[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]





                    CYBER THREATS TO CAPITAL MARKETS
                         AND CORPORATE ACCOUNTS

=======================================================================

                                HEARING

                               BEFORE THE

                  SUBCOMMITTEE ON CAPITAL MARKETS AND

                    GOVERNMENT SPONSORED ENTERPRISES

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             SECOND SESSION

                               __________

                              JUNE 1, 2012

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 112-131





[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]








                  U.S. GOVERNMENT PRINTING OFFICE

76-102 PDF                WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001









                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                   SPENCER BACHUS, Alabama, Chairman

JEB HENSARLING, Texas, Vice          BARNEY FRANK, Massachusetts, 
    Chairman                             Ranking Member
PETER T. KING, New York              MAXINE WATERS, California
EDWARD R. ROYCE, California          CAROLYN B. MALONEY, New York
FRANK D. LUCAS, Oklahoma             LUIS V. GUTIERREZ, Illinois
RON PAUL, Texas                      NYDIA M. VELAZQUEZ, New York
DONALD A. MANZULLO, Illinois         MELVIN L. WATT, North Carolina
WALTER B. JONES, North Carolina      GARY L. ACKERMAN, New York
JUDY BIGGERT, Illinois               BRAD SHERMAN, California
GARY G. MILLER, California           GREGORY W. MEEKS, New York
SHELLEY MOORE CAPITO, West Virginia  MICHAEL E. CAPUANO, Massachusetts
SCOTT GARRETT, New Jersey            RUBEN HINOJOSA, Texas
RANDY NEUGEBAUER, Texas              WM. LACY CLAY, Missouri
PATRICK T. McHENRY, North Carolina   CAROLYN McCARTHY, New York
JOHN CAMPBELL, California            JOE BACA, California
MICHELE BACHMANN, Minnesota          STEPHEN F. LYNCH, Massachusetts
THADDEUS G. McCOTTER, Michigan       BRAD MILLER, North Carolina
KEVIN McCARTHY, California           DAVID SCOTT, Georgia
STEVAN PEARCE, New Mexico            AL GREEN, Texas
BILL POSEY, Florida                  EMANUEL CLEAVER, Missouri
MICHAEL G. FITZPATRICK,              GWEN MOORE, Wisconsin
    Pennsylvania                     KEITH ELLISON, Minnesota
LYNN A. WESTMORELAND, Georgia        ED PERLMUTTER, Colorado
BLAINE LUETKEMEYER, Missouri         JOE DONNELLY, Indiana
BILL HUIZENGA, Michigan              ANDRE CARSON, Indiana
SEAN P. DUFFY, Wisconsin             JAMES A. HIMES, Connecticut
NAN A. S. HAYWORTH, New York         GARY C. PETERS, Michigan
JAMES B. RENACCI, Ohio               JOHN C. CARNEY, Jr., Delaware
ROBERT HURT, Virginia
ROBERT J. DOLD, Illinois
DAVID SCHWEIKERT, Arizona
MICHAEL G. GRIMM, New York
FRANCISCO ``QUICO'' CANSECO, Texas
STEVE STIVERS, Ohio
STEPHEN LEE FINCHER, Tennessee

           James H. Clinger, Staff Director and Chief Counsel
  Subcommittee on Capital Markets and Government Sponsored Enterprises

                  SCOTT GARRETT, New Jersey, Chairman

DAVID SCHWEIKERT, Arizona, Vice      MAXINE WATERS, California, Ranking 
    Chairman                             Member
PETER T. KING, New York              GARY L. ACKERMAN, New York
EDWARD R. ROYCE, California          BRAD SHERMAN, California
FRANK D. LUCAS, Oklahoma             RUBEN HINOJOSA, Texas
DONALD A. MANZULLO, Illinois         STEPHEN F. LYNCH, Massachusetts
JUDY BIGGERT, Illinois               BRAD MILLER, North Carolina
JEB HENSARLING, Texas                CAROLYN B. MALONEY, New York
RANDY NEUGEBAUER, Texas              GWEN MOORE, Wisconsin
JOHN CAMPBELL, California            ED PERLMUTTER, Colorado
THADDEUS G. McCOTTER, Michigan       JOE DONNELLY, Indiana
KEVIN McCARTHY, California           ANDRE CARSON, Indiana
STEVAN PEARCE, New Mexico            JAMES A. HIMES, Connecticut
BILL POSEY, Florida                  GARY C. PETERS, Michigan
MICHAEL G. FITZPATRICK,              AL GREEN, Texas
    Pennsylvania                     KEITH ELLISON, Minnesota
NAN A. S. HAYWORTH, New York
ROBERT HURT, Virginia
MICHAEL G. GRIMM, New York
STEVE STIVERS, Ohio
ROBERT J. DOLD, Illinois

















                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    June 1, 2012.................................................     1
Appendix:
    June 1, 2012.................................................    39

                               WITNESSES
                          Friday, June 1, 2012

Cantley, Michele B., Chief Information Security Officer, Regions 
  Bank, on behalf of the Financial Services Information Sharing 
  and Analysis Center............................................     4
Clancy, Mark G., Managing Director and Corporate Information 
  Security Officer, The Depository Trust & Clearing Corporation 
  (DTCC).........................................................     6
Graff, Mark, Vice President and Chief Information Security 
  Officer, NASDAQ OMX............................................     7
Smocer, Paul, President, BITS, Technology Policy Division of the 
  Financial Services Roundtable..................................     9
Weiss, Errol, Director, Cyber Intelligence Center, Citi, on 
  behalf of the Securities Industry and Financial Markets 
  Association (SIFMA)............................................    11
Woodhill, James R., Advocate, Government and Public Relations, 
  YourMoneyIsNotSafeInTheBank.org................................    12

                                APPENDIX

Prepared statements:
    Hurt, Hon. Robert............................................    40
    Cantley, Michele B...........................................    41
    Clancy, Mark G...............................................    64
    Graff, Mark..................................................    78
    Smocer, Paul.................................................    82
    Weiss, Errol.................................................    90
    Woodhill, James..............................................   100

              Additional Material Submitted for the Record

Schweikert, Hon. David:
    Written responses to questions submitted to Errol Weiss......   120

 
                    CYBER THREATS TO CAPITAL MARKETS
                         AND CORPORATE ACCOUNTS

                              ----------                              


                          Friday, June 1, 2012

             U.S. House of Representatives,
                Subcommittee on Capital Markets and
                  Government Sponsored Enterprises,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The subcommittee met, pursuant to notice, at 9:35 a.m., in 
room 2128, Rayburn House Office Building, Hon. Scott Garrett 
[chairman of the subcommittee] presiding.
    Members present: Representatives Garrett, Schweikert, 
Manzullo, Biggert, Neugebauer, Posey, Hurt, Grimm, Stivers, 
Dold; Lynch, and Maloney.
    Chairman Garrett. Today's hearing of the Subcommittee on 
Capital Markets and Government Sponsored Enterprises is called 
to order. Today's hearing is entitled, ``Cyber Threats to 
Capital Markets and Corporate Accounts.'' I appreciate the 
entire panel being with us today, and I look forward to an 
interesting, albeit at times, a somewhat technical hearing. So 
I look forward to the entire testimony of the witnesses and the 
questions that will follow. At this time, we will move to 
opening statements.
    I yield myself 4 minutes.
    Again, what we are talking about today is cyber attacks and 
the threat of cyber attacks against our economic interests. As 
we learned from this panel, as well as from people who have 
visited our offices, and the media, this issue is a growing 
concern to many here on the committee. And so, a better 
understanding of the potential dangers that cyber criminals, if 
you will, pose to consumers, financial institutions, and 
government agencies will help improve our chances to avoid 
disruption in the financial markets. There have been a number 
of high-profile cyber attacks over the past several years. 
Known intrusions into public Web sites have occurred at the 
Department of Defense; the International Monetary Fund; and 
Booz Allen Hamilton.
    In December 2011, the U.S. Chamber of Commerce reported 
that its computer networks had been compromised and that 
confidential communications and industry positions were 
accessed. A lot of financial services providers are big 
targets, of course--according to legend, Willie Sutton said 
that he robbed banks ``because that's where the money is.'' 
Financial services businesses have been leaders in an effort to 
armor their data networks and to identify and deal with any 
actual breaches as quickly and as transparently as possible.
    The costs to business consumers are difficult to quantify, 
but we must ensure that we have the proper safeguards in place 
to thwart or minimize future attacks while simultaneously 
protecting the privacy of all the citizens. Consumer 
confidence, therefore, plays a significant role in any 
financial transaction or investment either by an individual or 
by a small business. Unfortunately, just as there have been 
numerous instances of identity theft out there where 
individuals have credit cards stolen or accounts looted, there 
has also been a significant rise in corporate account takeovers 
as well.
    Cyber threats come in many different shapes and sizes. We 
are all familiar with the threat of identity theft; I know 
about that. According to a recent Javelin strategy and research 
study, identity theft cost Americans $37 billion in 2010 alone. 
So today, I can't think of a less appetizing scenario than 
having someone other than myself accessing my personal banking 
information for their personal benefit.
    Additionally, there has been a significant increase in 
corporate account takeovers, which are essentially identity 
theft of a company instead of a business or an individual. 
Consequently, small businesses are seeking solutions to 
safeguard their information and their finances.
    Our financial markets and clearinghouses have largely been 
spared the high-profile attacks that have succeeded at some 
banks partially because of their hard work and partially 
because of the way they are constructed. But they are still 
vulnerable to denial of service attacks on public Web sites or 
on utilities that serve them.
    Fortunately, as we saw in the terrible attacks a decade ago 
in New York City, our markets are resilient, and I am confident 
they have only become more resilient and more reliable ever 
since. But it is important to let them tell their story today 
in their own words. And so, we are holding these hearings to 
discuss current and potential threats against our financial 
services industry and to discuss how we together can be better 
prepared against future attacks.
    We must remember that we always remain vigilant when we are 
protecting personal and financial information. So much of our 
economy is reliant on the Internet today that we must not be 
complacent in all of this. Our economy has always been a 
leading contributor to our national strength. We must ensure 
that it is protected against tomorrow's threats. So I thank you 
again for coming, and for your testimony which will follow, and 
at this point, I yield back and yield to the gentlelady from 
New York for 3 minutes.
    Mrs. Maloney. Thank you. I will be very, very brief. 
Certainly the security of our financial markets, our 
government, is incredibly important to our national and 
personal security, and today's hearing is part of a continuing 
oversight and dialogue we are having in Congress about the 
threats to our markets and the impact these attacks could have 
on our economy, on our individuals, and on our government. And 
with the rapid pace of technology and the growing number of 
threats across a wide range of businesses, both large and 
small, it is truly a huge, huge challenge and one that needs 
absolute total commitment and coordination between the public 
and the private sector to protect our markets, to protect 
individuals, and to protect our government.
    I do want to mention a recent report by Symantec, the 
``Internet Security Threat Report,'' which was excellent. It 
stated that half of our businesses in America, both big and 
small, were targeted by cyber attacks, and over 232 million 
identities were stolen in 2011, including my own. There is a 
``Carolyn Maloney'' running around Maryland. This is truly a 
wake-up call.
    In their report, they say that 5.5 billion total attacks 
were blocked in 2011. So not only do we have to look at ways to 
continue to block this, but we need to continue to look at ways 
to protect our capital markets and our industries, both public 
and private, the information that we have.
    I look forward to hearing from the witnesses today, and I 
yield back. Thank you.
    Chairman Garrett. Thank you. The gentlelady yields back. 
The gentleman from Arizona for 2 minutes.
    Mr. Schweikert. Thank you, Mr. Chairman. I will try to be 
fairly quick. What I am hoping to actually hear from the 
panel--actually, Mrs. Maloney, should I be worried that there 
is another one of you running around Maryland?
    Mrs. Maloney. There is. The FBI is looking for her.
    Mr. Schweikert. It is a combination of things. First off, 
right now, with the way we allocate liability, are we creating 
incentives or disincentives for some folks within, shall we 
say, the financial food chain to invest and others to not 
invest? This is sort of a side concern.
    Second of all, I would like to hear and understand how, 
throughout the industry, you coordinate talent, coordinate 
technology, and coordinate data and information of best 
practices. Third, I want you to either assuage me or agree with 
me; I am one of the Members of Congress who actually has a 
great concern that a growing governmental role in the whole 
issue of cyber attacks and data protection--that government so 
often becomes bureaucratic and moves so slowly that it will 
actually make reaction time worse, and therefore raise our 
exposure. That is a concern, and I would like some definition 
back of, in many ways, are we making it more difficult to react 
on an instant time? So with that, Mr. Chairman, I yield back.
    Chairman Garrett. Thank you. Mr. Dold is recognized now for 
2 minutes.
    Mr. Dold. Thank you. Mr. Chairman, I certainly appreciate 
you holding this hearing on a very important topic and I want 
to thank our witnesses for taking your time and joining us 
today. I believe our capital markets are a critical driver of 
our economy and our Nation's productivity, and our technology 
is the most advanced in the world. But today we are facing a 
constantly increasing threat of cyber crime and cyber 
intrusions. Sophisticated viruses and malware threaten our 
commercial businesses and individuals, costing us billions of 
dollars each and every year while also threatening our power 
grids and our national security.
    That is why it is so critical to focus on this issue and to 
strengthen the safety and integrity of our financial sector 
against cyber threats.
    Every day, literally hundreds of thousands of cyber threats 
hit our financial institutions. I think that is something that 
not many people really recognize, and it is something that we 
need to be prepared to act against.
    In that regard, I am confident that my colleagues and I 
share several bipartisan goals. First, we must maintain and 
improve our existing cybersecurity infrastructure and identify 
all cybersecurity breaches.
    Second, we must share all relevant cyber threat information 
to facilitate a fast and effective response. And we must do 
this in a way that does not unduly infringe upon privacy 
rights, consumer rights or the integrity of business contracts.
    Third, the private sector and the public sector must work 
together in leveraging existing institutions to evolve with the 
increasing cyber attack complexity.
    Finally, the private sector must be able to work 
confidently with law enforcement agencies to protect the 
existing systems while ensuring that sensitive information is 
handled securely and is used appropriately.
    Clearly, to maintain the public trust, the financial sector 
and government agencies must remain committed to protecting 
personal data and intellectual property. I want to thank you 
again for being here, and Mr. Chairman, I want to thank our 
witnesses for sharing their time, their testimony, and their 
experience with us today. That you so much. I yield back.
    Chairman Garrett. The gentleman yields back, and I echo 
those remaining comments of the gentleman to the panel as well, 
and seeing no other opening statements, I will now turn to our 
panel for your opening statements.
    As always, for those of you who have not been here before, 
you will be recognized for 5 minutes. Your complete written 
testimony will be made a part of the record, and you can 
summarize what you have in front of you.
    So, we will turn first to Ms. Cantley. Good morning. You 
are recognized for 5 minutes.

  STATEMENT OF MICHELE B. CANTLEY, CHIEF INFORMATION SECURITY 
  OFFICER, REGIONS BANK, ON BEHALF OF THE FINANCIAL SERVICES 
            INFORMATION SHARING AND ANALYSIS CENTER

    Ms. Cantley. Good morning. Chairman Garrett, Representative 
Maloney, and members of the subcommittee, my name is Michele 
Cantley. I am the chief information security officer for 
Regions Bank, and I am appearing today for the Financial 
Services Information Sharing & Analysis Center, FS-ISAC. I want 
to thank you for this opportunity to address the subcommittee 
on the important issue of corporate account takeover.
    I have been head of information security at Regions since 
2004. Regions is the 12th largest bank by deposits and loans 
and it serves customers in 16 States. Regions is a member of 
the FS-ISAC, an organization formed in 1999 by a Presidential 
order with the mission of protecting the financial services 
sector against cyber and physical threats and risk.
    Today, the FS-ISAC has more than 4,400 member organizations 
that represent the majority of the U.S. financial services 
industry.
    It is important to note that industry has spent much time 
and effort and has worked closely with its regulators and other 
interested parties to provide safe systems to its customers. 
The FS-ISAC is aware, through its information-sharing 
arrangements with both public and private sector organizations, 
that criminal actors are targeting our sector. Corporate 
account takeover is one method of attack. Corporate account 
takeover is the unauthorized use of online banking credentials 
typically obtained via malicious software, malware, that 
affects customers' computers, work stations, or networks. Cyber 
criminals continue to attack business customers' computers by 
phishing, which remains the most popular form of attack through 
malicious advertisements and by fraudulent messages on social 
media sites. In each case, the cyber criminals attempt to trick 
their victims into clicking on a bogus link that redirects the 
unknowing user to a server that then downloads malware onto the 
victim's computer.
    This software includes a program that captures the user's 
online banking credentials as he types them and allows the 
criminal to impersonate the customer and create fraudulent 
financial transactions.
    Over the past 2 years, losses experienced by financial 
institutions and their customers as a result of cyber-related 
fraud have declined even as the number of attacks has 
increased. The FS-ISAC and its members recognize the threat 
both to the affected institutions and to customer confidence 
posed by these criminal acts.
    In 2010, as part of our active efforts to counteract the 
threat of corporate account takeover, the FS-ISAC formed the 
account takeover task force. The task force consists of over 
120 individuals from financial firms and government agencies. 
Its recently completed report recommends three main areas of 
focus--prevention, detection, and response--in order to ensure 
and improve an effective defense against account takeover.
    The FS-ISAC and its membership have taken tremendous steps 
to limit cyber crime and corporate account takeover. 
Nonetheless, corporate account takeover attempts cannot be 
stopped solely by the financial institutions. All participants 
in the Internet ecosystem have roles to play. Banks, for 
instance, have no direct control over the end customer's 
computers nor can banks control what e-mails bank customers 
open or what Web sites they visit prior to accessing their 
online banking systems.
    Still, to increase the security of our customers' accounts, 
we must educate our customers on the risks, monitor for 
anomalous transactions, and stop fraudulent transactions we 
detect.
    Customers have a role to play in learning about these 
threats and practicing safe Internet habits. Internet service 
providers and e-mail providers can monitor traffic on their 
networks for much of this malware and alert their customers to 
these threats.
    Finally, the FS-ISAC believes that the private sector and 
government can continue to work together to improve Internet 
security. One area I would highlight is that law enforcement 
should continue to move aggressively against cyber criminals 
and that more work on international, legal, and diplomatic 
levels is needed so that all countries recognize this type of 
cyber crime.
    I look forward to any questions that you might have and 
thank you for the opportunity to appear before your 
subcommittee today.
    [The prepared statement of Ms. Cantley can be found on page 
41 of the appendix.]
    Chairman Garrett. And we thank you as well.
    Mr. Clancy, you are recognized for 5 minutes, and welcome.

 STATEMENT OF MARK G. CLANCY, MANAGING DIRECTOR AND CORPORATE 
 INFORMATION SECURITY OFFICER, THE DEPOSITORY TRUST & CLEARING 
                       CORPORATION (DTCC)

    Mr. Clancy. Good morning, Chairman Garrett and Ranking 
Member Waters. My name is Mark Clancy, and I am the corporate 
information security officer at the Depository Trust & Clearing 
Corporation. DTCC is a participant-owned and governed 
cooperative that serves as critical infrastructure for the U.S. 
capital markets and financial markets globally.
    Our operations and processes are essential to mitigating 
risk and ensuring the safe and efficient operation of the 
financial system. Cyber crime poses a significant threat to 
capital markets globally. A study by the U.S. Treasury found 
that cyber crime accounts for more revenue than international 
drug cartel income, running into the hundreds of billions of 
dollars annually.
    There are three main types of cyber attacks aimed at the 
financial sector. The first involves the theft of confidential 
data. In its most insidious form, cyber criminals take over the 
accounts of innocent victims globally and either directly steal 
funds or use the stolen credentials for market manipulation by 
what is called ``pump and dump'' scams. Their goal is to move 
the market in a stock by bidding against themselves and anyone 
else they can lure into the scam.
    In recent years, DTCC has also witnessed data theft in our 
industry involving highly sophisticated social engineering 
techniques that attempt to give foreign entities a competitive 
advantage in negotiations often related to winning bids for 
natural resources or beating the offering price for an 
acquisition of a company.
    The second type of attack involves compromising the 
integrity of the National Market System, NMS, in the United 
States. The goal of these cyber crimes is to grind the 
financial system to a halt and disrupt national economies. 
While there are no public reports of the NMS directly being 
impacted today, an attack on the Hong Kong Stock Exchange in 
2011 reinforced the dangers of this threat.
    The third type of attack involves compromising the 
integrity of financial data, which today exists overwhelmingly 
in digital form. These attacks have the potential to be the 
most catastrophic. For example, the European market for carbon 
credit trading was the victim of such an attack in January 2011 
when cyber criminals changed the ownership information of 
individual carbon credits. This resulted in the theft of 30 
million euros' worth of credits from the European emissions 
market and the closure of the EU Emissions Trading System for 
more than a week.
    While financial institutions have robust information 
security programs in place to protect their systems from cyber 
threats, these programs are not foolproof. A critical resource 
the industry relies upon to safeguard the system is information 
sharing between Federal agencies and financial institutions, 
most notably via the Financial Services Information Sharing and 
Analysis Center.
    I would like to focus on a successful but now defunct pilot 
program known as the Government Information Sharing Framework, 
GISF, which targeted cyber espionage. Under the program, 16 
financial services firms were granted access to advanced threat 
and attack data as well as classified technical and analytical 
data on threat identification and mitigation techniques. The 
GISF program provided the sector with access to actionable 
information to search for similar threat activity in their own 
networks, access to contextual information to better understand 
risk implications to various threats, the ability to adjust 
assessments of cyber espionage using quantifiable information 
that had previously been unavailable, and a better 
understanding of the need to develop standards to support the 
automation of sharing and consuming threat data.
    The GISF program drove innovation and new initiatives in 
the industry and helped reshape the sector's approach to 
assessing cyber espionage risks. It also prompted pilot firms, 
including DTCC, to revise best practices.
    Unfortunately, the program was effectively terminated in 
December 2011 for reasons that were unclear. Since then, more 
than five financial institutions have experienced threat 
activity from actors first identified through GISF reporting.
    Furthermore, an assessment by the FS-ISAC found that these 
threats will continue to increase in the future. Information 
sharing like that which occurred under GISF represents the most 
critical line of defense in managing and mitigating cyber risk 
today.
    DTCC strongly supports restarting GISF's program, removing 
its pilot status, and expanding its reach within the financial 
sector.
    As the sophistication and technological means of cyber 
criminals increases, the financial sector in government needs 
to move from a static ``one-size-fits-all'' framework to a 
risk-based one that incorporates the dynamic nature of 
cybersecurity threat landscape.
    While the public and private sectors have taken important 
steps in recent years to enhance collaboration, a greater 
degree of information sharing and trust is needed to ensure 
that all resources are working in concert to protect and defend 
the financial sector from cyber attack.
    DTCC stands ready to work in partnership with this 
committee, the Congress, and the Administration to harden the 
sector's defenses against cyber crimes.
    Thank you for your time.
    [The prepared statement of Mr. Clancy can be found on page 
64 of the appendix.]
    Chairman Garrett. I thank you, as well.
    Mr. Graff is recognized for 5 minutes. Welcome.

 STATEMENT OF MARK GRAFF, VICE PRESIDENT AND CHIEF INFORMATION 
                  SECURITY OFFICER, NASDAQ OMX

    Mr. Graff. Thank you, Chairman Garrett, Ranking Member 
Waters, and members of the subcommittee. My name is Mark Graff, 
and I am the vice president and chief information security 
officer (CISO) for NASDAQ OMX. Although I am new to NASDAQ OMX, 
having arrived just this past April, I am no newcomer to 
information security with about 25 years' experience serving 
both the industry and government. Most recently, I was head of 
cybersecurity at Lawrence Livermore National Laboratory which 
is not only one of the crown jewels of research in this 
country, but also the repository of some of the Nation's most 
important secrets, including nuclear weapons designs.
    I moved to NASDAQ OMX to help protect another part of 
America's critical infrastructure--its financial markets. I 
changed industries, but most of the challenges remain just the 
same.
    NASDAQ OMX is committed to a vigorous defense of its 
critical infrastructure, and as an expert in the methods used 
today to defend this Nation's most critical, most highly 
classified systems from attack, I can tell you that many of 
these same techniques and technologies are used to defend 
NASDAQ OMX.
    One key method at both institutions is the isolation of 
critical systems from the Internet at large. While many of the 
servicers who deliver to customers worldwide are housed on 
Internet facing Web servers, our trading and market systems are 
safely tucked away behind several layers of carefully arranged 
barriers, such as firewalls and network isolation zones. This 
is an important distinction to remember, and we should all keep 
this in mind when we hear about denial of service attacks 
against one institution or another. Any troublemaker can run up 
to the front door of a house and ring the doorbell over and 
over again--and that is what most denial of service attacks 
amount to--if sometimes despite our best efforts, our customers 
are unable to reach one of our outward facing Web sites for a 
few minutes as a result of this kind of vandalism, I ask us all 
to remember that it doesn't mean, in my homely analogy, that 
someone has broken into the house. Market systems remain 
secure.
    But we don't rely on isolation alone. We have a 
comprehensive information security program using a multi-
layered approach. For example, in developing software we treat 
information security as a critical element all the way through 
the life cycle of the software from design to implementation, 
and also in everyday use.
    These controls that I have talked about span our entire 
enterprise network. Our trading systems, though, are further 
protected by their overall resilient architecture. While these 
trading platforms, as I mentioned, are isolated from the rest 
of the network and from the Internet, the system also restricts 
the information that is allowed to be submitted to it through 
the use of a fixed set of formatted protocols that control 
inputs to the trading platform.
    It also is refreshed at the end of the trading day, every 
information trading system and no data is maintained in the 
trading platform beyond the trading day. This helps secure the 
trading markets which are so important to us.
    Now for all those steps, we do have serious concerns about 
the worldwide attacks on critical infrastructure that are being 
led not just by rogue hackers and organized crime but by 
national governments today. And it is our position that it is 
not reasonable to expect individual companies, no matter how 
large or sophisticated, to independently stave off cyber 
attacks that are coordinated and backed by a foreign 
government.
    So it is for this reason that we at NASDAQ OMX are very 
pleased that both Houses of Congress are looking at ways to 
protect our critical national infrastructure through improved 
sharing of information about cyber threats and vulnerabilities. 
We support the House passage of H.R. 3523, the Cyber 
Intelligence Sharing and Protection Act. Although there are 
some concerns about data privacy that certainly may be 
addressed, we think it is an excellent move forward in this 
area.
    NASDAQ OMX is and continues to be a willing partner with 
industry peers and government at every level, cooperating to 
protect the integrity of our critical infrastructure. And it 
would be my pleasure as NASDAQ OMX's new CISO to continue and 
expand such contacts and relationships.
    Thank you again for inviting me to testify.
    [The prepared statement of Mr. Graff can be found on page 
78 of the appendix.]
    Chairman Garrett. And thank you.
    Mr. Smocer is recognized for 5 minutes. Welcome to the 
panel.

 STATEMENT OF PAUL SMOCER, PRESIDENT, BITS, TECHNOLOGY POLICY 
         DIVISION OF THE FINANCIAL SERVICES ROUNDTABLE

    Mr. Smocer. Thank you, Chairman Garrett, Representative 
Maloney, and members of the subcommittee. My name is Paul 
Smocer and I am the president of BITS, which is the technology 
policy division of the Financial Services Roundtable.
    As the recent passage of key legislation during cyber week 
indicates, the House clearly understands the importance of 
cybersecurity. Likewise, the financial services industry 
recognizes the serious and constantly evolving nature of cyber 
threats to its customers, its institutions, and the broader 
U.S. economy.
    Individual institutions conduct ongoing risk assessments to 
identify potential institutional and customer threats and to 
limit these risks for both their own operations and those of 
their key service providers. This includes providers of 
services such as clearings, settlements, and accounting within 
the capital markets environment.
    These assessments help assure that the institutions and 
financial infrastructure such as capital markets remain secure. 
In the battle over cybersecurity, however, no one institution 
can fight alone. Consequently, at the sector level, several 
collaborative efforts exist. The associations such as BITS and 
other institutions ban together to collectively identify cyber 
risk, and more importantly, to develop best practices to 
improve cybersecurity, reduce fraud, and improve resiliency. 
The largest of these industry collaborations is perhaps the 
sector's Financial Services Sector Coordinating Council, 
consisting of the major financial trade associations, the 
largest U.S.-based financial institutions, and key financial 
infrastructure participants.
    The Council works closely with its public sector partner, 
the Financial and Banking Information Infrastructure Committee. 
Chaired by the Treasury Department, this Committee includes 16 
government agencies with regulatory oversight for the financial 
sector including capital markets. Working together, Council and 
Committee members focus on key cybersecurity issues, including 
the ability to recover vital infrastructures impacted by cyber 
or physical incidents.
    The two groups sponsor industrywide resiliency exercises, 
the latest of which had a focus on the resiliency of the 
equities clearing and trading processes. BITS and other 
associations have also formed collaborative relationships with 
various law enforcement agencies to coordinate efforts in 
preventing and prosecuting cyber crime. The industry also 
conducts outreach efforts to other key sectors. One recent 
example is participation in the industry BOTNET group. This 
multi-industry, multi-stakeholder group is acting 
collaboratively to mitigate the problem of device takeovers by 
cyber criminals.
    These types of efforts are consistent with the financial 
services industry's recognition that today's cyber world is 
highly integrated and relies on multiple organizations and 
providers to effectively mitigate security risks. The industry 
also recognizes the importance of cybersecurity education. 
Consumers and businesses play a key role in cybersecurity and 
have a responsibility to protect themselves, though the 
industry and others have recognized that they often lack the 
skills and awareness to fully do so. As a result, institutions 
and associations have made significant educational investments.
    A key collaborative area of particular note is threat 
information sharing. Financial institutions currently share 
threat information via the FS-ISAC. Broader inter-industry and 
public-private information-sharing opportunities do remain. 
Because of the interdependency of sectors in key 
infrastructures such as capital markets, it is vital to share 
information across a broad swath of sectors to improve the 
responsiveness and the defense of all sectors.
    Maintaining the confidentiality of shared information, 
particularly between the private and public sectors, however, 
remains a concern. Organizations are concerned that revelation 
of information will impact their reputation and their 
customers' confidence. That is why the financial services 
industry was supportive of the passage of H.R. 3523 which, if 
enacted, offers additional protections to the confidentiality 
of shared information. We recognize that as H.R. 3523 was 
debated, legitimate concerns about protecting an individual's 
information and privacy were raised by several Members of the 
House.
    As you consider future cybersecurity legislation, however, 
we do urge you to consider solutions to allow sharing of this 
type of information under certain circumstances in a manner 
that protects individuals' privacy rights, but also facilitates 
their financial protection.
    There are legitimate reasons to share this information that 
benefits citizens. Sharing details about breached customer 
information and sharing it quickly would allow institutions to 
take action to prevent fraud against their commercial and 
retail customers.
    In closing, again, please accept my thanks for the 
opportunity to testify today. Cybersecurity is a vitally 
important issue for both the private and public sectors. 
Protecting companies, customers and infrastructures that 
support our economy is crucial. We commend the subcommittee for 
recognizing the importance of this subject and for your 
attention in the strengthening of the Nation's cybersecurity.
    [The prepared statement of Mr. Smocer can be found on page 
82 of the appendix.]
    Chairman Garrett. Thank you.
    Mr. Weiss, you are recognized for 5 minutes and welcome.

STATEMENT OF ERROL WEISS, DIRECTOR, CYBER INTELLIGENCE CENTER, 
   CITI, ON BEHALF OF THE SECURITIES INDUSTRY AND FINANCIAL 
                  MARKETS ASSOCIATION (SIFMA)

    Mr. Weiss. Good morning, Chairman Garrett, Representative 
Maloney, and members of the subcommittee. My name is Errol 
Weiss, and I am the director of Citi's Cyber Intelligence 
Center, which is responsible for collecting, analyzing, and 
exchanging threat intelligence to protect Citi's customers, our 
brand, global business operations, and technology 
infrastructure against threats worldwide.
    I am testifying on behalf of the Securities Industry and 
Financial Markets Association on how to safeguard the capital 
markets from emerging cyber threats.
    I will be focusing my testimony this morning on 
cybersecurity in the financial services sector and what we are 
currently doing to protect our infrastructure, and most 
importantly, our customers from cyber attacks. SIFMA supports 
the goals of the Administration and Congress to limit 
cybersecurity threats against the American people, businesses, 
and government through a more integrated approach. The increase 
in cyber intrusions and cyber crimes in the past decade is 
cause for great concern.
    SIFMA member firms are on the front lines defending against 
cyber threats to the financial markets, and we take this role 
very seriously. Consequently, SIFMA members currently comply 
with a number of stringent laws and regulations on the 
protection of personal data, including the Gramm-Leach-Bliley 
Act, the Fair Credit Reporting Act, and the Right to Financial 
Privacy Act. These laws and regulations are reinforced by 
regular, proactive review and audited by highly specialized 
regulators that are supported by the FFIEC, an interagency 
entity that issues data privacy and cybersecurity guidance and 
monitoring procedures.
    In addition, the financial services sector proactively 
founded the Financial Services Information Sharing and Analysis 
Center.
    Like Michele and Mark on this panel today, I currently 
serve on the FS-ISAC board of directors. We recognize that 
Congress shares our concerns regarding the Nation's current 
cybersecurity infrastructure.
    With respect to our industry, we believe it is important to 
keep the following five principles in mind: SIFMA recognizes 
the need for expanded information sharing with government 
agencies, including greater private sector access to threat 
data from Federal intelligence and law enforcement agencies; 
access to threat information must be administered in a manner 
that can provide broader cybersecurity protection without 
compromising ongoing investigations or the privacy of 
individual Americans; government agencies should leverage the 
existing ISACs and DHS US-CERT to facilitate two-way and cross-
sector public-private information sharing that will help 
financial institutions better protect themselves and ultimately 
protect our customers; and our current regulators are best 
suited for designating or regulating critical infrastructure.
    The Treasury Department, as our sector-specific agency, and 
the regulatory agencies, through the Financial and Banking 
Information Infrastructure Committee, should determine what is 
considered critical infrastructure. A one-size-fits-all 
approach is not the right regulatory solution. As the amount 
and sophistication of cyber attacks increases, the need for new 
technologies, expertise, and talented personnel to combat these 
threats becomes paramount. Our Nation's universities must focus 
on developing the next crop of talented information security 
professionals so that the financial services industry and the 
Nation can adequately protect itself from cyber attack.
    Because cybersecurity is a global problem, and cyber crimes 
frequently occur across borders, cooperation with international 
partners is critical to preventing, investigating, and 
prosecuting cyber crime. The United States should seek strong 
cooperation with foreign governments to improve cybersecurity 
and punish those that are responsible for cyber crimes.
    SIFMA believes a single uniform Federal breach notification 
standard would reduce administrative oversight, establish clear 
notification guidelines, and most importantly, reduce customer 
confusion. We have played a leadership role in developing 
policies, procedures, and technology to protect customer data, 
and we look forward to maintaining that role as the Nation 
upgrades its cyber defenses. Thank you, Chairman Garrett, 
Representative Maloney, and other members of the subcommittee 
for this opportunity to testify today on behalf of SIFMA.
    [The prepared statement of Mr. Weiss can be found on page 
90 of the appendix.]
    Chairman Garrett. I thank you.
    Mr. Woodhill, welcome. You are recognized for 5 minutes.

STATEMENT OF JAMES R. WOODHILL, ADVOCATE, GOVERNMENT AND PUBLIC 
           RELATIONS, YOURMONEYISNOTSAFEINTHEBANK.ORG

    Mr. Woodhill. Thank you. Mr. Chairman, Vice Chairman 
Schweikert, Congresswoman Maloney, and members of the 
subcommittee, when I asked how to be a good witness for you, my 
good friend Billy Tauzin, former chairman of the Energy and 
Commerce Committee, told me that I needed to do two things: be 
brief; and then be gone.
    But before I am gone, I should tell you what the problem is 
and offer you at least one decisive solution. Thank you for the 
opportunity to testify before you today on behalf of the 
victims and potential victims of corporate account takeovers.
    My name is Jim Woodhill. I am a serial entrepreneur in the 
information security space. I was recruited in December of 2009 
to be the advocate for the victims of this new and fast-growing 
cyber crime by Gartner Inc.'s Avivah Litan, the most prominent 
analyst in the space.
    I am here today because your money is not safe in the bank, 
not if you are an American church, school district, small 
business, or political campaign fund; not if you bank online 
using Microsoft Windows. Many of you on this committee have 
heard from victims in your districts.
    The shocking thing to victims is that their organizations 
being vulnerable is an official financial services industry 
policy known as shared responsibility, your personal accounts 
are safe, protected by Federal Reserve regulation E, but the 
status of commercial accounts has been the subject of dozens of 
lawsuits over State law. The consensus of cyber law experts is 
that shared responsibility will not hold up long term.
    Today, there have been over 500 victims, and at least $100 
million has been stolen. Sometimes, the bank makes full 
restitution, and sometimes, it reaches a settlement with the 
losses split with the victim. But in hundreds of cases, the 
bank has evoked shared responsibility and stuck the victim with 
the entire loss. More than one bankruptcy has resulted. The 
latest lawsuit was filed on May 17th by TRC operating company, 
a California energy producer. No matter whose pocket this money 
comes out of, the stolen moneys are funding enemy R&D. The 
thefts must stop.
    This crime wave did not have to happen. The regulators 
issued guidance in October of 2005 that would have stopped the 
crime. Even back then, necessary solutions were expensive to 
acquire and operate, quickly implemented, and enjoyed wide 
customer acceptance. But they weren't adopted in great numbers, 
so that regulators issued much more detailed supplemental 
guidance last year.
    If the solutions were available and the regulators had told 
the banks to use them, why did United Security Bank sign up 
last month to spend more on lawyers to defend the lawsuit than 
the $300,000 it would cost to reimburse TRC?
    The answer is simple. America's small and medium-sized 
banks still have not gotten the memo. Why not? Examples from 
medicine and public health show that even when life and death 
are at stake, it takes 20 years to get new information through 
a medical specialty. As for educating the general public about 
infectious threats well enough to stop them, public health 
experience shows that it just can't be done.
    Fortunately, account takeover can be stopped by the 
processors, the 13 big and smart organizations that actually 
run online banking on behalf of their 5,000 small clients, just 
as it has already been stopped by the very largest banks who 
are their own processors.
    Weighing alternatives, moving the risk of this crime and 
responsibility for stopping it to the processors is the 
victim's first choice if fast government is not in the loop. 
But there are other solutions that would work. If banks were 
required to fully disclose the risks of online banking, then 
those customers moving online could either accept those risks, 
turn off online banking or move their accounts to where they 
are safe. I think banks would quickly turn to their processors 
for protection rather than admit that money is not safe in 
their bank.
    Another alternative is that if fiduciaries of public funds, 
taxpayer money like city and State treasurers simply refuse to 
risk taxpayer dollars by depositing them in banks with any 
history of unreimbursed losses, then those banks would do the 
same thing.
    Regulation E could be extended to all accounts, but I 
oppose this because disclosure or public fiduciary action would 
accomplish the same thing and is more free-market-oriented.
    Whatever the Congress does, we urge you to do it soon, 
before there are more victims and more trust lost in the 
banking system. We must work to make cyberspace a safe 
neighborhood. Thank you for inviting me to testify.
    [The prepared statement of Mr. Woodhill can be found on 
page 100 of the appendix.]
    Chairman Garrett. Thank you also for your testimony and for 
being with us today. I thank the entire panel.
    We will turn to questions, and within my 5 minutes, I will 
start from the left and move down as far as I can go.
    Ms. Cantley, you note in your testimony that one of the 
recommendations deals with the issue of making changes to the 
suspicious activity report. Can you briefly dig into that a 
little bit and say what changes need to be done there?
    Ms. Cantley. Yes, sir, and I would add that those have 
already been implemented by FinCEN. FinCEN has already 
implemented the recommendations from the account takeover task 
force. When we looked at the suspicious activity report that 
financial institutions are required to file, we noted that 
account takeover was not clearly labeled as a form of 
suspicious activity, and we recommended to FinCEN that it be 
appropriately labeled, and that has been accomplished as of the 
end of last year.
    Chairman Garrett. So what is being done with that 
information then?
    Ms. Cantley. Now, when financial institutions have a 
situation of account takeover and they reported on the 
suspicious activity report, then FinCEN can use that to do 
their analysis and also--
    Chairman Garrett. What did they do before they had that 
little check-off box?
    Ms. Cantley. I beg your pardon?
    Chairman Garrett. What was being done before you had a 
little check-off box?
    Ms. Cantley. Before that, it was not clear what was the 
method of attack, Mr. Garrett. And so we felt it was 
appropriate that the industry, through FinCEN, could reflect 
the volume and size of account takeover appropriately and we 
felt the suspicious activity reporting process would be a good 
method for that.
    Chairman Garrett. Okay, thanks. Mr. Clancy, and actually 
others might want to chime in on this--there is talk in the 
testimony of you and others with regard to the sharing of 
information between institutions and the government as well. In 
order to do so, you have to have a high level of trust there 
and usually in life, you want to earn trust before you execute 
on it.
    Do you want to briefly talk about ways to do that, to 
evidence the trust and to enhance ways to share that 
information between the levels?
    Mr. Clancy. Thank you, Mr. Garrett. Trust, as you 
mentioned, is slow to build and fast to be lost. The way we 
have looked at it in the financial sector is we started with 
anonymous reporting through the FS-ISAC where you can 
essentially remove the details of who was impacted but give the 
facts so that others can take action based on those facts.
    With that community, there are some limitations. And what 
we saw as we did this is we started to get a small volume of 
activity, but when a core, small group of us got together who 
knew each other socially, knew each other professionally, and 
we started saying, here is what really happened with that 
report that we made, the greater richer context came out. And 
we built what we called a concentric ring model where we had 
people who were in the center, most who started out with one-
to-one personal relationships, we expand that network, that 
community shares with full attribution, that is what happened 
to me, this is what we did, this is what we didn't do, we 
distill out details of that, and honestly, share the broadest 
community in our sector and build those rings.
    Now, what we have done is we have built additional rings so 
we have started in 2011 an inner circle, if you would, called 
the Clearinghouse and Exchange Forum which is a subgroup of 
people like myself and Mr. Graff who are in the capital markets 
side of the industry and sharing information about attacks on 
us.
    As you get to know the people you are sharing with, you 
bring more people into that network and the network grows. It 
is a little bit like social media; the more friends you have, 
the more friends you get.
    Chairman Garrett. I have a bunch of questions, I have to 
get them all in.
    Speaking of social media, Mr. Graff, I read in the paper 
that there was a big thing with Facebook the other day. Do you 
want to just briefly, since you are here, tell us in your 
information that you have with regard to that transaction and 
that was reported: What the problem was, was there any 
cybersecurity aspect to that whatsoever, what is being done to 
make sure that doesn't happen again, and have the people 
involved been taken care of?
    Mr. Graff. Yes. Thank you, Congressman.
    As I think you note, my expertise is in cybersecurity and 
not in the trading systems, but what I know is that the 
Facebook IPO showed us a design flaw in the methods that are 
used to operate the IPO. It was a design that has been used 
successfully for years. Now, we have engineered a fix for that 
design. We are also taking a look at the processes we use to 
develop a software and test the software to see if we can 
improve those.
    In terms of cybersecurity and any potential involvement 
with the Facebook IPO, based on the information I have, which 
is substantial, there was no cybersecurity element in that IPO.
    Chairman Garrett. Thank you. I have additional questions, 
but my time has expired. I will now yield to the gentlelady 
from New York.
    Mrs. Maloney. I would like to ask Mr. Smocer or really 
anybody on the panel, when there is a cyber attack, how do you 
find out about it? Do your customers tell you about it? Does 
your internal division tell you? Does government tell you? How 
do you find out about it, and then what do you do? Do you 
report it to government so we are coordinating? Do you report 
it to other companies? How does it work now? We are hearing 
that half of the small and large companies are being attacked. 
How do you find out about it, and then what do you do about it?
    Mr. Smocer. The short answer to your question is yes, all 
those sources. The reality is that financial institutions are 
constantly monitoring their environment for indications of 
attack. So as Errol would tell you at Citi, and he is on the 
cyber intelligence side, so I will defer to him in a second 
here, but there are significant investments in monitoring tools 
to look at the environment to determine if there are attacks 
under way.
    Mrs. Maloney. These tools that you put in place, are they 
standards that are required by government? Are they standards 
that the private sector is putting in place? Are there any 
required standards? How are these standards being put in place? 
What are they? Are some companies going far above that with new 
technologies to protect this information?
    Mr. Smocer. The primary standard that is in place is an 
expectation from the regulatory agencies and it is within the 
GLBA, as well, the Gramm-Leach-Bliley Act, to have a strong 
risk assessment and risk management process in place.
    Regulation typically does not specify the exact tools that 
need to be used, and that, I think, is good because it 
recognizes that the environment is evolving fairly rapidly and 
the tool that worked yesterday may not work tomorrow. So it is 
largely up to the financial institutions to determine their 
best risk management practices.
    But I would quickly add that through the collaborations 
that we talked about earlier and frankly, most of us at this 
table have worked together over the last 5 to 10 years in terms 
of collaborative efforts, we do go through the process of 
identifying best practices that we would use and share 
information on tools that have been effective and try and 
enhance the industry beyond just our own institutions, and I 
will let Errol comment if he would like to.
    Mr. Weiss. Actually, I think you answered that really well.
    Mrs. Maloney. Thank you. I would like to ask Mr. Clancy 
from the Depository Trust & Clearing Corporation, you mentioned 
that three of DTCC's subsidiary companies have received notice 
from the FSOC that they are being considered as systemically 
important financial market utilities under the Wall Street 
Reform Act, and recognizing that the new risk management 
standards for the FSOC designated end user is still being 
developed, what is your expectation about the extent to which 
these standards will address information security issues?
    Mr. Clancy. I thank you, Mrs. Maloney.
    My expectation as it relates to the FSOC is their focus is 
very much on the financial aspects, so market risk, liquidity 
risk, and the like. It is uncertain to me whether or not they 
will delve into some of the cybersecurity issues. Those are 
substantially held in the existing frameworks that our 
regulatory agencies such as the Federal Reserve have, so my 
expectation is that is how it would be addressed.
    From a DTCC perspective, we have looked at the risk that 
those systems pose to the U.S. financial system and the global 
financial system and have been working to elevate our level of 
control and mitigation against those types of threats.
    Mrs. Maloney. In a general sense, when a cyber attack 
occurs, do you tell your customers, or if private information 
is extracted on some of your clients, what is the standard that 
you have? I guess, Mr. Weiss, informing people but keeping it 
private, how do you address this? Are there laws requiring any 
disclosure? Or what exactly happens?
    Mr. Weiss. Absolutely. If there is a breach of personally 
identifiable information, there certainly is regulation that 
requires us to provide that notification to customers.
    Mrs. Maloney. And just basically, what are the three things 
we have to do to make our country more secure? It is very 
unnerving to me to think that there are individuals and 
countries that have entire desks devoted into getting into 
private information in our financial markets and elsewhere, and 
what are the steps that private industry is taking to protect 
this, and I guess, Ms. Cantley, you play a key role in the 
coordination with government, how is that coordination working? 
Can it be improved on? How can we do better at protecting our 
companies, our individuals, and our country from this type of 
attack?
    Ms. Cantley. Thank you for that question.
    First off, we do have a high amount of public-private 
information sharing as has been noted in the oral and written 
testimony. I think we can do more. We would like the government 
to share more threat indicators that they have with us on a 
timely basis so that we can act on those and prevent cyber 
crime in our industry.
    We also would like to be in a position to share information 
safely with the government without having to go through the 
scrubbing steps so we would appreciate the opportunity for that 
to be exempted from the Freedom of Information Act. We would 
like some work done in the telecommunications industry. 
Currently carriers are required to, by law, deliver everything 
to the end user.
    The government we know knows that some of the traffic that 
is on our networks is malicious, and if they could give that to 
the telecommunications carriers, and they could be in a 
position to drop that traffic before it would be delivered to 
the end-user, then I think that would be an appropriate step 
forward.
    And then lastly, again, working internationally on legal 
and diplomatic levels so that when we say someone is a 
criminal, that individual is arrested, tried, and appropriately 
sentenced. Thank you.
    Mr. Garrett. I thank the gentlelady. And the gentleman from 
Arizona is now recognized.
    Mr. Schweikert. Thank you, Mr. Chairman. This is one of 
those occasions where it is an area of great interest, and 
there are a thousand questions and about 4 minutes and 50 
seconds to ask them.
    First, let's say Citi or a major institution, a regional 
money center bank is finding its systems under attack, someone 
is trying to somehow go up and down, how quickly does that get 
shared with others? Do you share it through government? Do you 
share it through the industry? Do you share it through the 
working groups? How quickly does that information get 
disseminated?
    Mr. Weiss. Actually, it gets shared very rapidly. It is not 
automated; there are humans who need to create the e-mails and 
messages, but it does happen very quickly. So in that case, 
through the FS-ISAC and the techniques and the trust that Mark 
and others talked about earlier about developing this over the 
past decade, we have been able to create the central rings of 
trust and to share that information quickly--
    Mr. Schweikert. But you hit on an important point there. 
Many of us have in the back of our head that there is an 
automated notification system saying hey, we are seeing this 
type of malware pinging our systems, boom, and that is 
electronically shared over some of the security centers. That 
is not how it works.
    Mr. Weiss. It is the first steps that we have taken is 
really to manually share that information, build that 
collaboration, and develop the threat indicators so we can 
share it with the broader audience and help protect our 
membership at large.
    We have recently taken steps in the past, literally in the 
past year, to build on automated methods so that we can share 
that information at network speed and protect ourselves at 
network speed so that we can take the humans out of the loop 
and get there. It requires significant investment and a lot of 
work to get there, but we have started that journey.
    Mr. Schweikert. To that point, how quickly is it moving?
    Mr. Weiss. It is moving, but again, it is going to take us 
time to get there. I don't have an answer as to when. I will 
get back to you.
    Mr. Schweikert. From some of the different organizations 
you spoke of that are out there, is this one of the areas they 
work on, automating the notification and the warning systems, 
and also it is not only the warning but here is the way to 
block the attack?
    Ms. Cantley. Yes, there are systems that exist today that 
do that automated blocking and many institutions have those in 
place across multiple sectors. What Errol is talking about, and 
what the FS-ISAC is driving and working with, the U.S. 
Government again is coming up with a standard template for that 
information so that it then feeds the systems that exist today 
and will come down the path.
    So we actually have a subcommittee that is addressing that 
taxonomy to move it forward. As Errol mentioned, though, that 
is going to require a capital investment, and this is one area 
where I think the government could assist us because we would 
like to cooperate together in moving that forward faster.
    Mr. Schweikert. And this is for anyone who would know the 
answer: How is the technology disparity between a money center 
institution, a financial trading platform, and my local 
community bank? How far behind are--is the local community bank 
more flexible? Are they more exposed? What do you see out there 
across the financial world?
    Mr. Graff. If I could, Congressman, let me try to address 
that.
    One thing I would like to--the point I would like to make 
is that, effectively, all the systems represented at this 
table, and, in fact, that systems that help Congress, they are 
all under attack all the time at some level. In contrast to the 
situation just a few years ago, today Internet attacks are a 
little bit like weather. We have a little bit more rain or a 
little bit less rain, sometimes there is a hurricane that comes 
at us, but, generally speaking, they are all under attack.
    I think, to get to the point of your question, the larger 
institutions that have more sophisticated staff typically will 
be less susceptible to sophisticated attacks. I think the 
smaller institutions, the local community institutions are at a 
disadvantage when it comes to defending against extraordinary 
attacks that perhaps have taken years to develop. And this is 
an area where government could assist, I think, quite 
effectively.
    Mr. Schweikert. And is there infrastructure within, sort 
of, your organizations for that data information, solution fix, 
patch fix, to be quickly disseminated all up and down that food 
chain?
    Mr. Clancy. There are two points. There is the 
dissemination piece, which I think groups are working to 
facilitate; then, there is the consumption piece. And what we 
found through the GISF program is that even for the large, 
complicated institutions, we had significant problems consuming 
threat data at the volume and frequency at which it arrived. 
That is going to be a big challenge for small institutions 
because they have one or two people who do this stuff, not--
    Mr. Schweikert. And, therefore, the need for sort of an 
automated platform--
    Mr. Clancy. Correct.
    Mr. Schweikert. --that builds the model.
    Mr. Clancy. And the service provider route, whether it is 
the telco or the firms that provide those institutions their 
financial products, are good ways to do that.
    Mr. Schweikert. Mr. Chairman, I see I am out of time. I 
look forward to another round. Thank you, sir.
    Chairman Garrett. Thank you.
    The gentlemen yields back. The gentleman from 
Massachusetts, Mr. Lynch, is recognized.
    Mr. Lynch. Thank you, Mr. Chairman. And I want to thank our 
witnesses for attending and helping this committee with its 
work.
    One of the other hats I wear is I am the co-chair of the 
Task Force on Terrorist Financing and Nonproliferation, so I 
work a lot with FinCEN, the Financial Crimes Enforcement 
Network. They do a terrific job on our behalf internationally, 
on behalf of Treasury and the American people. And they have 
done a good job, but they are working in a more limited 
environment than all of you.
    If--first of all, I want to try to understand. I know that 
the exchanges where you have more resources than some of these 
smaller institutions that Mr. Graff was talking about to 
protect themselves, where are we in terms of where we need to 
be with some of these smaller institutions, some of these local 
banks?
    We, as government, have put out there certain benchmarks 
where we want there to be minimal--at least minimal coverage 
and protection for some of these smaller institutions. But is 
that enough? Do we need to do more to require those smaller 
institutions to provide greater protection to their customers?
    And is there also a delta in terms of what we require the 
exchanges to do and where you think we need to be? Perhaps you 
do even more; I am sure that most of the big exchanges do more 
than the government requires. And so, I am trying to get a fix 
on where we are with the smaller and larger institutions and 
where we need to be.
    Ms. Cantley?
    Ms. Cantley. Thank you.
    Speaking on behalf of attempts to address the smaller 
institutions, the FS-ISAC thinks this is important. Part of our 
efforts, the last 2 years, have been strictly focused on 
education, both for customers and the smaller institutions. And 
we have held a number of seminars there.
    Another important step that we took, because we think it is 
critical to deal with the fact that most of these small and 
medium institutions use the same processors, so we built on the 
authentication guidance that came out in 2005 and then was 
updated last year and, actually, in some of our 
recommendations, got even more proscriptive to the service 
providers on, ``Here are things that you need to provide in 
your products that your institutions can take advantage of.''
    I would also like to point out to the committee, though, 
that I don't think additional regulation is the answer to this 
problem. I think the guidance that we have from the FFIEC is 
very good and it is applicable to all institutions. And it 
provides a method for dealing with these attacks in cost-
effective means for financial institutions of all size.
    Mr. Lynch. What I am trying to get at is, I am reading the 
New York Times here this morning, and it has a front-page story 
about how the President has accelerated and amplified the cyber 
war that we are having with Iran. And as Mr. Graff has pointed 
out, this is an incremental thing, where it is ongoing, there 
will always be these attacks. Sometimes we have a shower, and 
sometimes we have a hurricane.
    What I am concerned about is that a state actor or a quasi-
state actor could bring a significant part of the economy down 
or the financial services sector down, and that would cause 
great havoc at any time but especially right now where we are 
trying to build up a recovery.
    And are we anticipating that? Are we meeting that 
challenge?
    Mr. Weiss?
    Mr. Weiss. Yes, Congressman Lynch, I think one of the basic 
tenets of the FS-ISAC has been that we recognized a long time 
ago that all of the institutions in the banking and finance 
sector were elements of the chain and any one of those chain 
links represented a potential weakness. And one of the major 
tenets there was to be able to share incident information and 
share threat and vulnerability information with all of those 
members so that they can better protect themselves. And so that 
was, again, one of the basic tenets that we set out a long time 
ago to help those institutions, all the institutions.
    Mr. Lynch. Thank you.
    Mr. Graff?
    Mr. Graff. Yes, Congressman, a couple of quick points.
    One thing that I think would move us toward the situation 
you would like to see in terms of preparedness is more 
cooperation from computer manufacturers and software vendors in 
producing products that are perhaps easier to secure. And I say 
that as someone who used to work for a software manufacturer 
and computer vendor years ago. I have been beating that drum 
for a long time. There are a lot of issues, and it is a knotty 
problem. But I think if we make the systems with fewer 
vulnerabilities to begin with, then especially the smaller 
banks and other financial institutions would find themselves 
better placed.
    I also want to just point out quickly, in addition to 
information sharing, which is paramount, we don't have time for 
a lengthy discussion, but the supply chain problem, the threats 
of a supply chain attack are really, I think, perhaps the 
knottiest problem, the most serious issue that faces us, and 
the one that would be most susceptible to help from government. 
I have been working on it in the classified government sector 
for a long time, and I think it is one where the U.S. 
Government really could provide the most assistance.
    Mr. Lynch. Thank you. That is really helpful.
    I yield back, Mr. Chairman.
    Mr. Schweikert [presiding]. Chairwoman Biggert?
    Mrs. Biggert. Thank you, Mr. Chairman.
    And thank you all for being here. I have a couple of 
questions I hope I can get in.
    First of all, maybe, Ms. Cantley, you did address this a 
little bit, but I have a constituent who called several years 
ago, a CPA who had her own home business. She kept getting 
hacked into, and she kept trying to find the software. And it 
became very costly just for software. She would put another 
software in, and then she would be hacked again, and on and on.
    So what are some of the cost-effective measures that small 
businesses who do personal financial transactions online or via 
their smartphone, how can they minimize the risks of threat?
    Ms. Cantley. Specifically with customers who are using 
laptops or work stations to conduct business, small businesses, 
one of the recommendations that our industry has made to these 
customers is you can use a dedicated computer that you do not 
use for surfing the Internet or checking e-mail. The price of 
hardware and software has come down significantly, that this is 
a cheap insurance way for ensuring that you are save online 
until, as Mr. Graff pointed out, the industry can get to the 
point where some of the software in the supply chain is more 
robust.
    But also, I would like to commend companies like Microsoft 
who have stepped up to the plate and are now producing software 
that can remediate millions and millions of customers who are 
infected.
    Specifically, to the second part of your question, 
smartphones and other mobile devices are an emerging risk. And 
everyone at this table is listening to what is happening in 
other parts of the world and making sure that we are analyzing 
those threats and putting appropriate remediations in place and 
also working, again, on the education front to let people know 
of the risk there.
    The guidance that we have from the FFIEC, while it does not 
mention mobile phones, is applicable to that technology. So, 
again, no more regulation or guidance is needed there. We have 
what will work today, and, as the threats change, I anticipate 
that we will get additional guidance there.
    Mrs. Biggert. Okay.
    Then, are any of you familiar with ChicagoFIRST? This was 
something that was founded in 2003 by Chicago-area financial 
organizations, and it was to enhance the resilience of the 
Chicago financial community and critical infrastructure 
overall. And they have held a number of exercises exploring the 
threats, including cybersecurity threats, and focusing on 
preparedness.
    Mr. Clancy?
    Mr. Clancy. We are very familiar with ChicagoFIRST. They 
are what we call a regional coalition. So in the Financial 
Services Sector Coordinating Council (FSSCC) and the FS-ISAC, 
we partner with organizations like ChicagoFIRST. In fact, my 
institution, even though we are not based in Chicago, 
participated in a few of their exercises. And so, that 
community is one of our circles of trust.
    Mrs. Biggert. Great. Thank you.
    And then one more question. I think we worry about the 
government agencies adequately protecting the proprietary 
information of companies that voluntarily share security threat 
information. And the members of the European Union and the 
United States are in discussion about this, particularly as it 
relates to the G-SIFI banks or other financial firms, including 
insurance.
    Have any of you or your organizations been involved in 
these discussions with the United States and the international 
regulatory and standard-setting bodies?
    I guess I will have to seek the answer to that later on.
    Ms. Cantley, how does a small business entrepreneur--where 
do they go to get the information that they need? Is there a 
place online where they can go?
    Ms. Cantley. Yes, ma'am. Many financial institutions have 
information on their Web sites or they have held seminars for 
their customers.
    Also, the FS-ISAC, through its account takeover task force, 
has put together a number of joint bulletins which we have made 
available to our members. They can simply print those off and 
give those to their customers. And they include all the 
recommendations that we have for both consumers and businesses 
for operating safely in the online space.
    And then, as Paul Smocer mentioned, StaySafeOnline, which 
is a Web site that has a number of good recommendations.
    Mrs. Biggert. Thank you.
    I yield back.
    Mr. Schweikert. Thank you, Chairwoman Biggert.
    Mr. Dold?
    Mr. Dold. Thank you, Mr. Chairman. I certainly appreciate 
the time.
    Ms. Cantley, again, I am going to go to you first. And I 
certainly appreciate and agree that I am not sure we want 
additional regulations, but we are concerned, obviously, about 
cyber threat and trying to protect consumers, as well.
    So I guess my question to you is, what role should the 
government take in combating the attacks on the private sector 
or in private systems?
    Ms. Cantley. I think the key role that we are looking for 
from the financial services industry is that information 
sharing on a timely basis as unrestricted as the government can 
make it so that we can act upon it to protect our customers. 
And if the government has information about foreign actors as 
well as software vulnerabilities, we would like to be made 
aware of that.
    Mr. Dold. How quickly would you like to be made aware? What 
would be a timeline or a timeframe that you think would be 
appropriate?
    Ms. Cantley. As soon as they know about it, sir.
    Mr. Dold. Mr. Graff, I know you talked in your testimony 
before about--and I had mentioned before--there are hundreds of 
thousands of attacks that happen on financial institutions each 
and every day. You equated it to the rain. You equated it to 
somebody ringing the doorbell. I am not so concerned about 
somebody ringing the doorbell; I am concerned about somebody 
taking a crowbar to the side window or somebody going into the 
backdoor.
    So can you talk to me a little bit about how, for instance, 
the NASDAQ, you identify these threats that are coming in? 
Obviously, they are multiple and, obviously, at different 
sophisticated levels. What are you doing at NASDAQ to try to 
identify these?
    Mr. Graff. Yes, I would be happy to, Congressman.
    There are several ways to answer that, to approach that 
problem. I think one of the important steps is to become as 
aware as possible of who the potential actors are and what the 
most sophisticated attacks are that are out there. So we are 
very much interested in the kind of information sharing that we 
have been talking about today. So, information--first, we try 
to acquaint ourselves with who is attacking various financial 
institutions, to the best that we know or the best that the FBI 
can find out, and what tools they are using.
    Another approach is to try to build systems that can 
withstand, to use your analogy, the attack of a crowbar. We put 
a great deal of effort in to make sure that the critical 
systems are deeply isolated and are completely inaccessible to 
anyone coming from the outside except through very, very 
specific and very highly protected and regulated, specialized 
channels for the use of exchanging trading information. So one 
of the things we do, then, is to only allow a very narrow 
channel of communication into the trading systems that goes 
through several barriers that inspect it for appropriateness.
    And, for example, here is a point that may not be obvious. 
When you are talking about regulating information that flows to 
a network, there are two main ways you can do it. One is to 
constrain where the information comes from. We would call that 
the IP address, to be technical. And another way is to 
constrain what kind of information comes through. We could 
talk, therefore, about the network port it comes through. 
Firewalls do that both ways. We use several layers of firewalls 
to put the information that flows in and flows out through 
continually smaller and smaller filters to protect ourselves 
that way.
    Another point I would like to make in just a moment is 
that, if we think of the analogy of trying to protect inside 
our houses, our families and any precious items we might have, 
it is not necessary all the time to understand all the many 
ways somebody might try to get into the house. In many cases, 
the defenses we build are proof against many, many different 
kinds of attacks, even those we haven't yet anticipated. So we 
try to build as strong a ring of defenses as we can to make 
sure that we can defend successfully against unanticipated 
attacks as well.
    Mr. Dold. From each of your perspectives, I would be 
interested to find out, as we look at things that we are 
working on in the committee, what do you identify as the 
greatest threat that you are trying to deal with right now? And 
how can we in the Financial Services Committee in the United 
States Congress help by drafting legislation or highlighting 
some of the issues that are out there today? What do you view 
as the greatest threat that you are trying to deal with right 
now in terms of cybersecurity?
    Mr. Weiss, let's start with you.
    Mr. Weiss. I am going to go back to one of my tenets and 
really push on the international cooperation and essentially 
going after the bad guys and really getting the United States 
to pressure foreign governments that, if these governments want 
to compete, if they want to participate in the global economy, 
the barrier to entry, the cost of entry for them to participate 
is they need to demonstrate that they have enacted favorable 
cybersecurity legislation and demonstrate that they are 
actively prosecuting and punishing the people who are 
responsible for these cyber crimes.
    If I can get a little more technical, on the other side of 
the spectrum, the issue that we worry about today, certainly, 
is the advanced malware that we see today and the prevalence of 
it and it spreading not only to our customer computers but also 
now into the mobile space that we have mentioned as well today.
    Mr. Dold. Mr. Chairman, my time has expired. I yield back.
    Mr. Schweikert. Thank you, Mr. Dold.
    Mr. Stivers?
    Mr. Stivers. Thank you, Mr. Chairman.
    And I appreciate all of the witnesses being here and 
sharing your expertise with us.
    Ms. Cantley, earlier you talked about education and how 
that can help. Tell me, how much of this problem can be cured 
by good computer hygiene and good habits versus a much more 
active defense?
    Ms. Cantley. The Internet ecosystem requires a lot of 
players to act to make the Internet a safe place for financial 
commerce.
    Certainly, good computer hygiene is important. And 
Representative Maloney mentioned the Symantec report we have--
consumers and business customers who don't patch their 
computers and aren't even running antivirus software, much less 
antimalware software. So that is critical. So we have to get 
the message out to people that that is an important step.
    And then the industry, telecommunications and financial, 
have a part to play, as well as the software manufacturers, 
there.
    Mr. Stivers. At what point, Ms. Cantley, to follow up, at 
what point will the industry determine that they can't allow 
consumers who don't run antivirus software and maybe malware 
software to connect to your institutions and perform 
transactions?
    Ms. Cantley. That particular step, to interrogate a 
customer's computer, to do that requires agents that an 
institution would have to put on a customer's computer so that 
some institutions may choose to go down that road to make that 
decision.
    What I would say is to go back to the guidance that we have 
from the FFIEC that says, look at layered security, look at 
what you are doing to validate. Is that the customer at login? 
Do you think that customer is doing that transaction? And is 
this transaction in keeping with that customer's pattern of 
behavior?
    So there are things that we can do without necessarily 
looking at the wholesomeness of that particular customer's 
computer.
    Mr. Stivers. Great. Thank you.
    How many companies--and I guess this is probably for Ms. 
Cantley and the gentleman from BITS and maybe others who want 
to answer--use cyber insurance to help protect against 
liability? I know it is still in its infancy. What percent of 
folks out there use that?
    Mr. Smocer. I don't have a specific answer. We can probably 
get back to you.
    As you noted, it is in its, I would say its second infancy, 
because there was some talk about it a decade or so ago, and I 
think it had some issues. But I think it is growing again. I 
think institutions are looking at it, but I don't have an idea 
on the number specifically or a percentage.
    Mr. Stivers. Since it didn't really come up in anybody's 
testimony, does anybody believe that cyber insurance can be an 
important part of creating essentially new requirements on 
folks without laws that we would pass, but a much more dynamic 
model to ensure that risk management is approached in a smart 
way, like it is done on workers' comp and many other issues out 
there?
    Mr. Smocer. I would answer that in the sense that I think 
it could be helpful particularly in other sectors that may not 
be as regulated or may not pay as much attention to 
cybersecurity issues. I think it could be helpful in terms of, 
obviously, the underwriting, forcing some improvements in the 
process.
    Mr. Stivers. Thank you.
    Several of you have mentioned the CISPA, the Cyber 
Intelligence Sharing and Protection Act. Does it allow you to 
share or the government to share information about risks with 
you in a way that you think happens soon enough or efficiently 
enough? And I know that it is not completely passed yet, but in 
its current form. And are there changes any of you would 
recommend to that bill?
    Mr. Weiss. Congressman, what I would say on that one is 
that we certainly, as an industry, support any improvements 
that we can make to the public-private information sharing that 
is happening today. We have some great examples of it, but we 
can certainly use more of it.
    And taking advantage of things like the private-sector 
clearance program through DHS, for example, is another one to 
help get access to even more information from the intelligence 
agencies. But things that we can also do to enhance information 
sharing even between entities within the private sector that 
are currently either perceived or real barriers, from a legal 
perspective, that are preventing some of the information 
sharing from happening today, we think that legislation could 
address those kinds of issues as well.
    And then, we also would like to see the existing ISACs that 
are working well--for example, we have talked a lot about the 
FS-ISAC here today that has over a decades worth of trust-
building. We would like to see that those continue to be 
leveraged and not place any other additional hierarchy or any 
other essential clearinghouse of ISACs above that, that could 
potentially introduce more bureaucracy to it.
    Mr. Stivers. Thank you.
    Mr. Chairman, my time has expired.
    Mr. Schweikert. Thank you, Mr. Stivers.
    Mr. Neugebauer?
    Mr. Neugebauer. Thank you, Mr. Chairman.
    My subcommittee had a hearing a few months ago on the 
Office of Financial Research (OFR), which is this new entity 
that was created under Dodd-Frank to basically put as a 
clearinghouse or a storing house for a lot of financial data. 
And I was looking at some of our panelists today, and probably 
many of you are going to be providing some of that information.
    Mr. Clancy, what kinds of connectivity and what--one of the 
concerns we had--and this question came up during our hearing--
was how secure is all of this data that the OFR is going to be 
mining from the financial markets? Can you kind of elaborate on 
your discussions with OFR and whether you have concerns about 
their ability to protect that data?
    Mr. Clancy. Okay, and I am going to focus my comments on 
the protection as opposed to the disclosures made by OFR.
    But the protection--OFR, as part of Treasury, will fall 
under the Federal Information Security Management Act (FISMA) 
and they will have cybersecurity standards that will apply. 
Right? That is kind of the macro picture.
    The more brass-tacks view of it is, we have to work out 
ways to securely send the information that protects the 
information while it is in transit. The methods being used 
today are somewhat ad hoc, mainly because of the newness of OFR 
as an entity in that function. So that is an area that we need 
to work on.
    And then I think they need to look at, from a risk-
assessment perspective, the interest of other parties, 
including other nations, to getting into that data and defend 
it to that level of aggression.
    Mr. Neugebauer. Thank you.
    Mr. Graff?
    Mr. Graff. You put your finger, Congressman, on what I 
think is a central problem, which is, how do we share that 
information securely? And there are fairly sound methods I 
could talk about to protect it in transit. It is a challenge, 
but the technology is there.
    I think the more intense concern might be protecting it 
once it has arrived inside the Federal networks since they 
themselves, of course, are a very strong target. And that is, 
frankly, a concern of ours. We always want to work with the 
Federal agencies to make sure that the information we give them 
is sufficient but no more than they need and no more specific 
than they need.
    And, also, we like to hear assurances about the way that 
they protect those internal systems as well. I think that is an 
important problem.
    I am familiar with FISMA. It does encourage good security, 
but I think there is a lot of room for improvement there too.
    Mr. Neugebauer. Mr. Weiss?
    Mr. Weiss. I am sorry, Congressman, I am not familiar with 
that particular regulation.
    Mr. Neugebauer. Okay.
    I want to go back, then, to Mr. Clancy and Mr. Graff. So, 
basically, there are multiple aspects of that. The first is the 
transmission of the data. Second, once the data gets to OFR, 
how will it be protected? And then I guess the third piece of 
it and, I think, something that some of the market participants 
have brought up, is who will then have access to that data 
moving forward and how will they be able to use that data and 
access it?
    And those are areas that you have some concern in and are 
certainly--
    Mr. Clancy. Yes. I think access to the data itself is one 
of the key questions, both in terms of the appropriateness of 
what is done with the data, how it is used, where it is 
exported, as well as how you defend against it being misused.
    What we mentioned earlier on the panel is accounts are 
taken over. This happens to institutions and accounts inside. 
And so if someone at OFR's accounts were taken, access 
credentials were used, somebody else could potentially exploit 
the data that exists in those repositories. To that end, we 
would expect a high level of resilience to those types of 
attacks to be built into the design and system operation of the 
platforms used for the data analysis and mining by OFR.
    Mr. Neugebauer. Thank you for those comments.
    We are talking about market participants that provide 
financial services, and we are talking about those that use it. 
But, as well, I was going back to talking about small 
businesses and individuals, and their computers at home or 
their laptops. And there is a lot of discussion going on right 
now about using cloud-type systems to store your really 
sensitive data rather than storing it on your hard drives.
    I guess the question I have is, in your professional 
opinion, is my data more secure in a remote location or is it 
more secure on my computer?
    Mr. Clancy. Again, this is a simple example. I have a 
neighbor who is the CEO of an intellectual-property-based 
company. His IT group consists of two people. Anything he puts 
in the cloud will be better defended than he can do it himself. 
At my institution, however, we have significant skill and 
expertise and are a particularly interesting target. Our 
information in a public cloud would probably be very hard to 
defend with the basic level of service that most of the cloud 
providers offer.
    Mr. Neugebauer. Okay.
    Mr. Graff. I have to agree, Congressman. I think for the 
average person, their own home system is unlikely to be safe 
enough to give them the security they want. And it is a good 
practice in general, I think, to store that information with 
people who are professionally trained to do it. And, of course, 
one also can transfer some liability to them, as well, as they 
assume responsibility for the data. That is an important 
factor, too, I think.
    Mr. Neugebauer. So these providers have a much more robust 
infrastructure to protect your data than the individual at 
home, is that--
    Mr. Graff. Many of them would, sir, yes.
    Mr. Neugebauer. Yes.
    I thank the gentleman.
    Mr. Schweikert. Thank you. Thank you, Mr. Chairman.
    Mr. Manzullo?
    Mr. Manzullo. Thank you.
    I have a couple of questions as to the distinctions, if 
any, that occur on these cyber attacks. We are talking today 
about just banking online, is that correct? Or are we talking 
about accessing 401(k) information? So how broad does this get?
    Ms. Cantley. Cyber attacks are across our industry, so, 
yes, they could be going against your checking account, they 
could be addressed to your 401(k). We have had insurance 
companies report this. So it is not just that particular 
isolation.
    Mr. Manzullo. So is a 401(k)--that is identified by a 
Social Security number, is that correct?
    Mr. Clancy. A lot of the providers used to do that practice 
and have moved away from it, some of them more aggressively 
than others. And so the underlying, sort of, database entry is 
probably based on a Social Security number, but the 
authentication credentials are based on other data that is 
selected by the customer.
    Mr. Manzullo. Which means it is not covered?
    Mr. Clancy. The overall account is protected, but they are 
not using a Social Security number as the user name to sign on.
    Mr. Manzullo. Okay. All right. That answers my question on 
it.
    And then the issue, when at one time you would write a 
check, take it to a bank, and then not worry about covering it 
for a couple of days; of course, that has all stopped. It is 
done electronically now.
    What about these electronic transfers, as they were, 
between banks? Have these ever been hacked that you know of?
    Mr. Clancy. The platforms that perform the transfers have 
not, but, again, the access to accounts that authorize those 
platforms to perform a transaction, those front-end systems 
have been targeted.
    Mr. Manzullo. What about Social Security now that there are 
mandates that Social Security checks have to be deposited 
electronically into a person's checking account? Now that you 
have a Federal mandate, is that covered?
    Have there been instances where the Federal Government has 
gone to transfer a Social Security recipient's monthly check 
into a checking account and that the money has not showed up 
before it got into the actual account?
    Ms. Cantley. I am not aware of any instances of that, sir.
    Mr. Manzullo. Last year, on my e-mail account, someone came 
in, attacked the account, put out the statement that I was--
maybe, Judy, you got it--I was trapped in Britain and needed 
people to send $1,500. And another Member of Congress, who was 
a Democrat, called to see if I was okay. I thought that was 
very generous on his part. But they took all of my addresses 
and went in there, and I had to reconstruct that.
    Is this what we are talking about, or is this more intense 
than this?
    Mr. Clancy. We have been talking about things that cover 
that and things at higher intensity.
    That particular example is, unfortunately, a somewhat 
common scam. And what happens is that the access to your e-mail 
account--you were maybe at a hotel and you signed in, and that 
had a keylogger and it took your password. And what they are 
really doing is a technique called social engineering. They are 
trying to create a context that your fellow Members of Congress 
might have known you were in London, might have been unrelated 
to that, and were sympathetic and would then take an action, to 
send money, that they wouldn't have otherwise done. And that is 
the underlying technique that these bad guys are using, is that 
sort of driving your behavior based on provocative messages.
    Mr. Manzullo. Some of my colleagues would have liked me to 
stay in Britain, not be able to get back on it.
    I think the broader issue really is--Secretary Rubin said 
that he simply does not bank online. Maybe this would be a 
revival for the post office, if people--no, I am serious. We 
don't bank online, my wife and I don't bank online, because I 
have always been sort of old-fashioned and would rather put 
that stamp on there to get it out.
    But, Mr. Woodhill, until you stopped by the office 
yesterday, I always presumed that even commercial accounts were 
safe. And you make a reference in here to accounts from Members 
of Congress and their campaign funds.
    How pervasive is this? And should American people really 
take a look at whether or not it is worthwhile to bank online?
    Mr. Woodhill. Congressman, that is the threat that my 
victims group is trying to head off, that cyberspace will 
become such an unsafe neighborhood that Americans will just 
decide that they can't bank online.
    My fellow panelists have made the point for me that 
individuals and small businesses and your campaign fund can't 
possibly have the cybersecurity expertise to secure online 
banking on their end. I further submit to you that if community 
bankers in your district become cybersecurity experts and spend 
their time studying FS-ISAC bulletins instead of out making 
loans to move our economy forward, the bad guys have won even 
if they don't make off with a dime.
    So your money is not currently safe at the bank except at a 
small number of very large banks, probably Mr. Weiss' for 
example, that employ multilayer fraud controls and have really 
brilliant people monitoring them. Otherwise, it just matters--
it is whether you are randomly targeted, like your Yahoo 
account was. The same people who got to your Yahoo account 
could get, if you had commercial accounts and you were banking 
from that PC, they could get to your money.
    I do like the idea of buying a new PC to do online banking 
as a stimulus measure. However, as a $500 or $600 tax on our 
small organizations just for the privilege of using online 
banking, I am opposed.
    Mr. Manzullo. Thank you.
    Mr. Schweikert. Mr. Manzullo, I would have sent you money 
if I knew you were trapped in Europe.
    Mr. Manzullo. But there was another one that just came out 
this past week again.
    Mr. Schweikert. Were you trapped again?
    Mr. Manzullo. Well, no, I am not back stuck in Britain, but 
this one says, ``I have to share with you,'' this is TV 15. 
People click on it, and it is somebody selling a product at 
their house. And I guess the virus that went through again and 
didn't--I got back, 15 or 20 people saying you have been hacked 
into. I had answered a friend's e-mail, and I said, ``You have 
been hacked into,'' but I guess when I answered him, then I 
evidently picked up the virus myself.
    Mr. Schweikert. Your first mistake: Don't have friends.
    Mr. Manzullo. That is not hard when you are a politician.
    Mr. Schweikert. Ms. Cantley, there are a couple of 
questions I want to try to run through. One was given to me by 
the chairman, but one I have a personal interest in. And let's 
see if I can phrase it the proper way.
    A bot, we often--what we do is we will shut down the 
server. But there is legacy software still--or there is still 
software, often, out there in the world sitting on computers. 
And my understanding is, we will have the creative souls who 
will come in, set up anew, and hijack that. How much is that 
mechanic, because of the residency on computers around the 
world, also a threat?
    Ms. Cantley. I think that is a very large threat. And if 
you would allow me to defer to Mr. Weiss on this question, 
because he has been very active on the botnet takedown, sir.
    Mr. Schweikert. Mr. Weiss? And you might want to--am I 
phrasing it in the proper mechanics?
    Mr. Weiss. Yes, that is absolutely fine. And let me just 
elaborate on that a minute.
    So, just to really address that, one of the initiatives 
that we recently had within the financial services sector that 
we thought was a very proactive thing to do on behalf of our 
consumers to help them protect themselves was a partnership 
with the FS-ISAC and NACHA and others from the financial 
services sector partnered with Microsoft to go after three of 
the very dangerous botnets that were responsible for many of 
the account takeovers that we had in the industry.
    Mr. Schweikert. Now, just one point of reference. When we 
say ``go after,'' that is actually at the server level?
    Mr. Weiss. This was a civil action to go after the command 
and control infrastructure for those particular botnets.
    Mr. Schweikert. And the nature of my question is what is 
residency--
    Mr. Weiss. Right.
    Mr. Schweikert. --on individual computers and systems.
    Mr. Weiss. Right. So what we normally find is that when--we 
have talked a lot about all these e-mails that people are 
clicking on. When you click on one, you get infected with one 
of these variants. It is more than likely that is not the only 
thing that you have been infected with.
    So the thing that we took advantage of with this takedown 
project with Microsoft was that, now that we have the command 
and control infrastructure seized from the criminals, those 
computers are now phoning home or beaconing back to the good 
guys. So instead of being under the control of the bad guys at 
this point, those computers are--
    Mr. Schweikert. What you have done is a redirect.
    Mr. Weiss. Exactly. And the long-term hope here is that, as 
we continue to collect forensic evidence, we will at one point 
be able to clean those machines and get them back under the 
control of their owners.
    Mr. Schweikert. Okay. Interesting.
    There is one question that the chairman wanted me to ask, 
and he does this quite often. I am going to start with Mr. 
Woodhill.
    Quickly, tell me, if you were going to do one thing, what 
would it be, in cybersecurity?
    Mr. Woodhill. For my particular crime, we are blessed that 
it is easy to stop. The solutions are in place, so just move 
the responsibility, as, actually, Ms. Cantley spoke about, to 
the processors. She is working with the processors to implement 
the guidance.
    My number one is actually that we have to stop malware. If 
you look at all these attacks--on the Pentagon, on small 
businesses, on everybody--at the root of the attack is the fact 
that computers will run software that other people wrote who 
are not your friend. And we haven't figured out--the antivirus 
products have stopped working over 5 years ago. We haven't 
gotten them working again, and we can't detect the latest-model 
malware.
    Mr. Schweikert. Okay, so the threats of malware.
    Mr. Woodhill. We have to stop malware.
    Mr. Schweikert. Mr. Weiss?
    Mr. Weiss. I would go with, we have to keep the ball 
rolling on the information-sharing initiatives that we have in 
place today with the existing legislation that has been 
recently passed.
    Just to give you an example there, in June of 2011, the FS-
ISAC became the third of the 18 ISACs to maintain a regular 
presence on the NCCIC floor with DHS. And from that point going 
forward, we have had the ability, on a daily basis, to share 
threat vulnerability information between the sectors, between 
our partners with government. And we have made great strides in 
improving the relationship between the financial services 
sector and our government partners.
    Mr. Schweikert. Okay, so threat sharing.
    Mr. Weiss. Yes.
    Mr. Smocer. I would take it one step further and say threat 
analysis. So, a lot of data flowing back and forth. More could 
come from other sectors. But taking that data and analyzing it 
to know when you have the incident that really matters, or, 
more importantly, when you see the trend that is coming out, 
that you know you need to act sooner rather than later.
    Mr. Schweikert. Can I say threat analytics?
    Mr. Smocer. Yes.
    Mr. Graff. I would take a slightly different approach. I am 
very concerned about, to reiterate, the supply chain problem--
that is to say, the possibility that computer manufacturers or 
other nation-states may actually be able to introduce pieces of 
hardware or software into computer routers, network servers, 
even network cables, to be able to manipulate the computers 
that way, in a way that individual companies really aren't 
equipped to detect.
    And there are methods inside the Federal Government right 
now in the intelligence sector that are working on this 
problem. And perhaps if we could get some of the benefit of 
those--
    Mr. Schweikert. So, expansion of physical barriers. Are you 
speaking of, like, sonic walls or--
    Mr. Graff. Yes. It is a problem both in hardware and 
software, but I think the more pernicious problem is, in fact, 
hardware coming out of something that appears to be a router 
but actually has specialized chips in it. Very concerning.
    Mr. Schweikert. Forgive me for going so over my time, but 
Mr. Clancy?
    Mr. Clancy. It would be very simple. Take the program I 
mentioned, GISF, which does both threat sharing and threat 
analysis, and make sure that it continues and expands.
    Ms. Cantley. And engage the telecommunications industry in 
this discussion to help.
    Mr. Schweikert. Okay. Can you give me a little more 
definition there?
    Ms. Cantley. Yes, sir. Our telecommunications industry, 
because of the fact that they pass this traffic between us, 
between our customers and us, and between other sectors, are in 
a situation in our infrastructure where they see this traffic. 
And if they were given the authority to dump it, that would get 
rid of a lot of this.
    Mr. Schweikert. All right. Thank you.
    The gentlewoman from New York?
    Mrs. Maloney. Thank you very much.
    And thank you to all the panelists.
    Last year, the SEC came out with a guidance that financial 
firms had to disclose the cost of material cyber attacks and 
include a description of relevant insurance coverage to 
shareholders.
    How common is the use of cyber insurance by financial 
institutions now? Do they have this type of insurance now? Can 
someone answer? How common is it?
    Mr. Clancy. It is not very common. And in my institution, 
the question is, who would insure me against $1.66 quadrillion 
worth of transactions? That is the challenge.
    Mrs. Maloney. What factors are considered in determining 
whether or not an institution has a cyber risk?
    Ms. Cantley. The same factors that are used that are part 
of Gramm-Leach-Bliley and SOCs and all the other guidelines 
that we have are used to evaluate cyber risk, and going through 
that application process.
    Mrs. Maloney. There have been some reports about ``pump and 
dump.'' I would like to ask those of you in the private sector, 
what steps has the private sector taken, or Federal regulators, 
to prevent so-called ``pump and dump,'' these scams where 
thieves try to move the market by running up the price of a 
security with buy-and-sell orders in accounts they have taken 
over? How common is this practice? I have read about it in the 
paper. Is it common? Is it very uncommon?
    Mr. Clancy. I don't have a sense as to frequency. It 
certainly happens enough that there has been a group put 
together that is called the National Cyber Forensics Training 
Alliance out in Pittsburgh, Pennsylvania, which is a 
collaboration of private sector entities and law enforcement 
partners, where information specifically to those types of 
crimes is shared and then acted upon in law enforcement and 
then potentially referencing back to activity that is being 
worked through FinCEN.
    Mrs. Maloney. And I would like to ask Citi, Mr. Weiss, your 
great bank was the subject of a very high-profile cyber attack 
in 2011. Can you tell us what changes Citi has made since then 
to protect your cybersecurity systems? What is different now?
    Mr. Weiss. Sure. That breach that you referenced in May of 
2011 impacted our credit card operations business only, and no 
personally identifiable information was disclosed as a result 
of that breach.
    Since then, we have had many lessons learned and we have 
invested millions of dollars and a lot of people's time to 
improve the monitoring and detection systems that we have in 
place today to ensure that kind of a breach does not happen 
again.
    Mrs. Maloney. Okay.
    I would like to ask SIFMA or anyone who is familiar with 
their practices, SIFMA supports Federal preemption of State 
laws related to breach disclosures and notification. What 
specific differences in State laws pose challenges for SIFMA? 
And can you explain why you favor preemption?
    Mr. Weiss. I will take a first crack at that one.
    The issue that I think we really have, one of the major 
ones for us, is being able to reconcile the more than 50 
different State laws and local regulations that we have to deal 
with when it comes to notification. It is a time-consuming 
process to figure out which ones apply, what notifications we 
have to provide, when, and how much.
    And just the consolidation to a national breach-
notification standard that we could rely on would eliminate 
that administrative overhead, that burden, allow us to turn 
around these notifications much more quickly, and, we think, 
end the confusion that the customers are getting today when 
they receive multiple notifications, different formats, and 
different remediation standards.
    Mrs. Maloney. I would like to ask Mr. Woodhill: In your 
testimony, you make it clear that you believe that account 
takeovers continue to be a challenge at financial institutions. 
To what extent could regulatory changes address your concerns? 
Or is legislation--or what actions are needed to address the 
problems that you perceive are there?
    Mr. Woodhill. Of course, if you read my bio, you would know 
I am not exactly a fan of regulation.
    Mrs. Maloney. Yes.
    Mr. Woodhill. In this particular case, to stop this crime 
by a date certain and that be close in, it appears that a 
small--or actually will reduce the net amount of regulation, 
because it will take the FFIEC guidance and not make these poor 
community bankers study it, but, as Ms. Cantley said, put that 
responsibility, those risks on their processor that is running 
the IP, that it is a huge organization and has a top security 
staff now.
    In one case, Representative, the bank had the necessary 
fraud controls in place, was paying for them to the processor, 
just was unaware of it. They were getting fraud alerts; they 
just didn't know to look at them. And that bank has spent a 
million dollars on legal fees to defend the notion that they 
weren't responsible for transfers that they were getting these 
red alerts from their processor about.
    Mrs. Maloney. My time has expired. Thank you.
    Mr. Schweikert. Thank you.
    Chairwoman Biggert?
    Mrs. Biggert. Thank you, Mr. Chairman.
    Following up on this a little bit, Ms. Cantley, there is a 
survey that is described in your written testimony which notes 
that there is a significant drop in commercial account 
takeovers between 2009 and 2010. To what do you attribute this 
large reduction in fraud?
    Ms. Cantley. The answer may surprise you, Congresswoman. 
When we polled our members with our most recent survey, they 
said that customer education was the most specific driver to 
that.
    Mrs. Biggert. Okay. Any idea about current fraud trends 
regarding corporate account takeovers?
    Ms. Cantley. That survey was specific to a corporate 
account takeover.
    Mrs. Biggert. Okay. Thank you.
    Mr. Smocer, in your testimony, in the list of various 
committees and information-sharing groups that you have in 
there, it seems like there might be too many of these groups, 
each slightly different, so that we might have a lot of 
information flowing back and forth, but potentially the correct 
information may never get to the right place.
    Is it possible to--should we be streamlining information 
sharing even as we seek to improve the flow of information?
    Mr. Smocer. I think the answer is probably at two levels. 
In terms of a lot of the initiatives that we take around best 
practices and improvements in resiliency, I think we do work 
very closely together across a number of the organizations and 
associations that we have. And we do try to make sure that each 
of us is focusing on key areas and we are not wasting resources 
in terms of time and effort.
    Specific to information sharing, I think within our 
industry we are doing a good job at the sharing through the 
ISAC, centering all that information on the ISAC. I think when 
we start to think about sharing between sectors and sharing 
between the public and private sector, having some of the 
standards that Mr. Weiss mentioned earlier in terms of how that 
data gets formatted, how we can look at it collectively will be 
important. Because I do think there is a risk that so much data 
will come in from so many different sources that we will miss 
the answer in the analysis and we won't be able to do it well.
    Mrs. Biggert. Thank you.
    And then just a quick question. We have been talking so 
much about what is happening with people who have been hacking 
in or attacking. And I think, Mr. Clancy, early on you said 
something about enforcement.
    Maybe this is beyond the scope, but how many of these 
people get caught? Or do they? What happens? What is the 
penalty, and what happens?
    Mr. Clancy. I don't have a specific answer on how many 
people get caught. But I think the way to think of the problem 
is, the attacks happen in a time scale of seconds, minutes, and 
hours, and the law enforcement activity, while very important, 
happens on a scale of months and years.
    And so I think the challenge that we have as a sector is 
the difference between those two points and the way you respond 
to them. The minute, second, hours front, you have to focus on 
mitigation. Mitigation is stopping an event from occurring, 
stopping it from expanding, and preventing others from being 
similarly targeted. And that is why we focus so much on 
information sharing.
    Mrs. Biggert. Would anybody else like to--okay.
    I yield back. Thank you.
    Mr. Schweikert. Thank you, Mrs. Biggert.
    Mr. Stivers?
    Mr. Stivers. Thank you, Mr. Chairman.
    My question, I guess, is for Ms. Cantley and Mr. Weiss. 
Under Regulation E, consumers get third-party liability 
protection up to--they can't lose more than $50 for 
unauthorized electronic transfers. And I know some people have 
talked about expanding that to business customers to help 
protect small businesses from these account takeovers. That 
would essentially shift the liability to the financial 
institutions and potentially, I suppose, make the small 
businesses less interested in some of their protection, 
although I guess Reg E does require them to immediately notify, 
which would maybe benefit the system.
    Is that a good idea or a bad idea?
    Ms. Cantley. Currently, commercial and small business 
customers are covered in every State by UCC 4A. And we feel 
that that has stood the test of time in addressing this issue.
    Mr. Stivers. What is the coverage amount under UCC--
    Ms. Cantley. That the standards need to be commercially 
reasonable.
    Mr. Stivers. Mr. Weiss, do you want to--
    Mr. Weiss. I really have nothing else to add to what 
Michele stated.
    Mr. Stivers. Looks like Mr. Woodhill--go ahead, sir?
    Mr. Woodhill. If I may, what ``commercially reasonable'' 
means as a matter of law has been the subject of 12 lawsuits. 
Two of them were settling for 100 cents on the dollar just as 
soon as the bank saw what the judge had to say in its denial of 
their preliminary--motion for preliminary finding for the 
defendant. One was actually won, at least so far, by the bank, 
and one was won by the victim.
    The consensus at the big security conference this past 
spring, the consensus among cyber law experts was that, given 
the new 2011 guidance, going forward UCC 4A will be found 
currently to mean that the banks are liable. Our victims group 
has deep concerns about making small bankers liable for risks 
that they can't really understand and they can't really manage. 
So we would like to see those risks and responsibilities moved 
to these big processor organizations.
    Because it is possible that small banks would have to hold 
additional capital against the possibility that these large, 
manned accounts might have to do a refund because the big 
transfers were fraudulent, not going back 90 days. And this is 
just--this is too much for a small business, too much for small 
banks.
    Mr. Stivers. Thank you very much.
    I yield back.
    Mr. Schweikert. And one last--Mr. Manzullo will be our last 
questioner of the panel. And I do appreciate your patience, but 
this is an interesting area with lots and lots of layers.
    Mr. Manzullo?
    Mr. Manzullo. Thank you.
    I bought a new computer a couple of years ago, and the 
store recommended ``X'' company antivirus software. And for 
different amounts, you got different coverage. Does this stuff 
work?
    Mr. Clancy. It works to a point. And so, the challenge has 
been that the attackers innovate, and they run their attack 
software against the commercial products--all of them, not just 
the one you bought, but the one that everybody else buys and so 
on and so forth--and they make sure their attack code is 
resilient to detection. And so, it is a cat-and-mouse game.
    So, on the day that they create the software and send it, 
does your commercial tool that you bought or even the free 
tools that you use find it? Very often not. Does it 2 weeks 
later? Yes, very often it does. So there is this window-of-time 
problem that is very hard to address, and the attackers will 
continue to innovate.
    Mr. Manzullo. But it is worthwhile to buy some type of 
protection?
    Mr. Clancy. Yes. You are much better off with it than you 
are without it, but it is not a perfect defense.
    Mr. Manzullo. When my account got hacked into last year and 
my contact lists were stolen, I called a representative from 
this company--and I don't want to give the name of the company. 
It is a fairly responsible company; it just wouldn't be fair to 
name them publicly. But the lady said that because the 
information on the e-mail account was not stored in my PC but 
somewhere--I don't know if the word is the ``cloud'' or 
wherever else it was, is that this antispyware, whatever it is, 
was unable to protect it.
    You are nodding. Maybe you could explain to me what she 
tried to explain to me on the phone.
    Mr. Clancy. Sure.
    Mr. Manzullo. What happened there?
    Mr. Clancy. Essentially what happened, most probably--
obviously, I am just basing it on what you said--is that the 
sign-in ID, the username and password you use to get into your 
mailbox, was compromised, and the bad guy logged in from some 
other system to that system in the cloud to pretend that they 
were you to send out these e-mails. Right? Or using a system to 
do that on their behalf, as opposed to actually attacking your 
own personal laptop or computer that you were using. And 
because their credential was stolen, it appeared to that mail 
provider as you signing in with your password so it must have 
been you. Right? So the client tool on your PC didn't come into 
play because it was external to you.
    Now, it would have potentially prevented the fact that that 
sign-in to your e-mail account was taken in the first place if 
that actually occurred when you were using your computer and 
not something perhaps when you were traveling or on another 
machine.
    Mr. Woodhill. But the question is, how did your log-on ID 
and password get compromised? The typical way is because they 
had malware on your PC that watched you enter your user ID and 
password, stole it, and transmitted it to the bad guys to use 
in that scam.
    There are other attack modes, however. You can recover a 
user ID and password on Yahoo by knowing some challenge 
questions that they can research about you. So there are other 
possibilities, but almost always it is malware.
    Mr. Manzullo. The reason I ask the question is that, is it 
an option to take and download what is in the cloud now 
directly onto your PC? And would that make it more secure? Or 
would that--the lady said it would actually open up everything 
else on the PC to that attack.
    Mr. Woodhill. Congressman, it would make it less secure, 
because the testimony here among the experts is that you can't 
secure your home PC. The Pentagon can't secure its desktop PCs. 
So it would be two places you could be attacked, not just one. 
And you could lose your PC, it could be physically stolen in a 
robbery of your house, and then the data would be on your hard 
disk.
    Mr. Manzullo. The final question is, do you remember--I 
guess it still goes on, with the robo-calling of the 
telephones, where computers would generate a list of seven 
numbers and then actually come up with a combination that it 
will ring? Do people who do this take a look at somebody's name 
and then try to figure out different combinations of that? How 
individual is this in the hacking that takes place? Or is it 
mostly on a broad base so that everybody gets hacked at one 
time?
    Oh, no, that is not correct because the Crystal Lake School 
District got hacked and had $340,000, and it was just their 
district that they hacked into.
    Mr. Clancy. I would say both. There are what we call 
commodity attacks that are broadly targeted based on an e-mail 
list that was found, whether your name is posted on a Web site 
or what not, based on people just trawling the Internet looking 
for identity. And then there are targeted attacks that are very 
convincing that are very personalized to the individual. And 
you have sophisticated criminals doing those attacks and more 
basic feeder farm team criminals doing the more commodity 
widespread things. So you have both.
    Mr. Manzullo. So then the Yahoo--my account is Yahoo--or 
Gmail, whatever it is, you really shouldn't have your name on 
that address. Would that be correct? Such as 
``[email protected].''
    Mr. Woodhill. Actually, if you look at who lost money, it 
is random. Your school district was just randomly unlucky. 
Every time banks sign someone up like your school district for 
online banking, they get a kind of reverse lottery ticket, that 
if their number is selected by the criminals, they lose 
$300,000, as Crystal Lake does.
    And so in studies of the victimization patterns, it doesn't 
matter if your name is included or not, you are just randomly 
unlucky to end up with malware on your PC and getting your 
money stolen. So those kinds of things--the criminals try 
everything. They try every attack every which way, so you can't 
defend yourself.
    Mr. Manzullo. Thank you.
    Mr. Schweikert. Thank you, Mr. Manzullo.
    And thank you to the panel. This was interesting, and I 
have the feeling we are going to be spending a lot more time on 
this subject over the years to come.
    The Chair notes that some Members may have additional 
questions for this panel, which they may wish to submit in 
writing. Without objection--I am always worried someone is 
going to walk in and just object at that moment--the hearing 
record will remain open for 30 days for the Members to submit 
written questions to these witnesses and to place their 
responses in the record.
    I can almost assure you there were two or three Members up 
here who had technical questions that will be coming to you.
    Thank you for your participation.
    This hearing is adjourned.
    [Whereupon, at 11:40 a.m., the hearing was adjourned.]






                            A P P E N D I X



                              June 1, 2012




[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



