[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]




                               before the


                                 OF THE

                      COMMITTEE ON SMALL BUSINESS
                             UNITED STATES
                        HOUSE OF REPRESENTATIVES


                             FIRST SESSION


                              HEARING HELD
                             MARCH 21, 2013



            Small Business Committee Document Number 113-008
              Available via the GPO Website: www.fdsys.gov



80-172                    WASHINGTON : 2013 
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 


                     SAM GRAVES, Missouri, Chairman
                           STEVE CHABOT, Ohio
                            STEVE KING, Iowa
                         MIKE COFFMAN, Colorado
                       BLAINE LUETKEMER, Missour
                     MICK MULVANEY, South Carolina
                         SCOTT TIPTON, Colorado
                   JAIME HERRERA BEUTLER, Washington
                        RICHARD HANNA, New York
                         TIM HUELSKAMP, Kansas
                       DAVID SCHWEIKERT, Arizona
                       KERRY BENTIVOLIO, Michigan
                        CHRIS COLLINS, New York
                        TOM RICE, South Carolina
               NYDIA VELAZQUEZ, New York, Ranking Member
                         KURT SCHRADER, Oregon
                        YVETTE CLARKE, New York
                          JUDY CHU, California
                        JANICE HAHN, California
                     DONALD PAYNE, JR., New Jersey
                          GRACE MENG, New York
                        BRAD SCHNEIDER, Illinois
                          RON BARBER, Arizona
                    ANN McLANE KUSTER, New Hampshire
                        PATRICK MURPHY, Florida

                      Lori Salley, Staff Director
                    Paul Sass, Deputy Staff Director
                      Barry Pineles, Chief Counsel
                  Michael Day, Minority Staff Director

                            C O N T E N T S

                           OPENING STATEMENTS

Hon. Chris Collins...............................................     1
Hon. Janice Hahn.................................................     2


William H. Weber, Senior Vice President, General Counsel, 
  Cbeyond, Atlanta, GA, on behalf of COMPTEL.....................     4
Justin Freeman, Corporate Counsel, Rackspace, San Antonio, TX, on 
  behalf of the Application Developers Alliance..................     6
Dan Shapero, Founder, ClikCloud, on behalf of CompTIA............     8
Phyllis A. Schneck, Ph.D., Chief Technology Officer Public 
  Sector, McAfee, Inc., Reston, VA...............................     9


Prepared Statements:
    William H. Weber, Senior Vice President, General Counsel, 
      Cbeyond, Atlanta, GA, on behalf of COMPTEL.................    17
    Justin Freeman, Corporate Counsel, Rackspace, San Antonio, 
      TX, on behalf of the Application Developers Alliance.......    24
    Dan Shapero, Founder, ClikCloud, on behalf of CompTIA........    43
    Phyllis A. Schneck, Ph.D., Chief Technology Officer Public 
      Sector, McAfee, Inc., Reston, VA...........................    49
Questions for the Record:
Answers for the Record:
Additional Material for the Record:
    NTCA - The Rural Broadband Association.......................    57
    NAFCU - National Association of Federal Credit Unions........    59


                        Thursday, March 21, 2013

                  House of Representatives,
               Committee on Small Business,
             Subcommittee on Health and Technology,
                                                    Washington, DC.
    The Subcommittee met, pursuant to call, at 10:00 a.m., in 
Room 2360, Rayburn House Office Building. Hon. Chris Collins 
[chairman of the subcommittee] presiding.
    Present: Representatives Collins, Luetkemeyer, Hahn and 
    Chairman COLLINS. Good morning. The hearing will come to 
    We are going to have votes called sometime in the next--
between the next five minutes and the next 30 minutes, at which 
point we will have to adjourn for maybe a half an hour and then 
we will come back, but just to put everyone on notice. We are 
not too sure; it could be as early as 10:05 and as late as 
10:30 that we are going to be voting on the budget today.
    I want to welcome our new members to the Subcommittee, 
especially Ranking Member Hahn. I look forward to working with 
you and all of our members during the 113th Congress. I also 
want to give special thanks to our panel of witnesses for 
taking time away from your full-time jobs and making the trip 
to Washington for this important hearing, and I certainly also 
want to welcome the high school students today who are seeing 
how democracy works. Welcome.
    Our nation's digital infrastructure has become an essential 
component of how small businesses operate and compete in the 
21st century. It provides access to a variety of innovative 
tools and resources to help reduce costs and increase 
productivity. E-mail, social media, online sales, and global 
video conferencing are just a few of the examples. New 
innovations and capabilities are being developed every day as a 
result of the Internet, and this means new jobs for Main Street 
America, new tools for small business. The rapid development in 
information technology is truly fascinating to watch. A couple 
of the most dynamic industries that have emerged are cloud 
computing and mobile applications. It is now easier than ever 
for small businesses to store and access their information from 
anywhere in the world without purchasing thousands of dollars 
in IT equipment. In addition, the boom in mobile applications 
is a great success story for both entrepreneurs looking to 
create the next best app and for small businesses that use 
them. From mobile banking to online marketing there is a 
plethora of applications available to help small business firms 
increase productivity. In considering the NCAA tournaments set 
to tip off any minute now, I am sure there may be some even in 
this room who may stream the games from an application on their 
mobile device.
    Unfortunately, the growth of information technology has 
also attracted a growing number of cyber criminals looking to 
steal sensitive information, including intellectual property 
and personal financial information. These attacks can be 
catastrophic, leaving many small businesses unable to recover. 
A recent report shows that nearly 60 percent of small 
businesses will close within six months of a cyber-attack. The 
recent string of cyber-attacks on high profile companies is a 
stark reminder of the current threat, and although small 
businesses do not make the headlines, a recent report shows 
that 20 percent of cyber-attacks are on small firms with less 
than 250 employees. Small businesses generally have fewer 
resources available to monitor and combat cyber threats, making 
them easy targets for expert criminals. In addition, many of 
these firms have a false sense of security, and they believe 
they are immune from a possible cyber-attack. The same report 
shows that 77 percent of small firms believe they are safe from 
a cyber-attack, even though 87 percent of those firms do not 
have a written security policy in place.
    There is clearly a gap in education and resources. 
Moreover, the sophistication and scope of these attacks 
continues to grow at a rapid pace. A report by the Office of 
National Counterintelligence Executive indicated that tens of 
billions of dollars in trade secrets, intellectual property, 
and technology are being stolen each year by foreign nations 
like China and Russia. These are not rogue hackers. They are 
foreign governments engaged in complex cyber espionage with a 
mission to steal our trade secrets and intellectual property. 
As the leader in producing intellectual property, the United 
States and small businesses will continue to be a primary 
target for cyber criminals seeking an economic advantage.
    Protecting our digital infrastructure is complex and no one 
federal agency or private business can do it alone. It takes a 
true public-private partnership to identify, combat, and share 
information regarding the sophisticated cyber-attacks. As we 
consider new cyber legislation, we must work to identify the 
correct balance between imposing new onerous regulations for 
small business and protecting proprietary information and our 
digital infrastructure.
    Again, I want to thank our witnesses for participating 
today. I look forward to hearing how we can better assist small 
businesses in utilizing new technologies while protecting them 
against cyber-attacks. I will now yield to Ranking Member Hahn 
for her opening statement.
    Ms. HAHN. Thank you, Chairman Collins. I am proud to be 
serving as a ranking member of this Subcommittee, and I know 
that there is a lot of work that we can do together to empower 
our small businesses to put technology to work for them and to 
help them access all the resources that are available to them 
to strengthen their businesses hire, and grow. And of course, 
while the Internet and new information technology offers 
tremendous possibilities for our small business, as you said, 
it exposes them to cyber threats that can be particularly 
difficult for them to counter. Developing new innovations is 
fundamental to our prosperity in the 21st century, but even 
more essential is enabling the nation's small firms to adopt 
these new technologies and become even more successful and 
efficient. Over the next decade, we can expect the growth of 
this field to produce good-paying jobs for millions of 
Americans. The number of jobs dependent on technology is 
expected to grow, creating opportunities for large and small 
companies in every sector of the U.S. economy.
    Internet and telecommunication technologies have not only 
changed how we communicate, but also how business is conducted. 
America's 23 million small businesses are some of the savviest 
users of technology by using the Internet to access new markets 
to grow and diversify. In fact, small businesses are the 
driving forces behind further technological innovation as they 
produce about 13 times more patents per employee than other 
businesses. For the established small business, modern 
technology can expand a firm's client base using a company 
website, social networking, or other forms of online 
advertising. Firms can utilize voice and video communication as 
a low cost method to connect with customers around the world 
and reach previously untapped markets. They can store data 
online, access office productivity tools, and even improve the 
energy efficiency of their business.
    Yet for all the benefits technology brings to the equation, 
it also creates more challenges for small business owners, 
consumers, developers, and vendors. One such challenge is 
cybersecurity because being connected also means being exposed 
to new threats. Cyber threats can come in many forms but they 
are all devastating to both business owners and their 
customers. A single attack can wipe out a small business, which 
is why cyber crime poses severe problems for small businesses 
that are not prepared to mitigate this kind of risk. According 
to studies, 40 percent of all threats are focused on firms with 
less than 500 employees and reveal that a total of nearly $86 
billion is lost with companies incurring an average of $188,000 
in losses. Sadly, some small companies fail to recognize the 
benefit of cybersecurity as an investment until it is too late. 
On the other hand, those firms that understand the importance 
of such an investment often lack the resources to implement and 
effective security system.
    The testimony we hear today will not only highlight the 
variety of opportunities created by new technology but it will 
also help to better protect the nation's small businesses from 
growing cyber threat. This Congress, the strengths and 
weaknesses of comprehensive cybersecurity, including issues of 
privacy and notification, will once again receive significant 
consideration. Small businesses have much at stake in how this 
debate plays out. It is my hope that today's discussion will 
shed light on what these policies mean for online 
    In advance of the testimony I want to thank all of the 
witnesses for their participation and insights into this 
important topic. Thank you, Mr. Chairman, and I yield back my 
    Chairman COLLINS. Thank you. Before we get started and hear 
testimony from our four witnesses I would like to take a moment 
and explain the timing lights for everyone. You each have five 
minutes to deliver your testimony. The light will start out as 
green. When there is one minute remaining, the light will turn 
yellow, and finally, it will turn red at the end of your five 
minutes. And if we can stick to that time limit we would 
certainly appreciate that.
    Our first witness is Mr. William Weber. Bill is the senior 
vice president and general counsel for Cbeyond in Atlanta, 
Georgia. Cbeyond is a communications service company that 
provides specialized services, including Internet and cloud 
computing exclusively to the small businesses nationwide. Bill 
received his B.A. from the U.S. Naval Academy and his J.D. from 
the University of Georgia. He spent 12 years in the Marine 
Corps. Thank you for your service. He is testifying on behalf 
of COMPTEL, that is a trade organization. Thank you and 
welcome. You have five minutes to present your testimony.

                          MCAFEE, INC.


    Mr. WEBER. Mr. Chairman, Ranking Member Hahn, Distinguished 
Members, thanks very much for the opportunity to speak with you 
today about what is an incredibly important issue for small 
businesses across the United States.
    My company, Cbeyond, represents 60,000 small businesses and 
that is the only group of companies that we represent. We do 
not represent large enterprises or microbusinesses. So we have 
a lot of experience in dealing with the kinds of security 
issues that they face. But I wanted to start out today to talk 
to you a little bit about cloud services, what they really are, 
and how they are being used by small businesses today because 
it is easy to get confused about what kind of cloud services 
small businesses are utilizing.
    When people talk about cloud services, there are three 
kinds that they will talk about. Software is a service, and 
there are a lot of consumer-focused cloud services. 
Technically, software is a service. Netflix is a one. Facebook 
is another. Small businesses tend to use software as a service 
provider such as Salesforce.com to help run their sales force.
    You also have platform as a service, which is much more 
complex. Small businesses tend not to use it. It is kind of an 
operating system in the cloud. And then the people that we have 
here talking today are primarily going to be discussing 
infrastructure as a service. When you hear people in the cloud 
industry talk about infrastructure as a service, what we mean 
is taking things that in the past were physically located on a 
business's premises and moving them off the premises somewhere. 
And I think giving you a concrete example of a business that 
might do this would be helpful.
    Let us take a typical small business that we might serve, 
like a doctor's office. They have got three physicians working. 
They have got staff people, 10 PCs, and they very likely have a 
server on their premises. When we say a server, it is just 
simply a computer that does not necessarily have a monitor 
hooked up to it but that the other doctors and administrative 
staff could access their billing software on that server that 
would be located on their premises. And that would be connected 
into their premises network via Ethernet cables like you see 
all over the place. There is a green one right here. You 
probably have some in the desk in front of you.
    When we talk about infrastructure as a service, what we are 
really talking about is taking that server and if you can 
imagine extending that Ethernet cable 250 miles into a data 
center, and now instead of sitting on the premises, that 
server, with all their billing software on it, customer records 
on it, is sitting in a data center. And instead of having to 
buy that as a capital expenditure for the company, that server 
is rented from a company like mine, Cbeyond or Rackspace or any 
of the other companies that provide servers in the cloud.
    Now, what are the advantages of doing that? Well, some of 
the advantages are the small business can preserve capital. 
Instead of having to do a $2,000 or $3,000 outlay to buy that 
server they can rent it by the month from us. Physically, it is 
much more secure. It is in a datacenter that has all the most 
up-to-date firefighting equipment and power backups and 
everything you can imagine to protect it physically. So those 
are two of the major advantages they get. Do they get security 
advantages? They do get security advantages because we can move 
not only servers off their premises, we can move firewall 
devices off their premises and they can rent those from us. We 
can move storage devices off their premises and they can rent 
those from us. So from a security perspective, rather than 
being responsible for maintaining the cybersecurity that server 
themselves, which they are not professionals doing--they want 
to run a doctor's office and that is what they are professional 
at--they shift that burden to the cloud provider, and we are 
experts in that--maintaining the firewalls, maintaining the 
operating system, making sure virus software is kept up-to-date 
and doing all those things for them. So it sounds like a 
complex thing but if you do think about it as simply moving 
that server that is on your premises into the cloud and letting 
people who do nothing for their job but think about security 
for those things maintain it, it can be of tremendous value to 
small business. Thank you.
    Chairman COLLINS. I think we can do one more witness and 
the two of us will jog down to the floor to vote.
    Thank you, Mr. Weber. I think that was a good explanation 
of what cloud computing is all about. Maybe we can have some 
questions on that later.
    Our next witness is Mr. Justin Freeman, corporate counsel 
for Rackspace. Rackspace is a global leader in providing cloud 
computing services for all types of businesses, including 
mobile applications for small firms. Justin has expertise in 
both the legal and technical areas of the rapidly expanding 
field of cloud computing law. In his role he oversees complex 
technical agreements and directs their public policy strategy. 
He received his J.D. from Southern Methodist University and is 
a certified information privacy professional. He is testifying 
on behalf of the Application Developers Alliance. Thank you for 
being here. We look forward to your testimony.


    Mr. FREEMAN. Thank you, Chairman Collins and Ranking Member 
Hahn and the rest of the Committee members.
    On behalf of both myself and Rackspace and the Application 
Developers Alliance, thank you for your time today and for this 
opportunity to discuss contemporary cybersecurity challenges, 
which are all the more difficult for our small business 
community to address.
    I would like to begin by providing a little bit of 
background on Rackspace hosting founded in 1998 and 
headquartered in San Antonio. With our focus on fanatical 
support, which is a fierce commitment to a customer-oriented 
set of core values, we have grown rapidly and currently serve 
more than 170,000 customers across 120 countries. Rackspace 
focuses on providing the cloud infrastructure and support 
technologies, which enable businesses both large and small--
especially small these days--to benefit from the cost savings 
that cloud computing provides.
    Our latest focus is on open stack, an open source cloud 
platform which we jointly developed with NASA. Open cloud 
technologies are at the forefront of this information 
technology revolution. They make previously inaccessible 
technology available to businesses, small and large alike, 
without initial investment in research and development costs, 
and they eliminate proprietary lock-in which helps foster 
industry standards for cloud computing providers and it is a 
critical first step in allowing users to move their 
applications and data from provider to provider as they see 
    There is no doubt that small businesses face growing cyber-
threats, especially in the form of intellectual property theft 
and business disruption, such as what happens when a small 
business's website is knocked off the Internet by a denial of 
service attack. It is more important than ever for small 
businesses leveraging new technologies to provide innovative 
services and solutions to ensure that they have a trusted 
provider ecosystem on which they can rely.
    Rackspace has increasingly supported small businesses via 
start-up programs which provide free or discounted cloud 
resources to new enterprises. This helps remove some of the 
initial roadblocks to success. The mobile application space is 
particularly explosive with small business-led innovation as 
entrepreneurs are able to leverage diverse and powerful cloud 
computing resources to deliver innovative, integrated, and 
mobile application experiences to customers, professionals, and 
enterprises with little or no barrier to entry. And that is 
really the key point in the application space.
    To further support this innovative sector, Rackspace has 
joined with the Application Developers Alliance, an industry 
association dedicated to meeting the unique needs of 
application developers as creators, innovators, and 
entrepreneurs. The Alliance includes more than 20,000 
individual application developers and more than 100 companies, 
investors, and stakeholders, and it strives to deliver 
essential resources, serve as a collective voice on policy 
issues for all the small businesses who might not otherwise be 
able to be present, and act as kind of the connective tissue in 
the app ecosystem. Rackspace-assisted start-ups have run the 
spectrum of the mobile app space, including iPad applications 
to support physicians and information management, literature 
apps to help book lovers share the reading experience, language 
learning and test prep apps, and app systems that frankly make 
it easier to make even more apps.
    Turning back to the critical question, what can the federal 
government do to help protect small businesses from cyber-
threats, it is first important to acknowledge that because of a 
lack of resources to invest in expensive security appliances or 
with which to maintain a large staff of security professionals, 
many common prescriptions have limited effectiveness when it 
comes to protecting the small business environment from cyber 
threats. That is not to say that these challenges are by any 
means insurmountable. Policies which focus on education and 
training can help equip small business professionals with the 
know-how necessary to respond to cyber threats and economic 
incentives to implement security appliances can help offset the 
cost of maintaining a secure infrastructure. It is crucial that 
privacy and security regulations are implemented in addressable 
fashion so as to provide a foundation of security principles 
while allowing businesses to retain the flexibility necessary 
to remain competitive and innovative.
    We must avoid regulating small businesses out of the 
marketplace by imposing retrospective or overly burdensome 
requirements to implement security measures which ensure or 
outright guarantee that no data can be breached. Instead, we 
should focus on requiring reasonable and appropriate controls 
to address threats in the context of a competitive business 
environment, disseminating critical information about current 
threats and best practices to the small business community, and 
promoting a coherent set of sector-specific regulations, 
privacy protections, security requirements, and collaborative 
commitments. While it may be impossible for any company to 
guarantee the security of its systems, together we can lay a 
foundation to keep the American technology sector secure, 
innovative, and internationally competitive.
    Thank you very much for your Committee's time.
    Chairman COLLINS. Thank you, Mr. Freeman. We will have to 
adjourn now for I am thinking about 30 minutes to go cast our 
votes. You can see what is going on right now, at which point 
we will be back. Thank you.
    Chairman COLLINS. The Committee will now reconvene. Ranking 
Member Hahn had to catch a flight so I would now like to 
introduce our third speaker. Dan Shapero is the founder of 
ClikCloud, a company that provides cloud-based digital 
marketing services for the IT service channel. As an 
entrepreneur, Dan has extensive experience growing his own 
company and helping other SBAs grow their businesses by 
leveraging cutting edge technologies to gain strategic 
advantages over larger and better capitalized competitors. He 
is testifying on behalf of CompTIA.
    Welcome. You have five minutes to present your testimony.

                    STATEMENT OF DAN SHAPERO

    Mr. SHAPERO. Good morning, Chairman Collins, Ranking Member 
Hahn, and Distinguished Members of the House Subcommittee on 
Health and Technology. I would like to thank you for holding 
this important hearing. This testimony is submitted on behalf 
of the Computing Technology Industry Association (CompTIA).
    My name is Dan Shapero. I am a CompTIA member and founder 
of ClikCloud, a company I launched in 2010 focusing on offering 
a variety of IT services, such as digital marketing, website 
hosting, search engine optimization, blogging, e-mail 
newsletters, and other business advisory services.
    I am a California native and I am a graduate of the 
University of California in San Diego. Prior to ClikCloud I 
spent over 20 years working in the IT sector in various 
capacities. I have also launched or helped other entrepreneurs 
launch several IT startups. My past clients include Vicinity, 
which is now Microsoft Maps, and Avamar, which is now part of 
    My colleague on the panel will share with you some more 
technical details of cybersecurity threats and attacks 
prevailing on our Internet ecosystem. I hope to contribute to 
the discussion by sharing with you my perspective from an IT 
small business owner. I can assure you that cybersecurity is 
one of the most pressing issues facing the small business 
sector, but first I would like to provide you a quick overview 
on CompTIA.
    CompTIA is a nonprofit trade association and its members 
include thousands of small computer service businesses, as well 
as nearly every major computer hardware manufacturer, software 
publisher, and service provider. In addition, CompTIA is also 
the leading global provider of IT workforce vendor-neutral 
certification and there are over 1.4 million CompTIA IT vendor-
neutral certification holders worldwide. Many of those are for 
IT security.
    As a baseline, the IT security infrastructure for small 
business is as vulnerable to cyber-attacks and threats as large 
companies and firms. Unfortunately, small businesses are less 
resilient than their larger counterparts because they have 
fewer IT resources in terms of personnel, hardware and software 
to combat the onslaught of cyber threats and attacks that many 
SMBs encounter on a daily basis.
    Some small businesses are comprised of as few as 5 to 20 
employees, so resources come at a premium. As a small business 
owner, I have to rely on my own expertise to implement adequate 
measures to ensure that the IT infrastructure that supports my 
business is secure. I also have to make sure that my clients 
understand cybersecurity risks and the threats to their 
business. I advise them on the types of cybersecurity 
compliance measures that they must implement to keep their IT 
systems secure.
    In the last five years, we have seen a steady transition 
from a server environment to a cloud-based environment. This 
has created tremendous opportunity for the small business 
sector. The emergence of cloud technologies is now allowing 
small businesses affordable access to IT infrastructure, 
including software that was financially beyond reach just a few 
years ago, so it is even more critical now that we ensure that 
adequate measures and controls are in place to protect small 
businesses from cybersecurity threats and attacks.
    I would like to highlight two policy issues. First, the 
majority of cyber-attacks create exposure across state lines. 
This is the reason that data breaches are of serious concern. 
There are 47 different state data breach notification laws in 
place. In addition to the legal and regulatory compliance 
costs, there is also an impact of loss of revenue and loss of 
reputation that can be overwhelming to most small businesses. 
CompTIA believes that the creation of a national framework for 
data breach notification can go a long way toward reducing 
costs and eliminating barriers to entry for small business 
firms and it will also serve as an incentive towards job growth 
in the small business sector.
    Another issue that we face as small to medium businesses is 
the ability to recruit and retain in-house talent to help 
protect ourselves from cyber-attacks. All of our employees have 
responsibility in keeping us secure, especially those in IT-
related roles. However, there is a skills gap that is an issue 
that is affecting our IT community as a whole. There are 
approximately 250,0000 open IT jobs in the U.S. at any given 
time. IT training and certification is not a magic bullet; 
however, it is a critical part of the solution.
    In closing, I would like to thank you again for the 
opportunity to share our perspective on the issue of 
cybersecurity and would be happy to answer any questions.
    Chairman COLLINS. Thank you, Mr. Shapero.
    Our final witness is Dr. Phyllis Schneck. She is the vice 
president and chief technology officer for McAfee and has 
certainly testified before this Committee a year or so ago. Dr. 
Schneck received her Ph.D. in Computer Science from Georgia 
Tech University where she specialized in the field of 
information security. In addition to her role at McAfee, she 
serves as the chairman of the board of directors of the 
National Cyber Forensics and Training Alliance, a public-
private partnership used to prosecute cybercriminals worldwide.
    Welcome back to the Committee. You have five minutes to 
present your testimony.


    Ms. SCHNECK. Thank you. And good morning, Chairman Collins 
and other members of the Subcommittee.
    I am Phyllis Schneck, vice president and chief technology 
officer for Global Public Sector for McAfee. I really 
appreciate the Subcommittee's interest in this topic of 
cybersecurity for small business. I am pleased to address the 
Subcommittee once again.
    My testimony will focus on four key areas. The threat 
landscape and its implications for small business, what in 
general can we do about that for small business, what are the 
mitigations, and then what is it that the private sector and 
the public sector and government can do to address this.
    A bit of background. I come from the high performance 
computing world. Balancing how you take hardware design, 
software design, and get a CPU to do everything it can do for 
cryptography. So it is a balance of strong security and strong 
computing. I also had a startup of my own and understand some 
of the challenges in having a small business and was one of the 
founding designers of our Global Threat Intelligence at McAfee, 
which enables us as a large company to see 160 million points 
of light of where bad things may be happening across the 
Internet and create a weather map that protects everyone else. 
And as you mentioned, I do run the National Cyber Forensics 
Training Alliance, and the passion there is the information 
sharing and collaboration which we need desperately to get to 
the small businesses so that they, too, can benefit from that 
even though they may not have the time or the money or the 
resources to participate in that themselves.
    At McAfee, we are relentless. We are dedicated to providing 
connected security ecosystems that benefit small business, 
large business, government all over the world but that make 
sure that every part of the security ecosystem is learning as 
it protects and as a wholly-owned subsidiary of the Intel 
Corporation, we go all the way to the hardware and we are able 
to look at the actual pieces and parts and metal and silicon 
that run the instructions and make sure that we can detect 
adversary behavior and protect.
    Small to medium businesses make up 99.7 percent of our 
business fabric. They hold intellectual property, personal 
information. Many times they are the contractors building the 
next engines, yet they cannot afford strong security teams and 
they cannot afford separate resources which is why my 
colleagues and others today provide amazing services to them so 
they do not have to buy the equipment; they have the services. 
What I will address today is how we can help those small 
businesses that leverage so much on cloud and mobility and also 
help, as Ranking Member Hahn pointed out, 23 million small 
businesses. How we help them also gain the information sharing 
and collaboration that the larger businesses are getting the 
benefit of right now.
    On the mobile space, that has increased from what we have 
seen 70 percent in the past year. We went from 792 samples in 
our malware zoo as we call it to 37,000, and 95 percent of that 
increase was in 2012. Small business leverages these mobile 
devices because they are inexpensive in many cases. They are 
easy. They can do their home transactions, their work 
transactions all at once. They take them on the road and they 
leverage it with cloud services because there is very little 
computing resource on the small device so they can outsource 
the data storage. The threats to this and mobility, we see 
those threats of the adversary trying to access that device to 
get your personal information and/or access your computer 
network, so the small business that cannot afford necessarily a 
team to watch this has an even stronger vulnerability because 
they have so much of their infrastructure dependent on mobile.
    On the cloud side, you are basically outsourcing the 
processing and storage of your data. So the key there is to 
watch the data in motion and at rest. When you plug in that 
Ethernet cable or a quote or send our data somewhere else, you 
need to make sure they are encrypted and protected. You need to 
make sure that that cloud provider has forensics for you when 
you do want to report a breach and you do want to share 
information. Some cloud providers will charge extra to do that 
forensics investigation, so we would ask to look at that to 
make sure that the best security on the planet is affordable 
for the biggest business sector on the planet.
    When we start looking at what we can do as private sector, 
focus on security. Cybersecurity is a boardroom risk issue even 
in the smallest businesses. Design and invest in cybersecurity 
upfront. Mobile devices can be managed. That policy can be 
pushed from the boardroom to every phone and every table. It 
can be pushed to how you categorize what data is outsourced to 
the cloud and what data perhaps is not.
    On the government side, we need to incentivize 
cybersecurity, incentivize innovation, ensure that small 
business has the protection that big business has, ensure that 
small business is not forced into the heavy regulatory 
compliance side and moreover can do their real business and 
build the next engines and the next drugs.
    On the information sharing side, the Rogers-Ruppersberger 
bill, it would be a wonderful way to encourage information 
sharing between the largest companies and the smallest so that 
you get that 99 percent of the business fabric to be able to 
contribute what they see in the situational awareness and let 
them have access to what we see as big business. Currently, the 
ISACs are not affordable for most small businesses, the 
Information Sharing and Analysis Centers that are set up with 
government and private sector. We need to level that playing 
field and get all that information and all of that security 
protection, all that safety into our small business 
    Thank you very much, and I look forward to any questions.
    Chairman COLLINS. I want to thank all the panel members. 
One reason we are having the meeting is to shine a light on the 
fact that 77 percent of small businesses are not even 
considering this. They are coming to work every day to make a 
sale, to have some cash in the bank, pay their bills. It is not 
on their radar. We want to put it on their radar.
    So I guess I will start with the basic question that each 
of you could address, which is a small businessman comes in 
unsure if it is malware and it is the old-fashioned, somebody 
just trying to wreak havoc with his system. You will know it 
because your system will not turn on and funny things will show 
up. But today what we are worried about is they are going to 
steal intellectual property. They are going to steal personal 
information. How does the small business owner that this is not 
on his radar even know he was hacked? How would he come in and 
know someone snuck in a back door and stole that information? 
Or would he not know?
    Mr. WEBER. Mr. Chairman, I am going to do something that 
you almost never see a witness do. I am going to stop talking 
immediately because I am not an expert on these things and we 
have incredible experts on exactly the sort of systems that can 
detect an intrusion so that you would know about it.
    Mr. FREEMAN. I will address a couple of points about that 
question. The first is that most small businesses that are 
hacked have no idea that they have been hacked. Most large 
companies that have been hacked also have no idea that they 
have been hacked. This is especially applicable to corporate 
espionage and the theft of intellectual property. Outside of 
the case of business disruption attacks where you know you have 
been hacked because your website does not function anymore, the 
theft on the data breach side is much more difficult to spot. 
So if you start looking to solve the problem after a breach has 
occurred you are way too late. And I absolutely agree with your 
remarks that this has to be on the radar well in advance. 
Intrusion has to be detected in order for it to be responded 
to. And a number of the products from our other witnesses here 
can help businesses with intrusion detection and analysis but 
the fundamental answer is that security has to be part of that 
conversation. As Dr. Schneck put it, it has to be part of the 
boardroom conversation well in advance. We have to integrate 
security into our fundamental planning of all types of business 
development processes. Thank you.
    Mr. SHAPERO. I concur with Mr. Freeman. Chances are the 
small business owner does not really know. Now, if they are 
relying on cloud infrastructure, it may be incumbent on the 
cloud provider to notify them if there is a data breach or a 
data leak which may be conceived as a benefit of having your 
assets in the cloud. But more often than not, if it was just on 
their own network within their premises, chances are it went 
    Ms. SCHNECK. I will concur, and I will say pretty much 
everybody is owned, meaning there is a visitor most likely 
everywhere on every network. The idea is to be able to run well 
under attack. The trick here is resilience. How is this event--
because it will happen--it is just like the human body. You 
will get a cold but it will not kill you. So how is it that 
networks keep running? How do we build in resilience? It goes 
to the boardroom policy issue and it also goes to making your 
network, no matter how small or large it is, making your 
network smarter. There are a lot of shiny products out there. 
We all have them. But making sure when you invest in those 
shiny products they click together and they talk to each other 
and they make your network smarter, like an ecosystem. So if 
part of your body spots a germ, your body attacks it without 
having a meeting to do it. This is how we build our networks 
now. This is that connected philosophy. And one of the best 
things we can do is enable. Part of what we do, first of all at 
McAfee, is take our global threat picture and apply it to every 
small point that we protect. But as a community, we can take 
everybody's global picture, connect it, and protect even the 
smallest of businesses. So the detection of the intrusion will 
be earlier, but also the resilience to it will be a lot 
stronger. You will know how to recover from that. You will 
probably lose less. A very tactical example is the way 
intellectual property is ``lost'' is the access is gained by an 
intruder that knows how to execute their instruction next on 
your computer's list so they have control. They look for what 
they want and they make a copy of it. They copy it and they 
make a web connection and they send it back to a server that is 
waiting for it. We can spot that stuff. It is not even 
expensive. The idea is to know what you are looking for and it 
is not static. Know what you are looking for based on what the 
rest of the world is seeing right now, and a lot of that comes 
from information that would be shared to and from cloud 
    Chairman COLLINS. Thank you. I mean, again, our concern is 
it is one thing to say we should address this at the board 
level and we should, but that starts with an owner who thinks 
he is vulnerable. Seventy-seven percent of small business 
owners do not think they are vulnerable. They are. We know it 
and we just need to heighten that. So, again, from this 
Committee, if we said what are the top three things we should 
as a Committee focus on or explain to small business, besides 
going in the cloud, right? Number one, go to the cloud. But 
what are the first three things that we could do to try to 
highlight this? Or what would you recommend a small business 
    Mr. WEBER. Mr. Chairman, if I was going to make one 
recommendation, the thing that hurts our customers more than 
anything else is using poor passwords. It sounds so basic. You 
would think that today in 2013 that people would know what they 
ought to be doing but they do not. They are very dumb about 
password selection. So today a secure password ought to be at 
least 12 digits long. It ought to have capital letters, it 
ought to have lower case letters, and it ought to have a number 
or two in it. A password like that is not going to be cracked. 
But small businesses do not want to do that because it feels 
inconvenient. There are all kind of techniques you can use for 
generating these passwords and make them easy to remember.
    I will give you just one example of a problem that we had 
with this. Our company has a website called Cbeyond Online 
where you can go to modify your services, whether it is cloud 
servers or your phone services. And we had a large law firm in 
Atlanta with 90 attorneys who use our service, and one of the 
attorneys who had access to Cbeyond online had a very, very 
weak password. It was the name of his college mascot and they 
got hacked. And the hackers came in and, forwarded the firm's 
main telephone number to their cell phone. They then went to 
the firm's bank and deposited checks in their name worth 
$40,000. The bank called the law firm to verify. We had not 
seen this vendor before. We want to make sure that we should 
release these funds. Of course, their phones were forwarded so 
it rang to the criminal cell phones. They said, ``Absolutely. 
This is a top shelf vendor of ours. Please release those 
funds.'' And they lost $40,000 that way, just because of a weak 
    So if I were going to focus on one thing, the first line of 
defense is strong passwords. And if every small business in the 
United States started using appropriate passwords it would have 
a very significant impact on cyber crime.
    Chairman COLLINS. Thank you.
    Mr. FREEMAN. To carry on the notion that passwords are a 
first line of defense, I would just like to also emphasize it 
is critical to maintain a variance of passwords. At Rackspace, 
the number one threat we see to customers are when their 
systems are compromised because a malicious third party has 
garnered a list of passwords from another service. When you 
reuse the same password on your Evernote account as your Gmail 
account and someone is able to hack one or the other, they get 
a list of the passwords and they are able to use that against 
all of your infrastructure. An d routinely third parties will 
go out and simply bang against every provider available to see 
if the same user name and password combination exist.
    In combination with that, another practical approach is 
that business need to utilize encryption of all sensitive data, 
both economically sensitive and regulated data. Encryption 
really is the only means that has the fundamental integrity 
with which to protect data. Because systems will be compromised 
because we cannot guarantee that an intruder will not get 
access to a system, the only thing we can do is really secure 
the data that they might get access to, and encryption is far 
and beyond the gold standard when it comes to that type of 
    From sort of the broader approach, I agree with you there 
is sort of a chicken and egg problem. How do we have the 
security conversation when no one is having the security 
conversation? I think it is critical to look at policies that 
promote the conversation amongst users, businesses, and then 
the businesses' providers. So the providers consider it just 
part of doing business when they go and enter, whether it is 
with a cloud service provider or security provider or with 
another vendor, that security of information is simply 
integrated into that conversation and becomes part of the 
ordinary course of business.
    One possibility in order to incentivize that is to 
incentivize economically the use of security resources rather 
than to attempt to incentivize it through punitive regulations. 
I think that small businesses in particular are going to be 
much more responsive to economic incentives rather than to 
changing their behavior out of fear of punitive regulations, 
which often they do not have time to review in their mass and 
complexity. Thank you.
    Mr. SHAPERO. Well, first I would like to acknowledge the 
Committee for starting the dialogue. You asked what could the 
Committee focus on, exactly right, and it is great to know that 
small business is part of that dialogue--small businesses and 
their customers, frankly--and I urge you to continue on with 
the debate. For the business owners themselves I start off tip 
number one advice is make sure that your network is compliant. 
And when I say compliant, you do not just have anti-virus, 
anti-malware software, a firewall in place, but you are making 
sure that all your definitions are up-to-date, meaning that you 
are up-to-date on what the latest threats are. That your 
firmware on your firewall is up-to-date so that you have got 
the latest and greatest to protect yourself from those threats. 
And also your operating systems. So all those patches that come 
out on a regular basis. They might seem like a nuisance to many 
small business owners and it may be a basic thing like 
passwords, but make sure that you are applying them as 
recommended by your IT service provider. Encrypting your data 
is also an important part of ensuring that you have a compliant 
network. Doing a periodic network scan is something that you 
should do as part of making sure that you have a compliant 
network. So there is a whole list of checklists to make sure 
your network is compliant.
    The next thing is policies. So you pointed out most 
companies do not have a written policy for their employees. It 
might be something like acceptance use for mobile devices in 
their organization. Am I allowed to have corporate data on my 
personal device? Am I allowed to have personal data on my 
corporate device? Because it can get really tricky when a 
device might be lost or stolen and you are trying to lock down 
that data if you do not have those policies in place. Policies 
for what to do in case of a breach. Who do I notify? Which of 
those 47 states am I required to disclose to when I have lost 
data from my consumers? So having those policies in place is 
really important.
    And then I actually have four on my list so I will cut the 
last one off. The third is training. So it is really an 
educational process, not only for the business owner but for 
their staff as well so the employees understand the importance 
of why they cannot just have that 12 digit alpha numeric with 
caps and character password, but why it is important not to 
paste it on a post-it and stick it on your cubicle because you 
might forget it. So just making sure that you have the 
employees onboard as well because they really are the first 
line of defense. And as Mr. Weber pointed out, might be the 
ones taking that phone call, giving out or leaking out data in 
the organization. So it is really important that we raise the 
level of education of the business owners and their employees.
    Ms. SCHNECK. So I will echo. A lot of these comments are 
right on. This is not just a technology problem; this is a 
people problem. So a lot of emphasis on the training and 
education. When you incorporate a new business there are a lot 
of steps that people know they need to go through and not one 
of them is cybersecurity. So that is an afterthought 
completely, so already you start off behind. Many small 
businesses are harboring some of the neatest inventions for the 
next decades. They do not necessarily think about where they 
store stuff or categorize those assets and how you protect it. 
So it is very much a legal and policy challenge.
    As a ``security vendor'' I will say something potentially 
funny but anti-virus is not so much the way of the future; it 
is all the other things that were mentioned. But it is not 
having one of each; it is taking a step back and making a plan 
that fits that company, one that fits that budget, and that can 
get done when a company is incentivized to take a really good 
nontechnology look at the cybersecurity they need. What are my 
assets? What are my risks? I absolutely will have an intrusion. 
And then how do you bounce back from that and how do you create 
a culture of security, a culture of resiliency? And the modern 
maturity models that we see show that a good upfront investment 
in cybersecurity--and it does not mean an expensive one, it 
means a smart one, an educated one--is the upfront investment. 
And over time you actually spend less money and get more 
resilience because that connected security system is learning. 
Anyone can protect against an attack we know about. What we get 
hurt by as a community are the attacks that we have never seen 
before, and those are very well crafted because our enemies are 
innovating. So the only counter to that is innovation itself. 
And what I would ask for and suggest is something like tax 
breaks or insurance breaks. Those things are very attractive to 
new businesses. So when you stand up that new business, what 
are the things I can do to save the most money and be the most 
secure that look good to the three people that work for me or 
to the venture capitalist that put his money into me? And I 
think so from the training perspective, the people perspective, 
and overall holistic risk perspective. Then you can start 
adding all these wonderful technologies that we all have.
    Chairman COLLINS. Well, thank you. I want to thank all the 
members for participating because I just think this is a step 
in the direction for the Small Business Committee on an 
awareness front and I think also interfacing with the SBA. I 
think just saying to someone who calls up and says I am 
creating a business, making sure that the issue of 
cybersecurity and the importance of it is on the checklist. I 
mean, let us just for one thing get it on the checklist. So I 
think there is a lot we can do just shining a spotlight and we 
have done some of that today. We intend to do more. We are 
going to make sure that at the end of this meeting that we do 
send a letter to some of the key federal agencies and summarize 
the findings here. We will also be talking in a broader 
perspective with some of the news media about cybersecurity, 
and we are going to ask the federal agencies to come back to us 
and detail what they are doing to deal with the issue of 
cybersecurity, the importance, and especially as we said today, 
small companies do not even know they just lost their strategic 
plan, they just lost their bank statement, they just lost a 
list of all their employees and their employees' social 
security numbers, their strategic plan. I mean, if you could 
imagine setting them in the lobby for someone to copy, to some 
extent that is what they are open to. So we are just going to 
step forward and make sure that small business understands the 
risk. It is real. It is more severe today than it was 10 years 
ago, and so your testimony today is helpful, and certainly your 
list of suggestions. We will make sure that we include that. 
They were very common sense and in many cases not that 
    So I will ask unanimous consent from the members. Seeing 
there is no objection I will so order that. And this meeting is 
now adjourned. Thank you very much.
    [Whereupon, at 11:32 a.m., the Subcommittee was adjourned.]
                        Statement for the Record

             William Weber, General Counsel, Cbeyond, Inc.

                               Before the

                 United States House of Representatives

                      Committee on Small Business

               Subcommittee on Healthcare and Technology

                               Hearing on

 Protecting Small Businesses Against Emerging and Complex Cyber-Attacks

                             March 21, 2013

    Mr. Chairman and members of the Subcommittee, Cbeyond 
appreciates the opportunity to provide a statement for the 
record for today's hearing. Cbeyond provides cloud and 
communications services to more than 60,000 small and medium 
businesses (SMBs) nationwide; in our most established markets 
including Atlanta, Dallas, Denver and Houston, we provide 
services to more than 15% of all businesses with between 5 and 
250 employees. Our annual revenue is nearly $500 million, and 
we have approximately 2000 employees. Last year, Forbes 
magazine named us one of America's Most Trusted Companies and--
together with Kraft Foods and Timberland--we were given the 
Points of Light Corporate Engagement Award of Excellence.

    I hope today to give you a brief overview of what cloud 
computing is, why it matters to SMBs, the cyber-security 
threats facing these companies and ways that those threats can 
be mitigated.

    What is Cloud Computing?

    Unfortunately, I am old enough to remember the giant 
computers of the 1960's with their punch cards and putty-
colored terminals with ghostly green type. These machines 
differed from the computers our children grew up with in that 
their computing power was not in the terminals themselves; the 
computing power was in a mainframe computer located in another 
room or another building. This was why you sometimes heard the 
machines you typed on described as ``dumb terminals.''

    Beginning in the late 70's and moving through the 80's, 
computing power gradually migrated from the network core to the 
network edge. This was the rise of the personal computer, and 
as competition blossomed and prices tumbled, true computing 
power became available to home and small business users for the 
first time. This democratization of computing resources remade 
our economy and fundamentally changed the way many of us work.

    As PCs became ever smarter, faster and cheaper, we began to 
make demands on them that were difficult to achieve without a 
network. So we built a new kind of network. These new networks 
were fundamentally different from the old because now the 
computing power resided primarily at the edges. The networks 
themselves served to route information (like email) from PC to 
PC and to store information in central locations that needed to 
be accessed by many people simultaneously (like databases).

    Soon, though, we discovered a need to return some real 
computing power to the network itself. Let's take a law firm as 
an example. By the mid-90s, law firms got tired of having to 
buy the same programs for all their computers, particularly the 
programs they used to bill their time, store and access 
important documents and organize their calendars. Software 
makers responded by creating versions of their software that 
could reside on a central server connected to individual 
computers via the Ethernet cables of the law firm network. Now 
multiple attorneys and assistants could access the same central 
information, bills could be generated automatically and the 
vast document databases that made legal work simpler could be 
shared, searched and accessed by dozens of people 

    This model worked well, but it had one major drawback: it 
required the law firm to maintain what amounted to a server 
farm on their premises and extensive Information Technology 
(IT) staff to take care of the servers and the internal 
network. It was also capital intensive because the firm had to 
purchase enough servers to run their enterprise software 
applications and back all those applications up. And, of 
course, they had to buy more resources than they actually 
needed to account for potential growth and be able to respond 
immediately to problems with an individual server. For a law 
firm--as with any other business--downtime would mean lost 
revenue. And this brings us to what people call ``the cloud.''

    So what is the cloud? At a high level it is the movement of 
server-based computing power off the premises and onto servers 
that users access in a remote location over a private network 
or, in many instances, over the Internet. You already know 
about more consumer-focused, cloud-based services than you may 
think. Netflix's streaming video service is one. Facebook is 
another. Both these applications store vast amounts of 
information on remote servers somewhere on the Internet and 
deliver that information (and the computing power necessary to 
process it) to you on demand.

    Why Do SMBs Care About the Cloud?

    Understanding the basics of cloud computing is important, 
but it is just as important to understand how the businesses in 
your home districts use the cloud. A few examples might look 
like this:

     A seventeen-location Los Angeles furniture company 
sending all of its security footage directly to the cloud where 
they can store it securely and use server processing power to 
review and search it.

     A major insurance company with its US headquarters 
in Minnetonka moving its IT test environment to Amazon servers 
to avoid the capital costs associated with purchasing dozens of 
servers it will only need several times a year.

     A mid-size law firm with offices in Atlanta, 
Charlotte and Louisville moving its billing, time-keeping and 
accounting software to Cbeyond servers so that all of its 
offices can access the same data at the same time.

     A group of orthopedic surgeons in Denver moving 
all its patient records to the cloud to avoid the cost of 
maintaining the servers necessary to store, search and access 
x-rays and to ensure it meets its HIPPA obligations.

    Why would these businesses want to move these applications 
and information to off-premise servers? There are many reasons, 
some of which are embedded in the examples above. First, 
getting someone else to manage their servers allows an SMB to 
focus on their business rather than their infrastructure. 
Lawyers want to practice law, doctors want to practice 
medicine, real estate agents want to close deals and architects 
want to design buildings. They don't want to spend time taking 
care of internal IT resources. Cloud computing allows them to 
realize this dream.

    Second, cloud computing allows companies to preserve 
capital. Rather than buying servers that they then have to pay 
to maintain and upgrade, the business can rent only the server 
capacity it needs for the time it needs it. There are no 
installation cycles and no need for extra square footage or 
additional air conditioning or electrical upgrades.

    Third, cloud computing is fundamentally more secure in a 
variety of ways. It is physically more secure because data 
centers--unlike most places of business--are consciously 
designed to the highest access security and fire control 
standards. Business data is also more secure because a server 
operating in a data center is monitored around the clock and 
potential failures can often be detected and dealt with before 
they occur; this kind of monitoring and response simply cannot 
occur in SMB IT environments. Data in the cloud can be backed 
up to multiple, geographically diverse locations automatically; 
if there is a tornado that destroys a data center in 
Indianapolis, a business can seamlessly and without pause 
access that data from its duplicate in a Denver data center. 
Security patches and operating system updates on cloud-based 
servers are installed the instant they become available. And, 
finally, servers in a data center are sitting behind the most 
sophisticated, well-monitored firewalls available, and their 
anti-virus software is constantly updated with no intervention 
or action required by the business; it's all part of the 
service a business buys when it moves its data to the cloud.

    Fourth, cloud computing gives a business IT flexibility in 
that they can grow and shrink their computing resources on-
demand, preserving both capital and time. If a business needs 
to test major software releases under heavy loads a few times a 
year, it can simply spin up cloud servers, run their tests and 
then spin them down, saving time, saving money and avoiding the 
cost of infrastructure it has only occasional need for.

    Finally, the cloud allows businesses to increase IT 
velocity. If an innovator has an idea, it can be put to the 
test immediately. No more waiting for a server to ship and get 
installed. This compresses planning cycles, keeps our 
entrepreneurs focused on innovation rather than the 
infrastructure of innovation and allows new ideas to launch at 
the speed of the idea rather than the speed of FedEx.

    How Does Cbeyond Help SMBs Take Advantage of Cloud 

    If my comments thus far make cloud computing sound like the 
answer to many of the problems that SMBs confront as they 
launch or grow, good. Because that's an accurate view: cloud 
computing helps preserve capital, increases security and makes 
launching or growing a business both cheaper and faster. But 
SMBs need help to make the best use of cloud computing, help 
that can only come from their service providers.

    Unlike the large businesses that first began making use of 
the cloud, SMBs do not have extensive IT resources. They don't 
know how to move the applications that run their business into 
the cloud, and they don't know how to migrate the associated 
data. In fact, they generally don't even know what cloud 
computing resources they actually need to do whatever it is 
they want to do.

    The large telecommunications and large cloud-only providers 
do a great job serving enterprise businesses with big IT staffs 
who know exactly what they need. The giant telecom companies 
and cable providers also provide high-quality services to the 
small businesses that need basic services like Internet 
bandwidth, phones and email. But what about the sophisticated 
SMB that wants to use the cloud to preserve capital for job 
creation and innovation? They are in a tough spot: they don't 
have the IT staff to help them with their migration to the 
cloud, and the big cloud providers are not set up to help them 
get QuickBooks and similar enterprise applications up and 
running in their data center. This is where companies like 
Cbeyond can help.

    Competitive telecommunications providers are the experts in 
the technology needs of SMBs because it's all we do. We have 
direct sales people who introduce businesses to the power of 
the cloud and personnel whose only job is to help businesses 
choose exactly the resources they need for the job at hand. We 
innovate to serve our small business customers by creating 
cloud offerings tailored specifically to their needs, building 
applications specifically designed to migrate their data and 
providing the kind of personalized support they need to succeed 
and to learn how to protect their business-critical data and 

    What Cyber-Security Threats Face SMBs That Move Computing 
Resources to the Cloud?

    While the move to the cloud can be of tremendous benefit to 
SMBs from a variety of perspectives, many are concerned about 
security. And they should be: cyber-security must be a primary 
concern for any Internet-connected business. The first point 
that needs to be made there is that the nature of the cyber-
threats facing SMBs as they move into the cloud are not much 
different from the threats they have always faced if they have 
a network that is connected to the Internet. They still need to 
protect their internal networks, protect their data as it is 
transmitted from one network to another and protect their 
network endpoints--their individual PCs--from compromise.

    Most digital attacks on SMBs enter the business through a 
network connection to the Internet, and the fist line of 
defense is having systems in place to block these threats from 
crossing into their private networks from the public Internet. 
Many SMBs, particularly those with more than one location, have 
multiple internal networks, and they must also ensure that 
their data is safe as it moves from one secure network to 
another. To understand these threats more completely, a good--
if somewhat hackneyed--analogy is to a medieval castle.

    If you think of an SMB's internal network as its castle, a 
good firewall and content filter is like its drawbridge and 
moat, controlling access to the castle and ensuring that only 
authorized people (packets) are admitted. Firewalls filter data 
at the protocol level to ensure it is authorized, and content 
filters search inside the data itself to see if there is any 
spam or malware hidden inside so that it can be stopped before 
it penetrates the internal network.

    But medieval kings were not only concerned about the wrong 
people sneaking into their castles; they also had to be 
concerned with threats from afar, and--like guards stationed 
along the walls and towers of the castle--this is where 
intrusion detection systems (IDSs) and distributed denial of 
service (DDoS) defenses come into play. In network security 
parlance, an intrusion happens when a cyber-criminal breaks 
into a network without causing any visible damage and then 
silently extracts information from the network, information 
like social security and credit card numbers. IDSs are designed 
to watch for and flag intrusions.

    A DDoS attacks is designed to make a network unavailable to 
its intended users by overloading web-connected servers. DDoS 
attacks are hard to defend against, but they often begin with 
multiple firewall contacts. Appropriate intrusion detection 
software can warn an SMB of an impeding attack so steps can be 
taken to deflect the attack and keep the network running.

    But what about information that needs to leave the castle 
securely and travel across open country? This is where a 
Virtual Private Network (VPN) comes into play. Like the 
security detail a king might use to surround private 
communications being sent to another castle, a VPN creates a 
secure, encrypted link between one private network connected to 
the Internet and another, ensuring that data traversing the 
public Internet is safe from compromise. The VPN encapsulates, 
encrypts and authenticates the data on both ends of the 
communication so it cannot be intercepted, modified or stolen. 
A good VPN protects the transmitted data so well that criminals 
looking for it don't even see it pass by on the Internet.

    Unfortunately, no matter how well an SMB takes care of 
network security issues, there remains the possibility that its 
security can be compromised by issues with its network 
endpoints, its individual PCs. New species of virus can sneak 
through even the most sophisticated content monitoring systems, 
and laptops are often taken home where unwary Internet usage or 
just bad luck can result in infection. The Verizon 2010 Data 
Breach Investigations Report (which contained information from 
both Verizon and the United States Secret Service) indicated 
that 46% of all verified security breaches came from inside a 
business firewall. And these intrusions can be quite serious, 
as key-loggers steal network passwords or viruses introduced by 
angry employees destroy data.

    To combat the threat of attack from inside the firewall, 
SMBs can use antivirus, anti-spam and anti-spyware software 
which--when properly maintained and updated--can catch 
infections on network endpoints before they do any damage. They 
can also implement malicious web-site protections that prevent 
their employees from accidentally visiting sites that are known 
to cause infections or phishing sites that are designed to fool 
users into providing confidential information. Most 
importantly, businesses can make sure that the operating 
systems on their individual computers are updated regularly so 
that patches designed to close security holes are installed the 
instant they become available.

    Finally, what about the cloud? One of the tremendous 
virtues of the cloud is that it allows an SMB to access cloud-
based applications and computing resources from anywhere in the 
world. But its access-from-anywhere convenience also presents a 
security threat if non-secure passwords are used. There are 
simple measures a business can take to ensure that its 
employees each have their own password and that those passwords 
are secure, meaning that they are at least twelve digits long 
and contain both lower case and upper case letters as well as 
numbers. Further, SMBs can ensure that they encrypt all 
sensitive data on their employee laptops and have the ability 
to remotely wipe smart phones and other devices that are easily 

    How does Cbeyond Help SMBs with the Cyber-Security Threat?

    Cbeyond was built from the ground-up to deliver technology 
services only to SMBs, and we strive to serve as their 
technology ally. An October, 2012 study of SMB security 
practices by the National Cyber Security Alliance and Symantec 
interviewed more than one thousand businesses with less than 
250 employees and found that:

      90% do not have an internal IT manager focused on 
technology-related issues;
     87% do not have a formal written Internet security 
     68% do not provide any cyber-security training to 
their employees; and
     83% do not have an automated systems that requires 
employees to periodically change their passwords.

    Given these statistics, we view helping our customers with 
their cyber-security needs to be a key part of our role as 
their technology ally, and we do this in two ways: through our 
products and through education.

    From an education perspective, we maintain a blog at 
www.cbeyond.com that regularly addresses security issues faced 
by SMBs and provides links to in-depth information contained in 
industry whitepapers. We also draft our own whitepapers on 
security issues and distribute them to customers and partners. 
Finally, we educate our vendors and partners at live events on 
emerging security threats and how to address them with their 

    From a product perspective, we do everything we can to 
provide cyber-security protection to our customers so they can 
focus on running their business rather than focusing on 
security. Our security products for customer networks include 
the most advanced managed firewall protection available via our 
TotalCloud Data Center and--most importantly--a private network 
that extends a customer's Local Area Network (LAN) into our SOC 
2 and SOC 3 compliant data center so that their business-
critical data never traverses the public Internet at all. For 
our multi-location customers and customers who need to be able 
to access their cloud resources remotely, we offer VPN services 
to protect data that must transit the public Internet.

    Our products aimed at protecting customer endpoints include 
Secure Desktop which is constantly updated without customer 
intervention and stops viruses and spyware before they can 
infect a customer computer. Our customers can check the 
security status of every PC they own via an online portal. We 
also offer network security assessments on customer request, 
and--if they have a problem with a virus or other malware--we 
will visit their business to take care of the issue.

    Cyber-security is one of the most critical issues facing 
Internet-connected SMBs today, and the role that the 
Subcommittee can play in educating them about the threat and 
the ways to mitigate it cannot be underestimated. Mr. Chairman 
and members of the Subcommittee, I appreciate the Committee's 
interest in this important topic and thank you for the 
opportunity to provide this statement for the record.




                              McAFEE, Inc.



                      COMMITTEE ON SMALL BUSINESS



                             MARCH 21, 2013

    Good morning Chairman Collins, Ranking Member Hahn, and 
other members of the Subcommittee. I am Phyllis Schneck, Vice 
President and Chief Technology Officer, Global Public Sector 
for McAfee, Inc. We appreciate the Subcommittee's interest in 
cyber security as it affects small business, and I'm pleased to 
be addressing the Subcommittee once again.

    My testimony will focus on the following areas:

           The threat landscape and its implications 
        for small business
           Recommended best practices for small 
        businesses to protect themselves
           What the private sector can do to help small 
           What government can do to help small 

    First I would like to provide some background on my 
experience and on McAfee.

    I have dedicated my entire professional career to the 
security and infrastructure protection community. My technical 
background is in high performance computing and cryptography. 
In addition to my role with McAfee, I serve as Chairman of the 
Board of Directors of the National Cyber Forensics and Training 
Alliance (NCFTA), a partnership between government, law 
enforcement, and the private sector for information analytics 
that has been used to prosecute over 400 cyber criminals 
worldwide. Earlier, I worked as Vice President of Threat 
Intelligence at McAfee and was responsible for the design and 
application of McAfee'sTM Internet reputation 
intelligence. I am the Vice Chair of the Information Security 
and Privacy Advisory Board (ISPAB) and have also served as a 
commissioner and working group co-chair on the public-private 
partnership for the Center for Strategic and International 
Studies (CSIS) Commission to Advise the 44th President on Cyber 

    Additionally, I served for eight years as chairman of the 
National Board of Directors of the FBI's InfraGardTM 
program and as founding president of InfraGard Atlanta, growing 
the InfraGard program from 2000 to over 33,000 members 
nationwide. Prior to joining McAfee, I was Vice President of 
Research Integration at Secure Computing. I hold a Ph.D. in 
Computer Science from Georgia Tech, where I pioneered the field 
of information security and security-based high-performance 

    McAfee's Role in Cyber Security

    McAfee, Inc. protects businesses, consumers and the public 
sector from cyber-attacks, viruses, and a wide range of online 
security threats. Headquartered in Santa Clara, California, and 
Plano, Texas, McAfee is the world's largest dedicated security 
technology company and is a proven force in combating the 
world's toughest security challenges. McAfee is a wholly owned 
subsidiary of Intel Corporation.

    McAfee delivers proactive and proven solutions, services, 
and global threat intelligence that help secure systems and 
networks around the world, allowing users to safely connect to 
the Internet and browse and shop the web more securely. Fueled 
by an award-winning research team, McAfee creates innovative 
products that empower home users, businesses, the public 
sector, and service providers by enabling them to prove 
compliance with regulations, protect data, prevent disruptions, 
identify vulnerabilities, and continuously monitor and improve 
their security.

    To help organizations take full advantage of their security 
infrastructure, McAfee launched the Security Innovation 
Alliance, which allows organizations to benefit from the most 
innovative security technologies from thousands of developers, 
who can now snap into our extensible management platform. 
Today, more than 160 technology partners--large and small 
businesses all committed to continuous innovation in security--
have joined the alliance, with more to be announced soon.

    The Threat Landscape and its Implications for Small 

    Since I last testified before the Subcommittee the cyber 
threat has only intensified. I want to focus on two areas where 
information technology is helping small business be more 
efficient but where caution is also necessary. These are the 
areas of mobile communications and the cloud.

    Mobile Threats

    It should come as no surprise that cyber criminals follow 
the latest technology trends because that's where the targets 
are the most promising. The growth in mobile communications is 
staggering, and the U.S. leads the world in mobility. Globally, 
mobile data traffic grew 70% in 2012, and by the end of this 
year the number of mobile-connected devices is expected to 
exceed the world's population, according to the Cisco Visual 
Networking Index.

    Small businesses, as others, are relying more on mobile 
devices not only for communication but also for business 
processes, and there's every reason to believe this trend will 
continue. When I last appeared before the subcommittee, in 
December of 2011, mobile threats had begun to appear on the 
radar screen. Now they are front and center.

    According to McAfee Labs, the growth in mobile malware 
almost doubled in each of the last two quarters of 2012. At the 
beginning of this year, the total number of samples in our 
mobile malware ``zoo'' reached almost 37,000--with 95% of those 
having arrived in 2012. To put this in perspective, in all of 
2011 we gathered only 792 samples. The Android platform is the 
lead target of mobile malware, with 97% of last quarter's (4th 
Q 2012) being directed there.

    One of the most volatile and worrisome areas of threats 
today is some new functionality in malware. A scam known as 
Android/MarketPay is a Trojan horse program that buys apps from 
an app store without a user's permission. We're likely to see 
crooks take this malware's app-buying payload and add it to a 
mobile worm. With such a mobile worm, attackers will no longer 
need victims to install a piece of malware. And if user 
interaction isn't needed, there will be nothing to prevent a 
mobile worm from going on a shopping spree.

    Another developing area for mobile threats is in phones or 
other devices with near-field communications (NFC), which are 
becoming more common. As users are able to make ``tap and pay'' 
purchases in more locations, they'll carry their digital 
wallets everywhere. That flexibility will, unfortunately, also 
be a boon to thieves. Attackers will create mobile worms with 
NFC capabilities to propagate (via the ``bump and infect'' 
method) and to steal money. Malware writers will thrive in 
areas with dense populations (airports, malls, theme parks, 
etc.). An NFC-enable worm would run rampant through a large 
crowd, infecting victims and potentially stealing from their 
wallet accounts.

    Attackers love it when users install malicious apps that 
let the bad guys gain complete control of victims' phones; it's 
no wonder that mobile backdoors remain popular with attackers. 
Android/FakeLookout.A is a mobile backdoor that pretends to be 
an update to antivirus software. In reality it hands control of 
a phone to an attacker. It's designed to steal and upload text 
messages and other files to the attacker's server. Another one 
of these is Android/GinMaster.A, a mobile backdoor that uses a 
root exploit to gain further access to a user's phone. It posts 
a number of pieces of identifying information to the attacker's 
server and accepts commands from the attacker.

    As you can see, innovation is thriving in mobile malware 
development and needs to thrive even more strongly in our small 
businesses. Faced with the challenges of ``Bring your own 
device,'' sometimes known as ``BYOD,'' many small businesses 
will struggle with maintaining security and management control 
over a wide spectrum of devices that consumers increasingly 
want to use for their work.

    Migration to the Cloud

    Another IT trend that serves small business particularly 
well is migration to the cloud. Small businesses, in 
particular, can find real efficiencies in outsourcing their IT 
and communications systems to the cloud. They can reduce costs, 
improve offerings, eliminate complexity and have less need for 
onsite IT staff. These are great objectives--as long as 
security is not sacrificed.

    I won't go into detail here, but not surprisingly, we are 
seeing bad actors target cloud providers. Most cloud providers 
do not offer a forensics capability as part of their base 
offering. This means that if a company's data stored in the 
cloud is breached, it will cost the company extra to provide 
forensic data to either law enforcement or a security firm so 
that the breach can be traced and remediated. Small business 
owners should address this need up front with cloud providers 
so they are not surprised if a breach occurs.

    This is especially important at this time, when companies 
of all sizes are being encouraged to report breaches or 
suspected events to 1) protect victims, and 2) use the behavior 
intelligence and forensics around the event to help protect 
others. There has never been a more important time for a 
security provider--cloud or otherwise--to enable easy, sound, 
connected intelligence and behavioral analysis at a price point 
that is a worthy investment. This helps small businesses 
individually and collectively.

    What Can Small Businesses Do to Protect Themselves?

    Mobility and the cloud are here to stay, and it makes sense 
for small business to embrace these trends. They shouldn't do 
so without protections, however; this, too, makes good business 

    Here are some recommendations for small businesses to 
protect themselves:

    In General

    At McAfee, we believe in ``Security Connected,'' from the 
chip to the cloud. As a part of the Intel Corporation, we 
explore behaviors from hardware to software and specialize in 
recognizing malicious intent before it can cause irrevocable 
harm. The keys are ensuring that cyber security is a boardroom 
issue of risk--even in the smallest of companies--and enabling 
companies to implement a connected, holistic approach that 
considers their networks an ecosystem of traditional, mobile 
and cloud devices and services.

    This ecosystem concept is well described in the white paper 
from the National Protection and Programs Directorate within 
the Department of Homeland Security. Done correctly, networks 
can detect behaviors over time and begin to recognize, almost 
biologically, threats before those threats can overtake network 
functionality. Maturity models have shown that for any size 
organization, a wise design up-front leads to increasing 
security and decreasing cost over time. A connected, behavior-
based approach enables network components such as phones, 
laptops and servers to communication observed behavior amongst 
each other. Security can thus be managed in real-time based on 
policy that adapts to current threats and provides resilience: 
the ability to run while under attack.

    These intelligent systems are the result of innovation, and 
we need to help small business make wise--not expensive--
choices to create a connected security foundation. As I 
mentioned in my prior testimony to this Committee, small 
business comprises over 95% of the U.S. business fabric. Small 
businesses have personal information stored, operational 
requirements and valuable intellectual property, and they need 
strong cyber security as much as large enterprises. Budget 
constraints in smaller businesses accentuate the need for a 
connected, ecosystem-based strategy in planning in security 

    For Mobility

    Like laptop and desktop PCs, today's mobile devices are 
complex platforms with multiple modes of communication, 
significant processing power and large storage capabilities. 
This by itself would make today's mobile devices subject to the 
same risks as business laptops; however, mobile devices have 
certain characteristics that make them even more vulnerable 
than PCs. Thus we recommend contracting with reputable service 
providers who take security seriously.

    There are also precautions that small business owners can 
take to make sure their employees' devices are secure. Here's a 
partial list:

           Track and adaptively manage the devices that 
        access your corporate network
           Educate employees on their role in 
        protecting the organization, its data, and brand 
        against theft, loss or malicious use
           Use passwords
           Encrypt on-device data and email, and ensure 
        mobile device data and email remote ``wipe'' 
           Have policy controls over memory card usage 
        and encrypt that data.
           Implement Bluetooth controls, such as 
        installing firewalls and pairing with only known, 
        trusted devices
           Protect against Trojans with blacklisting 
        and whitelisting applications
           Have policy controls over web browser use 
        and website access
           Install a firewall on the mobile device to 
        restrict inbound connections and prevent use of the 
        mobile device as a bridge

    The best security providers offer both targeted and 
comprehensive protections for the leading mobile device 
platforms. As mentioned earlier, Android devices are attacked 
much more than others. As an example of emerging mobile 
security software, McAfee last week announced an embedded 
control solution that is the industry's first to reside in the 
Android kernel. The control is embedded in the operating system 
rather than sitting at the user level, which is what makes it 
unique. As businesses depend more on mobile devices, security 
vendors will continue to innovate in the mobile space.

    For the Cloud

    Nine out of 10 businesses cite security as the top obstacle 
to cloud adoption, according to International Data Corporation 
(IDC). Yet small businesses can take advantage of cloud 
computing safely with some precautions upfront. These include 
making sure they are outsourcing to a cloud provider that can 
ensure robust security. We recommend that cloud providers 
contract with a third-party security vendor, offering the most 
up-to-date protections for the most recent--and emerging--

    But there are steps small business owners can take before 
even getting data to the cloud provider. You can think of these 
practices as building a secure bridge to the cloud. Here are a 
few recommendations:

    Discover and classify data in the organization before it 
even leaves to go to the cloud

    Before even beginning to consider what type of data should 
or should not be moved to the cloud, a business must first 
understand what data it has, where it resides--and more 
importantly--the value or sensitivity of the data. Only when 
there is a complete inventory of the data can an organization 
begin to classify the data to build the appropriate policies to 
protect it and then enforce policies while data travels both 
within and outside the organization.

    These policies can be kept simple, but they should be in 
place to enable cyber security to be managed as a risk 
mitigation tool and business enabler for small business.

    Secure the primary channels of traffic that move data to 
and from the cloud

    These channels include email traffic, web traffic 
(including mobile), and authentication traffic (making sure 
users are who they say they are, and that they are authorized 
to access the data).

    McAfee and other comprehensive security vendors offer cloud 
security platforms that are very effective at managing these 

    It's also possible for small businesses to get their 
security virtually--whether or not they are outsourcing their 
IT. Again, we and other security vendors offer security via a 
third party, or ``the cloud,'' and this can be a cost-effective 
way for small businesses to get optimum security without having 
to manage everything themselves.

    What the Private Sector Can Do to Help Small Businesses

    In addition to providing security for mobility and the 
cloud, the security and IT industries need to keep their focus 
on innovation in order to help small business and other 
organizations. At McAfee we feel strongly that the path forward 
is for security to be integrated into products at the 
beginning, for disparate islands of security to be connected, 
and for security vendors to offer real-time situational 
awareness of threats.

    Security features are not as effective when they are glued 
onto systems as an afterthought. Rather, cyber security must be 
integrated into equipment, systems and networks at the very 
start of the design process. Security must be embedded in a 
product or network element so that it becomes an integral part 
of the product's or element's functioning. Products must also 
be built to communicate with each other--exchanging information 
in real-time about what each product is seeing on the network 
to create the behavioural knowledge throughout the network 
ecosystem. This design-level approach is not only more 
effective; it is less cumbersome and less expensive than trying 
to lock down systems that are inherently insecure. This 
approach also provides tremendous cost savings for small 
businesses, because the products and services that enable the 
business have more native security and lead to a safer 
infrastructure with less need for additional expenditures.

    McAfee and Intel create and support these Security by 
Design and Security Connected approaches. Today's attackers now 
can be stopped below the machine's applications layer--and even 
below the operating system. McAfee and Intel are working 
together to change the security paradigm to dynamically and 
adaptively protect systems against attacks at the core of 
computing, and to provide proactive defenses in real-time, 
making networks intelligent enough to prevent malicious 
instructions from reaching their targets--instead of requiring 
those targets to be vaccinated using signatures.

    We also believe that as a security industry we must unify, 
simplify, and strengthen the way we provide security. We need 
to provide a framework for integrating potentially disparate 
technologies--building bridges between security islands to 
close coverage and technology gaps. This is the rationale for 
McAfee's Security Connected platform. With cyber security 
integration, security companies and their small business 
customers will be able to quickly and comprehensively detect 
and deter threats.

    And having real-time visibility into emerging threats and a 
comprehensive view across the threat landscape is a powerful 
means of defeating cyber incursions. One robust technology that 
enables this real-time global visibility is called Global 
Threat Intelligence. With Global Threat Intelligence, millions 
of sensors scan the Internet across the globe and feed back 
real-time data on threats. This data is instantaneously 
correlated and fed back into security products, delivering 
real-time protection to customers, as we identify and block 
malicious files, Internet protocols and web addresses. With 
even more threat data from more security organizations fed into 
this network, customers would get even more comprehensive 
visibility into the quickly changing patterns of infestations 
and could take immediate steps to counter them.

    What Government Can Do to Help Small Business: Enable 
Information Sharing

    It's hard to overstate the importance of being able to 
share threat information between the private sector and the 
government. There are several initiatives that can facilitate 
this process, and I'll discuss two of them: an information 
sharing bill and an information sharing mechanism available to 
large business known as ISACs, or Information Sharing and 
Analysis Centers.

    An Information Sharing Bill - Rogers/Ruppersberger

    During the last Congress and again this year, House 
Intelligence Chairman Mike Rogers (R-Michigan) and Ranking 
Member Dutch Ruppersberger (D-Maryland) introduced the Cyber 
Intelligence Sharing and Protection Act, also known as CISPA. 
The bill would facilitate the sharing of cyber intelligence 
between the government and the private sector. Significantly, 
the bill would offer liability protections for private entities 
sharing cyber threat information in good faith. Ensuring that 
sufficient privacy protections are baked into this bill will 
help cement the broad consensus necessary to make this proposal 
a legal reality.

    An Information Sharing Construct - ISACs

    While we definitely need legislation for robust information 
sharing, the government has endorsed and the private sector has 
put in place several Information Sharing and Analysis Centers, 
or ISACS. These ISACS, which are organized by sector, provide a 
specific mechanism for sharing cyber threat data.

    Small businesses have neither the budgets nor the cyber 
experts to participate in a traditional ISAC. Indeed this 
Committee might consider the merits of conducting a study or 
holding a hearing on this matter to develop policy proposals to 
enable deeper small business community participation in the 
ISAC community. As we know, small businesses represent 99.7% of 
all employer firms and employ about half of all private sector 
employees, according to the Small Business Administration. We 
need to find a way to include small business in our nation's 
security paradigm--and that includes information sharing.

    The National Cyber Forensics and Training Alliance (NCFTA) 
is one example of successful information sharing. Small 
businesses need the intelligence that such collaborations 
provide, and perhaps the small business community could 
leverage the information sharing agreements in the NCFTA so 
that collectively they could better protect the U.S. small 
business fabric, and thus our economy.

    Thank you for the opportunity to address the subcommittee. 
I will be happy to answer any questions.