[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]



 
             CYBER SECURITY: PROTECTING YOUR SMALL BUSINESS

=======================================================================

                                HEARING

                               before the

               SUBCOMMITTEE ON HEALTHCARE AND TECHNOLOGY

                                 of the

                      COMMITTEE ON SMALL BUSINESS
                             UNITED STATES
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                              HEARING HELD
                            DECEMBER 1, 2011

                               __________


                               
           Small Business Committee Document Number 112-047

          Available via the GPO Website: http://www.fdsys.gov
            

                  U.S. GOVERNMENT PRINTING OFFICE
72-810                    WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001


                   HOUSE COMMITTEE ON SMALL BUSINESS

                     SAM GRAVES, Missouri, Chairman
                       ROSCOE BARTLETT, Maryland
                           STEVE CHABOT, Ohio
                            STEVE KING, Iowa
                         MIKE COFFMAN, Colorado
                     MICK MULVANEY, South Carolina
                         SCOTT TIPTON, Colorado
                         JEFF LANDRY, Louisiana
                   JAIME HERRERA BEUTLER, Washington
                          ALLEN WEST, Florida
                     RENEE ELLMERS, North Carolina
                          JOE WALSH, Illinois
                       LOU BARLETTA, Pennsylvania
                        RICHARD HANNA, New York
               NYDIA VELAZQUEZ, New York, Ranking Member
                         KURT SCHRADER, Oregon
                        MARK CRITZ, Pennsylvania
                      JASON ALTMIRE, Pennsylvania
                        YVETTE CLARKE, New York
                          JUDY CHU, California
                     DAVID CICILLINE, Rhode Island
                       CEDRIC RICHMOND, Louisiana
                        JANICE HAHN, California
                         GARY PETERS, Michigan
                          BILL OWENS, New York
                      BILL KEATING, Massachusetts

                      Lori Salley, Staff Director
                    Paul Sass, Deputy Staff Director
                     Barry Pineles, General Counsel
                  Michael Day, Minority Staff Director


                            C O N T E N T S

                              ----------                              

                           OPENING STATEMENTS

Ellmers, Hon. Renee
Richmond, Hon. Cedric

                               WITNESSES

The Hon. William M. "Mac" Thornberry, U.S. House of
  Representatives (TX-13), Washington, DC
Mr. David Beam, Senior Vice President, North Carolina Electric
  Membership Corporation, Raleigh, NC
Mr. Glenn Strebe, Chief Executive Officer, Air Academy Federal
  Credit Union, Colorado Springs, CO
Dr. Phyllis A. Schneck, Chief Technology Officer Public Sector,
  McAfee, Inc., Reston, VA
Mr. Michael Kaiser, Executive Director, National Cyber Security
  Alliance, Washington, DC

                                APPENDIX

Prepared Statements:
    The Hon. William M. "Mac" Thornberry, U.S. House of
      Representatives (TX-13), Washington, DC
    Mr. David Beam, Senior Vice President, North Carolina
      Electric Membership Corporation, Raleigh, NC
    Mr. Glenn Strebe, Chief Executive Officer, Air Academy
      Federal Credit Union, Colorado Springs, CO
    Dr. Phyllis A. Schneck, Chief Technology Officer Public
      Sector, McAfee, Inc., Reston, VA
    Mr. Michael Kaiser, Executive Director, National Cyber
      Security Alliance, Washington, DC
Questions for the Record:
    None
Answers for the Record:
    None
Additional Materials for the Record:
    CompTIA Statement for the Record
    Recommendations of the House Republican Cybersecurity Task
      Force


             CYBER SECURITY: PROTECTING YOUR SMALL BUSINESS

                              ----------                              


                       THURSDAY, DECEMBER 1, 2011

                  House of Representatives,
         Subcommittee on Healthcare and Technology,
                               Committee on Small Business,
                                                    Washington, DC.
    The Subcommittee met, pursuant to call, at 1:01 p.m., in 
Room 2360, Rayburn House Office Building, Hon. Renee Ellmers 
[chairwoman of the Subcommittee] presiding.
    Present: Representatives Ellmers, Tipton, and Richmond.
    Also Present: Representative Schilling.
    Chairwoman Ellmers. Good afternoon, everyone. I am going to 
go ahead and call this meeting to order. I would like to thank 
everyone for being here joining us today on this very important 
issue on cyber security. I would like to say a special thank 
you to Representative Mac Thornberry and our panel of witnesses 
that will be coming up in the second panel. We appreciate 
everyone's participation.
    Our Nation's digital infrastructure has become an essential 
part of our everyday lives. It is difficult to imagine a world 
without the Internet. It touches nearly every sector of the 
United States economy, and it is critical to our national 
security. According to the Federal Communications Commission, 
over 97 percent of small businesses utilize the Internet to 
increase their productivity and overall success.
    On Tuesday, The Wall Street Journal reported that the 
online sales for Cyber Monday rose to a record $1.25 billion. 
This is an increase of 22 percent from last year and marked the 
heaviest single day for online commerce ever. Despite this good 
economic news, the growth of the Internet technology and 
e-commerce has also attracted a growing number of cyber criminals 
looking to steal sensitive information, including intellectual 
property and personal financial information. These attacks can 
be catastrophic, as you can imagine, leaving many businesses 
unable to recover. Especially our small businesses.
    Although we often hear about cyber attacks on large 
businesses and institutions, a recent report shows the majority 
of these attacks are on small firms. Small businesses generally 
have fewer resources available to monitor and combat cyber 
threats, making them easy targets for expert criminals. 
Moreover, the sophistication and scope of these attacks 
continue to grow at a rapid pace.
    A recent report from the Office of the National 
Counterintelligence Executive stated that tens of billions of 
dollars in trade secrets, intellectual property, and technology 
are being stolen each year by foreign nations like China and 
Russia. As the leader in producing intellectual property, the 
United States and small businesses will continue to be a 
primary target for cyber criminals seeking an economic 
advantage.
    Adding to the uncertainty is the difficulty in which one 
protects themselves online. Protecting our digital 
infrastructure is complex, and no one agency or private 
business can do it alone. It takes a true public-private 
partnership to identify, combat, and share information 
regarding these sophisticated cyber attacks.
    Both the administration and Congress have recognized the 
need to update certain laws and resources to better combat 
cyber threats. The broad range of issues being considered 
includes establishing a national standard of reporting a cyber 
breach, strengthening the criminal statutes, and requiring some 
private industries to develop cyber security plans.
    We have heard small businesses' concerns about the 
possibility of duplicative regulations, always regulations, as 
many industries already have procedures in place to protect 
third-party information. For example, a company in my district 
called Diversified Information Technologies, which digitally 
processes health care and insurance information, already 
provides full compliance based on the Health Insurance 
Portability and Accountability Act, or HIPAA. In considering 
legislation, we should look to harmonize these regulations to 
avoid any duplicative rules on small businesses.
    There is no question cyber security is a real and major 
threat to our Nation's economy, security, and everyday way of 
life. Moving forward, I am confident that we can identify the 
most efficient role of the public and private sectors to 
protect small businesses and our Nation against cyber attacks.
    Again, I want to thank all of our witnesses who are 
participating today. I look forward to hearing the testimony on 
how we can better assist small businesses against cyber 
attacks. I now yield to the Ranking Member Richmond for his 
opening statement.
    Mr. Richmond. Thank you to the chairwoman and thank you to 
everyone for coming to participate, especially to Congressman 
Thornberry, who heads the Cyber Security Task Force, and the 
recommendations that you all have made. So as a person who was 
chair of Judiciary in the State legislature for 4 years, cyber 
security was under our umbrella, I can tell you that our States 
are not as aware as they should be of the risk that is posed, 
so it is a great thing that we are taking the lead on it and 
that your task force is doing what it is doing. So thank you 
for that.
    Internet and telecommunication technologies have not only 
changed how we communicate, but also how business is conducted. 
America's 23 million small businesses are some of the savviest 
users of technology by using the Internet to access new markets 
to grow and to diversify. In fact, small businesses are the 
driving forces behind further technological innovation, as they 
produce about 13 times more patents per employee. However, 
along with being connected comes being exposed to new threats. 
Cyber threats can come in many forms, but they are all 
devastating to both business owners and to their customers. A 
single attack can wipe out a small business, which is why cyber 
crime poses severe problems for small businesses that are not 
prepared to mitigate this kind of risk.
    According to studies, 40 percent of all threats are focused 
on firms with less than 500 employees and reveal that a total 
of nearly $86 billion annually is lost with companies incurring 
an average of $188,000 in losses. Sadly, some small companies 
fail to recognize the benefit of cyber security as an 
investment until it is too late.
    On the other hand, those firms that understand the 
importance of such an investment often lack the resources to 
implement an effective security system. The Federal 
Communications Commission, the Department of Homeland Security, 
and the National Institute of Standards and Technology, have 
all embarked on efforts to offer Federal programs designed to 
educate the public on computer security. It is worrisome that 
despite the rise in cyberterrorism over the past few years and 
the growing impact it has on small businesses, comprehensive 
cyber security policy remains elusive. With 1.2 million people 
employed at small companies in the New Orleans metropolitan 
area, it is important to ensure that they are protected against 
cyber crimes by keeping our Nation's cyber security, our cyber 
infrastructure incorruptible. That is why I am cosponsoring the 
Homeland Security Cyber and Physical Infrastructure Act as a 
way to strengthen our infrastructure through research, 
development, and establishment of innovative cyber security 
technology. Like everyday Internet users, small firms are 
exposed to cyber attacks and vulnerable to their malicious 
effects.
    Today's hearing will give us an opportunity to review 
whether the increases in Federal investment in both financial 
and personnel resources will have an impact on a small firm's 
ability to mitigate their cyber risk. The testimony we hear 
today will help us better understand what role the government 
can play in educating the American public and the business 
community about the security risks and challenges they face. 
Your recommendations on the best ways to protect the Nation's 
small businesses from this growing threat will be useful as we 
move forward on addressing this issue. In advance of the 
testimony, I want to thank all the witnesses for both their 
participation and insight into this important topic. Thank you, 
and I yield back.
    Chairwoman Ellmers. Thank you to the ranking member. I will 
say that if committee members have an opening statement 
prepared, I ask that they be submitted for the record. I don't 
have to explain the timing lights to our first panel of 
witnesses. It is my pleasure now to introduce, again, 
Congressman Mac Thornberry, who is our first witness, and he is 
the Congressman of the 13th District in Texas. He currently 
serves as the vice chairman of the Armed Services Committee, 
where he also leads the Subcommittee on Emerging Threats. He 
continues to serve the House Permanent Select Committee on 
Intelligence as well.
    Earlier this year, Congressman Thornberry was tapped by the 
Speaker of the House and Majority Leader to spearhead a Cyber 
Security Task Force to guide House legislation action on this 
growing economic and national threat. On October 5th, the task 
force released their recommendations, which have been well 
received from Republicans and Democrats, the White House, 
private businesses and other organizations. Thank you for being 
here. We look forward to your testimony, Congressman.

   STATEMENT OF THE HON. MAC THORNBERRY, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF TEXAS

    Mr. Thornberry. Thank you, Madam Chairwoman and ranking 
member, Mr. Schilling. I appreciate the chance to be here. I 
have submitted a written testimony, and if it is all right, 
what I would like to do is just kind of summarize it into four 
points.
    One is, I appreciate you having this hearing. One of the 
major findings of our task force is that there is a tremendous 
gap in what is really happening and most people's awareness of 
what is happening. That is true in the population, it is true 
among Members of Congress, and our view is that first we have a 
responsibility to educate ourselves and then try to help our 
communities understand what a serious issue this is. I have 
recommended that the Speaker and Minority Leader have a 
classified briefing for all Members because I think all Members 
really need to get a better understanding of what we are 
facing.
    Also, just as a test case a few weeks ago, I took a cyber 
expert with me to my district, and in one town we had a special 
meeting of the Chamber of Commerce, in another town, it was a 
joint meeting of the Chamber of Commerce and the biggest 
service club just to talk about this issue. He could answer the 
technical questions, but just to try to raise awareness from 
small businesses in my area, and I hope maybe that is something 
that other Members may want to consider in the future.
    The second point I would make, and both of you have made it 
in your opening statements, small businesses are affected by 
this. No one should believe that because I am a small business 
in Amarillo, Texas, that I don't have to worry about it. It is 
simply not the case. What we also have come to learn is that 
not only are small businesses in the cross-hairs of those 
seeking to perpetrate crime and steal intellectual property, a 
lot of times small businesses are subcontractors that are used 
to get to larger contractors. A lot of times increasingly, in 
fact, lawyers and accountants are targets in order to get their 
clients' records. So there is some careful planning going on 
here, but small businesses are particularly in the cross-hairs, 
and every time they steal intellectual property from a small 
business, they are stealing jobs from the United States. So it 
is obviously a national security issue, but as both of you have 
rightly pointed out, it is also an economic issue that is very 
important.
    Third, I would say that this is a big, complicated issue 
that Congress cannot solve in a single bill, and we shouldn't 
try. I think you all have mentioned that it touches most 
aspects of our lives, most aspects of business life these days. 
Eighty-five, roughly, percent of the infrastructure we are 
talking about protecting is owned by the private sector. So 
government is not going to come in and solve all of this, but 
we can take steps to help protect the country, and obviously, 
that is what we need to do.
    Fourth and lastly, the task force you have both mentioned 
have made recommendations as far as a general framework on what 
Congress could do during this session of Congress, and that was 
the Speaker's instruction to us, don't try to solve all the 
problems in the world, but look at what we can do that will 
make a significant difference that could get passed during this 
session of Congress, and our recommendations have drawn on a 
lot of previous work that Members of both sides of the aisle 
have done, but I have been pleased at the bipartisan support, 
not only in the House, but from Senators, the White House has 
spoken positively of it, so I think there is a real opportunity 
to act here.
    There is lots of differences we have between the parties, 
between the different Houses of Congress on a variety of 
issues, but this is one where I think we can work together, and 
I think it is essential that we work together to try to begin 
to take those steps in the right direction. So, again, I 
appreciate your interest in it, and I will be happy to answer 
any questions that I can answer.
    Chairwoman Ellmers. Well, I definitely echo those comments 
about the importance of us all working together in a bipartisan 
manner on this issue, I think we all see the very important 
aspects of it.
    I just have a couple questions, and then I will yield to 
Mr. Richmond, the ranking member. My first question for you, 
Congressman, is the recent report from the National 
Counterintelligence Executive Agency revealed that China and 
Russia are behind a majority of cyber attacks, and that is 
obviously deeply, deeply disturbing. In your opinion, how does 
the small business, the small business that is out there right 
now dealing with all of the issues with the economy, how can 
these small businesses deal with these attacks right now, and 
what and how should the United States respond to this as a 
Nation?
    Mr. Thornberry. I would say two things, and they are really 
the central recommendations of our task force. Number one is 
what is called good hygiene. It is the basic things that we all 
know we should do but too often don't do, keeping our firewalls 
up to date, our virus protection up to date, not having our 
passwords underneath our mouse pads in our offices, which a 
defense contractor told me he just went and checked in one of 
his offices and found that was the case in a large number of 
his employees, and the task force received information from a 
variety of witnesses saying roughly three-fourths of the 
malicious stuff out there on the Internet could be stopped if 
we all did the basic stuff we know we are supposed to do. You 
know the reason they call it good hygiene because it is kind of 
like washing your hands and coughing in your sleeve and getting 
enough sleep and drinking enough water, the basic things that 
keep us healthy, it can keep the Internet healthy, too. So 
small businesses, you know, it doesn't take a lot of money, but 
you need to do the stuff you know you should do.
    Secondly, though, when you talk about Russia and China, if 
Russia and China is targeting somebody, good hygiene won't be 
enough, and so our second central recommendation is to update 
some laws to allow information sharing that where we can use 
especially Internet service providers to help defend us against 
these more sophisticated threats. And so I think you have got 
to do two prongs: Basic hygiene, but also update our laws so 
that we can bring all the resources of government and the 
private sector to bear against these more sophisticated 
threats.
    Chairwoman Ellmers. Thank you. My next question for you, 
there again, comes from our small business owners, and they are 
basically saying that, you know, one of the big issues, and we 
hear this repeatedly, is the threat of regulations and dual 
regulations, especially those industries defined as critical 
infrastructure. This is a two-part question here. First, has 
this issue been adequately addressed, and in your opinion, do 
you believe that small businesses should be subjected to the 
same regulations or Federal standards as larger businesses 
regarding cyber security compliance?
    Mr. Thornberry. It certainly has not been adequately 
addressed, and I think this gets to where there is a difference 
of opinion between the White House proposal that came out in 
May and the task force recommendation. The White House 
recommended basically that critical infrastructure businesses 
develop a cyber security plan which would be sent to the 
Department of Homeland Security for evaluation and kind of a 
thumbs up or thumbs down. Our view was that we ought to rely on 
existing regulators, so for the electric industry, FERC, and 
NERC and the existing regulators, the Nuclear Power Regulatory 
Commission for nuclear power plants, et cetera. In other words, 
these structures are in place, they help understand the fuller 
spectrum of what these businesses are dealing with, and they 
need to put a greater emphasis on cyber security.
    Now, we are going to have to work through how to do that, 
but I think I am concerned, as you mentioned, about layering 
additional regulations, particularly on small businesses that 
have a difficult time affording what they have got now.
    Chairwoman Ellmers. Thank you. Thank you for outlining 
that. There again, you know, having to report to more than one 
agency, each of these different duplicative just adds to the 
cost of doing business as well, so----
    My last question, in actually talking about Federal 
agencies, of course, Federal agencies play a key role in 
protecting against cyber attacks. Considering our committee, 
Small Business Committee and its jurisdiction, what do you 
think the appropriate role is for the Small Business 
Administration?
    Mr. Thornberry. My sense is the most valuable thing is the 
awareness and help small businesses have the tools to know how 
to defend themselves, and if you can do that where you don't 
have to go hiring an outside consultant or so forth, if you can 
just help direct small business to the kinds of things they 
need to do with that good hygiene we were talking about, I 
think that would be a tremendous help to small business, but 
again, when you help all those small businesses, you are also 
helping the whole Internet because you reduce the clutter that 
is out there, and that helps the more sophisticated entities 
target those more sophisticated threats.
    Chairwoman Ellmers. Thank you so much for answering my 
questions. I am going to yield now to Mr. Richmond for his 
questions.
    Mr. Richmond. Thank you, and I will try to start where you 
are leaving off when we talk about education and awareness as a 
cost-effective way to reduce our cyber breaches. The task force 
suggested the basic technology tools, industry best practices, 
and education could eliminate about 85 percent of the cyber 
threat. I think you just hit on most of it, but what else 
besides the good hygiene and the other recommendations can we 
do to further push for a reduction and further accomplish a 
reduction in cyber attacks?
    Mr. Thornberry. Well, one of the key areas, we believe, is 
that we need to provide some voluntary incentives so that as a 
CEO is trying to figure out where his money goes, that more of 
his attention and perhaps more of his money goes to defending 
that business against cyber attack.
    Now, again, there are some differences. There are some 
people who have made proposals on a more directive regulatory 
approach. Our view was you can't have one size that fits all, 
but a variety of incentives, whether it is the Tax Code, 
whether it is SEC regulations, which actually they came out 
with one a couple weeks ago that requires greater attention be 
paid to cyber.
    I think that sort of thing, we have got to elevate this 
issue in the consciousness not only of Members of Congress, the 
American people, but of businesses, and some incentives, 
financial incentives, I think--we think help accomplish that, 
even though we did not try to put out a laundry list of what 
they all are, and suggestions that you all may have, 
particularly for incentives that would be effective for small 
business, I think, would be very welcome as we move through 
this process.
    Mr. Richmond. Another thing, one of the recommendations was 
in the Federal procurement process, to require security 
technology processes and performance management in the 
government IT process. Since we are sitting on Small Business, 
one concern that immediately pops up is the cost associated 
with it and how would it put small businesses at a disadvantage 
compared to other businesses in the procurement process for 
government contracts.
    Mr. Thornberry. It is a good point. I think our view was, 
the government is a big customer, we ought to be a good big 
customer in what we buy, in other words buy things that are 
more secure, but also I think what one finds out is a lot of 
innovation in this area is being done by small business, 
innovation in enhanced security. So I think, if we can put a 
higher priority on security that small business, particularly 
small business innovators will benefit from that. They should, 
and I hope so.
    Mr. Richmond. I am glad you brought up the role that small 
businesses play in the technology aspect of it. The Federal 
Government is spending an enormous amount of money, and we are 
spending more every year, on cyber security. What niche, or 
what way do you see small businesses being able to participate 
on the technology side of helping us get ready, combat or fight 
off cyber attacks?
    Mr. Thornberry. I think we were just touching on it. A lot 
of the innovation that goes on is in small business start-up 
businesses, and the Federal Government in its procurement has 
to be nimble enough to take advantage of those advances, and 
that is obviously a challenge. And a second area that we 
touched on is, the Federal Government spends a lot of money on 
research in cyber. We ought to make sure the money we spend on 
research in cyber is not taking the place of money that private 
industry is spending on cyber. In other words, displacing some 
small business that is putting their resources out there, we 
ought to be complementary, more basic research that everybody 
can benefit from rather than researching things that, you know, 
that put a small business potentially out of business.
    Mr. Richmond. And just a few more. When you talked about 
information sharing earlier, of course it raises questions of 
privacy concerns. One question that would quickly pop up in my 
mind is in an information sharing arrangement, for the person 
whose information is then leaked or who has his life or 
business turned upside down because of it, how do we address 
liability in that question and who ultimately would bear the 
responsibility?
    Mr. Thornberry. It is, in many ways, kind of a central 
question to making this work, you are exactly right. What we 
recommended in the task force was creating a separate entity 
apart from government where information could be shared so 
that--and I will just take the car industry. For example, Ford 
and GM could bring their information to this place to share. 
They may want to sanitize that information so you don't have 
particular individuals' names and so forth, but they could 
bring the information that we are getting attacked from here, 
we are getting attacked from there, threat information could 
come together.
    At the same place you would have government classified 
information brought in so that you can have this whole fuller 
picture, at least, of the nature of the threat with appropriate 
classified safeguards so that we do not lose important national 
security information, and then ideally, that information could 
be acted upon by Internet service providers, so you accumulate 
this threat information, and AT&T and Verizon can use that 
information to protect big businesses and small businesses 
eventually, hopefully.
    I mean, that is kind of the concept that we talked about, 
but you are absolutely right that privacy has got to be built 
in every step of the way and that if we don't, the American 
people are not going to go for it, and we will not be able to 
advance cyber security.
    Mr. Richmond. And the last question is hopefully a short 
answer, but nowadays with iPads, iPhones, Androids, so between 
the smartphone and the tablet, they are becoming business 
instruments for many people, especially small businesses. What 
is your assessment of what cell phone companies and those 
companies are doing in terms of making sure that there are 
adequate safeguards in place for threats on those smart 
devices?
    Mr. Thornberry. As they multiply, the potential entry 
points for attacks of some sort multiply as well, and I don't 
think there has been nearly enough attention by the software 
companies, the hardware companies or us as individuals into 
safeguarding these little devices that we all carry around with 
us.
    But I will say, from the Armed Services Committee 
standpoint, we are going to start issuing some of these devices 
to soldiers in the field, and so we have got to figure out from 
a government standpoint how we make sure they are secure, and 
hopefully that can start a trend towards greater security for 
all of these devices.
    Mr. Richmond. And I am glad you mentioned that, and this 
will be the last question.
    Chairwoman Ellmers. That is fine.
    Mr. Richmond. What you just said scares me because I think 
of my smartphone and the fact that it has great capabilities 
where parents can use the GPS feature on their children's 
smartphone to see where they are, the first question in my mind 
becomes whether the technology is there, whether the companies 
have the ability to make sure that we are not giving away the 
coordinates and where our soldiers are, but, you know, so do 
you think that--and I know that our military and our leaders 
would address those things, but those types of concerns, we 
just have to make sure that those cell phone providers and 
those are very wary of those, especially as more and more--and 
we talked about troops, but especially as more and more 
children have cell phones, we have to worry about the cyber 
attacks. We also have to worry about our hardened criminals 
using technology to find our children and so forth.
    So that is one thing we have to keep pushing on our 
industries and our companies, to make sure that they understand 
to some extent there is a moral responsibility with making sure 
that the phones are as safe as possible in that respect. So 
thank you for what you do, Mac, and thank you to the Chairwoman 
for allowing me a little extra time. Thank you.
    Chairwoman Ellmers. Well, thank you. Those were excellent 
questions, excellent questions, and excellent responses. This 
is quite an opportunity today.
    At this time, I would like to recognize Mr. Schilling from 
Illinois, if he has any questions.
    Mr. Schilling. Yes, thank you, Chairwoman. I think I agree 
with Mac here, with Congressman Thornberry I should call him, 
is this is something that really needs to be addressed, and, 
you know, as I go into some of the hearings that we have been 
in, some of the briefings, you know, I don't really feel a 
sense of urgency out here in Washington, D.C. when it comes to 
the cyber attacks that we are already dealing with, and then 
the future ones that are coming, and being a small business 
owner myself, you know, of course, one of the things that I 
always fear is when I hear the government is going to get into 
and then they are going to throw something else upon my small 
business that is already struggling, things like that, so I 
think that is something we definitely need to work on.
    One of the things I was curious is, where is, like, 
leadership, for example, on maybe having briefings with the 
Democrats and Republicans here to where we can get the message? 
And I really appreciate, just the idea that you had of going 
out to the Chambers and speaking to the small businesses 
because this is a real threat, and I think down the road, this 
is going to be something that we are going to have to really 
pay a lot of attention to. So several different----
    Mr. Thornberry. I think there is a good chance it will 
happen. As I mentioned, I recommended to the Speaker, I know 
Jim Langevin talked to Mrs. Pelosi's office about jointly doing 
this. Obviously, I think you are right, generally there is not 
the sense of urgency. For people like the Speaker, the 
President, and the Majority Leader in the Senate who have had 
every day or every week get classified briefings, they are 
pretty fired up about this, and see the urgency of doing 
something. So I am hopeful we can do that, and I think it would 
help all Members to get a little fuller picture of what we face 
every day.
    Mr. Schilling. Very good. I do like the message you have, 
also when we do do something, is it something that is going to 
complement somebody that is already working on something, not 
trying to take something that maybe a small business is working 
on. So that is all I had. Thank you.
    Chairwoman Ellmers. Great. Thank you. At this time I would 
like to recognize Mr. Tipton from Colorado.
    Mr. Tipton. Thank you, Chairwoman, and Congressman, thanks 
for your leadership on this obviously very important issue. I 
haven't had an opportunity to obviously be able to go through 
your entire task force report, but in there, it states that 85 
percent of the issues, cyber issues can be cleaned up with 
hygiene, and I was wondering, is there a way to be able to 
really accomplish this without driving up some of the costs 
that small businesses are really going to be bearing? Any 
estimates on that?
    Mr. Thornberry. Well, I think you can do it with incentives 
and encouragement. Maybe you don't get all 85 percent. Maybe 
you get 80 percent. But I think increasingly, small businesses, 
like all businesses, are going to have to understand that if 
their customer records are stolen and misused, they may have 
some responsibility for that, and so I think we are better off 
in structuring things where it is self-interest to put a higher 
priority rather than government mandating how it should be 
done. Among other things, the threats move so quickly, there is 
no way the government can regulate in this area. It just 
evolves so fast. But as in some other areas, physical safety, 
for example, everybody has to have insurance, sometimes you 
have an insurance agent come and inspect your physical plant to 
determine your rates and so forth. That is the sort of 
incentive, I hope, that we can get going.
    Mr. Tipton. Great. And I apologize for being late, and if 
you have already answered this, but I was also curious where 
you had noted that a number of our small businesses are 
developing new technologies that are being hacked and the next 
day they know it is out on to the street, are there any 
estimates in terms of how much that is costing the U.S. 
economy?
    Mr. Thornberry. I don't know of any good estimates. You 
have a wide range of numbers about the value of the information 
being stolen every day, every year from our economy, but we did 
hear specific instances of small businesses who discovered that 
they were hacked and information, where there was a formula, a 
blueprint, something was taken from their computers, and a few 
months later that exact product shows up on our shores with 
``Made in China'' stamped on the back. Now the problem is they 
knew they were hacked. How many are out there that don't know 
that the information was ever stolen from them. So that is part 
of the reason we believe we have got to make this a bigger deal 
for everybody.
    Mr. Tipton. Exactly. Again, thank you for your leadership. 
Madam Chairman, yield back.
    Chairwoman Ellmers. Thank you. Again, I would like to thank 
Congressman Thornberry for his leadership and insight on this 
issue. We will continue to work closely with his office and the 
task force on developing legislation that assists small 
businesses in combating cyber security. Thank you so much. It 
was a pleasure.
    I would like to call the second panel now to the table.
    Wonderful, let's go ahead and get started. I would like to 
take the opportunity right now to just explain to you the 
timing lights. You will each have 5 minutes to deliver your 
testimony. The light will start out as green. When you have 1 
minute remaining, the light will turn yellow. Finally, it will 
turn red at the end of your 5 minutes, and I ask that you try 
to keep to that limit, if possible, although, you know, I am 
usually pretty flexible with that within reason. Within reason.
    Thank you all for being here. Again, this is a great 
opportunity. It was certainly wonderful to hear from 
Congressman Thornberry. He has done so much work on this, and 
now from the business aspect, you know, we get to hear your 
side of it. So, again, thank you so much for being here today.
    I am going to take the opportunity now to introduce our 
first witness, Mr. David Beam. Before I do, though, I do want 
to say that at some point we may be called for votes, and what 
we will do at that time is we will interrupt, we will kind of 
decide what time frame we are looking at, and then we will come 
back and pick up again later, okay?
    So our first witness is Mr. David Beam. He is the senior 
vice president of Corporate Strategies for the North Carolina 
Electric Membership Corporation in Raleigh, North Carolina. 
David has over 30 years of experience in the electric utility 
industry. In his current role, he oversees their energy risk 
management and regulatory compliance, including cyber security. 
David earned his Bachelor of Science in mechanical engineering 
from the University of Kentucky and his MBA from the University 
of North Carolina Chapel Hill. He is testifying on behalf of 
the National Rural Electric Cooperative Association.

STATEMENTS OF DAVID BEAM, SENIOR VICE PRESIDENT, NORTH CAROLINA 
  ELECTRIC MEMBERSHIP CORPORATION, ON BEHALF OF THE NATIONAL 
  RURAL ELECTRIC COOPERATIVE ASSOCIATION; GLENN STREBE, CHIEF 
EXECUTIVE OFFICER, AIR ACADEMY FEDERAL CREDIT UNION, ON BEHALF 
 OF THE NATIONAL ASSOCIATION OF FEDERAL CREDIT UNIONS; PHYLLIS 
 SCHNECK, CHIEF TECHNOLOGY OFFICER PUBLIC SECTOR, MCAFEE, INC, 
 ON BEHALF OF THE SOFTWARE & INFORMATION INDUSTRY ASSOCIATION; 
AND MICHAEL KAISER, EXECUTIVE DIRECTOR, NATIONAL CYBER SECURITY 
                            ALLIANCE

    Chairwoman Ellmers. Welcome, you have 5 minutes to present 
your testimony.

                    STATEMENT OF DAVID BEAM

    Mr. Beam. Chairman Ellmers, and Ranking Member Richmond, 
thank you for inviting me to testify on cyber security impacts 
on small businesses. My name is David Beam, and I am senior 
vice president of Corporate Strategy for North Carolina 
Electric Membership Corporation, or NCEMC. NCEMC is a 
generation and transmission cooperative providing wholesale 
power and other related services to 25 of the 26 electric 
cooperatives incorporated in North Carolina. NCEMC is 
responsible for reliability in cyber security compliance, for 
its own critical assets as well as those belonging to its 
members. These assets include generation and transmission 
facilities and the associated protection equipment and 
procedures. All of our distribution cooperatives that own NCEMC 
are small businesses. I would like to acknowledge the National 
Rural Electric Cooperative Association. NRECA is our national 
trade association representing over 900 cooperatives 
nationwide, providing electricity to 42 million consumers in 47 
States.
    Today I will cover the following: The bulk power system and 
how it is separate from the distribution system, the origin and 
purposes of the North American Electric Reliability 
Corporation, or NERC, how we comply with NERC reliability and 
cyber security standards, and our views on the potential 
impacts of new legislation. I would also like to commend the 
work of Speaker Boehner's Cyber Security Task Force and the 
leadership of Representative Mac Thornberry.
    Generally speaking, NERC's standards apply to the bulk 
power system which includes generation and transmission assets 
operated at voltages of 100 KV or higher. Distribution 
facilities receive power from the bulk power system and 
transmit it to retail consumers. Because outages at the 
distribution level generally do not pose a threat to the bulk 
power system, NERC standards don't typically apply to 
distribution lines and substations. Contrary to popular belief, 
hackers cannot easily access the telecommunications systems 
that overlay parts of the bulk power system. Utilities have 
comprehensive cyber security systems to protect against 
malicious attacks.
    Congress created a mandatory enforceable reliability 
standards regime for the bulk power system in the Energy Policy 
Act of 2005. NERC is an industry-funded, self-regulatory 
organization. Its purpose is to regulate reliability and cyber 
security standards. It also audits compliance and has 
enforcement authority over those standards. NERC and the 
Federal Energy Regulatory Commission or FERC can fine utilities 
that violate these standards and have done so. Additionally, 
FERC can direct NERC to develop new or revised reliability 
standards.
    Congress created a stakeholder-driven process, recognizing 
that utility owners and operators best know how to provide 
reliable electric service and how our complex systems are 
designed and operated. We want to preserve this process.
    NCEMC follows exacting procedures to ensure NERC 
compliance. Our goals are awareness and commitment to 
compliance by all employees, prompt detection, cessation, and 
reporting of violations, and effective remediation measures 
should violations occur. NCEMC has devoted significant 
financial and human resources to ensuring reliability in cyber 
security. We employ a full-time compliance coordinator whose 
sole responsibility is managing compliance with reliability and 
cyber security standards. In addition, NCEMC employs a 
compliance team of subject matter experts who are responsible 
for compliance with their assigned cyber security and 
reliability standards. NCEMC also uses outside contractors to 
audit and provide recommendations for improving our compliance 
program. Additionally, at least one employee for each 
distribution cooperative is responsible for compliance with 
reliability and cyber security standards.
    We employ strong defensive measures to protect our network 
and business systems. We have strict security guidelines for 
securing the network and systems, including policies that 
govern the access and use of its network and systems. NCEMC and 
NRECA believe NERC processes work very well. The process could 
be strengthened by narrowly targeted legislation that lets the 
Federal Government react quickly to severe, imminent cyber 
threats and increases timely actionable information flowing to 
utilities. Any new legislation should cover only assets and 
systems which are realistic targets of cyber threat and which 
could truly impact the bulk power system. Casting too wide a 
net could bring entities, like distribution co-ops and other 
small businesses, under potentially very burdensome regulatory 
requirements with little or no benefit to grid security.
    Thank you for the opportunity to testify today. I look 
forward to answering your questions.
    Chairwoman Ellmers. Thank you, Mr. Beam.
    Chairwoman Ellmers. I now yield to Congressman Tipton for 
the introduction of our next witness.
    Mr. Tipton. Thank you, Chairwoman. It is my pleasure today 
to be able to introduce Mr. Glenn Strebe. He is the chief 
executive officer of the Air Academy Federal Credit Union in 
Colorado Springs. He oversees full operations of nine credit 
unions, including oversight of their compliance and security 
issues. Glenn received his Bachelor of Science from the U.S. 
Air Force Academy, my son-in-law is also a graduate of the 
Academy, and an MBA from the Colorado State University. He is 
testifying on behalf of the National Association of Federal 
Credit Unions, and Glenn, welcome, and we look forward to your 
testimony.

                   STATEMENT OF GLENN STREBE

    Mr. Strebe. Thank you. Good afternoon. Chairwoman Ellmers, 
Ranking Member Richmond, and members of the subcommittee, my 
name is Glenn Strebe, and I am testifying today on behalf of 
the National Association of Federal Credit Unions, or NAFCU. 
Thank you for holding this important hearing. I appreciate the 
opportunity to share my views on cyber security and data 
security at our Nation's credit unions. NAFCU supports efforts 
to enact comprehensive data and cyber security measures to 
protect consumer data. Credit unions and other financial 
institutions already protect data consistent with the 
provisions of the 1999 Gramm-Leach-Bliley Act. Unfortunately, 
there is no comprehensive regulatory structure similar to what 
was put in place for financial institutions under Gramm-Leach-
Bliley for other entities that may handle sensitive personal 
and financial information. Consistent with Gramm-Leach-Bliley, 
the National Credit Union Administration established 
administrative, technical, and physical safeguards for credit 
unions to ensure the security, confidentiality, integrity, and 
proper disposal of consumer information and other records. 
Every credit union must develop and maintain an information 
security program to protect data. Additionally, the rules 
require third-party service providers that have access to 
credit union data take appropriate steps to protect the 
security and confidentiality of this information. Gramm-Leach-
Bliley and its implementing regulations have successfully 
limited data breaches among financial institutions. I have 
outlined the specifics of the Act in my written testimony.
    At Air Academy Federal Credit Union, we are relentless in 
our efforts to protect sensitive data. The increased reliance 
on Internet-based services has created new challenges and 
expenses over the past decade. With over a quarter of our 
members living out of State, a large number of our transactions 
are performed online. In order to address this growing trend, 
Air Academy has implemented and continues to execute security 
measures on many different levels, the details and costs of 
which are outlined in my written testimony. At Air Academy, we 
take cyber security seriously. We use an ethical hacker that 
tests our security measures, looking for hidden 
vulnerabilities. Our laptops and thumb drives are encrypted in 
case they fall into the wrong hands. We change penetration 
testing vendors as well as our service providers every 2 or 3 
years to avoid complacency and to keep a fresh set of eyes on 
our security system. While all of these steps are costly, they 
are best practices. Despite Air Academy's efforts, the 
inadequate security systems of other entities still leaves our 
members' data vulnerable to hackers and thieves.
    Everyone has heard about large national data breaches that 
impact millions of payment cards, but many breaches are small 
and on the local level. For example, in 2009, a local liquor 
store failed to protect card data because they claimed no 
liability. We suffered over $60,000 in losses. Data breaches 
are a serious problem for consumers and businesses.
    Financial institutions such as credit unions bear a 
significant burden as they incur steep losses in order to 
reestablish member confidence after a data breach occurs. NAFCU 
has developed a list of items we would like to see addressed in 
any data security bill. They are outlined in detail in my 
testimony and include: Payment of breach costs by breached 
entities; national standards for safekeeping of information; 
disclosing of data security policy at point of sale; requiring 
disclosure of the breached entity; enforcement of prohibitions 
on data retention; and timely notification of account servicer 
when a breach occurs.
    In conclusion, NAFCU supports new measures to protect 
consumers' financial data. Creating a comprehensive regulatory 
scheme for those entities that currently have none is critical. 
A safe harbor for financial institutions already in compliance 
with Gramm-Leach-Bliley should be included in any data security 
bill. Further, if more regulations are needed to address new 
concerns, it should be the functional regulators that are 
charged with promulgating new rules. Finally, any other party 
that holds sensitive information should be held liable when 
responsible for a data breach.
    Thank you again for the invitation to testify before you 
today. I would welcome any questions you may have.
    Chairwoman Ellmers. Thank you, Mr. Strebe.
    Chairwoman Ellmers. I now yield to Ranking Member Richmond 
for the introduction of our next witness.
    Mr. Richmond. Thank you, Madam Chairwoman. It is my 
pleasure and honor to introduce to everyone Dr. Phyllis 
Schneck, who is the chief technology officer for the public 
sector at McAfee, a leading provider of cyber security 
software. Ms. Schneck received her Ph.D. in computer science 
from Georgia Institute of Technology where she pioneered the 
field of information security and security-based high 
performance computing. In addition to her role at McAfee, she 
currently serves as the chairman of the board of directors of 
the National Cyber Forensics and Training Alliance. Ms. Schneck 
was named one of the top 25 women leaders in information 
security, and she also holds three patents in high performance 
and adaptive information security. Welcome, Ms. Schneck. I am 
sorry, Dr. Schneck.

                STATEMENT OF PHYLLIS A. SCHNECK

    Ms. Schneck. Thank you. Good afternoon, Chairwoman Ellmers, 
Ranking Member Richmond, and members of the subcommittee. I am 
Phyllis Schneck, vice president and chief technology officer 
for the global public sector for McAfee, testifying today on 
behalf of the Software & Information Industry Association. SIIA 
is the primary trade association of the software and digital 
information industry, with more than 500 members that develop 
software and electronic content for consumers, business, 
education, and the Internet. McAfee, Inc., protects businesses, 
consumers, and the public sector from cyber attacks, viruses, 
and a wide range of cyber security threats. We are the world's 
largest dedicated cyber security technology company and a 
proven force in combating the world's toughest security 
challenges. McAfee is a wholly owned subsidiary of the Intel 
Corporation.
    We appreciate the subcommittee's interest in cyber security 
as it affects small business, which plays such a large part in 
our Nation's economy. While small business falls prey to the 
same security risks as large business, most small firms cannot 
afford a dedicated security staff nor do they have a million 
dollar budget to purchase enterprise security solutions. 
Nevertheless, small companies must meet the same security and 
compliance requirements as Fortune 500 firms, just to remain in 
business.
    The importance of small business to the national economy 
cannot be overstated. According to the Small Business 
Administration, small firms represent 99.7 percent of all 
employer firms. They have generated 65 percent of new jobs over 
the past 17 years, and as Ranking Member Richmond mentioned 
earlier, they produce an order of magnitude more patents per 
employee than even the large patenting firms.
    Today's cyber threats are more sophisticated and targeted 
than ever. They are growing at an unprecedented rate. McAfee 
Labs finds, for example, that both malicious URLs and malware, 
they have grown almost sixfold in the past 2 years, and in 2010 
we saw more malware than in all of the years previously.
    One of the most insidious cyber attacks is a low level 
incursion, it sinks below the radar, quietly exploring and 
stealing the contents of the network. Security professionals 
call this an advanced persistent threat or an APT, and McAfee 
has uncovered several over the past year, the most recent, 
Shady RAT, has been stealing valuable intellectual property 
from more than 70 organizations across 14 countries, including 
small firms in addition to government contractors, nonprofits, 
and government agencies. And this is not an isolated incident. 
A 2010 survey found that 60 percent of organizations report a 
chronic and recurring loss of sensitive information.
    More than a million small businesses and retailers were 
victims of some type of information theft in 2010, with 56 
percent of small and midsized businesses experiencing this type 
of banking related fraud in 2010 and 75 percent of it coming 
from online sources. Among small businesses falling prey to 
bank fraud, 61 percent were victimized more than once.
    We are only as secure as our weakest link. To further help 
small business, we recommend three guiding principles to make 
the cost of security most effective. Practice risk management 
first. Next, minimize the amount of sensitive information 
retained in the network; and, third, invest in the appropriate 
level of security.
    Finally, we have some policy recommendations. A heavily 
regulated approach would not necessarily make organizations 
more secure. It makes them more compliant. And it would stifle 
innovation. On the other hand, positive incentives and 
subsidies have a high probability of success in two ways: 
First, a higher chance of better actual outcome; and secondly, 
a higher probability of good legislative success. There are a 
variety of proposed approaches found on incentives, including 
the recommendations that we heard earlier from Representative 
Thornberry of the House Republican Cyber Security Task Force 
and some promising approaches on the Democratic side.
    We support the following approaches:
    Litigation and legal reform. Imposing limitations on 
liability for damages as well as for noneconomic loss would 
remove a serious obstacle to information security investment, 
such as the risk of being held responsible for losses 
notwithstanding a company's good faith investment in good cyber 
security.
    Public-private partnership on information sharing. 
Departments of Defense and Homeland Security manage many 
public-private partnerships, McAfee plays a key role in 
several. These partnerships ensure that senior corporate and 
government officials share vital information and best 
practices, and they are especially important for small 
businesses.
    Competition, scholarships, research and development help 
identify and recruit talented individuals that foster 
innovation in advanced basic and applied solutions and bring 
those individuals to the cyber security workforce.
    Tax incentives. Accelerated depreciation or refundable tax 
credits should be considered to encourage critical 
infrastructure industries to make additional investments in 
cyber security technologies, solutions, and human capital. The 
same approach could be effectively applied to small business.
    Insurance reforms. Because of the lack of actuarial data, 
government should consider implementing reinsurance programs to 
help underwrite the development of cyber security insurance 
programs, which could be phased out as insurance markets gain 
the cyber security coverage.
    In conclusion, let me emphasize that collaboration and 
cooperation between the public and private sector are key to 
addressing cyber security in a holistic way. Thank you for your 
interest, and I will be pleased to answer any questions.
    Chairwoman Ellmers. Thank you, Dr. Schneck.
    Chairwoman Ellmers. I have the opportunity now to introduce 
our last witness for today, Mr. Michael Kaiser. He is the 
executive director of the National Cyber Security Alliance, 
NCSA, in Washington, D.C. The NCSA is a nonprofit organization 
focused on educating and promoting awareness of safe cyber 
security practices to individuals, education institutions, and 
small businesses. They recently conducted a study analyzing 
small business cyber security practices. Welcome, Mr. Kaiser. 
You have 5 minutes for your testimony.

                  STATEMENT OF MICHAEL KAISER

    Mr. Kaiser. Thank you, Chairwoman Ellmers and Ranking 
Member Richmond, and members of the subcommittee. Thank you for 
the opportunity to testify today on this very important current 
state of cyber security in small business. My name is Michael 
Kaiser, and I am the executive director of the National Cyber 
Security Alliance. NCSA is a nonprofit organization, a public-
private partnership working with industry leaders, government, 
and nonprofits on education awareness issues in cyber security. 
NCSA's board of directors is comprised of representatives from 
18 companies, ADP, AT&T, Bank of America, Cisco, EMC, ESET, 
Facebook, General Dynamics Advanced Information Systems, 
Google, Intel, Lockheed Martin, McAfee, Microsoft, PayPal, 
SAIC, Symantec, Verizon and Visa.
    NCSA leads cyber security education and awareness in this 
country. We lead critical efforts, such as the STOP. THINK. 
CONNECT. campaign, which we developed with the Anti-phishing 
Working Group and industry and government and which the 
Department of Homeland Security leads in the Federal 
Government. We have developed National Cyber Security Awareness 
Month, we are working on Data Privacy Day, and we operate 
StaySafeOnline.org, our Web site. NCSA recently signed an MOU 
with the Department of Education and NIST to lead the National 
Cyber Security Education Council, a public-private partnership 
to address formal cyber security education from basic education 
all the way through to degrees and workforce training programs. 
We have a long track record in conducting surveys about the 
practices of individual small businesses and the state of cyber 
security in U.S. schools.
    In October, we released the results of a study conducted in 
conjunction with Symantec about the cyber security practices of 
small businesses. We found that businesses still don't have 
good practices and policies in place, allow risky behavior, and 
in general, fail to take a strategic approach to cyber 
security, leading unfortunately to a false sense of security. 
We found actually that businesses are becoming more reliant on 
the Internet. Two-thirds say that their business is dependent 
on the Internet for day-to-day operations and also two-thirds 
say they have become more dependent on the Internet in the last 
12 months. A majority, 57 percent, say that the loss of the 
Internet access for 48 straight hours during a regular business 
week would be disruptive to their business.
    We learned that businesses actually have critical 
information on hand. Sixty-nine percent report handling 
customer data, half deal in financial records and reports, one-
quarter have their own intellectual property, which we have 
been discussing a lot today, and actually one-fifth have the 
intellectual property of other people in their business, which 
I think is something we have to be concerned about as well.
    We discovered that small businesses aren't creating an 
environment that promotes cyber security. Seventy-seven percent 
do not have formal Internet security policies for employees, 
and nearly half of those don't even have informal cyber 
security policies for their employees. Sixty-three percent 
don't have policies that relate to the use of social networks 
in the workplace, and two-thirds allow the use of USB devices 
in the workplace. These are general risk factors that we are 
aware of.
    Unfortunately, these data show that the entire small 
business ecosystem is at risk, and we look at it that way a 
lot. We need to reach every small business with information 
that will help them protect their digital assets. Cyber 
criminals, as has been mentioned here, are well aware of these 
vulnerabilities, and small businesses have become a primary 
target for them. 40 percent of all targeted attacks are 
directed to businesses with less than 500 employees, and 
roughly 60 percent close within 6 months of a cyber attack. It 
is tough enough for small businesses to make and thrive, we 
shouldn't also be losing them to cyber criminals. There is no 
single government agency, nonprofit group that can take on--
company, government agency or nonprofit group that can take on 
this vast issue alone or reach every small business. Working 
together with a broad array of stakeholders, leveraging 
resources, sharing the responsibility is our best hope for 
success.
    Based on this thought of a collaborative approach, here are 
some ideas that we have about what we could do. Create a 
harmonized message in a campaign, like STOP. THINK. CONNECT. 
that can be deployed by key stakeholders. That would go a long 
way to clarifying for business owners what they need to do, and 
it would come from trusted sources.
    Align forces within the Federal Government to support small 
businesses. Many Federal agencies have an interest in helping 
small businesses grow and protect their digital assets. At 
minimum, the Small Business Administration, the Department of 
Commerce, the FTC, the FCC, the Department of Homeland Security 
should participate, but others such as the Department of 
Defense and the IRS that work and touch small businesses should 
be involved as well.
    Engage local communities in the effort. Small business 
owners are likely to listen to their local peers. A few 
forward-thinking communities, such as Washtenaw County, 
Michigan, San Diego, California, San Antonio, Texas, and 
Colorado Springs have started efforts to make their communities 
more cyber secure, and they have all prioritized small business 
as a key target in their communities to make that happen.
    Support education reform that leads to a more cyber capable 
workforce. We need a workforce in the 21st century that 
understands how to use technology safely, securely, ethically, 
and productively when they graduate high school or college.
    And encourage your colleagues, I think as Representative 
Thornberry has done, to make information available to small 
businesses in your district. Go out, talk with them, have a 
town hall on cyber security, and get the conversation going.
    Thank you for your time and attention to this issue, and I 
look forward to your questions.
    Chairwoman Ellmers. Thank you, Mr. Kaiser. We are going to 
go ahead and get started with some questions, and just so you 
know, we will be called for votes about 2:15, so what I am 
going to do is I am going to yield now to Mr. Tipton from 
Colorado for his questions.
    Mr. Tipton. Thank you, Madam Chair. Glenn, I would like to 
thank you for joining us. Once again, it is good to have a 
Coloradoan here and to be able to see you. I was disturbed a 
little bit, the stories that you had in your written testimony 
about the costs to your businesses in terms of the data breach 
from the other company, I believe it was a liquor company; is 
that right?
    Mr. Strebe. Yes, it was.
    Mr. Tipton. The mistake ended up costing you thousands of 
dollars for nothing you had no control over, and you also 
mentioned that you were only able to recover 35 percent of your 
incurred expenses. What additional steps would you recommend 
that Congress and this committee take to curb this phenomenon 
and without imposing burdensome regulations on small 
businesses?
    Mr. Strebe. As I mentioned in my verbal comments as well as 
in the written testimony, one of the things that does not occur 
out in the business world is the fact that there is no 
liability, there is no accountability. In the case of that 
liquor store, the police were involved in that case, and they 
themselves were confronting the liquor store, asking them, you 
know, What are you doing? They said, Well, we don't have any 
liability, so we are really not going to worry about it, and as 
a result of that it cost us over $60,000. What would I do? I 
would look for the opportunity to hold accountable, as I have 
written in testimony, hold accountable those businesses that 
have such a cavalier attitude.
    Mr. Tipton. I appreciate that. And Dr. Schneck, I believe 
in your comments you said that we have got to be very cautious 
that we just aren't in a manner of compliance as opposed to 
having the security. Would you like to expand on that a little 
bit because I think as small business people we often see, we 
spend a lot of time making sure we are complying as opposed to 
getting the job done.
    Ms. Schneck. Thank you. The problem with regulation is that 
it draws a box, it draws a box where they have to take the 
money and invest, and it does two things: Number one, it 
stifles innovation because if companies are only having to fill 
that box and invest in those X places, it doesn't leave a lot 
of room for advancing creativity, saying well, how else can we 
solve this problem that might be better because the regulation 
is this is what we have to buy, it is in this box.
    The second thing it does that can really hurt small 
businesses, it shows the adversary, the cyber adversary, 
everything that is outside of the box, and small business is 
already a target, as has been mentioned, not only a target to 
bounce into a larger enterprise, but small businesses, in many 
cases, are developing the intellectual property that could make 
the next jet engine and working on national security and 
holding private information, all kinds of ways.
    So they are holding the same intellectual property and 
harboring the same risk as a big company that can afford a 
dedicated team and the best security, but they can't afford, 
they don't have the extra money to do that to secure their 
piece, and at the same time what regulation would do is show 
the outline of the box and show the bad guy exactly where he 
can go straight into those small businesses that can't afford 
to protect it, so what we really need to do is incentivize, and 
as was mentioned by Representative Thornberry and some other 
colleagues, some good incentives for businesses to be able to 
target that investment upfront, make cyber security part of the 
corporate risk and go ahead, as I mentioned, and minimize the 
amount of information that is stored on their network. 
Compliance and regulation are not going to protect us.
    Mr. Tipton. So be very cautious about trying to have a one-
size-fits-all regulatory policy?
    Ms. Schneck. Exactly. Or anything that doesn't allow 
innovation.
    Mr. Tipton. Thank you so much. I yield back, Madam Chair.
    Chairwoman Ellmers. Thank you. I am going to go ahead and 
ask my questions now. This question I would like to ask the 
entire panel for your opinion. There is a variety of Federal 
agencies and organizations involved in combating cyber 
security, as you know. Do you think small businesses know where 
to go to get the best information and assistance and, if not, 
what recommendations do you have to help us get that 
information out? Starting with Mr. Kaiser.
    Mr. Kaiser. Yeah, you know, we take an approach to all this, a 
similar approach across all education and awareness in cyber 
security on this issue, which is that we should not try to 
spend a lot of time trying to get, in this case, small 
businesses to trust other entities for new information. We 
should be going to the entities that they already trust and 
getting them to disseminate a very similar comprehensive 
harmonized message, so whether it is in their vertical of their 
industry or to a government agency that they already trust or 
back to a software provider on an ISP, if we can coordinate and 
harmonize that messaging, then they will just go to who they 
trust, and no matter where they go they will get the right 
message. I think that is really the work that we have to do at 
this level to support them at the lower levels.
    Ms. Schneck. I would definitely agree and echo those 
remarks. I would add that the cyber adversary is fast, shares 
information very well, already has trust, is often very well 
funded. So they can act without any legal boundaries, IP 
boundaries, and that is why they are winning. The very best 
thing that we can do as the good guys is match that and then go 
one step better. Since small business makes up 99.7 percent, I 
calculate that as part of the fabric, they are a large part of 
the cyber information and situational awareness that we will 
see, breaches, how they happen, what they are seeing. First and 
foremost, we would ask them to know who to call, whether it is 
a partnership of law enforcement or others that you trust, know 
who that is ahead of time so that you can all get together when 
you see something, and even build those relationships to 
determine steady state so you can understand an anomaly even 
when things are good.
    The second thing is work with those public-private 
partnerships, they are so important because not only do small 
businesses get access to people and resources that do have 
million dollar budgets to do things and see more things 
globally, but you also put information from that 99.7 percent 
of the fabric back into the pot that protects the entire 
fabric.
    We, again, only are as good as our weakest link. Our small 
businesses are so strong in the innovation, we can't let them 
be weak in the security just because of money, and we have to 
incentivize that spend and incentivize putting some of their 
resources into those partnerships.
    Mr. Strebe. I believe that the most basic level, working 
with some of your business customers or business owners to 
educate them on where they can find that information is very, 
very crucial. I can't really speak for everybody else out 
there. I can speak on behalf of our credit union. We have about 
a thousand business accounts, and we quite often, and we have a 
very professional IT staff, as the Doctor suggested, that if we 
have a member of ours or a small business of ours that asks us 
how do I do this or how do I do that, while we are not in the 
profession of trying to give them IT security advice, we 
recognize the fact that without them we have no meaning, and as 
a small credit union or not a small credit union, we are a 
medium-sized or a large credit union, as a credit union, we 
truly believe in trying to help our membership to the greatest 
extent possible, so I completely agree with the Doctor that if 
we can provide some framework information, some construct of 
where they can get the information, how they can get the 
information and from whom, that will be very, very valuable for 
us going forward.
    As a credit union, we will always help our membership, as I 
believe--while I can't speak for every credit union, I am 
pretty confident that I can speak for a lot of them that they 
would say any member of ours that wants a little bit of help in 
trying to understand some of the threats out there, we would 
definitely, definitely help them because we just feel that as a 
member-based organization, we need to do that.
    Mr. Beam. I would say the electric industry is a little 
different than some of the other small business groups in that 
we are currently regulated by the Federal Energy Regulatory 
Commission for reliability in cyber security, and so we have a 
clear place to go for clarification on cyber security issues. 
One thing I would like to emphasize as we consider new cyber 
security legislation is making sure you have that clear line of 
demarcation of one agency regulating one group and not having 
overlap. I think that will just cause confusion and really 
muddy the waters. But I would like to echo what some of the 
other panelists have said about the importance of the public-
private partnership and the information sharing. I think that 
is really the key to improving our cyber security rather than 
through regulations.
    Chairwoman Ellmers. Excellent. Thank you so much. I am now 
going to recognize Ranking Member Richmond for his questions.
    Mr. Richmond. And I think I will just start with Dr. 
Schneck on this. The question becomes, and we heard the 
Congressman talk about just general computer hygiene. If that 
accounts for about four out of five of the security breaches 
that we have, then do you think that it is worthwhile for us--
or whether it has merit or it is too cost prohibitive for us--
to require almost like we do with some public service 
announcements to remind people of these very simple things that 
they can do to keep their information secure. If we can cut out 
80 to 85 percent just by doing that, should we require, or do 
you have some ways that would incentivize people to provide 
that information when you go to Yahoo! or whatever you do 
online, to provide some of that simple hygiene information and 
to reinforce how important that is?
    Ms. Schneck. I absolutely agree that that basic hygiene 
will take care of a large percent of the issues. The analogy I 
would use is many years ago, Howard Schmidt used the analogy to 
seatbelts in cars and the process that it took to get people to 
use seatbelts. The other analogy that has been used is the 
forest fires. A lot of this goes back to education awareness 
that our colleagues at the NCSA do a great job of and others 
and certainly the credit unions that we have heard, but I want 
to also point out that that 20 percent is evil, that 20 percent 
that we can't catch with the hygiene that Representative 
Thornberry also mentioned. That is the part where very quiet 
attackers that don't want you to know that they are there, they 
are not looking for your bank information, they are looking to 
find exactly the people that sit on top of core intellectual 
property, whether it is recipes, oil field diagrams or diagrams 
for other parts, military, they will sit there until they find 
it, and they will send it home, and that is moving jobs, money, 
and markets across countries and companies, and that is the 
piece that we want to also incentivize companies and small 
companies, especially because they don't have extra money to 
invest in protecting that and to consider it part of the 
corporate risk, so I think it is twofold.
    One is it certainly is an awareness campaign, and NCSA has 
the Cyber Security Awareness Month with the government and does 
a lot of different things. I think we are a lot more--I sit on 
the ISPAB as well, and we were briefed on some of these 
efforts, and I think as a community we are a lot more aware now 
than we were before of cyber as an issue. I think this hearing 
is one example of that. But the other side is these very quiet 
attacks. We do need to incentivize our small businesses to 
protect what they have. What they have is key to our national 
security, and that can't be overstated.
    Mr. Richmond. Well, and part of my thinking was that if we 
can eliminate 60 to 80 percent strictly by information and 
being very creative, it would allow us and free up more money, 
more time, more energy to focus on those people who are going 
to try to do it no matter what all the time and are very 
sophisticated and evil with it. Anyone can answer this 
question, but how has cloud computing, I guess no pun intended, 
clouded our ability to protect ourselves? And I guess I just 
started to look at some of my new data in the office, and they 
talk about cloud computing, it just scares me to just have 
information floating out there. So how safe is it, and how has 
it complicated your jobs and our ability to keep the country 
safe?
    Ms. Schneck. I guess I will start. So the important thing 
is to protect data in motion, data at rest, and data in use. 
What cloud does is it outsources data processing, so it says 
that you are, to your point, you are sending your information 
somewhere else to be processed, and then it comes back so that 
you can view it, and the danger that people immediately sense 
is while it is not on my network and in transit and while the 
third party is holding it, is it protected? And these are the 
questions that have to get answered.
    The very, very beneficial side of cloud computing is that 
it is very efficient. You can package your computing processing 
power, you can have somebody else pay the bills for chilling 
the computing and doing the efficiencies, you can do high 
performance calculation, and the data comes back and it is a 
fraction of a price if you had a CPU on every machine, and that 
scales beautifully. So for small business, you can outsource a 
lot of your computing needs, and it ends up saving them a lot 
of money.
    The other side is they have to make sure when those data 
are in transit they are working with a third-party provider 
that is taking care of encrypting or protecting the identity or 
the data when it is in storage, when it is being processed, and 
certainly on its way back. A big advantage is that if you are 
using a good provider, whatever service it is, the high-end 
providers do have the million dollar budgets to secure things 
right, whereas the small businesses may not. So there are a lot 
of efficiencies and a lot of security built into cloud, even 
though it requires that we send our data offsite.
    Mr. Richmond. And this question would be for Mr. Kaiser. 
How important is it for us to deal with breach notification 
laws as opposed to the many different laws in the various 
States, and does it make sense and would it help the small 
business or businesses period for us to come up with a national 
standard for breach notification as opposed to having different 
laws in I think 48 States now that have them and small 
businesses that do business across State line having to, I 
would assume, to comply with all of them.
    Mr. Kaiser. Yeah, I think that at the end of the day, I 
think wherever we can have clarity for both businesses and 
consumers, that is a good thing, right, so people know what to 
expect when something happens and know what will happen if 
something happens, and how that gets accomplished I think could 
be done probably in a number of different ways, but I do think 
that clarity, you know, where, you know, because the data 
really lives everywhere because not only of cloud, but just the 
way the Internet works, you know, as a consumer, I am doing 
business with people all over the country when I am using the 
Internet, and small businesses are doing business all over the 
country. I think where we can have clarity about what will 
happen when a breach occurs and from both sides, both as a 
person whose information was lost and also as the person or 
business that lost the information, I think that is just 
helpful in general on a lot of these cyber issues, not only 
that, but also on education awareness, clarity about the 
message, those things help. It is kind of a confusing world out 
there, and there is a lot of different messages, so anything 
that helps that I think is good.
    Mr. Richmond. And my last question would be for Mr. Strebe, 
and that question would simply be, you mentioned the analogy--
the example of the liquor store that was very careless which 
exposed the credit union, I would assume, to I think you said 
$60,000 worth of repayments. Do you think legislation--is 
needed to clear up responsible parties or to figure out and 
help find who is responsible for data breaches and who shall 
reimburse the consumer at the end of the day or the person who 
sustains the loss?
    Mr. Strebe. I think with legislation you can create a 
framework that any small business can follow. When you look at 
things, we have talked about hygiene today. If they are not 
following simple hygiene and they are not doing a basic 
standard of care, I think responsibility can be held or 
liability can be pushed back on to a small business. If they 
take care of that or if they create or through legislation 
create a framework and create, you know, here is the exact 
things that you are going to do, and they follow that and they 
are not negligent, I think you could essentially hold them 
harmless for, you know, again, a due standard of care.
    Anytime somebody just completely thinks that data security 
and cyber security is off the radar screen for them and they 
think that they can push all of the responsibility back to us 
as a financial institution, I think that creates substantial 
challenges for us as a financial institution. In addition, I 
think it is really valuable from a reputation risk standpoint 
to understand that anytime there is some sort of compromise and 
we notify our members that what has happened, they 
automatically think it was us as a financial institution that 
was penetrated, and when that happens, we have to, we spend a 
lot of money trying to overcome that and trying to tell them 
that, well, it wasn't us, we can't disclose that to you, we 
can't make public who it actually was, and as a result of that, 
those costs are borne by us.
    So as I look forward, I do believe a construct or framework 
can create a basic standard of care that they are going to have 
to follow and things that they need to do, and if they are 
negligent in that, then they can be held responsible. You know, 
can you try to address every single item? I don't believe you 
can because, as was mentioned before, every time you try to 
solve one thing there are two more things that come on the 
horizon, and then you are just continuing to chase your tail. I 
just look at it and say there is some basic necessities in 
commerce today that have evolved over the past 10 years that a 
businessman really, really needs to grab hold of and make sure 
they are accomplishing.
    Mr. Richmond. Thank you, and I will yield back.
    Chairwoman Ellmers. I have one more question, and I am 
going to quickly, and it is all for the entire panel. Of 
course, we are hearing about the statistics of the frequency of 
the cyber attacks. In general, if you could give us an idea in 
your sector of business what that frequency is, how often, and 
how often do you receive information from the Federal or State 
government warning you of any particular upcoming threats that 
might be occurring? Starting with Mr. Kaiser.
    Mr. Kaiser. Yeah, we don't really deal in that kind of 
information between the industry and government, but I will 
say, just as a regular person who looks at the news every day, 
those threats, those attacks are happening all the time, and so 
we really need to be able to respond to them.
    Ms. Schneck. We see 66,000 new variants of malware every 
day in McAfee Labs, and that is only going up. And then if you 
take that and you look at the story across the sectors, those 
malware examples and variants are being used to do things such 
as steal the oil field exploration diagrams across the energy 
sector, and these are things that we have published.
    I think you ask a very important question, how much do we 
get from the government? Not much right now. And that could be 
because of framework, it could be because of the structure. We 
are active in, I would say, most of the major public-private 
partnerships, but the idea is that we actually share a lot more 
out with government. When we find things, we give as much to 
government, law enforcement, and all the way to State and local 
as we can, and looking at how we can do that more quickly, take 
the most actionable egregious information and get it to law 
enforcement faster is a challenge across, I believe, the entire 
business community, and the way this affects small business is 
that needs to get to them, and we are legally tied when it 
comes to sharing with the private sector. It is a little bit 
easier in some cases with government, but we need to get it 
back to those small businesses, and that is why from personal 
experience, I advocate that small businesses get with those 
partnerships.
    Mr. Strebe. In our case I cannot give you specific numbers. 
What I can tell you is, as a financial institution, we do this 
24/7/365 times, however many years are in the future. We always 
have to do this. We are getting, I don't want to say hit, 
because that sounds like somebody actually penetrates us. We 
always see--we have a fortress or a cyber fortress that is 
built around our financial institution, and we always see 
people coming from all around the world trying to find 
vulnerabilities in our system and IP addresses that are open 
and they can try to penetrate our system. 24/7/365 times the 
future, that is exactly how many times we see it. It is always 
happening.
    Mr. Beam. As far as notifications from the government, NERC 
has an advisory system where they send out alerts. We have 
received 40 of those since 2008. Of those, the majority were 
advisories that were just advising us of a potential issue. 
Only a handful were things that required us to take action, but 
we did take action on those, and none of those was an imminent 
threat. They were a potential threat that you needed to take 
action to prevent.
    On the business side, we have our system divided into two 
completely separate networks. One controls the electric system, 
and one is the business system. The electric system is 
completely separate from the Internet. There is no connection. 
And so we have had no outside traffic ever able to get on to 
that system and cause any kind of malicious attack.
    On the other side, in 2011 alone, we got 74 million emails 
hit the firewall. Of those, only 16 million got through, and 
those in our internal review processes only allowed 4 million 
through to the actual end users as legitimate emails. So as 
everybody else has said, we are constantly getting things that 
are malicious in one way or another, be it spam or whatever, 
but they are not necessarily attacks from a foreign government 
of that type. As far as anything that was actually directed to 
the electric system in a malicious way, we have never had an 
attack that we are aware of.
    Chairwoman Ellmers. Mr. Strebe, have you in your industry, 
in the financial credit union world, does the Federal or State 
level of government, do you get notifications that there are 
imminent threats?
    Mr. Strebe. If I waited until I got the information from 
them, it would be way too late.
    Chairwoman Ellmers. So you are on top of it ahead of time?
    Mr. Strebe. We quite often end up sharing what is happening 
in our institution with other folks that are out there, yeah. 
We can't wait. We know before everybody else does because it is 
real time for us.
    Chairwoman Ellmers. Thank you, thank you. I just wanted to 
make sure I clarified that.
    And again, thank you to all of our participants, you know, 
panel 1 and panel 2. This subcommittee will continue to closely 
follow this issue. I want you to be aware of that and know that 
we are going to be working on this very issue. It is clear that 
there is no one-size-fits-all policy for cyber security. I look 
forward to working with my colleagues to make sure small 
businesses have the resources available to combat cyber attacks 
while not adding to any duplicative regulatory burdens.
    I ask unanimous consent that Members have 5 legislative 
days to submit statements and supporting materials for the 
record. Without objection, so ordered. This hearing is now 
adjourned.
    [Whereupon, at 2:26 p.m., the subcommittee was adjourned.]