to keep the country
safe?
Ms. Schneck. I guess I will start. So the important thing
is to protect data in motion, data at rest, and data in use.
What cloud does is it outsources data processing, so it says
that you are, to your point, you are sending your information
somewhere else to be processed, and then it comes back so that
you can view it, and the danger that people immediately sense
is while it is not on my network and in transit and while the
third party is holding it, is it protected? And these are the
questions that have to get answered.
The very, very beneficial side of cloud computing is that
it is very efficient. You can package your computing processing
power, you can have somebody else pay the bills for chilling
the computing and doing the efficiencies, you can do high
performance calculation, and the data comes back and it is a
fraction of the price if you had a CPU on every machine, and that
scales beautifully. So for small business, you can outsource a
lot of your computing needs, and it ends up saving them a lot
of money.
The other side is they have to make sure when those data
are in transit they are working with a third-party provider
that is taking care of encrypting or protecting the identity or
the data when it is in storage, when it is being processed, and
certainly on its way back. A big advantage is that if you are
using a good provider, whatever service it is, the high-end
providers do have the million dollar budgets to secure things
right, whereas the small businesses may not. So there are a lot
of efficiencies and a lot of security built into cloud, even
though it requires that we send our data offsite.
Mr. Richmond. And this question would be for Mr. Kaiser.
How important is it for us to deal with breach notification
laws as opposed to the many different laws in the various
States, and does it make sense and would it help the small
business or businesses period for us to come up with a national
standard for breach notification as opposed to having different
laws in I think 48 States now that have them and small
businesses that do business across State lines having, I
would assume, to comply with all of them.
Mr. Kaiser. Yeah, I think that at the end of the day, I
think wherever we can have clarity for both businesses and
consumers, that is a good thing, right, so people know what to
expect when something happens and know what will happen if
something happens, and how that gets accomplished I think could
be done probably in a number of different ways, but I do think
that clarity, you know, where, you know, because the data
really lives everywhere because not only of cloud, but just the
way the Internet works, you know, as a consumer, I am doing
business with people all over the country when I am using the
Internet, and small businesses are doing business all over the
country. I think where we can have clarity about what will
happen when a breach occurs and from both sides, both as a
person whose information was lost and also as the person or
business that lost the information, I think that is just
helpful in general on a lot of these cyber issues, not only
that, but also on education awareness, clarity about the
message, those things help. It is kind of a confusing world out
there, and there is a lot of different messages, so anything
that helps that I think is good.
Mr. Richmond. And my last question would be for Mr. Strebe,
and that question would simply be, you mentioned the analogy--
the example of the liquor store that was very careless which
exposed the credit union, I would assume, to I think you said
$60,000 worth of repayments. Do you think legislation--is
needed to clear up responsible parties or to figure out and
help find who is responsible for data breaches and who shall
reimburse the consumer at the end of the day or the person who
sustains the loss?
Mr. Strebe. I think with legislation you can create a
framework that any small business can follow. When you look at
things, we have talked about hygiene today. If they are not
following simple hygiene and they are not doing a basic
standard of care, I think responsibility can be held or
liability can be pushed back on to a small business. If they
take care of that or if they create or through legislation
create a framework and create, you know, here is the exact
things that you are going to do, and they follow that and they
are not negligent, I think you could essentially hold them
harmless for, you know, again, a due standard of care.
Anytime somebody just completely thinks that data security
and cyber security is off the radar screen for them and they
think that they can push all of the responsibility back to us
as a financial institution, I think that creates substantial
challenges for us as a financial institution. In addition, I
think it is really valuable from a reputation risk standpoint
to understand that anytime there is some sort of compromise and
we notify our members of what has happened, they
automatically think it was us as a financial institution that
was penetrated, and when that happens, we have to, we spend a
lot of money trying to overcome that and trying to tell them
that, well, it wasn't us, we can't disclose that to you, we
can't make public who it actually was, and as a result of that,
those costs are borne by us.
So as I look forward, I do believe a construct or framework
can create a basic standard of care that they are going to have
to follow and things that they need to do, and if they are
negligent in that, then they can be held responsible. You know,
can you try to address every single item? I don't believe you
can because, as was mentioned before, every time you try to
solve one thing there are two more things that come on the
horizon, and then you are just continuing to chase your tail. I
just look at it and say there are some basic necessities in
commerce today that have evolved over the past 10 years that a
businessman really, really needs to grab hold of and make sure
they are accomplishing.
Mr. Richmond. Thank you, and I will yield back.
Chairwoman Ellmers. I have one more question, and I am
going to quickly, and it is all for the entire panel. Of
course, we are hearing about the statistics of the frequency of
the cyber attacks. In general, if you could give us an idea in
your sector of business what that frequency is, how often, and
how often do you receive information from the Federal or State
government warning you of any particular upcoming threats that
might be occurring? Starting with Mr. Kaiser.
Mr. Kaiser. Yeah, we don't really deal in that kind of
information between the industry and government, but I will
say, just as a regular person who looks at the news every day,
those threats, those attacks are happening all the time, and so
we really need to be able to respond to them.
Ms. Schneck. We see 66,000 new variants of malware every
day in McAfee Labs, and that is only going up. And then if you
take that and you look at the story across the sectors, those
malware examples and variants are being used to do things such
as steal the oil field exploration diagrams across the energy
sector, and these are things that we have published.
I think you ask a very important question, how much do we
get from the government? Not much right now. And that could be
because of framework, it could be because of the structure. We
are active in, I would say, most of the major public-private
partnerships, but the idea is that we actually share a lot more
out with government. When we find things, we give as much to
government, law enforcement, and all the way to State and local
as we can, and looking at how we can do that more quickly, take
the most actionable egregious information and get it to law
enforcement faster is a challenge across, I believe, the entire
business community, and the way this affects small business is
that needs to get to them, and we are legally tied when it
comes to sharing with the private sector. It is a little bit
easier in some cases with government, but we need to get it
back to those small businesses, and that is why from personal
experience, I advocate that small businesses get with those
partnerships.
Mr. Strebe. In our case I cannot give you specific numbers.
What I can tell you is, as a financial institution, we do this
24/7/365 times, however many years are in the future. We always
have to do this. We are getting, I don't want to say hit,
because that sounds like somebody actually penetrates us. We
always see--we have a fortress or a cyber fortress that is
built around our financial institution, and we always see
people coming from all around the world trying to find
vulnerabilities in our system and IP addresses that are open
and they can try to penetrate our system. 24/7/365 times the
future, that is exactly how many times we see it. It is always
happening.
Mr. Beam. As far as notifications from the government, NERC
has an advisory system where they send out alerts. We have
received 40 of those since 2008. Of those, the majority were
advisories that were just advising us of a potential issue.
Only a handful were things that required us to take action, but
we did take action on those, and none of those was an imminent
threat. They were a potential threat that you needed to take
action to prevent.
On the business side, we have our system divided into two
completely separate networks. One controls the electric system,
and one is the business system. The electric system is
completely separate from the Internet. There is no connection.
And so we have had no outside traffic ever able to get on to
that system and cause any kind of malicious attack.
On the other side, in 2011 alone, we had 74 million emails
hit the firewall. Of those, only 16 million got through, and
those in our internal review processes only allowed 4 million
through to the actual end users as legitimate emails. So as
everybody else has said, we are constantly getting things that
are malicious in one way or another, be it spam or whatever,
but they are not necessarily attacks from a foreign government
of that type. As far as anything that was actually directed to
the electric system in a malicious way, we have never had an
attack that we are aware of.
Chairwoman Ellmers. Mr. Strebe, have you in your industry,
in the financial credit union world, does the Federal or State
level of government, do you get notifications that there are
imminent threats?
Mr. Strebe. If I waited until I got the information from
them, it would be way too late.
Chairwoman Ellmers. So you are on top of it ahead of time?
Mr. Strebe. We quite often end up sharing what is happening
in our institution with other folks that are out there, yeah.
We can't wait. We know before everybody else does because it is
real time for us.
Chairwoman Ellmers. Thank you, thank you. I just wanted to
make sure I clarified that.
And again, thank you to all of our participants, you know,
panel 1 and panel 2. This subcommittee will continue to closely
follow this issue. I want you to be aware of that and know that
we are going to be working on this very issue. It is clear that
there is no one-size-fits-all policy for cyber security. I look
forward to working with my colleagues to make sure small
businesses have the resources available to combat cyber attacks
while not adding to any duplicative regulatory burdens.
I ask unanimous consent that Members have 5 legislative
days to submit statements and supporting materials for the
record. Without objection, so ordered. This hearing is now
adjourned. [Whereupon, at 2:26 p.m., the subcommittee was
adjourned.]
[GRAPHIC] [TIFF OMITTED] T2810A.001 through T2810A.094 (94 graphic pages omitted)